java

Release Notes for JDK 8 and JDK 8 Update Releases

This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 8.

Consolidated Release Notes for JDK 8 and JDK 8 Update Releases

BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.

  • JDK 8u421 (GA, PERF, and BPR builds)
  • JDK 8u411 (GA, PERF, and BPR builds)
  • JDK 8u401 (GA, PERF, and BPR builds)
  • JDK 8u391 (GA, PERF, and BPR builds)
  • JDK 8u381 (GA, PERF, and BPR builds)
  • JDK 8u371 (GA, PERF, and BPR builds)
  • JDK 8u361 (GA, PERF, and BPR builds)
  • JDK 8u351 (GA, PERF, and BPR builds)
  • JDK 8u345 (PERF and BPR builds)
  • JDK 8u341 (GA and BPR builds)
  • JDK 8u333 (GA and BPR builds)
  • JDK 8u331 (GA and BPR builds)
  • JDK 8u321 (GA and BPR builds)
  • JDK 8u311 (GA and BPR builds)
  • JDK 8u301 (GA and BPR builds)
  • JDK 8u291 (GA and BPR builds)
  • JDK 8u281 (GA and BPR builds)
  • JDK 8u271 (GA and BPR builds)
  • JDK 8u261 (GA and BPR builds)
  • JDK 8u251 (GA and BPR builds)
  • JDK 8u241 (GA and BPR builds)
  • JDK 8u231 (GA and BPR builds)
  • JDK 8u221 (GA and BPR builds)
  • JDK 8u212 (GA and BPR builds)
  • JDK 8u211 (GA)
  • JDK 8u202 (GA and BPR builds)
  • JDK 8u201 (GA)
  • JDK 8u192 (GA and BPR builds)
  • JDK 8u191 (GA)
  • JDK 8u181 (GA and BPR builds)
  • JDK 8u172 (GA and BPR builds)
  • JDK 8u171 (GA)
  • JDK 8u162 (GA and BPR builds)
  • JDK 8u161 (GA)
  • JDK 8u152 (GA and BPR builds)
  • JDK 8u151 (GA)
  • JDK 8u144 (GA and BPR builds)
  • JDK 8u141 (GA and BPR builds)
  • JDK 8u131 (GA and BPR builds)
  • JDK 8u121 (GA and BPR builds)
  • JDK 8u112 (GA and BPR builds)
  • JDK 8u111 (GA)
  • JDK 8u102 (GA and BPR builds)
  • JDK 8u101 (GA)
  • JDK 8u92 (GA and BPR builds)
  • JDK 8u91 (GA)
  • JDK 8u77 (GA and BPR builds)
  • JDK 8u74 (GA and BPR builds)
  • JDK 8u72 (GA and BPR builds)
  • JDK 8u73 (GA)
  • JDK 8u71 (GA)
  • JDK 8u66 (GA and BPR builds)
  • JDK 8u65 (GA)
  • JDK 8u60 (GA and BPR builds)
  • JDK 8u51 (GA and BPR builds)
  • JDK 8u45 (GA and BPR builds)
  • JDK 8u40 (GA and BPR builds)
  • JDK 8u31 (GA and BPR builds)
  • JDK 8u25 (GA and BPR builds
  • JDK 8u20 (GA and BPR builds)
  • JDK 8u11 (GA and BPR builds)
  • JDK 8u5 (GA and BPR builds)
  • JDK 8 (GA)

Java SE 8u421 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u421 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u421 b34

Bug Fixes

Release date: August 23, 2024
BugId Category Subcategory Summary
JDK-8336952 (not public) install jre msi installer can fail if run after using MSI Advertise option

 

Changes in Java SE 8u421 b33

Bug Fixes

Release date: August 12, 2024
BugId Category Subcategory Summary
JDK-8336107 (not public) install JDK rpm upgrade from 11.0.23 to 11.0.25 leaves "orphan" alternatives entry

 

Changes in Java SE 8u421 b32

Bug Fixes

Release date: July 16, 2024
BugId Category Subcategory Summary
JDK-8331765 javafx web Websocket callbacks are not executed after WebKit 617.1 update
JDK-8333859 core-libs java.util.jar Pack200.newUnpacker().unpack() throws IOException
JDK-8333447 (not public) install install "alternatives" uninstallation results into intermittent “Java not available” issues

Java SE 8u421 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u421 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u421-Perf b31

Bug Fixes

Release date: July 16, 2024
BugId Category Subcategory Summary
JDK-8333859 core-libs java.util.jar Pack200.newUnpacker().unpack() throws IOException

Java™ SE Development Kit 8, Update 421 Enterprise Performance Pack (JDK 8u421-PERF)

Release date: July 16, 2024

The full version string for this update release is 8u421-perf-b07 (where "b" means "build"). The version number is 8u421-perf.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u421 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u421-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u421) be used after the next critical patch update scheduled for October 15, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u421) on 2024-11-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

Other Notes

security-libs/java.security
 Added GlobalSign R46 and E46 Root CA Certificates (JDK-8316138)

The following root certificates have been added to the cacerts truststore:

+ GlobalSign

  + globalsignr46
    DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE

+ GlobalSign
  + globalsigne46
    DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE

security-libs/javax.net.ssl
 Disabled DTLS 1.0 (JDK-8256660)

DTLS 1.0 has been disabled by default, by adding "DTLSv1.0" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. Any attempts to use DTLSv1.0 will fail with an SSLHandshakeException. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the jdk.tls.disabledAlgorithms security property.

 

Changes in Java SE 8u421-Perf

Bug Fixes

JDK 8u421 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8321599hotspot/compilerData loss in AVX3 Base64 decoding
2JDK-8310844hotspot/compiler[AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate
3JDK-8324050hotspot/compilerIssue store-store barrier after re-materializing objects during deoptimization
4JDK-8326638hotspot/compilerCrash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop
5JDK-8319372hotspot/compilerC2 compilation fails with "Bad immediate dominator info"
6JDK-8282414hotspot/compilerx86: Enhance the assembler to generate more compact instructions
7JDK-8298129hotspot/jfrLet checkpoint event sizes grow beyond u4 limit
8JDK-8298649hotspot/jfrJFR: RemoteRecordingStream support for checkpoint event sizes beyond u4
9JDK-8286740hotspot/jfrJFR: Active Setting event emitted incorrectly
10JDK-8326106hotspot/jfrWrite and clear stack trace table outside of safepoint
11JDK-8298472hotspot/runtimeAArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options
12JDK-8278241hotspot/runtimeImplement JVM SpinPause on linux-aarch64
13JDK-8296437hotspot/runtimeNMT incurs costs if disabled
14JDK-8327036hotspot/runtime[macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0
15JDK-8319048hotspot/runtimeMonitor deflation unlink phase prolongs time to safepoint
16JDK-8324933hotspot/runtimeConcurrentHashTable::statistics_calculate synchronization is expensive

Java™ SE Development Kit 8, Update 421 (JDK 8u421)

Release date: July 16, 2024

The full version string for this update release is 8u421-b09 (where "b" means "build"). The version number is 8u421.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u421 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u421-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u421) be used after the next critical patch update scheduled for October 15, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u421) on 2024-11-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

install/install
 Adding Debug Log Files in macOS for Java Updater and JCP (JDK-8319745 (not public))

Debug log files for Java Updater and JCP have been added to the directory $HOME/Library/Application Support/Oracle/Java/Java Updater/ for macOS x64 and aarch64. Logs for Java Updater and JCP are separated into two log files: JavaUpdaterLog.txt and JCPUpdateLog.txt.

JavaUpdaterLog.txt is generated and logs debug lines if it does not already exist when Java Updater is run. Likewise, JCPUpdateLog.txt is generated and logs debug lines if it does not already exist when Java Control Panel is run.

If a log file already exists for Java Updater or JCP, the newly logged debug lines are appended at the end of the log file. Each log session has a header with a timestamp of when the application was run.

security-libs/java.security
 New Security Category for -XshowSettings Launcher Option (JDK-8281658)

The -XshowSettings launcher has a new security category. Settings from security properties, security providers and TLS related settings are displayed with this option. A security sub-category can be passed as an argument to the security category option. See the output from java -X:

   -XshowSettings:security

       show all security settings and continue
   -XshowSettings:security:*sub-category*
       show settings for the specified security sub-category and continue. Possible *sub-category* arguments for this option include:
       all: show all security settings and continue
       properties: show security properties and continue
       providers: show static security provider settings and continue
       tls: show TLS related security settings and continue

Third party security provider details will be reported if they are included in the application class path or module path and such providers are configured in the java.security file.

 

Known Issues

deploy/webstart
 Browser Keystore Usage on Windows (JDK-8330728 (not public))

On Windows, once the feature “Use certificates and keys in browser keystore” is enabled (which it is by default), Java WebStart and Java Plugin can access the certificates that are currently trusted by the local machine. There is no guarantee that the full list of trusted certificates is available, since the certificates are dynamically loaded. As a result, Java applets and Java WebStart applications might experience signature validation and secure connection issues caused by a lack of relevant certificates since the Deployment framework can only access the certificates that are 'active' at the time of an application's launch.

 

Notable Issues fixed

install
 No Default Java after 8u371 32-bit Upgrade (JDK-8306784)

To allow the java, javaw, and javaws executables to be run from any location, the JRE 8 Windows installers copy java.exe, javaw.exe, and javaws.exe helper files into the following directory:

C:\Program Files (x86)\Common Files\Oracle\Java\java8path.

Also, the system PATH variable is updated to include this location.

Note: In 8u411 and later releases, the directory name was changed from "javapath" to "java8path" to ensure compatibility with newer JDK family versions.

 

Removed Features and Options

install/install
 Remove Obsolete Desktop Integration from Linux Installers (JDK-8322234 (not public))

Delete nonfunctional desktop integration functionality from Linux installers. The installers will stop depositing files in /usr/share/icons, /usr/share/mime, and /usr/share/applications subtrees.

 

Other Notes

install/install
 Adding the STATIC=1 Argument to the JRE Installer (JDK-8313223 (not public))

This fix will add the STATIC=1 installer argument and deprecating the RETAIN_ALL_VERSIONS=1 installer argument. Passing STATIC=1 will protect older JRE 8 versions from being uninstalled during a manual upgrade or an auto-update.

install/install
 Provide Transition RPM with Old Package Name "jdk1.8" (JDK-8323482 (not public))

The "Obsoletes" tag has been removed from "jdk-1.8" and "jre-1.8" RPM packages.

New stub "jdk1.8" and "jre1.8" RPM packages have been provided. These are the pre-8u371 names without a dash. These packages do not install any files, but require corresponding update releases for "jdk-1.8" and "jre-1.8" packages, the post-8u371 name with the dash, respectively.

Users who only have 8u371 or newer RPM packages installed do not need to use the new stub "jdk1.8" or "jre1.8" RPM packages, and will not be affected by this change.

Users who install the new stub "jdk1.8" package and would like to downgrade it to 8u361 or an older version, will need to first manually uninstall the "jdk-1.8" package before the downgrade to prevent the side-by-side installation of older and newer Java 8 JDK RPM packages. The same applies to the "jre1.8" and "jre-1.8" packages.

If the "jdk-1.8" package is stored in an RPM repository, maintainers of the repository need to place an additional stub "jdk1.8" package next to "jdk-1.8" in that RPM repository. The same applies to the "jre1.8" and "jre-1.8" packages.

Users who install the "jdk-1.8" package from something other than an RPM repository need to specify paths to the RPM files with "jdk1.8" and "jdk-1.8" packages in a single update command if they would like to upgrade from 8u361 or older "jdk1.8" package. The same applies to the "jre1.8" and "jre-1.8" packages.

security-libs/java.security
 Added GlobalSign R46 and E46 Root CA Certificates (JDK-8316138)

The following root certificates have been added to the cacerts truststore:

+ GlobalSign

  + globalsignr46
    DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE

+ GlobalSign
  + globalsigne46
    DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE

infrastructure/build
 Native Executables and Libraries on Linux Use RPATH Instead of RUNPATH (JDK-8326891)

Native executables and libraries on Linux have switched to using RPATH instead of RUNPATH in this release.

JDK native executables and libraries use embedded runtime search paths to locate other internal JDK native libraries. On Linux these can be defined as either RPATH or RUNPATH. The main difference is that the dynamic linker considers RPATH before the LD_LIBRARY_PATH environment variable, while RUNPATH is only considered after LD_LIBRARY_PATH.

By making the change to using RPATH, it is no longer possible to replace JDK internal native libraries using LD_LIBRARY_PATH.

install/install
 Install DEB and RPM Java Packages in Version Directory (JDK-8325265 (not public))

The installation directory name of the Oracle JDK in RPM and DEB packages has changed from /usr/lib/jvm/jdk-1.8-oracle-${ARCH} to /usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}.

The installation directory name of the Oracle JRE in RPM and DEB packages has changed from /usr/lib/jvm/jre-1.8-oracle-${ARCH} to /usr/lib/jvm/jre-${VERSION}-oracle-${ARCH}.

Every update release will be installed in a separate directory on Linux platforms.

Installers will create a /usr/java/jdk-1.8-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JDK8 version.

Installers will create a /usr/java/jre-1.8-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JRE8 version.

install/install
 Installer Will Create a Junction Directory in a New Location (JDK-8329700 (not public))

The JRE will be installed in the following location, C:\Program Files\Java\jre$fullversion, where $fullversion is the technical version of the JRE. For instance, 8u421 will install into C:\Program Files\Java\jre1.8.0_421.

"C:\Program Files" will be adjusted to "C:\Program Files (x86)" for 32-bit Java.

For 64-bit installs, a junction will be created at C:\Program Files\Java\latest\jre-1.8. It will point to the latest 64-bit JRE of the Java 8 family.

For 32-bit installs, a junction will be created at C:\Program Files (x86)\Java\latest\jre-1.8. It will point to the latest 32-bit JRE of the Java 8 family.

This change of the JRE installation directories will also be reflected in the public JRE that is shipped with the JDK installer. Such changes were part of STATIC support implementation introduced in the 8u421 release.

 

Updates to Third Party Libraries

Library New Version Module JBS
ICU4C 74.2 javafx JDK-8324326
LCMS 2.16 java.desktop JDK-8321489
JPEG Image Decoding Software 9f java.desktop JDK-8324233
Zlib Data Compression Library 1.3.1 java.base JDK-8324632

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u421 release:

# BugId Component Summary
1JDK-8317771client-libs/javax.accessibility[macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma
2JDK-8296878client-libs/javax.swingDocument Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters
3JDK-8218917client-libs/javax.swingKeyEvent.getModifiers() returns inconsistent values for ALT keys
4JDK-8322239client-libs/javax.swing[macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane
5JDK-8318599core-libs/java.netHttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809
6JDK-8180310core-libs/java.rmi[testlibrary] TestSocketFactory null pointer when updating match bytes
7JDK-8324632core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.3.1
8JDK-8315117core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.3
9JDK-8318322core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-10-16
10JDK-8304761core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-03-22
11JDK-8302512core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-02-14
12JDK-8306031core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-04-13
13JDK-8308021core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-05-11
14JDK-8327631core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-03-07
15JDK-8313702core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-08-02
16JDK-8325029core-libs/javax.namingConnection.java now requires custom socket factories to implement javax.net.SocketFactory
17JDK-8285835hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work
18JDK-8287432hotspot/compilerC2: assert(tn->in(0) != __null) failed: must have live top node
19JDK-8197901hotspot/runtimeCrash during GC when logging level is debug
20JDK-8059924hotspot/runtimecom/sun/management/DiagnosticCommandMBean/DcmdMBeanPermissionsTest.java: assert(Universe::verify_in_progress() || !SafepointSynchronize::is_at_safepoint()) failed: invariant
21JDK-8329705javafx/accessibilityAdd missing Application thread checks to platform specific a11y methods
22JDK-8309374javafx/accessibilityAccessibility Focus Rectangle on ListItem is not drawn when ListView is shown for first time
23JDK-8311492javafx/graphicsFontSmoothingType LCD produces wrong color when transparency is used
24JDK-8324233javafx/graphicsUpdate JPEG Image Decoding Software to 9f
25JDK-8324326javafx/webUpdate ICU4C to 74.2
26JDK-8327177javafx/window-toolkitmacOS: wrong GlobalRef deleted in GlassMenu
27JDK-8326643security-libs/java.securityJDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message
28JDK-8312383security-libs/javax.net.sslLog X509ExtendedKeyManager implementation class name in TLS/SSL connection
29JDK-8247907security-libs/javax.xml.cryptoXMLDsig logging does not work
30JDK-8303809security-libs/org.ietf.jgssDispose context in SPNEGO NegotiatorImpl

Java SE 8u411 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u411 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u411 b32

Bug Fixes

Release date: June 10, 2024

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 8, Update 411 Enterprise Performance Pack (JDK 8u411-PERF)

Release date: April 16, 2024

The full version string for this update release is 8u411-perf-b08 (where "b" means "build"). The version number is 8u411-perf.

 

IANA TZ Data 2024a

JDK 8u411 contains IANA time zone data 2024a which contains the following changes:

  • Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
  • Vostok, Antarctica changed time zones on 2023-12-18.
  • Casey, Antarctica changed time zones five times since 2020.
  • Code and data fixes for Palestine timestamps starting in 2072.
  • A new data file zonenow.tab for timestamps starting now.
  • Kazakhstan unifies on UTC+5 beginning 2024-03-01.
  • Palestine springs forward a week later after Ramadan.
  • zic no longer pretends to support indefinite-past DST.
  • localtime no longer mishandles Ciudad Juárez in 2422.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u411 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u411-perf-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u411) be used after the next critical patch update scheduled for July 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider Java Management Service (JMS).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u411-perf) on 2024-08-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

security-libs/javax.crypto
 Update XML Security for Java to 3.0.3 (JDK-8319124)

The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1, SHA3_256_RSA_MGF1, SHA3_384_RSA_MGF1, and SHA3_512_RSA_MGF1. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.

Additionally, support for the following EdDSA signatures has been added: ED25519 and ED448. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here() function by default. However, we recommend avoiding the use of the here() function in new signatures and replacing existing signatures that use the here() function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here() function by setting the security property jdk.xml.dsig.hereFunctionSupported to "false".

 

Other Notes

java-libs/java.awt
 AWT SystemTray API Is Not Supported on Most Linux Desktops (JDK-8322750)

The java.awt.SystemTray API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.

Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported() will return false where ever the JDK determines the platform bug is likely to be present.

The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.

security-libs/java.security
 Added Certainly R1 and E1 Root Certificates (JDK-8321408)

The following root certificates have been added to the cacerts truststore:

+ Certainly

  + certainlyrootr1
    DN: CN=Certainly Root R1, O=Certainly, C=US

+ Certainly
  + certainlyroote1
    DN: CN=Certainly Root E1, O=Certainly, C=US

 

Changes in Java SE 8u411-Perf

Bug Fixes

JDK 8u411 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8271118hotspot/compilerC2: StressGCM should have higher priority than frequency-based policy
2JDK-8316679hotspot/compilerC2 SuperWord: wrong result, load should not be moved before store if not comparable
3JDK-8274060hotspot/compilerC2: Incorrect computation after JDK-8273454
4JDK-8273454hotspot/compilerC2: Transform (-a)*(-b) into a*b
5JDK-8315920hotspot/compilerC2: "control input must dominate current control" assert failure
6JDK-8297968hotspot/compilerCrash in PrintOptoAssembly
7JDK-8321215hotspot/compilerIncorrect x86 instruction encoding for VSIB addressing mode
8JDK-8316414hotspot/compilerC2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86
9JDK-8320209hotspot/compilerVectorMaskGen clobbers rflags on x86_64
10JDK-8318889hotspot/compilerC2: add bailout after assert Bad graph detected in build_loop_late
11JDK-8317507hotspot/compilerC2 compilation fails with "Exceeded _node_regs array"
12JDK-8277919hotspot/jfrOldObjectSample event causing bloat in the class constant pool in JFR recording
13JDK-8287113hotspot/jfrJFR: Periodic task thread uses period for method sampling events
14JDK-8322321hotspot/runtimeAdd man page doc for -XX:+VerifySharedSpaces
15JDK-8312585hotspot/runtimeRename DisableTHPStackMitigation flag to THPStackMitigation
16JDK-8312182hotspot/runtimeTHPs cause huge RSS due to thread start timing issue
17JDK-8312620hotspot/runtimeWSL Linux build crashes after JDK-8310233
18JDK-8312394hotspot/runtime[linux] SIGSEGV if kernel was built without hugepage support
19JDK-8323243hotspot/runtimeJNI invocation of an abstract instance method corrupts the stack

Java™ SE Development Kit 8, Update 411 (JDK 8u411)

Release date: April 16, 2024

The full version string for this update release is 8u411-b09 (where "b" means "build"). The version number is 8u411.

 

IANA TZ Data 2024a

JDK 8u411 contains IANA time zone data 2024a which contains the following changes:

  • Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
  • Vostok, Antarctica changed time zones on 2023-12-18.
  • Casey, Antarctica changed time zones five times since 2020.
  • Code and data fixes for Palestine timestamps starting in 2072.
  • A new data file zonenow.tab for timestamps starting now.
  • Kazakhstan unifies on UTC+5 beginning 2024-03-01.
  • Palestine springs forward a week later after Ramadan.
  • zic no longer pretends to support indefinite-past DST.
  • localtime no longer mishandles Ciudad Juárez in 2422.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u411 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u411-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u411) be used after the next critical patch update scheduled for July 16, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u411) on 2024-08-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.crypto
 Update XML Security for Java to 3.0.3 (JDK-8319124)

The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1, SHA3_256_RSA_MGF1, SHA3_384_RSA_MGF1, and SHA3_512_RSA_MGF1. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.

Additionally, support for the following EdDSA signatures has been added: ED25519 and ED448. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here() function by default. However, we recommend avoiding the use of the here() function in new signatures and replacing existing signatures that use the here() function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here() function by setting the security property jdk.xml.dsig.hereFunctionSupported to "false".

