July 17, 2018
The full version string for this update release is 10.0.2+13 (where "+" means "build"). The version number is 10.0.2.
JDK 10.0.2 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 10.0.2 are specified in the following table:
|JRE Family Version||JRE Security Baseline |
(Full Version String)
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 10.0.2) will expire with the release of the next critical patch update scheduled for October 16, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 10.0.2) on November 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
The specification of the method
java.lang.invoke.MethodHandles.filterArguments was clarified to state more clearly that filter arguments are invoked in left to right order. The implementation of this method was also fixed to ensure it conformed to the specification. Prior to the fix the implementation incorrectly invoked filters in right to left order. For the majority of usages it is expected such a change in behavior will not be observable. Only in the minority of cases where two or more filters have side-effects that affect their results will such behavior be observable.
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS ) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property:
Define this system property (or set it to
true) to disable endpoint identification algorithms.
New access checks have been added during the object creation phase of deserialization. This should not affect ordinary uses of deserialization. However, reflective frameworks that make use of JDK-internal APIs may be impacted. The new checks can be disabled if necessary by setting the system property jdk.disableSerialConstructorChecks to the value "true". This must be done by adding the argument -Djdk.disableSerialConstructorChecks=true to the Java command line.
The following are some of the notable bug fixes included in this release:
A klass that has been considered unreachable by the concurrent marking of G1, can be looked up in the
ClassLoaderData/SystemDictionary, and its
_class_loader fields can be stored in a root or any other reachable object making it alive again. Whenever a klass is resurrected in this manner, the SATB part of G1 needs to be notified about this, otherwise, the concurrent marking remark phase will erroneously unload that klass.
In this particular crash, while G1 was doing concurrent marking and had prepared its list of unreachable classes, JVMTI on a Java thread could traverse classes in the CLD and store thread-local JNIHandles for the java_mirror of the loaded classes. G1 did not have knowledge of these thread-local JNIHandles, and in the remark phase, it unloaded classes per its prior knowledge of unreachable classes. When these JNIHandles were later scanned, it lead to a crash.
This fix for JDK-8187577 informs G1's SATB that a klass has been resurrected and should not be unloaded.