Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the following Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 15.0.2) be used after the next critical patch update scheduled for January 19, 2021.

For full information and terms, refer to the OTN License Agreement for Java SE. The OTN License Agreement for Java SE for current Oracle Java SE releases allows them to be used, without cost:

  • (i) For personal use on a desktop or laptop computer, such as to play games or run other personal applications.
  • (ii) For development, testing, prototyping, and demonstrating applications, including to use by/with profilers, debuggers, and Integrated Development Environment tools.
  • (iii) For use with some approved products, such as Oracle SQL Developer, or as an end user of a software application created by an approved product. (referred to as "Schedule A" and "Schedule B" Products in the OTN License Agreement for Java SE)
  • (iv) With identified Oracle Cloud Infrastructure products.

The latest version of Java is Java 20 or JDK 20, however many versions of Java are actively maintained for compatibility purposes. Java 8, Java 11 and Java 17 are the three long-term support versions recommended by Oracle. You can download the version you need below:

Java 8 is the last free software public update for commercial use, which explains why it remains popular. Oracle plans to maintain it until at least 2030. Also, you should know that some applications might refer to Java 8 as version 1.8.0.

What's New

  • The full version string for this update release is 15.0.2+7 (where "+" means "build"). The version number is 15.0.2.

IANA Data 2020d

  • JDK 15.0.2 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.

New Features

security-libs/javax.net.ssl

  • Improve Certificate Chain Handling
    • A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).
    • A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10. JDK-8245417 (not public)

Other notes:

core-libs/javax.naming

Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections

  • A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.
  • The value of the property, which is by default not set, is a comma separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' ( i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.
  • The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.

Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.