 

Other Notes

client-libs/java.awt
 AWT SystemTray API Is Not Supported on Most Linux Desktops (JDK-8322750)

The java.awt.SystemTray API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.

Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported() will return false where ever the JDK determines the platform bug is likely to be present.

The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.

security-libs/java.security
 Added Certainly R1 and E1 Root Certificates (JDK-8321408)

The following root certificates have been added to the cacerts truststore:

+ Certainly

  + certainlyrootr1
    DN: CN=Certainly Root R1, O=Certainly, C=US

+ Certainly
  + certainlyroote1
    DN: CN=Certainly Root E1, O=Certainly, C=US

security-libs/javax.xml.crypto
 Enable XML Signature Secure Validation Mode by Default (JDK-8259801)

The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures are subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property.

If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation property to Boolean.FALSE with the DOMValidateContext.setProperty() API.

 

Updates to Third Party Libraries

Library New Version Module JBS
Libxslt 1.1.39 javafx JDK-8318388
WebKit 617.1 javafx JDK-8318614
Glib 2.78.1 javafx JDK-8318386
GStreamer 1.22.6 javafx JDK-8318387
libpng 1.6.40 java.desktop JDK-8316030
Joni 2.2.1 jdk.scripting.nashorn JDK-8322094
Xalan Java 2.7.3 java.xml JDK-8305814
XML Security for Java 3.0.3 java.xml.crypto JDK-8319124

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u411 release:

# BugId Component Summary
1JDK-8318951client-libs/2dAdditional negative value check in JPEG decoding
2JDK-8152924core-libs/java.util.concurrentImprove scalability of CompletableFuture with large number of dependents
3JDK-8186464core-libs/java.util.jarZipFile cannot read some InfoZip ZIP64 zip files
4JDK-8321480core-libs/java.util:i18nISO 4217 Amendment 176 Update
5JDK-8260556docs/guidesUpdate Security Guide for Enable XML Signature secure validation mode by default
6JDK-8244207hotspot/compilerSimplify usage of Compile::print_method() when debugging with gdb and enable its use with rr
7JDK-8144856hotspot/compilerfix assert in CompiledStaticCall::set_to_interpreted
8JDK-8236772hotspot/compilerFix build for windows 32-bit after 8212160 and 8234331.
9JDK-8231430hotspot/compilerC2: Memory stomp in max_array_length() for T_ILLEGAL type
10JDK-8318889hotspot/compilerC2: add bailout after assert Bad graph detected in build_loop_late
11JDK-8317507hotspot/compilerC2 compilation fails with "Exceeded _node_regs array"
12JDK-8147611hotspot/gcG1 - Missing memory barrier in start_cset_region_for_worker
13JDK-8061467hotspot/gcBad page size passed to setup_large_pages() on Solaris
14JDK-8212160hotspot/jvmtiJVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value"
15JDK-8227277hotspot/jvmtiHeapInspection::find_instances_at_safepoint walks dead objects
16JDK-8236124hotspot/jvmtiMinimal VM slowdebug build failed after JDK-8212160
17JDK-8322321hotspot/runtimeAdd man page doc for -XX:+VerifySharedSpaces
18JDK-8059586hotspot/runtimehs_err report should treat redirected core pattern.
19JDK-8323243hotspot/runtimeJNI invocation of an abstract instance method corrupts the stack
20JDK-8067447hotspot/svcFactor out the shared implementation of the VM flags manipulation code
21JDK-8284544javafx/accessibility[Win] Name-Property of Spinner cannot be changed
22JDK-8319079javafx/graphicsMissing range checks in decora
23JDK-8320267javafx/webWebView crashes on macOS 11 with WebKit 616.1
24JDK-8320260javafx/webWebView: Update Public Suffix List to b5bf572
25JDK-8323879javafx/webconstructor Path(Path) which takes another Path object fail to draw on canvas html
26JDK-8324337javafx/webCherry-pick WebKit 617.1 stabilization fixes
27JDK-8322703javafx/webIntermittent crash in WebView in a JFXPanel from IME calls on macOS
28JDK-8325258javafx/webAdditional WebKit 617.1 fixes from WebKitGTK 2.42.5
29JDK-8323880javafx/webCaret rendered at wrong position in case of a click event on RTL text
30JDK-8326989javafx/webText selection issues on WebView after WebKit 617.1
31JDK-8221261javafx/window-toolkitDeadlock on macOS in JFXPanel app when handling IME calls
32JDK-8319669javafx/window-toolkit[macos14] Running any JavaFX app prints Secure coding warning
33JDK-8319727other-libs/corba:idlHarden BufferManagerReadStream underflow logic
34JDK-8307185security-libs/javax.crypto:pkcs11pkcs11 native libraries make JNI calls into java code while holding GC lock
35JDK-8255867security-libs/javax.net.sslSignatureScheme JSSE property does not preserve ordering in handshake messages
36JDK-8308245tools/javacAdd -proc:full to describe current default annotation processing policy
37JDK-8317815xml/jaxpXerces-J - Version.java did not get updated in JDK-8282280

Java SE 8u401 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u401 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u401 b35

Bug Fixes

Release date: April 3, 2024
BugId Category Subcategory Summary
JDK-8326643 security-libs java.security JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message

 

Changes in Java SE 8u401 b34

Bug Fixes

Release date: March 14, 2024
BugId Category Subcategory Summary
JDK-8325580 (not public) install install Remove "alternatives --remove" call from Java rpm installer

 

Changes in Java SE 8u401 b33

Bug Fixes

Release date: February 22, 2024
BugId Category Subcategory Summary
JDK-8309374 javafx accessibility Accessibility Focus Rectangle on ListItem is not drawn when ListView is shown for first time
JDK-8311492 javafx graphics FontSmoothingType LCD produces wrong color when transparency is used
JDK-8325150 core-libs java.time (tz) Update Timezone Data to 2024a

 

Changes in Java SE 8u401 b32

Bug Fixes

Release date: February 5, 2024
BugId Category Subcategory Summary
JDK-8227277 hotspot jvmti HeapInspection::find_instances_at_safepoint walks dead objects
JDK-8322725 core-libs java.time (tz) Update Timezone Data to 2023d

 

Changes in Java SE 8u401 b31

Bug Fixes

Release date: January 16, 2024
BugId Category Subcategory Summary
JDK-8284544 javafx accessibility [Win] Name-Property of Spinner cannot be changed
JDK-8319727 other-libs corba:idl Harden BufferManagerReadStream underflow logic

Java SE 8u401 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u401 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u401-Perf b31

Bug Fixes

January 16, 2024

This BPR contains all of the fixes included in the previous JDK 8 Enterprise Performance Pack BPR.


Java™ SE Development Kit 8, Update 401 Enterprise Performance Pack (JDK 8u401-PERF)

January 16, 2024

The full version string for this update release is 8u401-perf-b10 (where "b" means "build"). The version number is 8u401-perf.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u401 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u401-perf-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u401) be used after the next critical patch update scheduled for April 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider Java Management Service (JMS).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u401-perf) on 2024-05-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

security-libs/javax.xml.crypto
 New System Property to Toggle XML Signature Secure Validation Mode (JDK-8301260)

A new system property named org.jcp.xml.dsig.secureValidation has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.

Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.

 

Known Issues

hotspot/compiler
 Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))

When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].

 

Other Notes

security-libs/java.security
 Added Four Root Certificates from DigiCert, Inc. (JDK-8318759)

The following root certificates have been added to the cacerts truststore:

+ DigiCert, Inc.

  + digicertcseccrootg5
    DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicertcsrsarootg5
    DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlseccrootg5
    DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlsrsarootg5
    DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

security-libs/java.security
 Added Three Root Certificates from eMudhra Technologies Limited (JDK-8319187)

The following root certificates have been added to the cacerts truststore:

+ eMudhra Technologies Limited

  + emsignrootcag1
    DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsigneccrootcag3
    DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsignrootcag2
    DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

security-libs/java.security
 Added ISRG Root X2 CA Certificate from Let's Encrypt (JDK-8317374)

The following root certificate has been added to the cacerts truststore:

+ Let's Encrypt

  + letsencryptisrgx2
    DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US

security-libs/javax.net.ssl
 Call X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)

The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .

 

Changes in Java SE 8u401-Perf

Bug Fixes

JDK 8u401 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8299658hotspot/compilerC1 compilation crashes in LinearScan::resolve_exception_edge
2JDK-8301489hotspot/compilerC1: ShortLoopOptimizer might lift instructions before their inputs
3JDK-8313626hotspot/compilerC2 crash due to unexpected exception control flow
4JDK-8313402hotspot/compilerC1: Incorrect LoadIndexed value numbering
5JDK-8312909hotspot/compilerC1 should not inline through interface calls with non-subtype receiver
6JDK-8303279hotspot/compilerC2: crash in SubTypeCheckNode::sub() at IGVN split if
7JDK-8304954hotspot/compilerSegmentedCodeCache fails when using large pages
8JDK-8316178hotspot/compilerBetter diagnostic header for CodeBlobs
9JDK-8315377hotspot/compilerC2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes?
10JDK-8316514hotspot/compilerBetter diagnostic header for VtableStub
11JDK-8314024hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info
12JDK-8313262hotspot/compilerC2: Sinking node may cause required cast to be dropped
13JDK-8312440hotspot/compilerassert(cast != nullptr) failed: must have added a cast to pin the node
14JDK-8313756hotspot/compiler[BACKOUT] 8308682: Enhance AES performance
15JDK-8313760hotspot/compiler[REDO] Enhance AES performance
16JDK-8308103hotspot/compilerMassive (up to ~30x) increase in C2 compilation time since JDK 17
17JDK-8307683hotspot/compilerLoop Predication should not hoist range checks with trap on success projection by negating their condition
18JDK-8309119hotspot/compiler[17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication
19JDK-8275333hotspot/gcPrint count in "Too many recored phases?" assert
20JDK-8316906hotspot/gcClarify TLABWasteTargetPercent flag
21JDK-8270894hotspot/runtimeUse acquire semantics in ObjectSynchronizer::read_stable_mark()
22JDK-8305994hotspot/runtimeGuarantee eventual async monitor deflation
23JDK-8309228hotspot/runtimeClarify EXPERIMENTAL flags comment in hotspot/share/runtime/globals.hpp
24JDK-8306825hotspot/runtimeMonitor deflation might be accidentally disabled by zero intervals
25JDK-8279545hotspot/runtimeBuffer overrun in reverse_words of sharedRuntime_x86_64.cpp:3517
26JDK-8283326hotspot/runtimeImplement SafeFetch statically
27JDK-8314679hotspot/svc-agentSA fails to properly attach to JVM after having just detached from a different JVM

Java™ SE Development Kit 8, Update 401 (JDK 8u401)

January 16, 2024

The full version string for this update release is 8u401-b10 (where "b" means "build"). The version number is 8u401.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u401 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u401-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u401) be used after the next critical patch update scheduled for April 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider using Java Management Service (JMS).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u401) on 2024-05-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.xml.crypto
 New System Property to Toggle XML Signature Secure Validation Mode (JDK-8301260)

A new system property named org.jcp.xml.dsig.secureValidation has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.

Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.

core-libs/java.io:serialization
 JDK Flight Recorder Event for Deserialization (JDK-8261160)

A new JDK Flight Recorder (JFR) event has been added to monitor deserialization of objects. When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named java/deserialization, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object.

The new Deserialization Event captures:

  • Whether a serialization filter is configured or not.
  • The serialization filter status, if one is configured.
  • The class of the object being deserialized.
  • The number of array elements when deserializing an array.
  • The current graph depth.
  • The current number of object references.
  • The current number of bytes in the stream that have been consumed.
  • The exception type and message, if thrown by the serialization filter.

Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.

 

Known Issues

hotspot/compiler
 Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))

When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].

 

Other Notes

security-libs/java.security
 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).

security-libs/java.security
 Added Four Root Certificates from DigiCert, Inc. (JDK-8318759)

The following root certificates have been added to the cacerts truststore:

+ DigiCert, Inc.

  + digicertcseccrootg5
    DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicertcsrsarootg5
    DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlseccrootg5
    DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlsrsarootg5
    DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

security-libs/java.security
 Added Three Root Certificates from eMudhra Technologies Limited (JDK-8319187)

The following root certificates have been added to the cacerts truststore:

+ eMudhra Technologies Limited

  + emsignrootcag1
    DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsigneccrootcag3
    DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsignrootcag2
    DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

security-libs/java.security
 Added Telia Root CA v2 Certificate (JDK-8317373)

The following root certificate has been added to the cacerts truststore:

+ Telia Root CA v2

  + teliarootcav2
    DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI

security-libs/java.security
 Added ISRG Root X2 CA Certificate from Let's Encrypt (JDK-8317374)

The following root certificate has been added to the cacerts truststore:

+ Let's Encrypt

  + letsencryptisrgx2
    DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US

security-libs/javax.net.ssl
 Call X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)

The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u401 release:

# BugId Component Summary
1JDK-8286481client-libs/java.awtException printed to stdout on Windows when storing transparent image in clipboard
2JDK-6176679client-libs/java.awtApplication freezes when copying an animated gif image to the system clipboard
3JDK-8153090client-libs/javax.swingTAB key cannot change input focus after the radio button in the Color Selection dialog
4JDK-8313657core-libs/javax.namingcom.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors
5JDK-8314063core-libs/javax.namingThe socket is not closed in Connection::createSocket when the handshake failed for LDAP connection
6JDK-8302577docs/guidesUpdate JSSE Guide for JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit
7JDK-8283441hotspot/compilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
8JDK-8059735hotspot/compilermake_not_entrant_or_zombie sees zombies
9JDK-8075922hotspot/compilerassert(t == t_no_spec) fails in phaseX.cpp
10JDK-8067247hotspot/compilerCrash: assert(method_holder->data() == 0 ...) failed: a) MT-unsafe modification of inline cache
11JDK-8086053hotspot/compilerAddress inconsistencies regarding ZeroTLAB
12JDK-8169177hotspot/gcaarch64: SIGSEGV when "-XX:+ZeroTLAB" is specified along with GC options
13JDK-8149343hotspot/gcassert(rp->num_q() == no_of_gc_workers) failed: sanity
14JDK-8316906hotspot/gcClarify TLABWasteTargetPercent flag
15JDK-8032223hotspot/jvmtinsk/regression/b4663146 gets assert(SafepointSynchronize::is_at_safepoint() || JvmtiEnv::is_thread_fully_suspended(get_thread(), false, &debug_bits))
16JDK-8165496hotspot/jvmtiassert(_exception_caught == false) failed: _exception_caught is out of phase
17JDK-8193386hotspot/runtimeCompressedClassSize too large with MaxMetaspace
18JDK-8194246hotspot/runtimeJVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class
19JDK-8163146hotspot/runtimeRemove os::check_heap on Windows
20JDK-8227815hotspot/svcMinimal VM: set_state is not a member of AttachListener
21JDK-8313856javafx/graphicsReplace VLA with malloc in pango
22JDK-8317508javafx/mediaProvide media support for libavcodec version 60
23JDK-8313900javafx/mediaPossible NULL pointer access in NativeAudioSpectrum and NativeVideoBuffer
24JDK-8311097javafx/webSynchron XMLHttpRequest not receiving data
25JDK-8315074javafx/window-toolkitPossible null pointer access in native glass
26JDK-8315958javafx/window-toolkitMissing range checks in GlassPasteboard
27JDK-8315657javafx/window-toolkitApplication window not activated in macOS 14 Sonoma
28JDK-8319066javafx/window-toolkitApplication window not always activated in macOS 14 Sonoma
29JDK-8320597security-libs/java.securityRSA signature verification fails on signed data that does not encode params correctly
30JDK-8302017security-libs/java.securityAllocate BadPaddingException only if it will be thrown
31JDK-8284910security-libs/javax.securityBuffer clean in PasswordCallback

Java SE 8u391 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u391 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u391 b33

Bug Fixes

December 14, 2023
BugId Category Subcategory Summary
JDK-8054022 core-libs java.net HttpURLConnection timeouts with Expect: 100-Continue and no chunking
JDK-8306784 install install No default java after 8u371 upgrade

 

Changes in Java SE 8u391 b32

Bug Fixes

November 6, 2023
BugId Category Subcategory Summary
JDK-8312489 security-libs java.security Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

 

Changes in Java SE 8u391 b31

Bug Fixes

Fixes from the prior BPR are included in this version.


Java SE 8u391 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u391 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u391-Perf b33

Bug Fixes

October 19, 2023

This BPR contains all of the fixes included in the previous JDK 8 Enterprise Performance Pack BPR.


Java™ SE Development Kit 8, Update 391 Enterprise Performance Pack (JDK 8u391-PERF)

October 17, 2023

The full version string for this update release is 8u391-perf-b13 (where "b" means "build"). The version number is 8u391-perf.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u391-perf-b13

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


Other Notes

hotspot/compiler
 GregorianCalender.computeTime() JVM Crash (JDK-8308884)

A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalender.computeTime() method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.

 

Changes in Java SE 8u391-Perf

Bug Fixes

JDK 8u391 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Subcomponent Summary
1JDK-8274243hotspotcompilerImplement fast-path for ASCII-compatible CharsetEncoders on aarch64
2JDK-8299544hotspotcompilerImprove performance of CRC32C intrinsics (non-AVX-512) for small inputs
3JDK-8153837hotspotcompilerAArch64: Handle special cases for MaxINode & MinINode
4JDK-8272586hotspotcompileremit abstract machine code in hs-err logs
5JDK-8308192hotspotcompilerError in parsing replay file when staticfield is an array of single dimension
6JDK-8309266hotspotcompilerC2: assert(final_con == (jlong)final_int) failed: final value should be integer
7JDK-8300584hotspotcompilerAccelerate AVX-512 CRC32C for small buffers
8JDK-8274986hotspotcompilermax code printed in hs-err logs should be configurable
9JDK-8310126hotspotcompilerC1: Missing receiver null check in Reference::get intrinsic
10JDK-8284760hotspotcompilerCorrect type/array element offset in LibraryCallKit::get_state_from_digest_object()
11JDK-8299158hotspotcompilerImprove MD5 intrinsic on AArch64
12JDK-8303154hotspotcompilerInvestigate and improve instruction cache flushing during compilation
13JDK-8252990hotspotcompilerIntrinsify Unsafe.storeStoreFence
14JDK-8305088hotspotcompilerSIGSEGV in Method::is_method_handle_intrinsic
15JDK-8296545hotspotcompilerC2 Blackholes should allow load optimizations
16JDK-8292713hotspotcompilerUnsafe.allocateInstance should be intrinsified without UseUnalignedAccesses
17JDK-8302736hotspotcompilerMajor performance regression in Math.log on aarch64
18JDK-8307572hotspotcompilerAArch64: Vector registers are clobbered by some macroassemblers
19JDK-8280396hotspotgcG1: Full gc mark stack draining should prefer to make work available to other threads
20JDK-8308643hotspotgcIncorrect value of 'used' jvmstat counter
21JDK-8284532hotspotjfrMemory leak in BitSet::BitMapFragmentTable in JFR leak profiler
22JDK-8283520hotspotjfrJFR: Memory leak in dcmd_arena
23JDK-8307526hotspotjfr[JFR] Better handling of tampered JFR repository
24JDK-8309862hotspotjfrUnsafe list operations in JfrStringPool
25JDK-8307331hotspotjvmtiCorrectly update line maps when class redefine rewrites bytecodes
26JDK-8306428hotspotruntimeRunThese30M.java crashed with assert(early->flag() == current->flag() || early->flag() == mtNone)
27JDK-8297887hotspotruntimeUpdate Siphash
28JDK-8305425hotspotruntimeThread.isAlive0 doesn't need to call into the VM
29JDK-8269466hotspotruntimeFactor out the common code for initializing and starting internal VM JavaThreads
30JDK-8287854hotspotruntimeDangling reference in ClassVerifier::verify_class
31JDK-8303215hotspotruntimeMake thread stacks not use huge pages
32JDK-8290067hotspotruntimeShow stack dimensions in UL logging when attaching threads
33JDK-8283849hotspotsvcAsyncGetCallTrace may crash JVM on guarantee
34JDK-8301170hotspotsvcperfMemory_windows.cpp add free_security_attr to early returns
35JDK-8295657hotspotsvc-agentSA: Allow larger object alignments

Java™ SE Development Kit 8, Update 391 (JDK 8u391)

October 17, 2023

The full version string for this update release is 8u391-b13 (where "b" means "build"). The version number is 8u391.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u391-b13

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/java.security
 New JFR Event: jdk.SecurityProviderService (JDK-8254711)

A new Java Flight Recorder (JFR) event has been added to record details of java.security.Provider.getService(String type, String algorithm) calls.

The new event name is jdk.SecurityProviderService and contains the following fields:

Field name Field Description
type Type of Service
algorithm Algorithm Name
provider Security Provider

This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

tools/launcher
 -XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)

The -XshowSettings launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale showSettings option.

Example output using -X:showSettings:locale:

.....

Locale settings:
    default locale = English
    default display locale = English
    default format locale = English
    tzdata version = 2023c
    .....

 

Known Issues

javafx/media
 Media Playback Does Not Work on Ubuntu 23.10 (JDK-8317508)

Media playback does not work on Ubuntu 23.10. This affects most media formats such as MP4 with H.264/H.265, MP3, AAC, and HTTP Live Streaming. This is because JavaFX Media does not support libavcodec version 60. Support for libavcodec version 60 will be added with JDK-8317508. As a workaround, install libavcodec version 59 compiled with support for at least the following:

  • decoder: aac, mp3, mp3float, h264, hevc
  • parser: aac, h264, hevc
  • demuxer: aac, h264, hevc, mpegts, mpegtsraw

 

Removed Features and Options

security-libs/java.security
 Removed SECOM Trust System's RootCA1 Root Certificate (JDK-8295894)

The following root certificate from SECOM Trust System has been removed from the cacerts keystore:

+ alias name "secomscrootca1 [jdk]"

  Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP

infrastructure/build
 Removal of Linux ARM32 Support for JDK 8 (JDK-8305927 (not public))

Platform support for Linux ARM32 in JDK 8 has been removed. As a result, the ARM32 Hard Float ABI download will not be available. Operating Systems that supported ARM32 have reached their End of Life, thus there is no known OS support available.

