October 16, 2018
The full version string for this update release is 1.7.0_201-b11 (where "b" means "build"). The version number is 7u201.
JDK 7u201 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u201 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 7 | 1.7.0_201-b11 |
| 6 | 1.6.0_211-b11 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 7u201) will expire with the release of the next critical patch update scheduled for January 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u201) on February 15, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
security-libs/javax.net.ssl
Disabled All DES TLS Cipher Suites
DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.
Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.
See JDK-8208350
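A check for the configuration described above, as an added example rather than Oracle code: it reads jdk.tls.disabledAlgorithms and the suites enabled on a default SSLEngine, and reports if either reactivation step has been applied. The class name, helper names and the name-matching rule for DES suites are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class DesSuiteAudit {
    // True when the comma-separated property value has "DES" as an entry of its own.
    static boolean listsDes(String disabledAlgorithms) {
        if (disabledAlgorithms == null) return false;
        for (String entry : disabledAlgorithms.split(",")) {
            if (entry.trim().equalsIgnoreCase("DES")) return true;
        }
        return false;
    }

    // Assumption: single-DES suites carry "_DES_" or "_DES40_" in their standard
    // names (e.g. SSL_RSA_WITH_DES_CBC_SHA); 3DES suites use "_3DES_" and are skipped.
    static List<String> desSuites(String[] suites) {
        List<String> hits = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_DES_") || s.contains("_DES40_")) hits.add(s);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        boolean blocked = listsDes(prop);
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> enabled = desSuites(engine.getEnabledCipherSuites());

        System.out.println("jdk.tls.disabledAlgorithms = " + prop);
        System.out.println("DES entry present: " + blocked);
        System.out.println("DES suites enabled on a default SSLEngine: " + enabled);

        // The release note names two reactivation steps; report each separately.
        if (!blocked) System.out.println("FINDING: \"DES\" is missing from jdk.tls.disabledAlgorithms");
        if (!enabled.isEmpty()) System.out.println("FINDING: DES suites are in the enabled list");
        if (!blocked && !enabled.isEmpty()) System.exit(1); // both steps are in place
    }
}
```

An application that calls setEnabledCipherSuites() on its own sockets or engines should pass that list to desSuites() as well, since the default engine does not reflect it.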
security-libs/java.security
Removal of Several Symantec Root CAs
The following Symantec root certificates are no longer in use and have been removed:
equifaxsecureca
DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
equifaxsecureglobalebusinessca1
DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
equifaxsecureebusinessca1
DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
verisignclass1g3ca
DN: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
verisignclass2g3ca
DN: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
verisignclass1g2ca
DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
verisignclass1ca
DN: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
See JDK-8191031
security-libs/java.security
Removal of Baltimore Cybertrust Code Signing CA
The following Baltimore CyberTrust Code Signing root certificate is no longer in use and has been removed:
baltimorecodesigningca
DN: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
See JDK-8189949
security-libs/java.security
Removal of SECOM Root Certificate
The following SECOM root certificate is no longer in use and has been removed:
secomevrootca1
DN: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
See JDK-8191844
client-libs/java.awt
Touch Keyboard for Swing/AWT Text Components
This release adds support for automatically showing the touch keyboard for Swing/AWT text components on Microsoft Windows 8 or later. A user can display the touch keyboard either by using a touch screen to tap the text component area or by using a mouse to click in the area, when a keyboard is not attached to a computer.
The system property awt.touchKeyboardAutoShowIsEnabled controls whether this functionality is enabled in the JDK. This functionality is enabled by default. However, if the functionality is not needed, the user can switch it off from the command line by setting the system property to false:
-Dawt.touchKeyboardAutoShowIsEnabled=false
See JDK-8166772
security-libs/javax.crypto
The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.
JDK-8201756 (not public)
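The alternative mentioned above, using the Cipher API directly for an authenticated mode, as an added example that is not Oracle code. It assumes an installed provider supplies AES/GCM/NoPadding; the class name, the sample message and the associated data are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class GcmDirectDecrypt {
    static final int TAG_BITS = 128;

    static byte[] encrypt(SecretKey key, byte[] iv, byte[] aad, byte[] plain) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);          // authenticated but not encrypted
        return c.doFinal(plain);   // ciphertext with the tag appended
    }

    // doFinal() verifies the tag before returning; a failed check surfaces as
    // AEADBadTagException, which this method lets propagate to the caller.
    static byte[] decrypt(SecretKey key, byte[] iv, byte[] aad, byte[] ct) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(aad);
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];                 // fresh IV for every encryption
        new SecureRandom().nextBytes(iv);
        byte[] aad = "record-header".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encrypt(key, iv, aad, "constructed sample".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, iv, aad, ct), StandardCharsets.UTF_8));

        byte[] tampered = Arrays.copyOf(ct, ct.length);
        tampered[0] ^= 0x01;                      // flip one ciphertext bit
        try {
            decrypt(key, iv, aad, tampered);
            throw new IllegalStateException("tampered ciphertext was accepted");
        } catch (AEADBadTagException e) {
            System.out.println("integrity check failed, data rejected: " + e.getMessage());
        }
    }
}
```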
The following are some of the notable bug fixes included in this release:
core-libs
Better HTTP Redirection Support
In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.
JDK-8196902 (not public)
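One way for an application to handle the redirect responses itself, as described above (added example, not Oracle code): automatic following is switched off and the request properties are re-sent only to redirect targets whose host is on an allowlist. The class name, the trustedHosts policy, the X-Auth-Seen header and the loopback test server are assumptions constructed for the demonstration; the first call withholds the Authorization property after the redirect, the second re-sends it.

```java
import com.sun.net.httpserver.*;
import java.io.IOException;
import java.net.*;
import java.util.*;

public class ManualRedirects {
    // Request properties go to the original host and, after a redirect, only to
    // hosts in trustedHosts (a real policy may also compare scheme and port).
    static HttpURLConnection fetch(URL url, Map<String, String> props,
            Set<String> trustedHosts, int maxHops) throws IOException {
        boolean send = true;
        for (int hop = 0; hop <= maxHops; hop++) {
            HttpURLConnection c = (HttpURLConnection) url.openConnection();
            c.setInstanceFollowRedirects(false); // the application handles 3xx itself
            Map<String, String> out = send ? props : Collections.<String, String>emptyMap();
            for (Map.Entry<String, String> e : out.entrySet()) {
                c.setRequestProperty(e.getKey(), e.getValue());
            }
            int code = c.getResponseCode();
            String location = c.getHeaderField("Location");
            if (code / 100 != 3 || code == 304 || location == null) return c;
            c.disconnect();
            url = new URL(url, location); // resolves relative Location values
            send = trustedHosts.contains(url.getHost().toLowerCase());
        }
        throw new IOException("more than " + maxHops + " redirects");
    }

    public static void main(String[] args) throws Exception {
        // Constructed loopback server: /start (on 127.0.0.1) redirects to "localhost".
        final HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        srv.createContext("/", new HttpHandler() {
            public void handle(HttpExchange x) throws IOException {
                boolean auth = x.getRequestHeaders().containsKey("Authorization");
                x.getResponseHeaders().set("X-Auth-Seen", String.valueOf(auth));
                boolean first = x.getRequestURI().getPath().equals("/start");
                String next = "http://localhost:" + srv.getAddress().getPort() + "/final";
                if (first) x.getResponseHeaders().set("Location", next);
                x.sendResponseHeaders(first ? 302 : 200, -1);
                x.close();
            }
        });
        srv.start();
        URL start = new URL("http://127.0.0.1:" + srv.getAddress().getPort() + "/start");
        Map<String, String> props = Collections.singletonMap("Authorization", "Bearer constructed");
        Set<String> none = Collections.<String>emptySet(), local = Collections.singleton("localhost");
        System.out.println("untrusted target saw header: " + fetch(start, props, none, 5).getHeaderField("X-Auth-Seen"));
        System.out.println("trusted target saw header: " + fetch(start, props, local, 5).getHeaderField("X-Auth-Seen"));
        srv.stop(0);
    }
}
```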
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 7u201 Bug Fixes page.