7u221 Update Release Notes
Java™ SE Development Kit 7, Update 221 (JDK 7u221)
April 16, 2019
The full version string for this update release is 1.7.0_221-b08 (where "b" means "build"). The version number is 7u221.
IANA Data 2018g
JDK 7u221 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u221 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 7 | 1.7.0_221-b08 |
| 6 | 1.6.0_221 |
JRE Expiration Date
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 7u221) will expire with the release of the next critical patch update scheduled for July 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u221) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
Known Issues
core-libs
Accessing REIWA era in java.time.chrono.JapaneseEra
A static field representing a singleton instance of the REIWA era in java.time.chrono.JapaneseEra is added as a private field in this update. The singleton instance is not directly accessible, instead it can be obtained by calling JapaneseEra.of(3) and JapaneseEra.valueOf("Reiwa”).
See JDK-8174268
Changes
security-libs/java.security
Added GlobalSign R6 Root Certificate
The following root certificate has been added to the OpenJDK cacerts truststore:
-
GlobalSign
-
globalsignrootcar6
DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
-
JDK-8216577 (not public)
security-libs/javax.net.ssl
Distrust TLS Server Certificates Anchored by Symantec Root CAs
The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.
TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).
An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.
The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.
An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:
"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"
If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.
The restrictions are imposed on the following Symantec Root certificates included in the JDK:
Root Certificates distrusted after 2019-04-16
| Distinguished Name | SHA-256 Fingerprint |
|---|---|
| CN=GeoTrust Global CA, O=GeoTrust Inc., C=US |
FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA:DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A |
| CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US |
37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8:2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C |
| CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US |
5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F:7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66 |
| CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US |
B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E:E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4 |
| CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US |
A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93:42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12 |
| CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US |
8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A:97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F |
| CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US |
A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB:43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57 |
| CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US |
4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C:06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C |
| EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA |
3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47:9C:36:93:65:08:80:50:56:98:10:5D:BC:E9 |
| OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US |
3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1 |
| OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US |
A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05 |
| OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US |
83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B |
| CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1:B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44 |
| CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79 |
| CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99:89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF |
| CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5:C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C |
Subordinate Certificates distrusted after 2019-12-31
| Distinguished Name | SHA-256 Fingerprint |
|---|---|
| CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US |
AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A:9C:DB:EC:77:29:6A:42:4B |
| CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US |
A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A:C1:49:08:82:D4:88:ED |
If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.
You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore
<your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours.
See JDK-8207258
core-libs/java.time
The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the Japanese Government declared name "Reiwa". Applications that rely on the placeholder name to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.
See JDK-8205432
core-libs/java.util:i18n
Japanese New Era Implementation
The placeholder "NewEra" has been replaced with "Reiwa." Refer to the release note for JDK-8205432.
Japanese calendars, both in java.time.chrono and java.util packages support the upcoming Japanese new era, which will be in effect from May 1st, 2019. At the moment, the name of the era is not yet known, placeholder names ("元号" for Japanese, "NewEra" for other languages) are provided for its display names. The placeholder names will be replaced with the legitimate era name in a future update, thus applications should not depend on those placeholder names. Use integer values to refer to the new era instead. For example:
java.time.chrono.JapaneseEra.of(3).getDisplayName(TextStyle.FULL, Locale.US)
or
new java.util.Calendar.Builder()
.setCalendarType("japanese")
.setFields(Calendar.ERA, 5,
Calendar.YEAR, 1,
Calendar.MONTH, Calendar.MAY,
Calendar.DAY_OF_MONTH, 1)
.build()
.getDisplayName(Calendar.ERA, Calendar.LONG, Locale.US)
will output "NewEra."
See JDK-8202088
Bug Fixes
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 7u221 Bug Fixes page.