 

Other Notes

security-libs/java.security
 Added Certigna Root CA Certificate (JDK-8314960)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)

  + certignarootca
    DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

security-libs/java.security
 Ignore Allow and Disallow Options for java.security.manager System Property (JDK-8301118)

In JDK 12, two new token options for the java.security.manager system property, "allow" and "disallow", were introduced.

Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via System.setSecurityManager, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.

Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a Could not create SecurityManager Error and the application will not start up.

From this release onward, the "allow" and "disallow" options for the java.security.manager system property will be ignored.

security-libs/javax.net.ssl
 The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit (JDK-8301700)

The JDK implementation of TLS 1.2 now uses a default Diffie Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.

As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize system property to 1024 (at their own risk).

This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.

install/install
 Allow JDK 8 Installed by MSI to Install Side-by-Side with Other JRE 8 Installations (JDK-8306899 (not public))

In 8u371, the behavior of the JRE installer was changed from installing the JRE in a full-version-specific directory to installing the JRE into a common shared directory. It also removed all older JRE versions in that same family.

In JDK 8u391, a new argument, RETAIN_ALL_VERSIONS=1, was introduced for the MSI installer. If the argument is used, the JRE will install into a jre$fullversion directory. Other JREs of the Java SE 8 family will not be automatically removed. More information can be found in the MSI Enterprise JRE Installer Guide for Windows.

other-libs/corba:idl
 CORBA _DynAnyStub and Associated Subclasses readObject Accepts Only Stringified IORs in IOR: URI format (JDK-8303384 (not public))

The readObject method changes made to _DynAnyFactoryStub in JDK-8285021, have been extended to a set of stub classes that have been categoriezed as pseudo IDL interfaces. These include:

org.omg.DynamicAny._DynArrayStub,

org.omg.DynamicAny._DynEnumStub,
org.omg.DynamicAny._DynFixedStub, 
org.omg.DynamicAny._DynSequenceStub, 
org.omg.DynamicAny._DynStructStub, 
org.omg.DynamicAny._DynUnionStub, 
org.omg.DynamicAny._DynValueStub,
org.omg.DynamicAny._DynAnyStub, 

For each of these stub classes, the readObject method has been amended such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format only. As the above stub classes are termed, locally or as ORB constrained types, it is not useful that serialized data should contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to an IOR of these stub classes. As such, using a corbaname to reference an instance of these locally constrained stub classes is not meaningful.

A system property is introduced, com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR, which when set to true, will revert the readObject method to its current behavior and disable the additional IOR checks. The default value of this system property is false. This system property can also be used to disable the IOR check performed in the org.omg.DynamicAny._DynAnyFactoryStub readObject method. As such, with respect to _DynAnyFactory, it complements the system property org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck introduced in JDK-8285021.

Additionally, the readObject method of the remote CORBA service stub classes:

org.omg.CosNaming._NamingContextStub.java,

org.omg.CosNaming._BindingIteratorStub.java,
org.omg.CosNaming._NamingContextExtStub.java,
org.omg.PortableServer._ServantActivatorStub.java,
org.omg.PortableServer._ServantLocatorStub.java,
com.sun.corba.se.spi.activation._ServerManagerStub.java,
com.sun.corba.se.spi.activation._ActivatorStub.java,
com.sun.corba.se.spi.activation._RepositoryStub.java,
com.sun.corba.se.spi.activation._InitialNameServiceStub.java,
com.sun.corba.se.spi.activation._LocatorStub.java,
com.sun.corba.se.spi.activation._ServerStub.java,

included in the JDK, have been similarly amended to include an IOR check when reading a stringified IOR from serialised data. To enable the IOR check, and prohibit corbaname or corbaloc URLs in a stringified IOR, the setting of the com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR system property to true is required.

A system property is introduced, com.sun.CORBA.IDL.Stubs.allowCorbanameInIOR, which when set to false, will activate an IOR check when reading a stringified IOR from serialised data and constrain a stringified IOR to that of IOR: URI format. Thus, prohibiting corbaname or corbaloc as a valid stringified IOR format. The default value of this system property is true. That is, corbaname or corbaloc are allowed in stringified IORs.

security-libs/javax.net.ssl
 Use Server Cipher Suites Preference by Default (JDK-8168261)

For TLS connections, the cipher suite selection, by default, is updated to use the server cipher suites preference. Applications can configure the behavior by using the SSLParameters.setUseCipherSuitesOrder​() method.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u391 release:

# BugId Component Summary
1JDK-8311689client-libs/java.awtWrong visible amount in Adjustable of ScrollPane
2JDK-8310054client-libs/java.awtScrollPane insets are incorrect
3JDK-8297923client-libs/java.awtjava.awt.ScrollPane broken after multiple scroll up/down
4JDK-8305815client-libs/java.awtUpdate Libpng to 1.6.39
5JDK-8305517core-libs/java.netMemory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress()
6JDK-8300098core-libs/java.util.concurrentjava/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3
7JDK-8234808core-svc/debuggerjdb quoted option parsing broken
8JDK-8290451hotspot/compilerIncorrect result when switching to C2 OSR compilation from C1
9JDK-8213419hotspot/compilerC2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1
10JDK-8183910hotspot/gcgc/arguments/TestAggressiveHeap.java fails intermittently
11JDK-8257239hotspot/gc[8u] G1: guarantee(!obj->is_forwarded()) failed: Object must not be forwarded
12JDK-8182703hotspot/gcCorrect G1 barrier queue lock orderings
13JDK-8207011hotspot/runtimeRemove uses of the register storage class specifier
14JDK-8297887hotspot/runtimeUpdate Siphash
15JDK-8284542javafx/accessibility[Accessibility] [Win] Missing attribute for toggle state of CheckBox in CheckBoxTreeItem
16JDK-8309508javafx/graphicsPossible memory leak in JPEG image loader
17JDK-8306328javafx/mediaUpdate libFFI to 3.4.4
18JDK-8306918javafx/webWebView: Update Public Suffix List to 88467c9
19JDK-8303748javafx/webWebKit build fails with Visual Studio 2022 17.5.0
20JDK-8306329javafx/webUpdate ICU4C to 73.1
21JDK-8310681javafx/webUpdate WebKit to 616.1
22JDK-8313177javafx/webWeb Workers timeout with Webkit 616.1
23JDK-8314212javafx/webCrash when loading cnn.com in WebView
24JDK-8313711javafx/webCherry-pick WebKit 616.1 stabilization fixes
25JDK-8313181javafx/webEnabling modern media controls on webkit 616.1 does not load button images on HTML5 video Element
26JDK-8144781javafx/window-toolkitAssertion failure in debug build running any JavaFX program on Mac
27JDK-8296452security-libs/javax.cryptoSolaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error
28JDK-8236671security-libs/javax.cryptoNullPointerException in JKS keystore
29JDK-8232950security-libs/javax.crypto:pkcs11SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
30JDK-8183107security-libs/javax.crypto:pkcs11PKCS11 regression regarding checkKeySize

Java SE 8u381 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u381 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u381 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-6176679 client-libs java.awt Application freezes when copying an animated gif image to the system clipboard
JDK-8286481 client-libs java.awt Exception printed to stdout on Windows when storing transparent image in clipboard
JDK-8314188 (not public) install install [macOS] Installation complete confirmation message not displayed

 

Changes in Java SE 8u381 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8306899 (not public) install install JRE 8u371 MSI unable to install side-by-side JREs
JDK-8311244 (not public) hotspot gc frequent crashes at g1CollectedHeap.cpp:5923 after updating to JDK8u371

 

Changes in Java SE 8u381 b31

Bug Fixes

BugId Category Subcategory Summary
JDK-8284542 jfx accessibility Missing attribute for toggle state of CheckBox in CheckBoxTreeItem
JDK-8309557 (not public) install Update the JRE 8 Description in RPM packages

Java SE 8u381 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u381 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u381-Perf b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8314063 core-libs javax.naming The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection
JDK-8313657 core-libs javax.naming com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors
JDK-8314929 (not public) hotspot jfr Fix 8286707 JFR: Don't commit JFR internal jdk.JavaMonitorWait events

 

Changes in Java SE 8u381-Perf b31

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.


Other Notes

hotspot/runtime
 ASLR Support for CDS Archive (JDK-8294323 (not public))

Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.

This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.

In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.

 

Changes in Java SE 8u381-Perf

Bug Fixes

JDK 8u381 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Subcomponent Summary
1JDK-8280007hotspotcompilerEnable Neoverse N1 optimizations for Arm Neoverse V1 & N2
2JDK-8299179hotspotcompilerArrayFill with store on backedge needs to reduce length by 1
3JDK-8302595hotspotcompileruse-after-free related to GraphKit::clone_map
4JDK-8299959hotspotcompilerC2: CmpU::Value must filter overflow computation against local sub computation
5JDK-8303564hotspotcompilerC2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi
6JDK-8303508hotspotcompilerVector.lane() gets wrong value on x86
7JDK-8299570hotspotcompiler[JVMCI] Insufficient error handling when CodeBuffer is exhausted
8JDK-8300079hotspotcompilerSIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
9JDK-8299259hotspotcompilerC2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
10JDK-8296318hotspotcompileruse-def assert: special case undetected loops nested in infinite loops
11JDK-8296412hotspotcompilerSpecial case infinite loops with unmerged backedges in IdealLoopTree::check_safepts
12JDK-8297730hotspotcompilerC2: Arraycopy intrinsic throws incorrect exception
13JDK-8301491hotspotcompilerC2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument
14JDK-8303588hotspotcompiler[JVMCI] make JVMCI source directories conform with standard layout
15JDK-8201516hotspotcompilerDebugNonSafepoints generates incorrect information
16JDK-8302508hotspotcompilerAdd timestamp to the output TraceCompilerThreads
17JDK-8289748hotspotcompilerC2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM
18JDK-8308884hotspotcompiler[17u/11u] Backout JDK-8297951
19JDK-8303511hotspotcompilerC2: assert(get_ctrl(n) == cle_out) during unrolling
20JDK-8291456hotspotjvmticom/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
21JDK-8280784hotspotruntimeVM_Cleanup unnecessarily processes all thread oops
22JDK-8294677hotspotruntimechunklevel::MAX_CHUNK_WORD_SIZE too small for some applications
23JDK-8277946hotspotruntimeNMT: Remove VM.native_memory shutdown jcmd command option
24JDK-8301123hotspotruntimeEnable Symbol refcounting underflow checks in PRODUCT
25JDK-8295974hotspotruntimejni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
26JDK-8287007hotspotruntime[cgroups] Consistently use stringStream throughout parsing code
27JDK-8278965hotspotruntimecrash in SymbolTable::do_lookup
28JDK-8301749hotspotruntimeTracking malloc pooled memory size

Java™ SE Development Kit 8, Update 381 (JDK 8u381)

July 18, 2023

The full version string for this update release is 8u381-b09 (where "b" means "build"). The version number is 8u381.

 

IANA TZ Data 2023c

JDK 8u381 contains IANA time zone data 2023c which contains the following changes since the previous update.

  • Egypt now uses DST again, from April through October.
  • This year Morocco springs forward April 23, not April 30.
  • Palestine delays the start of DST this year.
  • Much of Greenland still uses DST from 2024 on.
  • America/Yellowknife now links to America/Edmonton.
  • tzselect can now use current time to help infer timezone.
  • The code now defaults to C99 or later.
  • Fix use of C23 attributes.
  • This release's code and data are identical to 2023a.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u381 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u381-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u381) be used after the next critical patch update scheduled for October 17, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u381) on 2023-11-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

core-libs/java.lang
 Allow Additional Characters for GB18030-2022 Support (JDK-8301400)

The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 35 code points (U+9FCD - U+9FEF) from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 1 requirements.

core-libs/java.nio.charsets
 Support for GB18030-2022 (JDK-8307229)

The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset implementation for this new standard has now replaced the prior 2000 standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030, is introduced. By setting its value to 2000, the previous JDK releases' mappings for the GB18030 Charset are used, which are based on the 2000 standard.

core-libs/java.lang
 Allow Additional Characters for GB18030-2022 (Level 2) Support (JDK-8305681)

The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 108 code points from CJK Unified Ideographs Extension E block from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 2 requirements.

security-libs/javax.crypto
 JDK Now Accepts RSA Keys in PKCS#1 Format (JDK-8023980)

RSA private and public keys in PKCS#1 format can now be accepted by JDK providers, such as the RSA KeyFactory.impl from the SunRsaSign provider. The RSA private or public key object should have the PKCS#1 format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA private key and public key.

 

Known Issues

install
 Problem Upgrading JDK on Windows if System User Is Using Shared Files (JDK-8310932 (not public))

Installing into the same, shared jdk-(family) directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.

hotspot/gc
 JVM Crashes with Internal Error (g1CollectedHeap.cpp:5923) after Upgrading to JDK 8u371 or JDK 8u381 (JDK-8311244 (not public))

There is the possibility of an application crash with the following error:


# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx
# guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be

 

This affects JDK 8u371 and JDK 8u381 runtimes using G1 GC on all supported platforms.

The failure is now corrected in the JDK 8u381 b32 Bundle Patch Release available via My Oracle Support.

install
 No Default Java after 8u371 32-bit Upgrade (JDK-8306784 (not public))

Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe command to not be found. For example:

  1. Install 32-bit 8u361
  2. Install 64-bit 8u371 (or later)
  3. Install 32-bit 8u371 (or later)

java.exe will now not work from all places. It will only work directly from the bin directory.

java.exe will not work unless you specify the full path to the bin directory of your JRE.

There are 2 workarounds:

  • Workaround 1: uninstall and reinstall the latest version of 64-bit 8u371 (or later)
  • Workaround 2: specify the full path to java.exe in the \bin directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe

 

Other Notes

hotspot/runtime
 Cgroup v2 Support and Improvements in 8u381 (JDK-8307634)

JDK 8u381 includes several enhancements and fixes to improve the cgroup v1 and v2 support for containers. The improvements include accurately detecting the resource limits of containers, correctly reporting the collected container metrics, printing additional container information, and improving application stability in containerized environments.

Some of the notable stability enhancements are:

JDK-8292083: Java applications may experience out-of-memory errors and run the risk of being killed by the OOM killer when running in a containerized environment where the container is configured with a higher memory limit than the available physical memory on the host system. JDK 8u381 addresses this stability issue. In the previous release, this situation can be avoided by using either -XX:-UseContainerSupport, or -XX:MaxRAM=<physical memory>, or by setting a memory limit for your container that is lower than the physical memory.

JDK-8286030: This release addresses an issue where Java applications may encounter a fatal error when the same /tmp directory is shared across multiple containers. In earlier releases, this crash can be avoided by mounting /tmp to different locations for different containers. Alternatively, the '-XX:-UsePerfData' JVM option can be used to prevent JVMs running within different containers from writing performance data to the shared /tmp folder and thus avoid this issue.

install/install
 Starting in 8u371, the New RPM Package Obsoletes Older JDK 8 Packages and Disallows Downgrades (JDK-8307400)

Added an "Obsoletes" tag to JDK 8 RPM packages to allow automatic upgrades from older JDK 8 RPM packages.

  • jdk-1.8 package obsoletes jdk1.8 package.
  • jre-1.8 package obsoletes jre1.8 package.
  • jdk-1.8-headful package obsoletes jdk1.8 package.
  • jre-1.8-headful package obsoletes jre1.8 package.

No "Obsoletes" tag was added to the jdk-1.8-headless package to prevent upgrading from the full to headless JDK.

The changes allow automatic upgrades for JDK 8 RPM packages starting from the 8u151 update when jdk1.8 and jre1.8 package names were first introduced. Older JDK 8 updates will not be eligible for automatic upgrades to 8u381 and newer updates.

Due to the limitations of "Obsoletes" tag downgrades from 8u381 to older versions are not supported.

install/install
 Missing /usr/java/default Symlink on Linux Restored (JDK-8306690)

A regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.

install/install
 Installation of JDK RPM Corrupts Alternatives (JDK-8308244)

The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.

An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.

An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.

All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.

The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.

security-libs/java.security
 Added TWCA Root CA Certificate (JDK-8305975)

The following root certificate has been added to the cacerts truststore:

+ TWCA

  + twcaglobalrootca
    DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW

security-libs/java.security
 Added 4 GTS Root CA Certificates (JDK-8307134)

The following root certificates have been added to the cacerts truststore:

+ Google Trust Services LLC

 + gtsrootcar1
  DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootcar2
  DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar3
  DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar4
  DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US

security-libs/java.security
 Added Microsoft Corporation's 2 TLS Root CA Certificates (JDK-8304760)

The following root certificates have been added to the cacerts truststore:

+ Microsoft Corporation

  + microsoftecc2017
    DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US

+ Microsoft Corporation
  + microsoftrsa2017
    DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US

core-libs/java.lang
 System Property java.specification.maintenance.version Set to 5 (JDK-8303028)

This JDK implements Maintenance Release 5 of the Java SE 8 specification (JSR 337). This is indicated by the system property java.specification.maintenance.version having the value of "5".

hotspot/runtime
 ASLR Support for CDS Archive (JDK-8294323 (not public))

Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.

This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.

In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.

security-libs/java.security
 Throw Error If Default java.security File Fails to Load (JDK-8155246)

A behavioral change has been made when the default conf/security/java.security security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError.

Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.

security-libs/java.security
 New System Property to Control the Maximum Size of Signature Files (JDK-8300596 (not public))

A new system property, jdk.jar.maxSignatureFileSize, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u381 release:

# BugId Component Summary
1JDK-8304636client-libs/java.awtjava/awt/Mouse/EnterExitEvents/DragWindowTest.java fails with Compilation Error on JDK 8u
2JDK-8189604client-libs/java.awtpossible hang in sun.awt.shell.Win32ShellFolder2$KnownFolderDefinition::<clinit>
3JDK-8159956client-libs/java.awtEXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins
4JDK-8302151client-libs/javax.imageioBMPImageReader throws an exception reading BMP images
5JDK-8003399client-libs/javax.swingJFileChooser gives wrong path to selected file when saving to Libraries folder on Windows 7
6JDK-8017487client-libs/javax.swingfilechooser in Windows-Libraries folder: columns are mixed up
7JDK-8284756core-libs[11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
8JDK-8212528core-libsWrong cgroup subsystem being used for some CPU Container Metrics
9JDK-8275735core-libs[linux] Remove deprecated Metrics api (kernel memory limit)
10JDK-8305681core-libs/java.langAllow additional characters for GB18030-2022 (Level 2) support
11JDK-8241786core-libs/java.netImprove heuristic to determine default network interface on macOS
12JDK-8211382core-libs/java.nio.charsetsISO2022JP and GB18030 NIO converter issues
13JDK-8301119core-libs/java.nio.charsetsSupport for GB18030-2022
14JDK-8172347core-libs/java.rmiRefactoring src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java to improve testability of rmiregistry
15JDK-8212970core-libs/java.timeTZ database in "vanguard" format support
16JDK-8305400core-libs/java.util:i18nISO 4217 Amendment 175 Update
17JDK-8254001core-svc[Metrics] Enhance parsing of cgroup interface files for version detection
18JDK-8293540core-svc[Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
19JDK-8292541core-svc/java.lang.management[Metrics] Reported memory limit may exceed physical machine memory
20JDK-8301282docs/guidesJMX simple and delegation security samples don't work because of missing access control entries
21JDK-8293821docs/guidesJDK LTS backports for Doc Tasks for JEP C206/C208: Modernize Oracle JDK Linux RPMs and installers on Windows and macOS
22JDK-8233023hotspot/compilerassert(Opcode() == mem->Opcode() || phase->C->get_alias_index(adr_type()) == Compile::AliasIdxRaw) failed: no mismatched stores, except on raw memory
23JDK-8210389hotspot/compilerC2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
24JDK-8217230hotspot/compilerassert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
25JDK-8062258hotspot/compilercompiler/debug/TraceIterativeGVN.java segfaults in trace_PhaseIterGVN
26JDK-8281297hotspot/gcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
27JDK-8167196hotspot/gcWhiteBox methods should throw an exception if used with inappropriate collector.
28JDK-8264593hotspot/runtimedebug.cpp utilities should be available in product builds.
29JDK-8281274hotspot/runtimedeal with ActiveProcessorCount in os::Linux::print_container_info
30JDK-8266490hotspot/runtimeExtend the OSContainer API to support the pids controller of cgroups
31JDK-8273526hotspot/runtimeExtend the OSContainer API pids controller with pids.current
32JDK-8231610hotspot/runtimeRelocate the CDS archive if it cannot be mapped to the requested address
33JDK-8287741hotspot/runtimeFix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
34JDK-8287107hotspot/runtimeCgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
35JDK-8286030hotspot/runtimeAvoid JVM crash when containers share the same /tmp dir
36JDK-8287011hotspot/runtimeImprove container information
37JDK-8293472hotspot/runtimeIncorrect container resource limit detection if manual cgroup fs mounts present
38JDK-8292083hotspot/runtimeDetected container memory limit may exceed physical machine memory
39JDK-8272124hotspot/runtimeCgroup v1 initialization causes NullPointerException when cgroup path contains colon
40JDK-8281517install/installImprove the error message shown when a user tries to install the aarch64 bundle on an intel mac
41JDK-8284662javafx/accessibility[Win][Accessibility][ListCell] Screen reader fails to read ListView/ComboBox item count if > 100
42JDK-8251862javafx/graphicsWrong position of Popup windows at the intersection of 2 screens
43JDK-8301009javafx/webUpdate libxml2 to 2.10.3
44JDK-8306115javafx/webUpdate libxml2 to 2.10.4
45JDK-8304441javafx/window-toolkit[macos] Crash when putting invalid unicode char on clipboard
46JDK-8296654javafx/window-toolkit[macos] Crash when launching JavaFX app with JDK that targets SDK 13
47JDK-8292297security-libs/java.securityFix up loading of override java.security properties file
48JDK-8173181security-libs/java.securityEmpty string alias in KeyStore throws StringIndexOutOfBoundsException for getEntry()
49JDK-8293858security-libs/java.securityChange PKCS7 code to use default SecureRandom impl instead of SHA1PRNG
50JDK-8294906security-libs/javax.crypto:pkcs11Memory leak in PKCS11 NSS TLS server
51JDK-8274205security-libs/org.ietf.jgss:krb5Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
52JDK-8301269xml/jaxpUpdate Commons BCEL to Version 6.7.0

Java SE 8u371 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u371 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u371 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8307400 (not public) install install The new Java 8u371 RPMs break the standard RHEL OS update mechanism
JDK-8307777 (not public) install install JDK rpm packages have wrong license
JDK-8307831 (not public) install install Move dependency on libfreetype.so.6 from JDK8 headless to headful jdk

 

Changes in Java SE 8u371 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8159956 client-libs java.awt EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins
JDK-8305113 core-libs java.time (tz) Update Timezone Data to 2023c
JDK-8212970 core-libs java.time TZ database in "vanguard" format support
JDK-8306690 install install Restore missing /usr/java/default symlink on Linux
JDK-8305976 install install Installation of OL-specific x64 jdk rpms pulls in i686 dependencies
JDK-8305177 (not public) infrastructure build Perf and milestone suffix missing in rpm bundle names
JDK-8302112 (not public) hotspot test remove windows 2012 from task definitions

 

Changes in Java SE 8u371 b31

Bug Fixes

Fixes from the prior BPR are included in this version.


