BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Java News Roundup: Virtual Threads, JReleaser 1.0, Project Loom, Vendor Statements on Spring4Shell

Java News Roundup: Virtual Threads, JReleaser 1.0, Project Loom, Vendor Statements on Spring4Shell

This item in japanese

Lire ce contenu en français

This week's Java roundup for April 4th, 2022, features news from OpenJDK, JEP 425, JDK 19, Project Loom Build 19-loom+5-429, Jakarta EE Starter utility, Spring milestone and point releases, Payara and JetBrains statements on Spring4Shell, JReleaser 1.0, Helidon 2.5.0, JHipster 7.8.1, Hibernate Search 6.1.4, Kotlin 1.6.20, and JDKMon 17.0.24.

OpenJDK

JEP 425, Virtual Threads (Preview), was promoted from its JEP Draft 8277131 to Candidate status. This JEP introduces virtual threads, lightweight threads that dramatically reduce the effort of writing, maintaining, and observing high-throughput concurrent applications, to the Java platform.

JEP Draft 8284289, Improved Way of Obtaining Call Traces Asynchronously for Profiling, a feature JEP type, defines an efficient API for obtaining asynchronous call traces for profiling from a signal handler with information on Java and native frames.

JEP Draft 8284453, Optionally Record Thread Context in JFR, a feature JEP type, proposes to add the ability to attach user-defined context of relevant events to the existing standard JFR stack trace, the thread ID, and the time events.

JDK 19

Mark Reinhold, chief architect, Java Platform Group at Oracle, has proposed the following schedule for the release of JDK 19:

  • June 9, 2022: Rampdown Phase One
  • July 21, 2022: Rampdown Phase Two
  • August 11, 2022: Initial Release Candidate
  • August 25, 2022: Final Release Candidate
  • September 20, 2022: General Availability

This proposal will remain in review for comments until April 13, 2022, before it is finalized. At this time, only one new feature, JEP 422: Linux/RISC-V Port, has been targeted for JDK 19.

Build 17 of the JDK 19 early-access builds was made available this past week, featuring updates from Build 16 that include fixes to various issues. More details may be found in the release notes.

For JDK 19, developers are encouraged to report bugs via the Java Bug Database.

Project Loom

Build 19-loom+5-429 of the Project Loom early-access builds was made available to the Java community and is based on Build 16 of the JDK 19 early-access builds. This latest release features the update of the ForkJoinPool class that improves performance in cases such as message passing.

Jakarta EE Starter

The Jakarta EE Ambassadors have introduced version 1.0 of the Jakarta Starter utility, a Maven Archetype that generates sample code to build simple Jakarta EE microservices projects. Jakarta Starter has been tested with JDK 8, JDK 11 and JDK 17, and requires Maven 3+.

Spring Framework

On the road to Spring Cloud 2022.0.0, codenamed Kilburn, the second milestone release has been made available featuring a number of improvements, bug fixes and dependency upgrades to its subprojects: Spring Cloud Stream, Spring Cloud Config, Spring Cloud Kubernetes, Spring Cloud Contract, Spring Cloud Gateway, Spring Cloud Function and Spring Cloud Commons. There are, however, breaking changes. Spring Cloud 2022.0.0-M2 is compatible with Spring Boot 3.0.0-M2. More details on this release may be found in the release notes.

Spring Cloud Data Flow 2.9.4 has been released which addresses vulnerabilities CVE-2022-22965, AKA Spring4Shell, and CVE-2021-29425. There is also a dependency upgrade to Spring Boot 2.5.12. Further details on this release may be found in the release notes.

Vendor Statements on Spring4Shell Vulnerability

Payara statement on Payara Platform:

The Remote Code Execution (RCE) vulnerability detected in the Spring Java Framework in March 2022 (tagged as CVE-2022-22965) is unlikely to impact those using Payara Platform.

However, users that deploy Spring Framework WAR packaged applications in Payara Server are affected by this vulnerability as Payara Server shares pieces of code in its Servlet implementation, Catalina, which was originally branched from Apache Tomcat.

To mitigate the risk of being impacted by this vulnerability, we have implemented an urgent fix that effectively disables the affected code in the corresponding Catalina modules. This hotfix will be included in the upcoming releases of both Payara Community (5.2022.2) and Payara Enterprise (5.38).

JetBrains statement on JetBrains products:

Together with the product teams we ran an audit of JetBrains web applications, including the products: YouTrack, Hub, TeamCity, Space, Datalore, and services: JetBrains Website and JetBrains Account.

None of the applications listed above use vulnerable versions of Spring or don't meet known exploitation criteria and are therefore not affected by the discovered security issues. Please refer to the following technical discussions concerning TeamCity, Hub and YouTrack.

JReleaser

On the one-year anniversary of the initial version 0.1.0 release of JReleaser, the anticipated version 1.0 has been made available which ships with many new features such as: add a formatting function based on the releaser's download URL; allow named templates for the appName and appVersion properties; an option to skip template files; and add a packageVersion property to resolve a version scheme issue with Chocolatey.

More details on this release may be found in the changelog and Q&A with Andres Almiray, creator of JReleaser, may be found in this InfoQ news story.

Helidon

Oracle has released Helidon 2.5.0 that ships with: improved Oracle Cloud Infrastructure (OCI) Java SDK support; improved implementation of JAX-RS to support the @Path annotation; and a number of bug fixes and dependency upgrades. Further details on this release may be found in the release notes.

JHipster

A week after the release of version 7.8.0, version 7.8.1 of JHipster was released to include: many library upgrades; and a fix to address CVE-2022-24815, SQL Injection when creating an application with Reactive SQL backend. More details about this release may be found in the changelog.

Hibernate

Hibernate Search 6.1.4.Final has been released featuring: an upgrade to the -orm6 artifacts for Hibernate ORM 6.0.0.Final and Hibernate Commons Annotations 6.0.0.Final; an upgrade to latest version of Jakarta dependencies for the -orm6 and -jakarta artifacts; using an instance of the SearchSort interface in multiple queries with the Lucene backend that eliminates the side effects; and a fix on the Elasticsearch backend in which sorting on a dynamic field that has never been indexed.

Kotlin

JetBrains has released Kotlin 1.6.20 featuring: support for defining context-dependent declarations in Kotlin/JVM; improved interoperability with generic Java classes and interfaces; faster build times resulting from the parallel compilation of a single module in the JVM IR backend; a streamlined development experience facilitated by incremental compilation in Kotlin/JS IR; improvements with Kotlin/Native performance; and improved code sharing due to the hierarchical structure of multiplatform projects. Further details on this release may be found in this InfoQ news story.

JDKMon

The latest version of JDKMon, a new tool that monitors and updates installed JDKs, has been made available to the Java community. Created by Gerrit Grunwald, principal engineer at Azul, version 17.0.24 ships with: fixes related to the Linux version of JDKMon, and a replacement of the indicator for CVEs. The Ubuntu builds of OpenJDK builds will be detected, but there is no update support in the Disco API.

About the Author

Rate this Article

Adoption
Style

BT