Java™ SE Development Kit 7, Update 72 (JDK 7u72) Release Notes

Java™ SE Development Kit 7, Update 72 (JDK 7u72)

The full version string for this update release is 1.7.0_72-b14 (where "b" means "build"). The version number is 7u72.

IANA Data 2014c

JDK 7u72 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u72 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
7 1.7.0_71
6 1.6.0_85
5.0 1.5.0_75

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 7u72) will expire with the release of the next critical patch update scheduled for January 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u72) on February 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

JavaFX Release Notes

This JDK release includes JavaFX version 2.2.72.

Selecting a Suitable JDK 7 Release

In this release, both JDK 7u71 and JDK 7u72 products are available. JDK 7u71 (CPU) contains vulnerability fixes and JDK 7u72 (PSU) contains all the fixes from 7u71 plus additional non-critical stability fixes.

Use JDK 7u71 release unless you need one of the additional fixes found on the JDK 7u72 release. For mission critical applications you should test with the PSU release regardless of whether you chose to use the CPU or the PSU as the fixes on the PSU will be included in the next CPU.

Instructions to disable SSL v3.0 in Oracle JDK and JRE

Oracle recommends that users and developers disable use of the SSLv3 protocol. Please follow the Instructions to disable SSL v3.0 in Oracle JDK and JRE.

Unsafe Server Certificate Change in SSL/TLS Renegotiations Not Allowed.

Starting with JDK 7u71, unsafe server certificate change in SSL/TLS renegotiations is not allowed by default. Server certificate change in an SSL/TLS renegotiation may be unsafe and should be restricted:

  • if endpoint identification is not enabled in an SSL/TLS handshaking; and
  • if the previous handshake is a session-resumption abbreviated initial handshake; and
  • the identities represented by both certificates (in previous handshake and this handshake) cannot be regraded as the same.

If unsafe server certificate change is really required, please set the system property, jdk.tls.allowUnsafeServerCertChange, to "true" before JSSE is initialized. Note that this would re-establish the unsafe server certificate change issue.

Change in javax.smartcardio.Card.disconnect(boolean reset) method behavior

Prior to the JDK 8u20 and JDK 7u72 releases, the javax.smartcardio.Card.disconnect(boolean reset) method had inverted logic for the 'reset' boolean value passed to it. The card was reset upon a disconnect if false was passed to it and vice versa. Starting with JDK 7u72 and JDK 8u20, the correct behavior as per API documentation has been implemented.

In order to provide backwards compatibility to users who rely on the old behavior, a new system property has been introduced. The following command-line option can be used to enforce the old broken behavior:

-Dsun.security.smartcardio.invertCardReset=true

This property is set by default for 7u72 and later JDK 7 update releases. By default, no behavioral change will be noticed in this area for JDK 7 update releases.

Also the following command-line option can be used to enforce the new correct behavior:

-Dsun.security.smartcardio.invertCardReset=false

This is default for 8u20 and later JDK 8 update releases. In future Java releases, the property will be ignored/disabled and default disconnect method behavior will be as specified by API.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 7u72 Bug Fixes page.

Area: security-libs/javax.net.ssl
Synopsis: Decrease the preference mode of RC4 in the enabled cipher suite list

This fix decreases the preference of RC4 based cipher suites in the default enabled cipher suite list of SunJSSE provider.

See JDK-8043832 (not public).