Java SE 8u371 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u371 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u371-Perf b35

Bug Fixes

BugId Category Subcategory Summary
JDK-8303215 hotspot runtime Make thread stacks not use huge pages
JDK-8303776 (not public) hotspot compiler Disable UseDynamicNumberOfCompilerThreads by default in Emmett
JDK-8301749 hotspot runtime Tracking malloc pooled memory size
JDK-8302508 hotspot compiler Add timestamp to the output TraceCompilerThreads
JDK-8229147 hotspot runtime Linux os::create_thread() overcounts guardpage size with newer glibc (>=2.27)
JDK-8285987 core-libs java.lang executing shell scripts without #! fails on Alpine linux

 

Changes in Java SE 8u371-Perf b34

Bug Fixes

BugId Category Subcategory Summary
JDK-8309862 hotspot jfr Unsafe list operations in JfrStringPool

 

Changes in Java SE 8u371-Perf b33

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.

 

Changes in Java SE 8u371-Perf b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8159956 client-libs java.awt EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins
JDK-8305113 core-libs java.time (tz) Update Timezone Data to 2023c
JDK-8212970 core-libs java.time TZ database in "vanguard" format support
JDK-8306690 install install Restore missing /usr/java/default symlink on Linux
JDK-8305976 install install Installation of OL-specific x64 jdk rpms pulls in i686 dependencies
JDK-8305177 (not public) infrastructure build Perf and milestone suffix missing in rpm bundle names
JDK-8302112 (not public) hotspot test remove windows 2012 from task definitions

 

Changes in Java SE 8u371-Perf b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8303452 (not public) hotspot jfr [JFR] Larger strings arent added to string pool

 

Changes in Java SE 8u371-Perf

Bug Fixes

JDK 8u371 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component/Subcomponent Summary
1JDK-8297656performance/hotspotAArch64: Enable AES/GCM Intrinsics
2JDK-8268276hotspot/compilerBase64 Decoding optimization for x86 using AVX-512
3JDK-8269404hotspot/compilerBase64 Encoding optimization enhancements for x86 using AVX-512
4JDK-8273108hotspot/compilerRunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276
5JDK-8273459hotspot/compilerUpdate code segment alignment to 64 bytes
6JDK-8296958hotspot/compiler[JVMCI] add API for retrieving ConstantValue attributes
7JDK-8296961hotspot/compiler[JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField
8JDK-8296960hotspot/compiler[JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool
9JDK-8296967hotspot/compiler[JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod
10JDK-8282528hotspot/compilerAArch64: Incorrect replicate2L_zero rule
11JDK-8277137hotspot/compilerSet OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
12JDK-8294902hotspot/compilerUndefined Behavior in C2 regalloc with null references
13JDK-8290322hotspot/compilerOptimize Vector.rearrange over byte vectors for AVX512BW targets.
14JDK-8295066hotspot/compilerFolding of loads is broken in C2 after JDK-8242115
15JDK-8296912hotspot/compilerC2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1
16JDK-8294538hotspot/compilermissing is_unloading() check in SharedRuntime::fixup_callers_callsite()
17JDK-8292602hotspot/compilerZGC: C2 late barrier analysis uses invalid dominator information
18JDK-8292660hotspot/compilerC2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly
19JDK-8292285hotspot/compilerC2: remove unreachable block after NeverBranch-to-Goto conversion
20JDK-8290964hotspot/compilerC2 compilation fails with assert "non-reduction loop contains reduction nodes"
21JDK-8281122hotspot/compiler[IR Framework] Cleanup IR matching code in preparation for JDK-8280378
22JDK-8276064hotspot/compilerCheckCastPP with raw oop input floats below a safepoint
23JDK-8296924hotspot/compilerC2: assert(is_valid_AArch64_address(dest.target())) failed: bad address
24JDK-8290850hotspot/compilerC2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph
25JDK-8297431hotspot/compiler[JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception
26JDK-8296136hotspot/compilerUse correct register in aarch64_enc_fast_unlock()
27JDK-8285835hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work
28JDK-8295788hotspot/compilerC2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node"
29JDK-8297951hotspot/compilerC2: Create skeleton predicates for all If nodes in loop predication
30JDK-8297264hotspot/compilerC2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top
31JDK-8295116hotspot/compilerC2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead
32JDK-8296389hotspot/compilerC2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors
33JDK-8242115hotspot/compilerC2 SATB barriers are not safepoint-safe
34JDK-8292301hotspot/compiler[REDO v2] C2 crash when allocating array of size too large
35JDK-8272985hotspot/gcReference discovery is confused about atomicity and degree of parallelism
36JDK-8296733hotspot/jfrJFR: File Read event for RandomAccessFile::write(byte[]) is incorrect
37JDK-8283199hotspot/runtimeLinux os::cpu_microcode_revision() stalls cold startup
38JDK-8287011hotspot/runtimeImprove container information
39JDK-8271506hotspot/runtimeAdd ResourceHashtable support for deleting selected entries
40JDK-8294160hotspot/runtimemisc crash dump improvements
41JDK-8286030hotspot/runtimeAvoid JVM crash when containers share the same /tmp dir
42JDK-8048190hotspot/runtimeNoClassDefFoundError omits original ExceptionInInitializerError
43JDK-8293472hotspot/runtimeIncorrect container resource limit detection if manual cgroup fs mounts present
44JDK-8262386hotspot/svc-agentresourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out

Java™ SE Development Kit 8, Update 371 (JDK 8u371)

April 18, 2023

The full version string for this update release is 8u371-b11 (where "b" means "build"). The version number is 8u371.

 

IANA TZ Data 2022g

JDK 8u371 contains IANA time zone data 2022g which contains the following changes since the previous update.

  • The northern edge of Chihuahua changes to US timekeeping.
  • Much of Greenland stops changing clocks after March 2023.
  • Fix some pre-1996 timestamps in northern Canada.
  • C89 is now deprecated; please use C99 or later.
  • Portability fixes for AIX, libintl, MS-Windows, musl, z/OS.
  • In C code, use more C23 features if available.
  • C23 timegm now supported by default.
  • Fixes for unlikely integer overflows.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u371 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u371-b11

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u371) after the next critical patch update release, scheduled for July 18, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u371) on 2023-08-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/org.ietf.jgss
 Added a Default Native GSS-API Library on Windows (JDK-6722928)

A native GSS-API library named sspi_bridge.dll has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It will be loaded when the sun.security.jgss.native system property is set to "true". A user can still load a third-party native GSS-API library by setting the sun.security.jgss.lib system property to its path.

Native GSS automatically uses cached credentials from operating systems, thus the javax.security.auth.useSubjectCredsOnly system property should be set to false.

com.sun.security.auth.module.Krb5LoginModule does not call native JGSS. Avoid using com.sun.security.auth.module.Krb5LoginModule from JAAS config.

 

Removed Features and Options

other-libs
 javax.script Engine Implementation and com.apple.concurrent.Dispatch Are Removed for macOS AArch64 (DK-8297475 (Not Public))

The AppleScript engine implementing the javax.script engine API has been removed without replacement. The AppleScript engine has worked inconsistently. The services configuration (META-INF/services) file was missing and only worked by accident when installing JDK 7 or JDK 8 on systems that had Apple's version of AppleScriptEngine.jar already on the system.

The com.apple.concurrent.Dispatch API was a Mac-only API. It was carried into JDK 7u4 with the port of Apple's JDK 6 code. Developers are encouraged to use the standard java.util.concurrent.Executor and java.util.concurrent.ExecutorService APIs instead.

 

Known Issues

install/install
 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8305976 (Not Public))

This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.

After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:

rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo

It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.

install/install
 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8306690 (Not Public))

Fixed a regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms. Now, installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.

hotspot
 JVM Crashes with `Internal Error (g1CollectedHeap.cpp:5923)` after Upgrading to JDK 8u371 (JDK-8311244 (not public))

After upgrading to JDK 8u371 or later, there is the possibility of an application crash. The error log has a stack trace that starts with the following:


# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx
# guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be

 

The above error may impact applications using G1 GC on all supported platforms.

Those who encounter the above error are encouraged to create a Service Request through My Oracle Support so that we can provide an interim solution to resolve the error.

 

Other Notes

client-libs/javax.swing
 System Property to Handle HTML ObjectView Creation (JDK-8296832 (Not Public))

Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object> tag which allows for subclasses of java.awt.Component to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true.

install/install
 RPM JDK Installer Changes (JDK-8292838 (Not Public))

The installation directory name of the Oracle JRE in an RPM package has changed from /usr/java/jre-1.8.0_${UPDATE}-${ARCH} to /usr/lib/jvm/jre-1.8-oracle-${ARCH}. The installation directory name of the Oracle JDK in an RPM package has changed from /usr/java/jdk-1.8.0_${UPDATE}-${ARCH} to /usr/lib/jvm/jdk-1.8-oracle-${ARCH}. Thus the 8u371 and 8u381 releases of JDK for x64 will both be installed in the /usr/lib/jvm/jdk-1.8-oracle-x64 directory and the JRE for x64 will both be installed in the /usr/lib/jvm/jre-1.8-oracle-x64 directory. Both JDK and JRE RPM packages will create /usr/java/jdk-1.8.0-${ARCH} and /usr/java/jre-1.8.0-${ARCH} links respectively pointing to the installation directories for backward compatibility.

For the x86_64 platform, the value of the ${ARCH} suffix has changed from amd64 to x64. For the x86_32 platform, the value of the ${ARCH} has changed from i586 to x86.

The JRE RPM package name has changed from jre1.8 to jre-1.8 to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JRE and then install the new JRE. For example, sudo rpm -e jre1.8; sudo rpm -i jre-8u371-linux-x64.rpm. The JDK RPM package name has changed from jdk1.8 to jdk-1.8 to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JDK and then install the new JDK. For example, sudo rpm -e jdk1.8; sudo rpm -i jdk-8u371-linux-x64.rpm.

Communication with the alternatives framework for the JDK RPM package has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 1.8 RPM package registers java and javac groups with the alternatives framework. The java group is for commands used to run applications: java, javaws, jcontrol, jjs, keytool, orbd, pack200, policytool, rmic, rmid, rmiregistry, servertool, tnameserv, unpack200. The javac group is used for all other commands. The set of commands registered by the package has not changed.

Three new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-1.8-headless, jdk-1.8-headful, and jre-1.8-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for download from oracle.com.

  • jdk-1.8-headless is a Headless Java Runtime for running non-GUI applications.
  • jdk-1.8-headful is a Headful Java Runtime with Development Tools for developing and running applications of all types.
  • jre-1.8-headful is a Headful Java Runtime for running applications of all types.

The combination of the OL-specific jdk-1.8-headless and jdk-1.8-headful packages provides the same JDK image and the same capabilities as the jdk-1.8 oracle.com package. The jre-1.8-headful package provides the same JRE image and the same capabilities as the jre-1.8 oracle.com package. OL-specific JDK and JRE RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix. The value of the Release property of all RPM packages contains the value of the build number instead of the milestone.

install/install
 Disable Side-by-Side Installations of Multiple JDK Updates in Windows JDK Installers (JDK-8292824 (Not Public))

Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. That is, all updates of the same release must share one installation directory. It will not be possible to install older versions of a family if there is a newer JRE of that family already installed.

Thus the JDK 8u371 and JDK 8u381 releases will both install into %Program Files%\Java\jdk-1.8 by default, and they both cannot be installed at the same time.

Note: The Java 8u371 feature JDK-8293762 will now only allow one JRE of each family to be installed at one time. The REMOVEOLDERJRES=1 feature will no longer be supported with the standalone MSI. This is by design, as we only allow one JRE of each family of Java. The newer JREs will auto-upgrade older JREs of the same family.

install/install
 All JDK Update Releases Are Installed into the Same Directory on macOS (JDK-8292832 (Not Public))

The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk1.8.0_${UPDATE}.jdk to /Library/Java/JavaVirtualMachines/jdk-1.8.jdk. Thus the 8u371 and 8u381 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-1.8.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 8 update releases shipped prior to this release, JDK 8u371, will not be uninstalled during installation of JDK 8u371 or later.

security-libs/java.security
 Added Certigna(Dhimyotis) CA Certificate (JDK-8245654)

The following root certificate has been added to the cacerts truststore:


+ Certigna (Dhimyotis)
   + certignaca
      DN: CN=Certigna, O=Dhimyotis, C=FR

security-libs/javax.net.ssl
 Removed SSLv2Hello and SSLv3 From Default Enabled TLS Protocols (JDK-8190492)

SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.

After this update, if SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.

If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the jdk.tls.client.protocols or jdk.tls.server.protocols system properties or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine.setEnabledProtocols() APIs.

hotspot/runtime
 JVM May Fail to Initialize on Some cgroups v1 Systems (JDK-8302716)

After updating to JDK 8u361, applications failed to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem.

The JVM sometimes failed to initialize on Linux systems where /proc/self/mountinfo does not contain any mounted filesystem or controllers for cgroup.

For background information, see also My Oracle Support see KM Doc ID 2923131.1.

infrastructure
 Toolchain Upgrade to Visual Studio 2022 (JDK-8283723)

As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.

If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes. More information can be found in “C++ binary compatibility between Visual Studio versions”.

security-libs/java.security
 Crypto-J Exception for Diffie-Hellman and DSA AlgorithmParameters Requests (JDK-8278027)

Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:

Exception in thread "main" java.io.IOException: Could not decode parameters. at com.rsa.cryptoj.o.ms.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)

Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.

install
 No Default Java after 8u371 32-bit Upgrade (JDK-8306784 (not public))

Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe command to not be found. For example:

  1. Install 32-bit 8u361
  2. Install 64-bit 8u371 (or later)
  3. Install 32-bit 8u371 (or later)

java.exe will now not work from all places. It will only work directly from the bin directory.

java.exe will not work unless you specify the full path to the bin directory of your JRE.

There are 2 workarounds:

  • Workaround 1: uninstall and reinstall the latest version of 64-bit 8u371 (or later)
  • Workaround 2: specify the full path to java.exe in the \bin directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u371 release:

# BugId Component Summary
1JDK-8285399client-libs/2dJNI exception pending in awt_GraphicsEnv.c:1432
2JDK-8284023client-libs/java.awtjava.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
3JDK-8296496client-libs/java.awtOverzealous check in sizecalc.h prevents large memory allocation
4JDK-8295685client-libs/java.awtUpdate Libpng to 1.6.38
5JDK-8294378core-libs/java.netURLPermission constructor exception when using tr locale
6JDK-8297569core-libs/java.netURLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378
7JDK-8299439core-libs/java.textjava/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
8JDK-8295530core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.2.13
9JDK-8287180core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-08-08
10JDK-8267038core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-03-02
11JDK-8296239core-libs/java.util:i18nISO 4217 Amendment 174 Update
12JDK-8241900hotspot/compilerLoop unswitching may cause dependence on null check to be lost
13JDK-8179954hotspot/compilerAArch64: C1 and C2 volatile accesses are not sequentially consistent
14JDK-8210387hotspot/compilerC2 compilation fails with "assert(node->_last_del == _last) failed: must have deleted the edge just produced"
15JDK-8248552hotspot/compilerC2 crashes with SIGFPE due to division by zero
16JDK-8069191hotspot/compilermoving predicate out of loops may cause array accesses to bypass null check
17JDK-8250825hotspot/compilerC2 crashes with assert(field != __null) failed: missing field
18JDK-8255466hotspot/compilerC2 crashes at ciObject::get_oop() const+0x0
19JDK-8272985hotspot/gcReference discovery is confused about atomicity and degree of parallelism
20JDK-8005165hotspot/runtimeRemove CPU-dependent code in self-patching vtables
21JDK-8271506hotspot/runtimeAdd ResourceHashtable support for deleting selected entries
22JDK-8253797hotspot/runtime[cgroups v2] Account for the fact that swap accounting is disabled on some systems
23JDK-8239785hotspot/runtimeCgroups: Incorrect detection logic on old systems in hotspot
24JDK-8239559hotspot/runtimeCgroups: Incorrect detection logic on some systems
25JDK-8048190hotspot/runtimeNoClassDefFoundError omits original ExceptionInInitializerError
26JDK-8197859hotspot/runtimeVS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp
27JDK-8254997hotspot/runtimeRemove unimplemented OSContainer::read_memory_limit_in_bytes
28JDK-8252359hotspot/runtimeHotSpot Not Identifying it is Running in a Container
29JDK-8253435hotspot/runtimeCgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
30JDK-8284633hotspot/runtimeCompressedClassPointers.java fails on macos-aarch64
31JDK-8220658hotspot/runtimeImprove the readability of container information in the error log
32JDK-8291763hotspot/runtimeInclude virtualization information in hs_err crash log on Solaris
33JDK-8289424hotspot/runtimeInclude LD_HWCAP in hs_err log output
34JDK-8298349install/install/usr/java/latest points to wrong JDK
35JDK-8298330install/install/usr/java/latest is missing after one of JDK rpms is uninstalled
36JDK-8149508javafx/controlsPerformance issue when scrolling ListView due to excess CSS processing
37JDK-8294400javafx/mediaProvide media support for libavcodec version 59
38JDK-8257895javafx/mediaAllow building of JavaFX media libs for Apple Silicon
39JDK-8298167javafx/webOpacity in WebView not working anymore
40JDK-8295755javafx/webUpdate SQLite to 3.39.4
41JDK-8303217javafx/webWebview loaded webpage is not showing play, volume related buttons for embeded Audio/Video elements
42JDK-8301022javafx/webVideo distortion is observed while playing youtube video
43JDK-8300954javafx/webHTML default Range input control not rendered
44JDK-8301712javafx/web[linux] Crash on exit from WebKit 615.1
45JDK-8302684javafx/webCherry-pick WebKit 615.1 stabilization fixes (2)
46JDK-8302294javafx/webCherry-pick WebKit 615.1 stabilization fixes
47JDK-8299977javafx/webUpdate WebKit to 615.1
48JDK-8242151security-libs/java.securityImprove OID mapping and reuse among JDK security providers for aliases registration
49JDK-8242897security-libs/java.securityKeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException
50JDK-8280890security-libs/java.securityCannot use '-Djava.system.class.loader' with class loader in signed JAR
51JDK-8200468security-libs/org.ietf.jgssPort the native GSS-API bridge to Windows
52JDK-8253829security-libs/org.ietf.jgssWrong length compared in SSPI bridge
53JDK-8225687security-libs/org.ietf.jgssNewly added sspi.cpp in JDK-6722928 still contains some small errors
54JDK-8175000tools/launcherjexec fails to execute simple helloworld.jar

Java SE 8u361 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u361 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u361 b35

Bug Fixes

BugId Category Subcategory Summary
JDK-8299439 core-libs java.text java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
JDK-8017487 client-libs javax.swing filechooser in Windows-Libraries folder: columns are mixed up
JDK-8301318 (Confidential) deploy webstart Few JVM arguments are not supported in JAVAWS/JNLP

 

Changes in Java SE 8u361 b34

Bug Fixes

BugId Category Subcategory Summary
JDK-8274205 security-libs org.ietf.jgss:krb5 Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
JDK-8284662 javafx accessibility Screen reader fails to read ListView/ComboBox item count if > 100

 

Changes in Java SE 8u361 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8251862 javafx graphics Wrong position of Popup windows at the intersection of 2 screens
JDK-8149508 javafx controls Performance issue when scrolling ListView due to excess CSS processing
JDK-8299741 install autoupdate A temporary file is left in 'locallow' temp directory after Java Update

 

Changes in Java SE 8u361 b32

hotspot/runtime
 JVM Will Fail to Initialize on Some cgroups v1 Systems (JDK-8302716)

The JVM will fail to initialize on Linux systems where /proc/self/mountinfo does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.

A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).

