
Java News Roundup: Foreign Function & Memory API, OpenJDK JEPs, Apache Tomcat CVEs

This week's Java roundup for October 9th, 2023, features news from OpenJDK, JDK 22, Apache Tomcat CVEs, Devoxx Morocco, and milestone, point and release candidates of: Spring Framework; Spring Data; Micronaut; Quarkus; Micrometer Metrics; Micrometer Tracing; Apache Kafka; Apache Camel; Eclipse Vert.x; Project Reactor; JHipster Lite; Piranha; and RefactorFirst.

OpenJDK

After its review has concluded, JEP 454, Foreign Function & Memory API, has been promoted from Proposed to Target to Targeted for JDK 22. This JEP proposes to finalize this feature after two rounds of incubation and three rounds of preview: JEP 412, Foreign Function & Memory API (Incubator), delivered in JDK 17; JEP 419, Foreign Function & Memory API (Second Incubator), delivered in JDK 18; JEP 424, Foreign Function & Memory API (Preview), delivered in JDK 19; JEP 434, Foreign Function & Memory API (Second Preview), delivered in JDK 20; and JEP 442, Foreign Function & Memory API (Third Preview), to be delivered in the upcoming GA release of JDK 21. Improvements since the last release include: a new Enable-Native-Access manifest attribute that allows code in executable JARs to call restricted methods without the use of the --enable-native-access flag; the ability for clients to programmatically build C function descriptors, avoiding platform-specific constants; improved support for variable-length arrays in native memory; and support for multiple charsets in native strings. InfoQ will follow up with a more detailed news story.

JEP 460: Vector API (Seventh Incubator), has been promoted from its JEP Draft 8315945 to Candidate status. This JEP, under the auspices of Project Panama, incorporates enhancements in response to feedback from the previous six rounds of incubation: JEP 448, Vector API (Sixth Incubator), to be delivered in the upcoming GA release of JDK 21; JEP 438, Vector API (Fifth Incubator), delivered in JDK 20; JEP 426, Vector API (Fourth Incubator), delivered in JDK 19; JEP 417, Vector API (Third Incubator), delivered in JDK 18; JEP 414, Vector API (Second Incubator), delivered in JDK 17; and JEP 338, Vector API (Incubator), delivered as an incubator module in JDK 16. The most significant change from JEP 448 is an enhancement to the JVM Compiler Interface (JVMCI) to support Vector API values.

JEP Draft 8315398, Implicitly Declared Classes and Instance Main Methods (Second Preview), formerly known as Unnamed Classes and Instance Main Methods (Preview), Flexible Main Methods and Anonymous Main Classes (Preview) and Implicit Classes and Enhanced Main Methods (Preview), incorporates enhancements in response to feedback from the previous round of preview, namely JEP 445, Unnamed Classes and Instance Main Methods (Preview). This JEP proposes to "evolve the Java language so that students can write their first programs without needing to understand language features designed for large programs." This JEP moves forward the September 2022 blog post, Paving the on-ramp, by Brian Goetz, Java language architect at Oracle. Gavin Bierman, consulting member of technical staff at Oracle, has published the first draft of the specification document for review by the Java community. More details on JEP 445 may be found in this InfoQ news story.

Gavin Bierman, consulting member of technical staff at Oracle, has provided an updated specification document for JEP 447, Statements before super() (Preview), a JEP that proposes to: allow statements that do not reference an instance being created to appear before the this() or super() calls in a constructor; and preserve existing safety and initialization guarantees for constructors.

JDK 22

Build 19 of the JDK 22 early-access builds was made available this past week featuring updates from Build 18 that include fixes to various issues. Further details on this build may be found in the release notes.

For JDK 22, developers are encouraged to report bugs via the Java Bug Database.

Spring Framework

The first release candidate of Spring Framework 6.1.0 delivers bug fixes, improvements in documentation, dependency upgrades and new features such as: a move of the ReactorResourceFactory class from the org.springframework.http.client.reactive to the org.springframework.http.client package for improved support of CRaC; allow custom implementations of the ClientRequestObservationConvention interface for the RestClient interface; and expose the shouldHandle(ApplicationEvent) method in the ApplicationListenerMethodAdapter class to inspect whether a listener is actually interested in an event instance. More details on this release may be found in the release notes.

Similarly, Spring Framework 6.0.13 has been released featuring bug fixes, improvements in documentation, dependency upgrades and new features such as: improved diagnostics for when repeated text size calculation results in overflow in the Spring Expression Language; and the reintroduction of the FastClass class in CGLIB proxy class names for classes annotated with @Configuration. Further details on this release may be found in the release notes.

The first release candidate of Spring Data 2023.1.0, codenamed Vaughn, delivers: support for JDK 21; use of virtual threads via configuration of the Java Executor interface; support for Kotlin value classes; an initial exploration of optimizations with CRaC; and a migration of documentation to Antora. More details on this release may be found in the release notes.

Versions 2023.0.5, 2022.0.11 and 2021.2.17, all service releases of Spring Data, feature bug fixes and respective dependency upgrades to sub-projects such as: Spring Data Commons 3.1.5, 3.0.11 and 2.7.17; Spring Data MongoDB 4.1.5, 4.0.11 and 3.4.17; Spring Data Elasticsearch 5.1.5, 5.0.11 and 4.4.17; and Spring Data Neo4j 7.1.7, 7.0.11 and 6.3.17. These versions can be consumed by the upcoming releases of Spring Boot 3.1.5, 3.0.12 and 2.7.17, respectively.

The second milestone release of Spring Shell 3.2.0 provides experimental support for a new Terminal UI and other notable changes such as: a new ViewCommand class to provide a higher-level instruction for the View interface; and improved implementations of the ButtonView and DialogView classes. Further details on this release, including a demo of the new Terminal UI, may be found in the release notes.

Micronaut

The Micronaut Foundation has released version 4.1.4 of the Micronaut Framework featuring Micronaut Core 4.1.9 and updates to modules: Micronaut Serialization, Micronaut AWS, Micronaut Email, Micronaut Data, Micronaut Maven Plugin, Micronaut SQL Libraries, and Micronaut Discovery Client. More details on this release may be found in the release notes.

Quarkus

Red Hat has released Quarkus 3.4.3, which primarily addresses CVE-2023-44487, a vulnerability in which Tomcat's implementation of HTTP/2 was vulnerable to the rapid reset attack causing a denial of service that was typically manifested as an OutOfMemoryError. There were also improvements in documentation and notable fixes such as: a call to a Reactive REST Client that hangs when receiving an invalid chunked response, resulting in resources not being released; a ClassNotFoundException when Quarkus applications that use Picocli and JAX-RS to consume SSEs are converted to a native build; and allowing the MicroProfile @ClientHeaderParam annotation to override the "User-Agent" header parameter. Further details on this release may be found in the changelog.

Micrometer

Versions 1.12.0-RC1, 1.11.5, 1.10.12 and 1.9.16 of Micrometer Metrics all deliver dependency upgrades and these bug fixes: an instance of the ObservationRegistry.NOOP interface is null when running in a Spring Boot application; and a ConcurrentModificationException using the computeIfAbsent() method defined in the Context inner class of the Observation interface. New features in version 1.12.0-RC1 include: move the instrumentation for the Jakarta Messaging specification to a new module, micrometer-jakarta9; and support for the VMware CSP authentication system for their integration of Wavefront. More details on these releases may be found in the release notes for version 1.12.0-RC1, version 1.11.5, version 1.10.12 and version 1.9.16.

Similarly, versions 1.2.0-RC1, 1.1.6 and 1.0.11 of Micrometer Tracing all deliver dependency upgrades and bug fixes such as: apply a wider inclusion for Zipkin Reporter in the Gradle build to resolve dependency issues; and a scope override when a scope was set in the ObservationAwareSpanThreadLocalAccessor class. New features in version 1.2.0-RC1 include: define the SpanTagAnnotationHandler class as optional to match the TimedAspect class for improved configuration by frameworks; and a migration from io.opentelemetry:opentelemetry-semconv to io.opentelemetry.semconv:opentelemetry-semconv, because OpenTelemetry has deprecated its old Semantic Conventions module in favor of a new module that has different Maven coordinates. Further details on these releases may be found in the release notes for version 1.2.0-RC1, version 1.1.6 and version 1.0.11.

Apache Software Foundation

The Apache Tomcat team has disclosed four Common Vulnerabilities and Exposures (CVEs) that affect versions 11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13, 9.0.0-M1 to 9.0.80 and 8.5.0 to 8.5.93.

  • CVE-2023-42795, an information-leak vulnerability: when recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process, leading to information from the current request/response leaking into the next.
  • CVE-2023-45648, a vulnerability in which an attacker can send a specially crafted, invalid trailer header that could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
  • The aforementioned CVE-2023-44487.
  • CVE-2023-42794, a vulnerability in which Tomcat's internal fork of the Commons FileUpload package included an unreleased, in-progress refactoring that, on Windows, meant that if a web application opened a stream for an uploaded file but failed to close the stream, the file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full. It is important to note that this CVE only affected Tomcat versions 9.0.70 to 9.0.80 and 8.5.85 to 8.5.93.

Users of these affected versions should mitigate by upgrading to at least Apache Tomcat 11.0.0-M12, 10.1.14, 9.0.81 or 8.5.94, respectively.
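The affected ranges above mix milestone builds (11.0.0-M1 to 11.0.0-M11, 10.1.0-M1 to 10.1.13) with GA patch numbers, and a plain string or float comparison gets that ordering wrong (for example, "11.0.0-M12" sorts below "11.0.0-M2" as text). The following is an added example, not code from the Tomcat project or from the advisory, showing how a defender auditing an inventory can compare such versions correctly and report which of the four CVEs apply and the minimal fixed version to move to. The version ranges and fixed versions are exactly those stated above; the ordering rule that a milestone sorts before the GA build of the same number, the function names, and the sample inventory are this example's own assumptions.

```python
"""Check Apache Tomcat versions against the October 2023 advisory ranges.

The affected ranges and fixed versions are those stated in the advisory summary;
the milestone-aware ordering and the helper names are this example's own.
"""
import re

# Accepts "9.0.81" or "11.0.0-M11"; anything else is rejected rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a Tomcat version string into a sortable tuple.

    A milestone build (-Mn) precedes the GA build with the same number, so the
    fourth element is 0 for milestones and 1 for GA, and the fifth element is
    the milestone number (0 for GA). Hence 11.0.0-M1 < 11.0.0-M12 < 11.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# (lowest affected, highest affected, first fixed) for each release line, from the advisory.
_BRANCH_RANGES = [
    ("11.0.0-M1", "11.0.0-M11", "11.0.0-M12"),
    ("10.1.0-M1", "10.1.13", "10.1.14"),
    ("9.0.0-M1", "9.0.80", "9.0.81"),
    ("8.5.0", "8.5.93", "8.5.94"),
]

# Three of the four CVEs cover every branch range; CVE-2023-42794 only affected
# a narrower window on the 9.0.x and 8.5.x lines (see the advisory summary).
ADVISORY = {
    "CVE-2023-42795": _BRANCH_RANGES,
    "CVE-2023-45648": _BRANCH_RANGES,
    "CVE-2023-44487": _BRANCH_RANGES,
    "CVE-2023-42794": [
        ("9.0.70", "9.0.80", "9.0.81"),
        ("8.5.85", "8.5.93", "8.5.94"),
    ],
}


def _in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def affecting_cves(version: str) -> dict:
    """Return {cve: first_fixed_version} for each CVE whose affected range
    contains `version`; an empty dict means the version is outside all ranges."""
    hits = {}
    for cve, ranges in ADVISORY.items():
        for low, high, fixed in ranges:
            if _in_range(version, low, high):
                hits[cve] = fixed
                break
    return hits


def upgrade_target(version: str):
    """Minimal version on the same release line that clears every listed CVE,
    or None when the version is not affected. The fixed version is the same for
    every CVE on a given line in this advisory; max() guards against a future
    table where that is not so."""
    hits = affecting_cves(version)
    if not hits:
        return None
    return max(hits.values(), key=parse_version)


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> Tomcat version), not real data.
    inventory = {
        "app-1": "9.0.75",
        "app-2": "10.1.13",
        "app-3": "11.0.0-M12",
        "app-4": "8.5.80",
    }
    for host, ver in inventory.items():
        hits = affecting_cves(ver)
        if hits:
            print(f"{host}: Tomcat {ver} affected by {', '.join(sorted(hits))}; "
                  f"upgrade to {upgrade_target(ver)}")
        else:
            print(f"{host}: Tomcat {ver} is outside the affected ranges")
```

In the sample run, app-1 (9.0.75) is flagged for all four CVEs because it sits inside the narrower CVE-2023-42794 window as well, app-4 (8.5.80) is flagged for three, and app-3 (11.0.0-M12) is reported clean because the milestone-aware comparison places M12 above M11 rather than between M1 and M2.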

The release of Apache Kafka 3.6.0 delivers bug fixes, improvements and new features such as: support for delegation tokens in Kafka Raft (KRaft); the ability to migrate Kafka clusters from a ZooKeeper metadata system to a KRaft metadata system; and support for Tiered Storage as an early-access feature. More details on this release may be found in the release notes.

The release of Apache Camel 4.1.0 provides bug fixes, dependency upgrades and new features such as: capture startup events and report their timings in a human-readable report; a new Camel Thymeleaf template component to complement the existing Camel Freemarker and Camel Velocity components for working with templates; and a new command to generate an SBOM for a given JBang project in CycloneDX format. Further details on this release may be found in the release notes.

Eclipse Vert.x

The release of Eclipse Vert.x 4.4.6 delivers dependency upgrades and notable changes such as: an upgrade to Netty 4.1.100.Final that addresses the aforementioned CVE-2023-44487; fixes in the Money class that include deprecating the Money(long, int) constructor in favor of Money(Number); and drop support for an empty Host header in a curl command that caused a NullPointerException. More details on this release may be found in the release notes and deprecations and breaking changes.

Project Reactor

The first release candidate of Project Reactor 2023.0.0 provides dependency upgrades to reactor-core 3.6.0-RC1, reactor-pool 1.0.3 and reactor-netty 1.1.12. There was also a realignment to version 2023.0.0-RC1 with the reactor-kafka 1.3.21, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. Further details on this release may be found in the changelog.

Similarly, Project Reactor 2022.0.12, the twelfth maintenance release, provides dependency upgrades to reactor-core 3.5.11, reactor-netty 1.1.12 and reactor-pool 1.0.3. There was also a realignment to version 2022.0.11 with the reactor-kafka 1.3.21, reactor-addons 3.5.1 and reactor-kotlin-extensions 1.2.2 artifacts that remain unchanged. More details on this release may be found in the changelog.

JHipster Lite

Version 0.44.0 of JHipster Lite has been released featuring bug fixes, dependency upgrades and new features/enhancements such as: enable some builds on JDK 21; fix use of the Java HashMap class in the KafkaPropertiesTest class; and display a minimap on the landscape screen for improved navigation. Further details on this release may be found in the release notes.

Piranha

The release of Piranha 23.10.0 delivers notable changes such as: dependency and plugin upgrades; a code smell fix in the PiranhaJarContainer class; and a removal of the Vulnerabilities, Technical Debt, Security and Reliability badges. More details on this release may be found in their documentation and issue tracker.

RefactorFirst

Jim Bethancourt, principal software consultant at Improving, an IT services firm offering training, consulting, recruiting, and project services, has announced the release of RefactorFirst 0.5.0-M1. This release delivers many dependency upgrades and new features such as: a new command line for RefactorFirst; and a refactor of the HTML, CSV and JSON reports into their own respective modules. It is important to note that RefactorFirst now requires JDK 11 to address CVE-2023-4759, a vulnerability in JGit versions below 6.6.0 that allows an attacker to use a symbolic link in a specially crafted git repository to write a file to locations outside the working tree. As a result, the project has also been moved into the newly created RefactorFirst organization on GitHub. Further details on this release may be found in the release notes.

Devoxx Morocco

Devoxx Morocco was held at the Hilton Taghazout Bay Beach Resort & Spa in Taghazout, Morocco, this past week featuring speakers from the Java community who presented on topics such as: Architecture, Data & AI, Development Practices, DevOps & Cloud, and Security.