Bug Fixes

BugId Category Subcategory Summary
JDK-8089986 javafx controls Menu beeps when mnemonics is used
JDK-7131823 client-libs javax.imageio bug in GIFImageReader
JDK-6357887 client-libs 2d selected printertray is ignored under linux
JDK-8239559 hotspot runtime Cgroups: Incorrect detection logic on some systems
JDK-8239785 hotspot runtime Cgroups: Incorrect detection logic on old systems in hotspot
JDK-8048190 hotspot runtime NoClassDefFoundError omits original ExceptionInInitializerError
JDK-8271506 hotspot runtime Add ResourceHashtable support for deleting selected entries

 

Changes in Java SE 8u361 b31

Bug Fixes

BugId Category Subcategory Summary
JDK-8205959 core-libs java.net Do not restart close if errno is EINTR
JDK-8280890 security-libs java.security Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8299628 (Confidential) javafx graphics BMP top-down images fail to load after JDK-8289336
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

Java SE 8u361 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u361 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u361-Perf b35

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.

 

Changes in Java SE 8u361-Perf b34

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.

 

Changes in Java SE 8u361-Perf b33

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.

 

Changes in Java SE 8u361-Perf b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-6357887 client-libs 2d selected printertray is ignored under linux
JDK-7131823 client-libs javax.imageio bug in GIFImageReader

 

Changes in Java SE 8u361-Perf b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8205959 core-libs java.net Do not restart close if errno is EINTR
JDK-8280890 security-libs java.security Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

 

Changes in Java SE 8u361-Perf

Bug Fixes

JDK 8u361 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Subcomponent Summary
1JDK-8293319hotspotcompiler[C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
2JDK-8280511hotspotcompilerAArch64: Combine shift and negate to a single instruction
3JDK-8276108hotspotcompilerWrong instruction generation in aarch64 backend
4JDK-8251216hotspotcompilerImplement MD5 intrinsics on AArch64
5JDK-8186670hotspotcompilerImplement _onSpinWait() intrinsic for AArch64
6JDK-8290781hotspotcompilerSegfault at PhaseIdealLoop::clone_loop_handle_data_uses
7JDK-8282347hotspotcompilerAARCH64: Untaken branch in has_negatives stub
8JDK-8282049hotspotcompilerAArch64: Use ZR for integer zero immediate volatile stores
9JDK-8291775hotspotcompilerC2: assert(r != __null && r->is_Region()) failed: this phi must have a region
10JDK-8290711hotspotcompilerassert(false) failed: infinite loop in PhaseIterGVN::optimize
11JDK-8287349hotspotcompilerAArch64: Merge LDR instructions to improve C1 OSR performance
12JDK-8277411hotspotcompilerC2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
13JDK-8277358hotspotcompilerAccelerate CRC32-C
14JDK-8291599hotspotcompilerAssertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
15JDK-8290705hotspotcompilerStringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
16JDK-8290529hotspotcompilerC2: assert(BoolTest(btest).is_canonical()) failure
17JDK-8288445hotspotcompilerAArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
18JDK-8280872hotspotcompilerReorder code cache segments to improve code density
19JDK-8272094hotspotcompilercompiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
20JDK-8293816hotspotcompilerCI: ciBytecodeStream::get_klass() is not consistent
21JDK-8293044hotspotcompilerC1: Missing access check on non-accessible class
22JDK-8292158hotspotcompilerAES-CTR cipher state corruption with AVX-512
23JDK-8270947hotspotcompilerAArch64: C1: use zero_words to initialize all objects
24JDK-8287425hotspotcompilerRemove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
25JDK-8290451hotspotcompilerIncorrect result when switching to C2 OSR compilation from C1
26JDK-8268779hotspotgcZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
27JDK-8278389hotspotgcSuspendibleThreadSet::_suspend_all should be volatile/atomic
28JDK-8288754hotspotgcGCC 12 fails to build zReferenceProcessor.cpp
29JDK-8279398hotspotjfrjdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
30JDK-8268297hotspotjfrjdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
31JDK-8291459hotspotruntimeJVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
32JDK-8292083hotspotruntimeDetected container memory limit may exceed physical machine memory
33JDK-8293156hotspotsvcDcmd VM.classloaders fails to print the full hierarchy

Java™ SE Development Kit 8, Update 361 (JDK 8u361)

January 17, 2023

The full version string for this update release is 8u361-b09 (where "b" means "build"). The version number is 8u361.

 

IANA TZ Data 2022d, 2022e, 2022f

JDK 8u361 contains IANA time zone data 2022d, 2022e, 2022f.
  • Palestine transitions are now Saturdays at 02:00.
  • Simplify three Ukraine zones into one.
  • Jordan and Syria switch from +02/+03 with DST to year-round +03.
  • Mexico will no longer observe DST except near the US border.
  • Chihuahua moves to year-round -06 on 2022-10-30.
  • Fiji no longer observes DST.
  • Move links to 'backward'.
  • In vanguard form, GMT is now a Zone and Etc/GMT a link.
  • zic now supports links to links, and vanguard form uses this.
  • Simplify four Ontario zones.
  • Fix a Y2438 bug when reading TZif data.
  • Enable 64-bit time_t on 32-bit glibc platforms.
  • Omit large-file support when no longer needed.
  • In C code, use some C23 features if available.
  • Remove no-longer-needed workaround for Qt bug 53071.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u361 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u361-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u361) be used after the next critical patch update scheduled for April 18, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u361) on 2023-05-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/java.security
 Support for RSASSA-PSS in OCSP Response (JDK-8274471)

An OCSP response signed with the RSASSA-PSS algorithm is now supported.

 

Known Issues

hotspot/runtime
 JVM Will Fail to Initialize on Some cgroups v1 Systems (JDK-8302716)

After updating to JDK 8u361, applications may fail to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem.

The JVM will fail to initialize on Linux systems where /proc/self/mountinfo does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.

A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).

 

Other Notes

hotspot/runtime
 CPU Shares Ignored When Computing Active Processor Count (JDK-8281181)

Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an under utilization of CPU resources when the JVM is used inside a container.

Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.

javafx/fxml
 FXML JavaScript Engine Disabled by Default (JDK-8294779 (not public))

The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.

It can be enabled by setting the system property: -Djavafx.allowjs=true

core-libs/java.lang
 Incorrect Handling of Quoted Arguments in ProcessBuilder (JDK-8282008)

ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\", would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.

core-libs/java.net
 Make HttpURLConnection Default Keep Alive Timeout Configurable (JDK-8278067)

Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server and http.keepAlive.time.proxy respectively. More information about them can be found in Networking Properties.

tools/visualvm
 VisualVM tool no longer bundled (JDK-8294184)

This version of the JDK no longer includes a copy of Java VisualVM. VisualVM is now available as a separate download from https://visualvm.github.io.

other-libs/corba
 CORBA _DynAnyFactoryStub readObject Accepts Only Stringified ior in IOR: URI format (JDK-8285021 (not public))

The readObject method of _DynAnyFactoryStub has been amended, such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format, only. As DynAnyFactory is a locally or ORB constrained type, it is not useful that serialized data should contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to a DynAnyFactory IOR, as such, using a corbaname to reference an instance of DynAnyFactory is not meaningful.

A system property is introduced, org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck, which when set to true, will revert the _DynAnyFactoryStub::readObject to its current behavior and bypass the additional IOR checks.

security-libs/javax.net.ssl
 Change in SSLEngine.closeInbound() Behavior (JDK-8273553)

The SunJSSE close notification checks for SSLEngine to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.

Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:

  1. trigger the transmission of a TLS fatal-level alert to the peer, and
  2. invalidate the current TLS session

The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.

In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u361 release:

# BugId Component Summary
1JDK-8240756client-libs/2d[macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
2JDK-8212677client-libs/java.awtX11 default visual support for IM status window on VNC
3JDK-8231445client-libs/java.awtcheck ZALLOC return values in awt coding
4JDK-8284033client-libs/java.awtLeak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
5JDK-8277497client-libs/javax.accessibilityLast column cell in the JTable row is read as empty cell
6JDK-8280950core-libs/java.utilRandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
7JDK-8281183core-libs/java.utilRandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
8JDK-8294307core-libs/java.util:i18nISO 4217 Amendment 173 Update
9JDK-8215571core-svc/debuggerjdb does not include jdk.* in the default class filter
10JDK-8197387core-svc/toolsjcmd started by "root" must be allowed to access all VM processes
11JDK-8294294docs/guidesDocument jdk.xml.xpathExprGrpLimit, jdk.xml.xpathExprOpLimit, and jdk.xml.xpathTotalOpLimit in the JAXP Security Guide
12JDK-8145458docs/hotspotJDK 8 man page incorrectly states -XX:ThreadStackSize=size sets the thread stack size (in bytes).
13JDK-8217359hotspot/compilerC2 compiler triggers SIGSEGV after transformation in ConvI2LNode::Ideal
14JDK-8255058hotspot/compilerC1: assert(is_virtual()) failed: type check
15JDK-8253816hotspot/compilerSupport macOS W^X
16JDK-8253795hotspot/compilerImplementation of JEP 391: macOS/AArch64 Port
17JDK-8168712hotspot/compiler[AOT] assert(false) failed: DEBUG MESSAGE: InterpreterMacroAssembler::call_VM_base: last_sp != NULL
18JDK-8261336hotspot/compilerIGV: enhance default filters
19JDK-8253817hotspot/runtimeSupport macOS Aarch64 ABI in Interpreter
20JDK-8200109hotspot/runtimeNMT: diff_malloc_site assert(early->flags() == current->flags(), "Must be the same memory type")
21JDK-8238676hotspot/runtimejni crashes on accessing it from process exit hook
22JDK-8230305hotspot/runtimeCgroups v2: Container awareness
23JDK-8027429hotspot/runtimeAdd diagnostic command VM.info to get hs_err print-out
24JDK-8253714hotspot/runtime[cgroups v2] Soft memory limit incorrectly using memory.high
25JDK-8253727hotspot/runtime[cgroups v2] Memory and swap limits reported incorrectly
26JDK-8255716hotspot/runtimeAArch64: Regression: JVM crashes if manually offline a core
27JDK-8191846hotspot/svcjstat prints debug message when debugging is disabled
28JDK-8038392hotspot/svcGenerating prelink cache breaks JAVA 'jinfo' utility normal behaviour
29JDK-8087557javafx/accessibility[Win] [Accessibility, Dialogs] Alert Dialog content is not fully read by Screen Reader
30JDK-8284281javafx/accessibility[Accessibility] [Win] [Narrator] Exceptions with TextArea & TextField when deleted last char
31JDK-8291087javafx/accessibilityWrong position of focus of screen reader on Windows with screen scale > 1
32JDK-8293795javafx/accessibility[Accessibility] [Win] [Narrator] Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField
33JDK-8289542javafx/graphicsUpdate JPEG Image Decoding Software to 9e
34JDK-8293971javafx/mediaLoading new Media from resources can sometimes fail when loading from FXML
35JDK-8289541javafx/webUpdate ICU4C to 71.1
36JDK-8257722security-libs/java.securityImprove "keytool -printcert -jarfile" output
37JDK-8273553security-libs/javax.net.sslsun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368

Java SE 8u351 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u351 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u351 b34

Bug Fixes

BugId Category Subcategory Summary
JDK-8294307 core-libs java.util:i18n ISO 4217 Amendment 173 Update
JDK-8296239 core-libs java.util:i18n ISO 4217 Amendment 174 Update
JDK-8295173 core-libs java.time (tz) Update Timezone Data to 2022e
JDK-8296108 core-libs java.time (tz) Update Timezone Data to 2022f

 

Changes in Java SE 8u351 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8278027 security-libs javax.crypto X509Key.decode exception while using JSafeJCE FIPS provider

 

Changes in Java SE 8u351 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8224671 hotspot compiler AArch64: mauve System.arraycopy test failure
JDK-8292695 hotspot runtime SIGQUIT and jcmd attaching mechanism does not work with signal chaining library
JDK-8202014 hotspot runtime Possible to receive signal before signal semaphore created

 

Changes in Java SE 8u351 b31

Bug Fixes

BugId Category Subcategory Summary
JDK-8291973 install install Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d
JDK-8293795 javafx accessibility Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField

Java SE 8u351 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u351 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u351 Perf b34

Bug Fixes

JBS Component Subcomponent Summary
JDK-8294307 core-libs java.util:i18n ISO 4217 Amendment 173 Update
JDK-8296239 core-libs java.util:i18n ISO 4217 Amendment 174 Update
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d
JDK-8295173 core-libs java.time (tz) Update Timezone Data to 2022e
JDK-8296108 core-libs java.time (tz) Update Timezone Data to 2022f

 

Changes in Java SE 8u351 Perf b33

Bug Fixes

JBS Component Subcomponent Summary
JDK-8278027 security-libs javax.crypto X509Key.decode exception while using JSafeJCE FIPS provider

 

Other Notes

JDK Flight Recorder

Enterprise Performance Pack supports JDK Flight Recorder (JFR).

JFR is a low-overhead data collection framework for troubleshooting Java applications and the HotSpot JVM in production. Recorded data can be opened in JDK Mission Control (JMC). To start recordings from within JMC, a new version of JMC is required. Currently, it is not released as part of the JDK but is available as a downloadable patch from Supported Java SE Downloads on MOS or from JDK Mission Control 8 Downloads. JFR comes with a supported API to produce and consume data programmatically.

Relevant Changes for JFR include JEP 328: Flight Recorder, JEP 349: JFR Event Streaming

 

Changes in Java SE 8u351 Perf

Bug Fixes

JDK 8u351 Enterprise Performance Pack includes the following fixes from JDK 17:
# JBS Component Subcomponent Summary
1 JDK-8282467 hotspot compiler add extra diagnostics for JDK-8268184
2 JDK-8284883 hotspot compiler JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
3 JDK-8285923 hotspot compiler [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
4 JDK-8282555 hotspot compiler Missing memory edge when spilling MoveF2I, MoveD2L etc
5 JDK-8286638 hotspot compiler C2: CmpU needs to do more precise over/underflow analysis
6JDK-8288303hotspotcompilerC1: Miscompilation due to broken Class.getModifiers intrinsic
7JDK-8270090hotspotcompilerC2: LCM may prioritize CheckCastPP nodes over projections
8JDK-8280696hotspotcompilerC2 compilation hits assert(is_dominator(c, n_ctrl)) failed
9JDK-8285820hotspotcompilerC2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
10JDK-8287091hotspotcompileraarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
11JDK-8287396hotspotcompilerLIR_Opr::vreg_number() and data() can return negative number
12JDK-8286625hotspotcompilerC2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
13JDK-8288467hotspotcompilerremove memory_operand assert for spilled instructions
14JDK-8276546hotspotcompiler[IR Framework] Whitelist and ignore CompileThreshold
15JDK-8279622hotspotcompilerC2: miscompilation of map pattern as a vector reduction
16JDK-8286177hotspotcompilerC2: "failed: non-reduction loop contains reduction nodes" assert failure
17JDK-8284944hotspotcompilerassert(cnt++ < 40) failed: infinite cycle in loop optimization
18JDK-8287223hotspotcompilerC1: Inlining attempt through MH::invokeBasic() with null receiver
19JDK-8272736hotspotcompiler[JVMCI] Add API for reading and writing JVMCI thread locals
20JDK-8284358hotspotcompilerUnreachable loop is not removed from C2 IR, leading to a broken graph
21JDK-8288360hotspotcompilerCI: ciInstanceKlass::implementor() is not consistent for well-known classes
22JDK-8286314hotspotcompilerTrampoline not created for far runtime targets outside small CodeCache
23JDK-8288781hotspotcompilerC1: LIR_OpVisitState::maxNumberOfOperands too small
24JDK-8289127hotspotcompilerApache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
25JDK-8283441hotspotcompilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
26JDK-8287432hotspotcompilerC2: assert(tn->in(0) != __null) failed: must have live top node
27JDK-8281297hotspotgcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
28JDK-8283597hotspotjvmti[REDO] Invalid generic signature for redefined classes
29JDK-8278753hotspotruntimeRuntime crashes with access violation during JNI_CreateJavaVM call
30JDK-8283469hotspotruntimeDon't use memset to initialize members in FileMapInfo and fix memory leak
31JDK-8268773hotspotruntimeImprovements related to: Failed to start thread - pthread_create failed (EAGAIN)
32JDK-8289477hotspotruntimeMemory corruption with CPU_ALLOC, CPU_FREE on muslc
33JDK-8289799hotspotruntimeBuild warning in methodData.cpp memset zero-length parameter
34JDK-8290417hotspotruntimeCDS cannot archive lamda proxy with useImplMethodHandle
35JDK-8287107hotspotruntimeCgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
36JDK-8287741hotspotruntimeFix of JDK-8287107 (unused cgv1 freezer controller) was incomplete

Java™ SE Development Kit 8, Update 351 (JDK 8u351)

October 18, 2022

The full version string for this update release is 8u351-b10 (where "b" means "build"). The version number is 8u351.

 

IANA TZ Data 2022b, 2022c

JDK 8u351 contains IANA time zone data 2022b, 2022c.

  • Chile's DST is delayed by a week in September 2022.
  • Iran no longer observes DST after 2022.
  • Rename Europe/Kiev to Europe/Kyiv.
  • New zic -R option
  • Vanguard form now uses %z.
  • Finish moving duplicate-since-1970 zones to 'backzone'.
  • New build option PACKRATLIST.
  • New tailored_tarballs target, replacing rearguard_tarballs.
  • Work around awk bug in FreeBSD, macOS, etc.
  • Improve tzselect on intercontinental Zones.
For more information, refer to Timezone Data Versions in the Java Runtime.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u351 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u351-b10
7 7u361-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u351) be used after the next critical patch update scheduled for January 17, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u351) on 2023-02-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/java.security
 Upgrade the Default PKCS12 MAC Algorithm (JDK-8267880)

The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.

For compatibility, use the keystore.pkcs12.legacy system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

hotspot/runtime
 os::set_native_thread_name() cleanups (JDK-7102541)

On platforms that support the concept of a thread name on their native threads, the java.lang.Thread.setName() method will also set that native thread name. However, this will only occur when called by the current thread, and only for threads started through the java.lang.Thread class (not for native threads that have attached via JNI). The presence of a native thread name can be useful for debugging and monitoring purposes. Some platforms may limit the native thread name to a length much shorter than that used by the java.lang.Thread, which may result in some threads having the same native name.

 

Other Notes

install/install
 Enable Java Access Bridge Check Box Option in Control Panel Is Not Available with JDK 11 Installer (JDK-8208637)

The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK11. This registration was part of the public JRE installation.

However, Java Access Bridge can still be enabled and disabled by following these steps:

  1. Copy %JAVAHOME%\bin\windowsaccessbridge-64.dll to %WINDOWSHOME%\SYSTEM32. A reboot might be required after this step.
  2. Run %JAVAHOME%\bin\jabswitch /enable and %JAVAHOME%\bin\jabswitch /disable.

Note: %WINDOWSHOME% is the directory where Microsoft Windows is installed (for example, C:\WINDOWS) %JAVAHOME% is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11)

security-libs/java.security
 Disabled SHA-1 Signed JARs (JDK-8269039)

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

-  Signed by "CN="Signer""

     Digest algorithm: SHA-1 (disabled)
     Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or override it by using the java.security.properties system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

security-libs/org.ietf.jgss:krb5
 Deprecate 3DES and RC4 in Kerberos (JDK-8139348)

The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

core-libs/java.lang
 Phantom references are automatically cleared as soft and weak references (JDK-8071507)

This enhancement changes phantom references to be automatically cleared by the garbage collector as soft and weak references.

An object becomes phantom reachable after it has been finalized. This change may cause the phantom reachable objects to be GC'ed earlier - previously the referent is kept alive until PhantomReference objects are GC'ed or cleared by the application. This potential behavioral change might only impact existing code that would depend on PhantomReference being enqueued rather than when the referent be freed from the heap.

core-libs/java.lang
 java.lang.ref.Reference.enqueue method clears the reference object before enqueuing (JDK-8175797)

java.lang.ref.Reference.enqueue method clears the reference object before it is added to the registered queue. When the enqueue method is called, the reference object is cleared and get() method will return null in JDK 9.

Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear method to avoid memory leak because its referent is no longer referenced. In other words the get method is expected not to be called in common cases once the enqueuemethod is called. In the case when the get method from an enqueued reference object and existing code attempts to access members of the referent, NullPointerException may be thrown. Such code will need to be updated.

core-libs/java.lang
 java.lang.ref.Reference Does Not Support Cloning (JDK-8201793)

java.lang.ref.Reference::clone method always throws CloneNotSupportedException. Reference objects cannot be meaningfully cloned. To create a new Reference object, call the constructor to create a Reference object with the same referent and reference queue instead.

core-libs/java.time
 Update Timezone Data to 2022c (JDK-8294042)

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b.

core-libs/java.lang
 System Property java.specification.maintenance.version Set to 4 (JDK-8290849)

This JDK implements Maintenance Release 4 of the Java SE 8 specification (JSR 337). Implementing this maintenance release is indicated by the new system property java.specification.maintenance.version having the value of "4".

core-libs/java.net
 New System Property to Limit the Number of Open Connections to com.sun.net.httpserver.HttpServer (JDK-8286918 (not public))

A new system property named jdk.httpserver.maxConnections has been introduced to allow users to configure the com.sun.net.httpserver.HttpServer to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u351 release:

# BugId Component Subcomponent Summary
1JDK-8260616client-libsRemoving remaining JNF dependencies in the java.desktop module
2JDK-8270216client-libsjava.awt[macOS] Update named used for Java run loop mode
3JDK-8272602client-libsjava.awt[macOS] not all KEY_PRESSED events sent when control modifier is used
4JDK-8261352client-libsjavax.accessibilityCreate implementation for component peer for all the components who should be ignored in a11y interactions
5JDK-8263420client-libsjavax.accessibilityIncorrect function name in NSAccessibilityStaticText native peer implementation
6JDK-8261198client-libsjavax.accessibility[macOS] Incorrect JNI parameters in number conversion in A11Y code
7JDK-8262981client-libsjavax.accessibilityCreate implementation for NSAccessibilitySlider protocol
8JDK-8287740client-libsjavax.accessibilityNSAccessibilityShowMenuAction not working for text editors
9JDK-8275071client-libsjavax.accessibility[macos] A11y cursor gets stuck when combobox is closed
10JDK-8274383client-libsjavax.accessibilityJNI call of getAccessibleSelection on a wrong thread
11JDK-8267387client-libsjavax.accessibilityCreate implementation for NSAccessibilityOutline protocol
12JDK-8267388client-libsjavax.accessibilityCreate implementation for NSAccessibilityTable protocol
13JDK-8262031client-libsjavax.accessibilityCreate implementation for NSAccessibilityNavigableStaticText protocol
14JDK-8275809client-libsjavax.accessibilitycrash in [CommonComponentAccessibility getCAccessible:withEnv:]
15JDK-8273678client-libsjavax.accessibilityTableAccessibility and TableRowAccessibility miss autorelease
16JDK-8271071client-libsjavax.accessibilityaccessibility of a table on macOS lacks cell navigation
17JDK-8267066client-libsjavax.accessibilityNew NSAccessibility peers should return they roles and subroles directly
18JDK-8275720client-libsjavax.accessibilityCommonComponentAccessibility.createWithParent isWrapped causes mem leak
19JDK-8267385client-libsjavax.accessibilityCreate NSAccessibilityElement implementation for JavaComponentAccessibility
20JDK-8275819client-libsjavax.accessibility[TableRowAccessibility accessibilityChildren] method is ineffective
21JDK-8284690client-libsjavax.accessibility[macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
22JDK-8286266client-libsjavax.accessibility[macos] Voice over moving JTable column to be the first column JVM crashes
23JDK-8284014client-libsjavax.accessibilityMenu items with submenus in JPopupMenu are not spoken on macOS
24JDK-8283383client-libsjavax.accessibility[macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
25JDK-8278609client-libsjavax.accessibility[macos] accessibility frame is misplaced on a secondary monitor on macOS
26JDK-8274735client-libsjavax.imageiojavax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
27JDK-8256109client-libsjavax.swingCreate implementation for NSAccessibilityButton protocol
28JDK-8256108client-libsjavax.swingCreate implementation for NSAccessibilityElement protocol peer
29JDK-8256126client-libsjavax.swingCreate implementation for NSAccessibilityImage protocol peer
30JDK-8256110client-libsjavax.swingCreate implementation for NSAccessibilityStepper protocol
31JDK-8256111client-libsjavax.swingCreate implementation for NSAccessibilityStaticText protocol
32JDK-8261350client-libsjavax.swingCreate implementation for NSAccessibilityCheckBox protocol peer
33JDK-8261351client-libsjavax.swingCreate implementation for NSAccessibilityRadioButton protocol
34JDK-8264299client-libsjavax.swingCreate implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles
35JDK-8264300client-libsjavax.swingCreate implementation for NSAccessibilityScrollBar protocol peer
36JDK-8264290client-libsjavax.swingCreate implementation for NSAccessibilityComponentGroup protocol peer
37JDK-8264304client-libsjavax.swingCreate implementation for NSAccessibilityToolbar protocol peer
38JDK-8264302client-libsjavax.swingCreate implementation for Accessibility native peer for Splitpane java role
39JDK-8264305client-libsjavax.swingCreate implementation for native accessibility peer for Statusbar java role
40JDK-8264287client-libsjavax.swingCreate implementation for NSAccessibilityComboBox protocol peer
41JDK-8264303client-libsjavax.swingCreate implementation for NSAccessibilityTabGroup protocol peer
42JDK-8264297client-libsjavax.swingCreate implementation for NSAccessibilityProgressIndicator protocol peer
43JDK-8264294client-libsjavax.swingCreate implementation for NSAccessibilityMenuBar protocol peer
44JDK-8264298client-libsjavax.swingCreate implementation for NSAccessibilityRow protocol peer
45JDK-8264286client-libsjavax.swingCreate implementation for NSAccessibilityColumn protocol peer
46JDK-8264291client-libsjavax.swingCreate implementation for NSAccessibilityCell protocol peer
47JDK-8264292client-libsjavax.swingCreate implementation for NSAccessibilityList protocol peer
48JDK-8264293client-libsjavax.swingCreate implementation for NSAccessibilityMenu protocol peer
49JDK-8264295client-libsjavax.swingCreate implementation for NSAccessibilityMenuItem protocol peer
50JDK-8264296client-libsjavax.swingCreate implementation for NSAccessibilityPopUpButton protocol peer
51JDK-8257620core-libsDo not use objc_msgSend_stret to get macOS version
52JDK-8071507core-libsjava.lang(ref) Clear phantom reference as soft and weak references do
53JDK-8287132core-libsjava.langRetire Runtime.runFinalizersOnExit so that it always throws UOE
54JDK-8178832core-libsjava.lang(ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
55JDK-8175797core-libsjava.lang(ref) Reference::enqueue method should clear the reference object before enqueuing
56JDK-8193780core-libsjava.lang(ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
57JDK-8285497core-libsjava.langAdd system property for Java SE specification maintenance version
58JDK-8201793core-libsjava.lang(ref) Reference object should not support cloning
59JDK-8287917core-libsjava.lang:class_loadingSystem.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
60JDK-8288769core-libsjava.util.jarRevert unintentional change to deflate.c
61JDK-8283277core-libsjava.util:i18nISO 4217 Amendment 171 Update
62JDK-8289549core-libsjava.util:i18nISO 4217 Amendment 172 Update
63JDK-8277368core-libsjavax.scriptMetaspace OOM thrown due to the leak of Nashorn ScriptEngine
64JDK-6447817docsAdd additional Service Attributes to Standard Algorithm Names guide
65JDK-8291414docsguidesFix the incorrect wording about delayed provider selection in the PKCS11 documentation
66JDK-8261071hotspotcompilerAArch64: Refactor interpreter native wrappers
67JDK-8234930hotspotcompilerUse MAP_JIT when allocating pages for code cache on macOS
68JDK-8253015hotspotcompilerAarch64: Move linux code out from generic CPU feature detection
69JDK-8188066hotspotgc(ref) Examine the reachability of JNI WeakGlobalRef and interaction with phantom refs
70JDK-8143847hotspotgcRemove REF_CLEANER reference category
71JDK-8285621hotspotjfrXcheck:jni warnings during JFR initialization
72JDK-6885993hotspotruntimeNamed Thread: introduce print() and print_on(outputStream* st) methods
73JDK-7102541hotspotruntimeRFE: os::set_native_thread_name() cleanups
74JDK-8261075hotspotruntimeCreate stubRoutines.inline.hpp with SafeFetch implementation
75JDK-8151322hotspotruntimeImplement os::set_native_thread_name() on Solaris
76JDK-8061999hotspotruntimeEnhance VM option parsing to allow options to be specified in a file
77JDK-8078521hotspotsvcAARCH64: Add AArch64 SA support
78JDK-8289587javafxwebIllegalArgumentException: Color.rgb's red parameter (-16776961) expects color values 0-255
79JDK-8088420javafxwebJavaFX WebView memory leak via EventListener
80JDK-8285881javafxwebUpdate WebKit to 614.1
81JDK-8292609javafxwebCherry-pick WebKit 614.1 stabilization fixes
82JDK-8268427security-libsjava.securityImprove AlgorithmConstraints:checkAlgorithm performance
83JDK-8186143security-libsjava.securitykeytool -ext option doesn't accept wildcards for DNS subject alternative names
84JDK-8267880security-libsjava.securityUpgrade the default PKCS12 MAC algorithm
85JDK-8263404security-libsjava.securityRsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
86JDK-8269039security-libsjava.securityDisable SHA-1 Signed JARs
87JDK-8275887security-libsjava.securityjarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
88JDK-8270317security-libsjavax.net.sslLarge Allocation in CipherSuite
89JDK-8284694security-libsjavax.net.sslAvoid evaluating SSLAlgorithmConstraints twice
90JDK-8286211security-libsjavax.smartcardioUpdate PCSC-Lite for Suse Linux to 1.9.5
91JDK-8285398security-libsjdk.securityCache the results of constraint checks
92JDK-8074835security-libsorg.ietf.jgssResolve disabled warnings for libj2gss
93JDK-8074836security-libsorg.ietf.jgss:krb5Resolve disabled warnings for libosxkrb5
94JDK-8139348security-libsorg.ietf.jgss:krb5Deprecate 3DES and RC4 in Kerberos
95JDK-8289486xmljaxpImprove XSLT XPath operators count efficiency


Enterprise Performance Pack - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Enterprise Performance Pack BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in 8u345-PERF-b31

Bug Fixes

BugId Category Subcategory Description
JDK-8292260 hotspot compiler C2 Compilation Errors Unpredictably Crashes

Java SE Subscription Enterprise Performance Pack Release Notes

The Java SE Subscription Enterprise Performance Pack (EPP) is a commercial feature release of the Java SE platform. It contains new features and enhancements in many functional areas. It is currently available only through My Oracle Support. It is available as part of an Oracle Java SE Subscription and Oracle Cloud Infrastructure (OCI) Subscription. The Release Notes below describe the features, important changes, enhancements, and other information about the Enterprise Performance Pack.

Enterprise Performance Pack runtime brings improved performance, new features, and enhancements from the Java Virtual Machine from JDK 17 to JDK 8. It reduces the memory footprint for Java SE 8 workloads. It is ideal if you want or need to use Java SE 8 and you are running those workloads at scale. If you need to develop applications, Oracle recommends that you use the full JDK.

Enterprise Performance Pack is for server-side, headless systems (systems that operate without a graphical user interface or peripheral devices like a keyboard or a mouse) running 64-bit Linux on Intel or ARM.

Links to other sources of information about the Enterprise Performance Pack are also provided below:

 

The full version string for this update release is 1.8.0_345-perf-97-b06 (where "b" means "build"). The version number is 8u345.

 

IANA Data 2022a

The Enterprise Performance Pack contains IANA time zone data version 2022a. For more information, refer to Timezone Data Versions in the JRE Software.

TOP


New Features and Information

This section describes Enterprise Performance Pack features and important information. In some cases, the descriptions provide links to additional detailed information about an issue or a change.

New Garbage Collector

Enterprise Performance Pack supports the latest garbage collector, ZGC.

The Z Garbage Collector, also known as ZGC, is a scalable low latency garbage collector (JEP 333). At its core, ZGC is a concurrent garbage collector, meaning that all heavy lifting work (marking, compaction, reference processing, string table cleaning, etc) is done while Java threads continue to execute. This greatly limits the negative impact that garbage collection has on application response times.

Applications moving from Parallel GC, CMS GC, or G1 GC to ZGC might observe higher CPU utilization and might require an increase in Java heap space. The tuning options for ZGC in the presence of observing allocation stalls are: increasing the max Java heap size (-Xmx), or setting -XX:SoftMaxHeapSize to a value less than -Xmx, or increasing the number of concurrent GC threads and disabling dynamic GC threads (-XX:ConcGCThreads=n -XX:-UseDynamicGCThreads), or some combination of those three.

See Enterprise Performance Pack documentation for more information about JVM options and Enterprise Performance Pack configuration.

Unified Logging

Enterprise Performance Pack supports a common logging system for all components of the JVM. This provides line-at-a-time, human readable log messages enabled at the command line through the -Xlog flag. See Printing JVM Information in the Enterprise Performance Pack User's Guide for more details.

Relevant Changes for Unified Logging:  Use Unified Logging for GC logging (JDK-8145092)     print_tracing_info Uses Unified Logging (JDK-8184286)     Deprecated Tracing Flags Are Obsolete and Must Be Replaced With Unified Logging Equivalents (JDK-8256718)

Compact Strings

This is a space-efficient internal representation of strings, which reduces memory footprint and garbage collection activity. See Compact Strings in the Java Virtual Machine Guide of JDK 17 for more details.

Relevant Changes for Compact Strings:  JEP 254: Compact Strings (JDK-8054307)

 

 New Class Hierarchy Analysis Implementation in the HotSpot JVM (JDK-8266074)

A new Class Hierarchy Analysis implementation is introduced in the HotSpot JVM. It features enhanced handling of abstract and default methods which improves inlining decisions made by the JIT-compilers. The new implementation supersedes the original one and is turned on by default.

To help diagnose possible issues related to the new implementation, the original implementation can be turned on by specifying the -XX:+UnlockDiagnosticVMOptions -XX:-UseVtableBasedCHA command-line flags.

The original implementation may be removed in a future release.

 

TOP


Important Enhancements

This section describes Enterprise Performance Pack enhancements. In some cases, the descriptions provide links to additional detailed information about an issue or a change.

Garbage Collectors

Enterprise Performance Pack's Garbage First (G1) collector should not require additional tuning or re-tuning; it's the default garbage collector. Moving from CMS GC to G1 should follow the guidance suggested in the Enterprise Performance Pack User's Guide. Only G1 supports String Deduplication. This feature continuously checks for duplicate String objects during garbage collection thus reducing overall heap size.

Since Enterprise Performance Pack has the Compact Strings feature which reduces the amount of Java heap space occupied by Java Strings, improved performance with Parallel GC may be realized by re-tuning Java heap sizes.

Relevant Changes for Garbage Collectors:  Parallel GC Enables Adaptive Parallel Reference Processing by Default (JDK-8204686)     G1 Enables Adaptive Parallel Reference Processing by Default (JDK-8205043)     JEP 345: NUMA-Aware Memory Allocation for G1 (JDK-8210473)     Parallel GC Improvements (JDK-8224666)     Improvements in Serial GC Young pause time report (JDK-8215221)     JEP 307: Parallel Full GC for G1 (JDK-8172890)     Concurrently Uncommit Memory in G1 (JDK-8236926)     Improved Ergonomics for G1 Heap Region Size (JDK-8241670)     Improve Ergonomics for Sparse PRT Entry Size (JDK-8223162)     New PerfCounters for STW Phases on Concurrent GC Are Available (JDK-8153333)     G1 May Uncommit Memory During Marking Cycle (JDK-6490394)     Garbage Collectors Adaptively Scale the Number of Threads by Default (JDK-8198510)     JEP 363: Remove the Concurrent Mark and Sweep (CMS) Garbage Collector (JDK-8229049)     Various GC combinations have now been removed (JDK-8044022)     JEP 366: Deprecate the ParallelScavenge + SerialOld GC Combination (JDK-8233301)     UseAutoGCSelectPolicy has been deprecated (JDK-8166461)

The java Command

Enterprise Performance Pack includes several runtime options from JDK 17. However, some options from JDK 8 are not available in Enterprise Performance Pack. For example, Enterprise Performance Pack uses Unified JVM Logging, which replaces options that print details about the JVM with -Xlog:gc options. See the Enterprise Performance Pack documentation for more information about the changes made to the JVM options.

Runtime Options

A number of runtime options have been added or removed from the Enterprise Performance Pack. See the Changes to JVM Runtime Options section of the Enterprise Performance Pack User's Guide.

Relevant Changes for Runtime Options:  Flags Controlling C1 Inlining Have New Names (JDK-8235673)     Improved CompileCommand Flag (JDK-8256508)     Improve the Behavior of MaxRAM Settings and UseCompressedOops (JDK-8222252)     VM Options AdaptiveSizePausePolicy and ParallelGCRetainPLAB are obsolete (JDK-8073861)     Added -XX:+AdjustStackSizeForTLS Flag (JDK-8225035)     Obsolete -XX:UseAdaptiveGCBoundary (JDK-8228991)     Removal of Obsolete -X Options (JDK-8179018)     Obsolete Support for Commercial Features (JDK-8202331)     Obsoleted -XX:+/-MonitorInUseLists (JDK-8211384)     Deprecated Java Options -Xverify:none and -noverify (JDK-8214719)     Command-Line Flag -XX:+ExtensiveErrorReports (JDK-8211845)

Class Data Sharing

This feature helps reduce the startup time and memory footprint between multiple Java Virtual Machines. See the Class Data Sharing section of the Java Virtual Machine Guide of JDK 17 for more information.

Relevant Changes for Class Data Sharing:  CDS Behavior Change With Non-existent Files During Archive Creation (JDK-8227370)

 

 Phantom References Are Now Automatically Cleared Just as Soft and Weak References (JDK-8071507)

This enhancement causes phantom references to be automatically cleared by the garbage collector just as soft and weak references are.

An object becomes phantom reachable after it has been finalized. This change may cause phantom reachable objects to be garbage collected earlier. Previously, the referent was kept alive until the associated PhantomReference objects were collected or cleared by the application. This behavioral change should only impact existing code that depends on a PhantomReference being enqueued rather than when the referent is freed from the heap.

 The java.lang.ref.Reference.enqueue Method Clears the Reference Object before Enqueuing (JDK-8175797)

The java.lang.ref.Reference.enqueue method clears the reference object before it is added to the registered queue. When the enqueue method is called, the reference object is cleared and the get() method will return null in Enterprise Performance Pack and later releases.

Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear method to avoid a memory leak because its referent is no longer referenced. In other words, the get method is not expected to be called in common cases once the enqueue method has been called. In the case when the get method from an enqueued reference object and existing code attempts to access members of the referent, a NullPointerException may be thrown. Such code will need to be updated.

 java.lang.ref.Reference Does Not Support Cloning (JDK-8201793)

The java.lang.ref.Reference::clone method always throws a CloneNotSupportedException. Therefore, Reference objects cannot be meaningfully cloned. To copy a Reference object, call the constructor to create a new Reference object with the same referent and reference queue instead.

 sun.misc.Unsafe.defineAnonymousClass No Longer Supports Constant-pool Patching (JDK-8288640, not public)

In Java SE Subscription Enterprise Performance Pack, constant pool patching of classes created by calling the unsupported sun.misc.Unsafe.defineAnonymousClass method is not enabled and could cause your application to crash. The cpPatches argument to defineAnonymousClass should be null.

 Removal of Rarely Used sun.misc.Unsafe Methods (JDK-8054494)

In Java SE Subscription Enterprise Performance Pack, the methods monitorEnter, monitorExit, and tryMonitorEnter have been removed from the unsupported sun.misc.Unsafe class. These methods are not used within the JDK itself and are very rarely used outside of the JDK.

 The sun.misc.Version VM Version API Reports 25.x (JDK-8285776, not public)

The Java SE 8 Enterprise Performance Pack follows the versioning format defined by JEP 322, and reports the actual VM version of 17.x, when, for example, java -version is invoked. However, for compatibility purposes, the sun.misc.Version methods jvmMajorVersion() and jvmMinorVersion() instead report the same VM version as Java SE 8 i.e. 25.x. This ensures that application code checking for a Java 8 runtime by looking for a major version greater than, or equal to, 25, will work correctly even though the actual VM version is 17.

 

TOP


Other Changes

The following notes describe additional changes and information about this release. In some cases, the following descriptions provide links to additional detailed information about an issue or a change.

Monitoring Tools

  • jcmd: JFR diagnostic commands are not available
  • JDK Mission Control (JMC): Although JMC extensively uses JFR (which is not available in Enterprise Performance Pack), you can still use JMC for other purposes such as real-time JMX monitoring
  • jvisualvm: jvisualvm is not included in Enterprise Performance Pack

See Running Tools and Using Libraries on Enterprise Performance Pack for more information.

Application Class Data Sharing (AppCDS)

Application Class Data Sharing (AppCDS) extends class data sharing (CDS) to enable application classes to be placed in a shared archive. See the Application Class Data Sharing section of the java command page.

Relevant Changes for AppCDS:  JEP 310: Application Class-Data Sharing (JEP 310)

 

 Stack Overflow Can Cause Segfaults on Linux (JDK-8182777)

Some linux kernel versions (including, but not limited to 3.13.0-121-generic and 4.4.0-81-generic) are known to contain an incorrect fix for a linux kernel stack overflow issue (See CVE-2017-1000364). The incorrect fix can trigger crashes in the Java Virtual Machine. Upgrading the kernel to a version that includes the corrected fix addresses the problem.

 Enforce Format Checks for NameAndType Strings (JDK-8161224)

This change enforces the unqualified name format checks for NameAndType strings as outlined in the JVM specification sections 4.4.6 and 4.2.2, meaning that some illegal names and descriptors that users may be utilizing in their classfiles will now be caught with a Class Format Error. This includes format checking for all strings under non-referenced NameAndType's. Users will see a change if they (A) are using Java classfile version 6 or below and have an illegal NameAndType descriptor with no Methodref or Fieldref reference to it; or (B) are using any Java classfile version and have an illegal NameAndType name with no Methodref or Fieldref reference to it.

In both (A) and (B) the users will now receive a ClassFormatError for those illegal strings, which is an enforcement of unqualified name formats as delineated in JVMS 4.2.2.

 Binary Format for HPROF Updated (JDK-8144732)

When dumping the heap in binary format, HPROF format 1.0.2 is always used now. Previously, format 1.0.1 was used for heaps smaller than 2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the serviceability agent.

 More Registers Available When Running Without Compressed References on x86_64 (JDK-8217909)

When running with compressed references on x86_64, one of the CPU registers holds the heap base pointer to be used for references encoding/decoding. This register is not available for register allocation.

Simple implementations before this release made this register unavailable (and thus unused) even if compressed references were disabled. In this release, the implementation was revised to put this unused register back into the available registers pool. Configurations with large heaps and/or -XX:-UseCompressedOops benefit from this improvement.

 NotifyFramePop Request Is Not Cleared If JVMTI_EVENT_FRAME_POP Is Disabled (JDK-8187289)

In the previous release, a NotifyFramePop request was only cleared when the JVMTI_EVENT_FRAME_POP was enabled. Now it is always cleared when the corresponding frame is popped, regardless of whether the JVMTI_EVENT_FRAME_POP is enabled or not.

 Make JVMTI Table Concurrent (JDK-8212879)

For improved performance, JVM/TI ObjectFree events are no longer posted within GC pauses. The events are still posted as requested, and will be posted before ObjectFree events are enabled or disabled with SetNotificationMode. SetNotificationMode can be used to explicitly flush ObjectFree events, if needed.

 Change to Default Value for BiasedLockingStartupDelay (JDK-8180421)

The default value for BiasedLockingStartupDelay has been changed to 0. The flag BiasedLockingStartupDelay previously had the default value 4000 which delayed the use of biased locking with 4 s (4000 ms). The reason for this delay was performance but recent performance runs show no difference between the 4000 ms delay and no delay. Since having the delay will cause other parts of the VM to do extra work, having the default set to 0 makes more sense.

 The JNI function DetachCurrentThread Must Tolerate Pending Exceptions (JDK-8155881)

The JNI function DetachCurrentThread has been added to the list of JNI functions that can safely be called with an exception pending. The HotSpot Virtual Machine has always supported this as it reports that the exception occurred in a similar manner to the default handling of uncaught exceptions at the Java level. Other implementations are not obligated to do anything with the pending exception.

 JNIDetachReleasesMonitors Is Obsolete (JDK-8131045)

The -XX:-JNIDetachReleasesMonitors flag requested that the VM run in a pre-JDK 6 compatibility mode with regard to not releasing monitors when a JNI attached thread detaches. This option is obsolete in JDK 9, and is ignored, as the VM always conforms to the JNI Specification and releases monitors. Use of this option will result in a warning being issued in JDK 9 and it may be removed completely in a future release.

 Object Monitors No Longer Keep Strong References to Their Associated Object (JDK-8247281)

When synchronization is performed on an object, an association is established between the object and the object monitor that implements the synchronization. In the past, the reference from a monitor to its associated object was a strong reference. These strong references would be observable through JVM TI functions that walk the heap (reported as JVMTI_HEAP_ROOT_MONITOR or JVMTI_HEAP_REFERENCE_MONITOR) and in heap dumps (reported as HPROF_GC_ROOT_MONITOR_USED). As of this release, a weak reference is used. These are not observable to JVM TI or heap dumps. Consequently, JVMTI_HEAP_ROOT_MONITOR, JVMTI_HEAP_REFERENCE_MONITOR and HPROF_GC_ROOT_MONITOR_USED are longer reported.

 Removal of FlatProfiler (JDK-8173715)

The FlatProfiler, deprecated in JDK 9, has been made obsolete by removing the implementation code. The FlatProfiler was enabled by setting the -Xprof VM argument. The -Xprof flag remains recognized in this release; however, setting it will print out a warning message.

 Parts of the Signal-Chaining API Are Deprecated (JDK-8257572)

The signal-chaining facility was introduced in JDK 1.4 and supported three different Linux signal-handling API's: sigset, signal and sigaction. Only sigaction is a cross-platform, supported, API for multi-threaded processes. Both signal and sigset are considered obsolete on those platforms that still define them. Consequently, the use of signal and sigset with the signal-chaining facility are now deprecated, and support for their use will be removed in a future release.


Java SE 8u341 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u341 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u341 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8291973 install install JavaSE 8 RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash

 

Changes in Java SE 8u341 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8197387 core-svc tools jcmd Started by "root" Must Be Allowed to Access All VM Processes
JDK-8072439 hotspot runtime Further refinement of the fix JDK-8047720 - Xprof hangs on Solaris
JDK-8087557 javafx accessibility Alert Dialog Content Is Not Fully Read by Screen Reader
JDK-8291087 javafx accessibility Wrong Position of Focus of Screen Reader on Windows with Screen Scale > 1
JDK-8197387 javafx accessibility Exceptions with TextArea & TextField when Deleted Last Char

 

Changes in Java SE 8u341 b31

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 8, Update 341 (JDK 8u341)

July 19, 2022

The full version string for this update release is 8u341-b10 (where "b" means "build"). The version number is 8u341.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u341 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u341-b10
7 7u351-b07

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u341) be used after the next critical patch update scheduled for October 18, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u341) on 2022-11-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.net.ssl
 Enable TLSv1.3 by Default on JDK 8u for Client Roles

The TLSv1.3 implementation is available in JDK 8u from 8u261 and enabled by default for server roles but disabled by default for client roles. From this release onwards, TLSv1.3 is now also enabled by default for client roles. You can find more details in the Additional Information section of the Oracle JRE and JDK Cryptographic Roadmap.

Note that TLS 1.3 is not directly compatible with previous versions. Enabling it on the client may introduce compatibility issues on either the server or the client side. Here are some more details on potential compatibility issues that you should be aware of:

  • TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there may be compatibility issues when upgrading to TLS 1.3.
  • The signature_algorithms_cert extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application may use non-supported signature algorithms.
  • The DSA signature algorithm is not supported in TLS 1.3. If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.
  • The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions. If an application hard-codes cipher suites which are no longer supported, it may not be able to use TLS 1.3 without modifying the application code, for example TLS_AES_128_GCM_SHA256 (1.3 and later) versus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (1.2 and earlier).
  • The TLS 1.3 session resumption and key update behaviors are different from TLS 1.2 and prior versions. The compatibility should be minimal, but it could be a risk if an application depends on the handshake details of the TLS protocols.
  • TLS 1.3 requires that the implementation support new cryptographic algorithms which previous versions of TLS did not, such as RSASSA-PSS. If your application is configured to use 3rd party JCE provider(s) which do not support the required algorithms, you may get handshake failures.
See JDK-8245263

core-libs/java.net
 HTTPS Channel Binding Support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:

jdk.https.negotiate.cbt (default: "never")

This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:

  • "never". This is also the default value if the property is not set. In this case, CBTs are never sent.
  • "always". CBTs are sent for all Kerberos authentication attempts over HTTPS.
  • "domain:" Each domain in the list specifies destination host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com, or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations that don't match one of the list entries

The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.

See JDK-8279842

Other Notes

core-libs/java.net
 Update java.net.InetAddress to Detect Ambiguous IPv4 Address Literals

The java.net.InetAddress class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress class methods are updated to throw an java.net.UnknownHostException for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".

See JDK-8277608 (not public)
 JDK Bundle Extensions Truncated When Downloading Using Firefox 102

On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:

  • manually add a file extension to the file name after download.
  • use a different browser

See JDK-8277093
core-libs/java.io:serialization
 Vector Should Throw ClassNotFoundException for a Missing Class of an Element

java.util.Vector is updated to correctly report ClassNotFoundException that occurs during deserialization using java.io.ObjectInputStream.GetField.get(name, object) when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException is thrown that does not provide information about the missing class.

See JDK-8277093

core-libs/java.util.jar
 Default JDK Compressor Will Be Closed when IOException Is Encountered

DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

See JDK-8193682
hotspot/runtime
 OperatingSystemMXBean.getProcessCpuLoad Is Now Container Aware

For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.

See JDK-8269851

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u341 release:

# BugId Component Subcomponent Summary
1JDK-8259869client-libs[macOS] Remove desktop module dependencies on JNF Reference APIs
2JDK-8274751client-libsjava.awtDrag And Drop hangs on Windows
3JDK-8272806client-libsjava.awt[macOS] "Apple AWT Internal Exception" when input method is changed
4JDK-8133713client-libsjavax.accessibility[macosx] Accessible JTables always reported as empty
5JDK-8277922client-libsjavax.accessibilityUnable to click JCheckBox in JTable through Java Access Bridge
6JDK-7124301client-libsjavax.accessibility[macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
7JDK-7124298client-libsjavax.accessibility[macosx] Nothing heard from VoiceOver when tabbing between a nested tab group and a parent tab group
8JDK-7124293client-libsjavax.accessibility[macosx] VoiceOver reads percentages rather than the actual values for sliders.
9JDK-8277093core-libsjava.io:serializationVector should throw ClassNotFoundException for a missing class of an element
10JDK-8279842core-libsjava.netHTTPS Channel Binding support for Java GSS/Kerberos
11JDK-8282293core-libsjava.netDomain value for system property jdk.https.negotiate.cbt should be case-insensitive
12JDK-8288033core-libsjava.nio(dc) DatagramChannel.disconnect uses disconnectx which is not supported on macOS 10.8.3
13JDK-8285515core-libsjava.nio(dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
14JDK-8258795core-libsjava.util:i18nUpdate IANA Language Subtag Registry to Version 2021-05-11
15JDK-8247469core-svcjavax.managementgetSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
16JDK-8273747deploywebstartGrant JWS JavaFX apps access to Windows trust store
17JDK-8283886docsguidesFix broken links in the security guide of JDK 8u docs
18JDK-6584403docsguidesRequest to add a CA/CSR certificate cookbook to JSSE Reference Guide
19JDK-8173625installinstallJRE 8u121 fails to install with blank dialog box (username with character #)
20JDK-8090477javafxcontrolsCustomizable visibility timing for Tooltip
21JDK-8205915javafxcontrols[macOS] Accelerator assigned to button in dialog fires menuItem in owning stage
22JDK-8222211javafxgraphicsCreating animated gif image from non FX App thread causes exception
23JDK-8280840javafxmediaUpdate libFFI to 3.4.2
24JDK-8283403javafxmediaUpdate Glib to 2.72.0
25JDK-8283218javafxmediaUpdate GStreamer to 1.20.1
26JDK-8282054javafxmediaMediaplayer not working with HTTP Live Stream link with query parameter appended with file extension m3u8
27JDK-8286256javafxwebUpdate libxml2 to 2.9.14
28JDK-8283328javafxwebUpdate libxml2 to 2.9.13
29JDK-8286257javafxwebUpdate libxslt to 1.1.35
30JDK-8282134javafxwebCertain regex can cause a JS trap in WebView
31JDK-8281459javafxwebWebKit 613.1 build broken on M1
32JDK-8280841javafxwebUpdate SQLite to 3.37.2
33JDK-8284184javafxwebCrash in GraphicsContextJava::drawLinesForText on https://us.yahoo.com/
34JDK-8278759javafxwebPointerEvent: buttons property set to 0 when mouse down
35JDK-8277734javafxwebWebView: Update Public Suffix List to 3c213aa
36JDK-8278851security-libsjava.securityCorrect signer logic for jars signed with multiple digest algorithms
37JDK-8245263security-libsjavax.net.sslEnable TLSv1.3 by default on JDK 8u for Client roles
38JDK-8274524security-libsjavax.net.sslSSLSocket.close() hangs if it is called during the ssl handshake
39JDK-8275082security-libsjavax.xml.cryptoUpdate XML Security for Java to 2.3.0
40JDK-8279520security-libsorg.ietf.jgssSPNEGO has not passed channel binding info into the underlying mechanism
41JDK-8157391toolsjdeps left JarFile open
42JDK-8284132toolsFXLauncherTest.java fails on headless macos


Java SE 8u333 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u333 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u333 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8288212 core-libs java.net WLS12.2.1.3/JDK8u281 high throughput servlet performance

 

Changes in Java SE 8u333 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8279842 core-libs java.net HTTPS Channel Binding support for Java GSS/Kerberos
JDK-8088420 javafx web JavaFX WebView memory leak via EventListener

 

Changes in Java SE 8u333 b31

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 8, Patch 8u333 (JDK 8u333)

May 2, 2022

The full version string for this update release is 8u333-b02 (where "b" means "build"). The version number is 8u333.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 8u331.

JRE Family Version JRE Security Baseline (Full Version String)
8 8u331-b09
7 7u341-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u333) be used after the next critical patch update scheduled for July 19, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u333) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

Changes

core-libs/java.io
 New System Property to Disable Windows Alternate Data Stream Support in java.io.File

The Windows implementation of java.io.File allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS has been added to control this behavior. To disable ADS support in java.io.File, the system property jdk.io.File.enableADS should be set to false (case ignored). Stricter path checking however prevents the use of special devices such as NUL:

See JDK-8285445

 

 

Bug Fixes

This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:

BugId Category Subcategory Summary
JDK-8284920 xml javax.xml.path Incorrect Token type causes XPath expression to return incorrect results
JDK-8284548 xml jaxp Invalid XPath expression causes StringIndexOutOfBoundsException


Java SE 8u331 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u331 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u331 b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8277922 client-libs javax.accessibility Unable to click JCheckBox in JTable through Java Access Bridge
JDK-8282583 xml jaxp Update BCEL md to include the copyright notice
JDK-8283350 core-libs java.time (tz) Update Timezone Data to 2022a

Java™ SE Development Kit 8, Update 331 (JDK 8u331)

April 19, 2022

The full version string for this update release is 8u331-b09 (where "b" means "build"). The version number is 8u331.

 

IANA TZ Data 2021e

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u331 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u331-b09
7 7u341-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u331) be used after the next critical patch update scheduled for July 19, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u331) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

xml/jaxp
 New XML Processing Limits

Three processing limits have been added. These are:

  • jdk.xml.xpathExprGrpLimit

Description: Limits the number of groups an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

  • jdk.xml.xpathExprOpLimit

Description: Limits the number of operators an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

  • jdk.xml.xpathTotalOpLimit

Description: Limits the total number of XPath operators in an XSL Stylesheet.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

Supported processors

  • jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

  • All three limits are supported by the XSLT processor.

Setting properties

For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

        TransformerFactory factory = TransformerFactory.newInstance();

        factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");

For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,

        System.setProperty("jdk.xml.xpathExprGrpLimit", "20");

or in the jaxp.properties file,

        jdk.xml.xpathExprGrpLimit=20

 

There are two known issues:

  1. An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
  2. An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.
JDK-8270504 (not public)

Other Notes

security-libs/java.security
 Only Expose Certificates With Proper Trust Settings as Trusted Certificate Entries in macOS KeychainStore

On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.

JDK-8278449 (not public)

security-libs/java.security
 Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280

The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.

See JDK-8257497

core-libs/javax.naming
 Parsing of URL Strings in Built-in JNDI Providers Is More Strict

The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:

  -Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict"    (to control "ldap:" URLs)

  -Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict"     (to control "dns:" URLs)
  -Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict"     (to control "rmi:" URLs)
  -Dcom.sun.jndi.corbaURLParsing="legacy" | "compat" | "strict"   (to control "iiop:" and "iiopname:" URLs) 

 

The default value is "compat" for all of the three providers.

  • The "legacy" mode turns the new validation off.
  • The "compat" mode limits incompatibilities.
  • The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.

In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI constructors or its factory method to build URLs rather than handcrafting URL strings.

If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.

JDK-8278972 (not public)

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8259343 client-libs [macOS] Update JNI error handling in Cocoa code.
2 JDK-8251840 client-libs java.awt Java_sun_awt_X11_XToolkit_getDefaultScreenData should not be in make/mapfiles/libawt_xawt/mapfile-vers
3 JDK-8259237 client-libs javax.swing Demo selection changes with left/right arrow key. No need to press space for selection.
4 JDK-8074883 client-libs javax.swing Tab key should move to focused button in a button group
5 JDK-8258554 client-libs javax.swing javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
6 JDK-8272105 client-libs javax.swing TestButtonGroupFocusTraversal.java fails in 8u
7 JDK-8275703 core-libs java.lang System.loadLibrary fails on Big Sur for libraries hidden from filesystem
8 JDK-8274779 core-libs java.net HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
9 JDK-8209178 core-libs java.net Proxied HttpsURLConnection doesn't send BODY when retrying POST request
10 JDK-8272473 core-libs java.time Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
11 JDK-8279618 core-libs java.util Deserializing HashMap throws access denied suppressAccessChecks
12 JDK-8274658 core-libs java.util:i18n ISO 4217 Amendment 170 Update
13 JDK-8277795 core-libs javax.naming ldap connection timeout not honoured under contention
14 JDK-8266187 core-svc java.lang.instrument Memory leak in appendBootClassPath()
15 JDK-8273575 core-svc java.lang.instrument memory leak in appendBootClassPath(), paths must be deallocated
16 JDK-8276957 docs guides Fix broken JDK8 documentation links
17 JDK-8166140 hotspot compiler C1: Possible integer overflow in LIRGenerator::generate_address on several platforms
18 JDK-8183543 hotspot compiler Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"
19 JDK-8132306 hotspot gc java/lang/ref/ReferenceEnqueue.java fails with "RuntimeException: Error: poll() returned null; expected ref object"
20 JDK-8273341 hotspot runtime Update Siphash to version 1.0
21 JDK-8189641 javafx accessibility [Accessibility, windows] NPE when navigating to ComboBox with empty string
22 JDK-8151974 javafx accessibility Invisible controls are still accessible by screen readers.
23 JDK-8089884 javafx controls TextInputControls capturing function key events
24 JDK-8274022 javafx controls Additional Memory Leak in ControlAcceleratorSupport
25 JDK-8244075 javafx controls Accelerator of ContextMenu's MenuItem is not removed when ContextMenu is removed from Scene
26 JDK-8276847 javafx web JSException: ReferenceError: Can't find variable: IntersectionObserver
27 JDK-8278980 javafx web Update WebKit to 613.1
28 JDK-8281711 javafx web Cherry-pick WebKit 613.1 stabilization fixes
29 JDK-8282099 javafx web Cherry-pick WebKit 613.1 stabilization fixes (2)
30 JDK-8242544 javafx window-toolkit CMD+ENTER key event crashes the application when invoked on dialog
31 JDK-8257497 security-libs java.security Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
32 JDK-8274736 security-libs java.security Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
33 JDK-8241248 security-libs javax.net.ssl NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
34 JDK-8275811 security-libs javax.net.ssl Incorrect instance to dispose
35 JDK-8141508 tools javac java.lang.invoke.LambdaConversionException: Invalid receiver type ...
36 JDK-8255035 xml jaxp Update BCEL to Version 6.5.0
37 JDK-8276141 xml jaxp XPathFactory set/getProperty method


Java SE 8u321 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u321 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u321 b35

Bug Fixes

BugId Component Subcomponent Summary
JDK-8278472 client-libs java.awt:i18n Invalid value set to CANDIDATEFORM structure
JDK-8278186 security-libs javax.xml.crypto org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
JDK-8255199 security-libs javax.xml.crypto Catching a few NumberFormatExceptions in xmldsig
JDK-8275082 security-libs javax.xml.crypto Update XML Security for Java to 2.3.0
JDK-8090477 javafx controls Customizable visibility timing for Tooltip

 

Changes in Java SE 8u321 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8247469 core-svc javax.management getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
JDK-8265836 core-svc java.lang.management OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
JDK-8268103 core-svc java.lang.management JNI functions incorrectly return a double after JDK-8265836

 

Changes in Java SE 8u321 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8141508 tools javac java.lang.invoke.LambdaConversionException: Invalid receiver type
JDK-8209178 core-libs java.net Proxied HttpsURLConnection doesn't send BODY when retrying POST request
JDK-8279618 core-libs java.util Deserializing HashMap throws access denied suppressAccessChecks
JDK-8273747 deploy webstart Grant JWS JavaFX apps access to Windows trust store

 

 

Changes in Java SE 8u321 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8279118 core-libs java.net ServerSocket.close bind exception with ResourceManagement
JDK-8151974 javafx accessibility Invisible controls are still accessible by screen readers.

 


Java™ SE Development Kit 8, Update 321 (JDK 8u321)

January 18, 2022

The full version string for this update release is 8u321-b07 (where "b" means "build"). The version number is 8u321.

 

IANA TZ Data 2021b, 2021c, 2021d, 2021e

JDK 8u321 contains IANA time zone data 2021b, 2021c, 2021d, 2021e.
  • Jordan now starts DST on February's last Thursday.
  • Samoa no longer observes DST.
  • Merge more location-based Zones whose timestamps agree since 1970.
  • Move some backward-compatibility links to 'backward'.
  • Rename Pacific/Enderbury to Pacific/Kanton.
  • Correct many pre-1993 transitions in Malawi, Portugal, etc.
  • zic now creates each output file or link atomically.
  • zic -L no longer omits the POSIX TZ string in its output.
  • zic fixes for truncation and leap second table expiration.
  • zic now follows POSIX for TZ strings using all-year DST.
  • Fix some localtime crashes and bugs in obscure cases.
  • zdump -v now outputs more-useful boundary cases.
  • tzfile.5 better matches a draft successor to RFC 8536.
  • A new file SECURITY.
  • Revert most 2021b changes to 'backward'.
  • Fix 'zic -b fat' bug in pre-1970 32-bit data.
  • Fix two Link line typos.
  • Distribute SECURITY file.

This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.

  • Fiji suspends DST for the 2021/2022 season.
  • 'zic -r' marks unspecified timestamps with "-00".
  • Palestine will fall back 10-29 (not 10-30) at 01:00.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u321 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u321-b07
7 7u331-b06

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u321) be used after the next critical patch update scheduled for April 19, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u321) on 2022-05-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.crypto:pkcs11
 New SunPKCS11 Configuration Properties

SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.

The 3 new attributes for SunPKCS11 provider configuration file are:

  1. destroyTokenAfterLogout (boolean, defaults to false)

    If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.

  2. cleaner.shortInterval (integer, defaults to 2000, in milliseconds)

    This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).

  3. cleaner.longInterval (integer, defaults to 60000, in milliseconds)

    This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.

See JDK-8240256

security-libs/javax.net.ssl
 Configurable Extensions With System Properties

Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

See JDK-8217633

 

Removed Features and Options

security-libs/java.security
 Removed Google's GlobalSign Root Certificate

The following root certificate from Google has been removed from the cacerts keystore:

+ alias name "globalsignr2ca [jdk]"

  Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

See JDK-8225083

 

 

Other Notes

core-libs/java.time
 Update Timezone Data to 2021c

IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b

See JDK-8274407

security-libs/javax.net.ssl
 SocketExceptions Are Not Wrapped Into SSLExceptions in SSLSocketImpl

This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.

See JDK-8259662

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8263846 client-libs Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
2 JDK-8155742 client-libs [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
3 JDK-8249548 client-libs backward focus traversal gets stuck in button group
4 JDK-8259232 client-libs 2d Bad JNI lookup during printing
5 JDK-6801613 client-libs 2d Cross-platform pageDialog and printDialog top margin entry broken
6 JDK-8042713 client-libs 2d [macosx] Print dialog does not update attribute set with page range
7 JDK-8257853 client-libs java.awt Remove dependencies on JNF's JNI utility functions in AWT and 2D code
8 JDK-8259585 client-libs java.awt [macOS] Bad JNI lookup error : Accessible actions do not work on macOS
9 JDK-8038631 client-libs java.awt Create wrapper for awt.Robot with additional functionality
10 JDK-6722236 client-libs java.awt 3 Choice regression testcases are failing from 6u10_b26 build onwards
11 JDK-8041928 client-libs java.awt MouseEvent.getModifiersEx gives wrong result
12 JDK-8275131 client-libs java.awt Exceptions after a touchpad gesture on macOS
13 JDK-8263490 client-libs java.awt:i18n [macos] Crash occurs on JPasswordField with activated InputMethod
14 JDK-8274326 client-libs javax.accessibility [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
15 JDK-8274056 client-libs javax.accessibility JavaAccessibilityUtilities leaks JNI objects
16 JDK-8274381 client-libs javax.accessibility missing CAccessibility definitions in JNI code
17 JDK-8259729 client-libs javax.accessibility Missed JNFInstanceOf -> IsInstanceOf conversion
18 JDK-8208640 client-libs javax.accessibility [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard.
19 JDK-8208747 client-libs javax.accessibility [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on
20 JDK-8194873 client-libs javax.swing right ALT key hotkeys no longer work in Swing components
21 JDK-8182577 client-libs javax.swing Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel
22 JDK-8269850 core-libs Most JDK releases report macOS version 12 as 10.16 instead of 12.0
23 JDK-8190482 core-libs InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride
24 JDK-8143317 core-libs jdk/lambda/vm/InterfaceAccessFlagsTest.java fails with IncompatibleClassChangeError
25 JDK-8253702 core-libs java.lang BigSur version number reported as 10.16, should be 11.nn
26 JDK-8202788 core-libs java.nio Explicitly reclaim cached thread-local direct buffers at thread exit
27 JDK-8276536 core-libs java.time Update TimeZoneNames files to follow the changes made by JDK-8275766
28 JDK-8273924 core-libs java.util:i18n ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
29 JDK-8187649 core-libs java.util:i18n ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
30 JDK-8273819 docs guides Update JSSE Reference Guide with new properties to disable TLS extensions
31 JDK-8139247 hotspot compiler Improper locking of MethodData::_extra_data_lock
32 JDK-8057038 hotspot compiler Speculative traps not robust when compilation and class unloading are concurrent
33 JDK-8253353 hotspot compiler Crash in C2: guarantee(n != NULL) failed: No Node
34 JDK-8069034 hotspot gc gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure
35 JDK-8071530 hotspot runtime Update OS detection code to reflect Windows 10 version change
36 JDK-8273229 hotspot runtime Update OS detection code to recognize Windows Server 2022
37 JDK-8274840 hotspot runtime Update OS detection code to recognize Windows 11
38 JDK-8273342 hotspot runtime Null pointer dereference in classFileParser.cpp:2817
39 JDK-8266404 hotspot runtime Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report
40 JDK-8219562 hotspot runtime Line of code in osContainer_linux.cpp#L102 appears unreachable
41 JDK-8186902 hotspot svc jcmd GC.run should not be blocked by DisableExplicitGC
42 JDK-8263807 javafx controls Button types of a DialogPane are set twice, returns a wrong button
43 JDK-8261460 javafx controls Incorrect CSS applied to ContextMenu on DialogPane
44 JDK-8178297 javafx controls TableView scrolls slightly when adding new elements
45 JDK-8269538 javafx controls StackOverflowError when pressing F10 within SpinnerSkin
46 JDK-8208088 javafx controls Memory Leak in ControlAcceleratorSupport
47 JDK-8275138 javafx web WebView: UserAgent string is empty for first request
48 JDK-8274929 javafx window-toolkit Crash while reading specific clipboard content
49 JDK-8275723 javafx window-toolkit Crash on macOS 12 in GlassRunnable::dealloc
50 JDK-8192988 security-libs java.security keytool should support -storepasswd for pkcs12 keystores
51 JDK-8225083 security-libs java.security Remove Google certificate that is expiring in December 2021
52 JDK-8273826 security-libs java.security Correct Manifest file name and NPE checks
53 JDK-8277224 security-libs java.security sun.security.pkcs.PKCS9Attributes.toString() throws NPE
54 JDK-8269034 security-libs javax.crypto:pkcs11 AccessControlException for SunPKCS11 daemon threads
55 JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
56 JDK-8098580 security-libs javax.crypto:pkcs11 drainRefQueueBounds() puts pressure on pool.size()
57 JDK-8270344 security-libs javax.net.ssl Session resumption errors
58 JDK-8217633 security-libs javax.net.ssl Configurable extensions with system properties
59 JDK-8268965 security-libs javax.net.ssl TCP Connection Reset when connecting simple socket to SSL server
60 JDK-8259662 security-libs javax.net.ssl Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
61 JDK-8169416 security-libs javax.net.ssl SSLSessionImpl finalize overhead
62 JDK-8147051 xml javax.xml.stream StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator


Java SE 8u311 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u311 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

Changes in Java SE 8u311 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8182577 client-libs javax.swing Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel
JDK-8241248 security-libs javax.net.ssl NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)

 

Changes in Java SE 8u311 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8274929 javafx window-toolkit Crash while reading specific clipboard content
JDK-8089884 javafx controls TextInputControls capturing function key events
JDK-8253353 hotspot compiler Crash in C2: guarantee(n != NULL) failed: No Node
JDK-8275766 core-libs java.time (tz) Update Timezone Data to 2021e

 

Changes in Java SE 8u311 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8275138 javafx web WebView: UserAgent string is empty for first request
JDK-8274779 core-libs java.net HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
JDK-8273229 hotspot runtime Update OS detection code to recognize Windows Server 2022
JDK-8274840 hotspot runtime Update OS detection code to recognize Windows 11
JDK-8041928 client-libs java.awt MouseEvent.getModifiersEx gives wrong result
JDK-8275723 javafx window-toolkit Crash on macOS 12 in GlassRunnable::dealloc
JDK-8274407 core-libs java.time (tz) Update Timezone Data to 2021c

 

Changes in Java SE 8u311 b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8269538 javafx controls StackOverflowError when pressing F10 within SpinnerSkin
JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
JDK-8098580 security-libs javax.crypto:pkcs11 drainRefQueueBounds() puts pressure on pool.size()
JDK-8190482 core-libs InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride
JDK-8169416 security-libs javax.net.ssl SSLSessionImpl finalize overhead

Java™ SE Development Kit 8, Update 311 (JDK 8u311)

October 19, 2021

The full version string for this update release is 8u311-b11 (where "b" means "build"). The version number is 8u311.

IANA TZ Data 2021a

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u311 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u311-b11
7 7u321-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u311) be used after the next critical patch update scheduled for January 18, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u311) on 2022-02-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

client-libs/2d
 Marlin Renderer in JDK 8u

Starting from version 8u311, the Marlin graphics rasterizer and its artifacts will be built and distributed as a part of the JDK/JRE bundles. It is not the default rendering engine, however there is an option to enable it by setting the following system property:

sun.java2d.renderer=sun.java2d.marlin.MarlinRenderingEngine

See JDK-8143849

core-libs/java.io:serialization
 Context-specific Deserialization Filter Subset

Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.

The behavior is opt-in based on the presence of the jdk.serialFilterFactory system property on the command line or the jdk.serialFilterFactory security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.

The JVM-wide filter factory is a java.util.function.BinaryOperator<sun.misc.ObjectInputFilter> function invoked when each ObjectInputStream is constructed and when the stream-specific filter is set using sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter). The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream constructors, the first parameter is null and the second parameter is the static JVM-wide filter. When invoked from sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter), the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter requested.

A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.

Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.

JDK-8268680 (not public)

Removed Features and Options

security-libs/java.security
 Removed IdenTrust Root Certificate

The following root certificate from IdenTrust has been removed from the cacerts keystore:

+ alias name "identrustdstx3 [jdk]"

  Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
See JDK-8225082

Other Notes

core-libs/java.lang
 Release Doesn't Correctly Recognize Windows 11

This release doesn't correctly identify Windows 11. The property os.name is set to Windows 10 on Windows 11. In HotSpot error logs, the OS is identified as Windows 10; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.

See JDK-8274840

security-libs/javax.net.ssl
 Updated the Default Enabled Cipher Suites Preference

The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.

For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.

For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:

  • Cipher suites that do not preserve forward secrecy have been moved lower in priority than those that do support forward secrecy.
  • Cipher suites that use SHA-1 have been moved lower in priority.

core-libs/java.net
 Modified HttpURLConnection Behavior When a Suitable Proxy Is Not Found

The behavior of HttpURLConnection when using ProxySelector has been modified in this JDK release. HttpURLConnection used to fall back to a direct connection attempt if the configured proxy(s) failed to make a connection. Beginning with this release, the default behavior has been changed to no longer use a direct connection when the first proxy connection attempt fails.

A new system property, sun.net.http.fallbackToDirect, can be set to a value of "true" should an application need to fall back to the old behavior (fall back to a direct connection when the first proxy connection attempt fails).

See JDK-8161016

core-libs/javax.naming
 System Property to Control Reconstruction of Reference Address Objects by JDK's Built-in JNDI LDAP Implementation

The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to control the deserialization of java objects from the javaReferenceAddress LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData and javaReferenceAddress LDAP attributes.

To prevent deserialization of java objects from these attributes, the system property can be set to false. By default, the deserialization of java objects from javaSerializedData and javaReferenceAddress attributes is allowed.

JDK-8267712 (not public)

hotspot/runtime
 Release Doesn't Correctly Recognize Windows Server

This release doesn't correctly identify Windows Server. The property os.name is set to Windows 2019 on Windows Server 2022. In HotSpot error logs, the OS is identified as Windows 10.0 for Windows Server releases 2016, 2019, and 2022; however, the HotSpot error log does show the Build number. Windows Server 2016 has Build 14393 or above, Windows Server 2019 has Build 17763 or above, and Windows Server 2022 has Build 20348 or above.

See JDK-8273229

security-libs/javax.crypto:pkcs11
 SunPKCS11 Initialization With NSS When External FIPS Modules Are in Security Modules Database

The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".

This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.

See JDK-8238555

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8148886 client-libs SEGV in sun.java2d.marlin.Renderer._endRendering
2 JDK-8149338 client-libs 2d JVM Crash caused by Marlin renderer not handling NaN coordinates
3 JDK-8144938 client-libs 2d Handle properly coordinate overflow in Marlin Renderer
4 JDK-8180055 client-libs 2d Upgrade the Marlin renderer in Java2D
5 JDK-8202580 client-libs 2d Dashed BasicStroke randomly painted incorrectly, may freeze application
6 JDK-8210335 client-libs 2d Clipping problems with complex affine transforms: negative scaling factors or small scaling factors
7 JDK-8228711 client-libs 2d Path rendered incorrectly when it goes outside the clipping region
8 JDK-8230728 client-libs 2d Thin stroked shapes are not rendered if affine transform has flip bit
9 JDK-8145055 client-libs 2d Marlin renderer causes unaligned write accesses
10 JDK-8244088 client-libs 2d [Regression] Switch of Gnome theme ends up in deadlocked UI
11 JDK-8262392 client-libs 2d Update Mesa 3-D Headers to version 21.0.3
12 JDK-8262731 client-libs 2d [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
13 JDK-8198885 client-libs 2d Upgrade Marlin (java2d) to 0.9.1
14 JDK-8273358 client-libs 2d macOS Monterey does not have the font Times needed by Serif
15 JDK-8269984 client-libs java.awt [macos] JTabbedPane title looks like disabled
16 JDK-8129940 client-libs javax.swing JRadioButton does not honor non-standard FocusTraversalKeys
17 JDK-8251377 client-libs javax.swing [macos11] JTabbedPane selected tab text is barely legible
18 JDK-8269931 client-libs javax.swing ButtonGroupLayoutTraversalTest.java fails on macOS
19 JDK-8268518 client-libs javax.swing Add headful keyword to LayoutFocusTraversalPolicy.java
20 JDK-8154043 client-libs javax.swing Fields not reachable anymore by tab-key, because of new tabbing behaviour of radio button groups.
21 JDK-8035424 core-libs java.lang:reflect Performance problem in sun.reflect.generics.parser.SignatureParser
22 JDK-8161016 core-libs java.net Strange behavior of URLConnection with proxy
23 JDK-8183369 core-libs java.net RFC unconformity of HttpURLConnection with proxy
24 JDK-8067744 hotspot compiler XMM/SSE float register values corrupted by JNI_CreateVM call in JRE 8 (Windows)
25 JDK-8268366 hotspot compiler Incorrect calculation of has_fpu_registers in C1 linear scan
26 JDK-8268347 hotspot compiler C2: nested locks optimization may create unbalanced monitor enter/exit code
27 JDK-8269304 hotspot compiler Regression ~5% in spec2005 in b27
28 JDK-8065895 hotspot runtime Synchronous signals during error reporting may terminate or hang VM process
29 JDK-8261397 hotspot runtime try catch Method failing to work when dividing an integer by 0
30 JDK-8262396 javafx graphics Update Mesa 3-D Headers to version 21.0.3
31 JDK-8266860 javafx media [macos] Incorrect duration reported for HLS live streams
32 JDK-8264737 javafx media JavaFX media stream stops playing after reconnecting via Remote Desktop
33 JDK-8267819 javafx media CoInitialize/CoUninitialize should be called on same thread
34 JDK-8268219 javafx media hlsprogressbuffer should provide PTS after GStreamer update
35 JDK-8269147 javafx media Update GStreamer to version 1.18.4
36 JDK-8268718 javafx media [macos] Video stops, but audio continues to play when stopTime is reached
37 JDK-8269131 javafx web Update libxml2 to version 2.9.12
38 JDK-8270479 javafx web WebKit 612.1 build fails with Visual Studio 2017
39 JDK-8272329 javafx web Cherry pick GTK WebKit 2.32.3 changes
40 JDK-8268849 javafx web Update to 612.1 version of WebKit
41 JDK-8274107 javafx web Cherry pick GTK WebKit 2.32.4 changes
42 JDK-8231558 javafx window-toolkit [macos] Platform.exit causes assertion error on macOS 10.15 or later
43 JDK-8268158 security-libs Partial backport of JDK-8214074
44 JDK-8156584 security-libs java.security Initialization race in sun.security.x509.AlgorithmId.get
45 JDK-8268128 security-libs java.security ProviderConfig deadlock in JDK 8u291
46 JDK-8225082 security-libs java.security Remove IdenTrust certificate that is expiring in September 2021
47 JDK-8238555 security-libs javax.crypto:pkcs11 Allow initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB
48 JDK-8163326 security-libs javax.net.ssl Update the default enabled cipher suites preference
49 JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability
50 JDK-8255255 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.2.1
51 JDK-8260690 tools jconsole JConsole User Guide Link from the Help menu is not accessible by keyboard
52 JDK-8268213 xml jax-ws Racecondition at ContextClassloaderLocal.java:45


Java SE 8u301 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u301 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u301 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-6801613 client-libs 2d Cross-platform pageDialog and printDialog top margin entry broken
JDK-8268965 security-libs javax.net.ssl TCP Connection Reset when connecting simple socket to SSL server

 

Changes in Java SE 8u301 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8261287 (Confidential) client-libs 2d Ductus renderer does not work properly on aarch64, all graphics primitives appear broken
JDK-8271206 (Confidential) deploy webstart Passing system property jnlp.sis.session requires multi-clicks
JDK-8271087 (Confidential) install install [macos] postinstall script should provide verbose output
JDK-8271854 core-libs java.nio Explicitly reclaim cached thread-local direct buffers at thread exit
JDK-8205540 core-svc debugger test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 commands

 

Changes in Java SE 8u301 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8268213 xml jax-ws Racecondition at ContextClassloaderLocal.java:45

Java™ SE Development Kit 8, Update 301 (JDK 8u301)

July 20, 2021

The full version string for this update release is 8u301-b09 (where "b" means "build"). The version number is 8u301.

IANA TZ Data 2021a

JDK 8u301 contains IANA time zone data 2021a.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u301 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u301-b09
7 7u311-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u301) be used after the next critical patch update scheduled for October 19, 2021.

Java SE Subscription customers managing JRE updates/installs for large numbers of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u301) on 2021-11-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/org.ietf.jgss:krb5
 Support cross-realm MSSFU

The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.

By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.

[1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94

See JDK-8005819

security-libs/java.security
 Customizing PKCS12 keystore Generation

New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.

Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256

See JDK-8076190

Removed Features and Options

security-libs/java.security
 Removed Root Certificates with 1024-bit Keys

The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:

+ alias name "thawtepremiumserverca [jdk]"

  Distinguished Name: EMAILADDRESS=premium-server@thawte.com, 
  CN=Thawte Premium Server CA, OU=Certification Services Division, 
  O=Thawte Consulting cc, 
  L=Cape Town, ST=Western Cape, C=ZA

+ alias name "verisignclass2g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, 
  OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
  OU=Class 2 Public Primary Certification Authority - G2, 
  O="VeriSign, Inc.", C=US

+ alias name "verisignclass3ca [jdk]"
  Distinguished Name: OU=Class 3 Public Primary Certification Authority, 
  O="VeriSign, Inc.", C=US

+ alias name "verisignclass3g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, 
  OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
  OU=Class 3 Public Primary Certification Authority - G2, 
  O="VeriSign, Inc.", C=US

+ alias name "verisigntsaca [jdk]"
  Distinguished Name: CN=Thawte Timestamping CA, 
  OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

+ alias name "gtecybertrustglobalca [jdk]"
  Distinguished Name:CN=GTE CyberTrust Global Root, 
  OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US 


See JDK-8243559

security-libs/java.security
 Removed Telia Company's Sonera Class2 CA certificate

The following root certificate has been removed from the cacerts truststore:

+ Telia Company

  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI
See JDK-8225081

Other Notes

install/install
 Updated List of Capabilities Provided by JDK RPMs

The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.

There are other rpms providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.

JDK-8263575 (not public)

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

deploy/webstart
 Java WebStart Protocol Registration After macOS Upgrade

On the macOS platform, custom URL protocol handlers such as Java WebStart (jnlp and jnlps URI schemes) are deregistered after an OS upgrade. If the Java WebStart application uses jnlp or jnlps URI scheme(s), it is recommended that you check their registration status after the OS upgrade. The registration status of the custom URL protocol handlers can be obtained via the 'lsregister' command.

For example:

lsregister -dump URLSchemeBinding | sort | grep 'jnlp|java|jar'

The Java WebStart protocol handler is registered and no-further action is required if the output of the above command contains the following lines:

jnlp: Java Network Launch Protocol (0x4680) (0x4682)
jnlps: Secure Java Network Launch Protocol (0x4684) (0x4686)

Otherwise, it is necessary to upgrade or reinstall the JRE in order to register the Java WebStart protocol.

JDK-8273858 (not public)

security-libs/java.security
 Upgraded the Default PKCS12 Encryption Algorithms

The default encryption algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

See JDK-8153005

security-libs/java.security
 Disable SHA-1 JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

See JDK-8196415

security-libs/javax.net.ssl
 Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.

See JDK-8254631

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8249142 client-libs java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
2 JDK-8166673 client-libs The new implementation of Robot.waitForIdle() may hang
3 JDK-8263311 client-libs 2d Watch registry changes for remote printers update instead of polling
4 JDK-8262829 client-libs 2d Native crash in Win32PrintServiceLookup.getAllPrinterNames()
5 JDK-8260380 client-libs 2d Upgrade to LittleCMS 2.12
6 JDK-6847157 client-libs 2d java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
7 JDK-8225105 client-libs java.awt java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10
8 JDK-8198335 client-libs java.awt java/awt/FullScreen/UninitializedDisplayModeChangeTest/UninitializedDisplayModeChangeTest.java fails in headless mode
9 JDK-6544871 client-libs java.awt java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
10 JDK-8196019 client-libs java.awt java/awt/Window/Grab/GrabTest.java fails on Windows
11 JDK-8224821 client-libs java.awt java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64
12 JDK-8215105 client-libs java.awt java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
13 JDK-8261231 client-libs java.awt Windows IME was disabled after DnD operation
14 JDK-7185258 client-libs java.awt [macOS] Deadlock in SunToolKit.realSync()
15 JDK-8240518 client-libs java.awt Incorrect JNU_ReleaseStringPlatformChars in Windows Print
16 JDK-8004148 client-libs java.awt NPE in sun.awt.SunToolkit.getWindowDeactivationTime
17 JDK-8262446 client-libs java.awt DragAndDrop hangs on Windows
18 JDK-8159898 client-libs java.beans Negative array size in java/beans/Introspector/Test8027905.java
19 JDK-8178403 client-libs javax.sound DirectAudio in JavaSound may hang and leak
20 JDK-8159135 client-libs javax.swing [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail
21 JDK-8264328 client-libs javax.swing Broken license in javax/swing/JComboBox/8072767/bug8072767.java
22 JDK-8240690 client-libs javax.swing Race condition between EDT and BasicDirectoryModel.FilesLoader.run0()
23 JDK-8239312 client-libs javax.swing [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
24 JDK-8196100 client-libs javax.swing javax/swing/text/JTextComponent/5074573/bug5074573.java fails
25 JDK-8177809 core-libs java.io File.lastModified() is losing milliseconds (always ends in 000)
26 JDK-8178161 core-libs java.net Default multicast interface on Mac
27 JDK-8263917 core-libs java.rmi Backout of 8049202 in 8u
28 JDK-8252883 core-libs java.util.logging AccessDeniedException caused by delayed file deletion on Windows
29 JDK-8262110 core-libs java.util:i18n DST starts from incorrect time in 2038
30 JDK-8255086 core-libs java.util:i18n Update the root locale display names
31 JDK-8247432 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-09-29
32 JDK-8241082 core-libs java.util:i18n Upgrade IANA Language Subtag Registry data to 03-16-2020 version
33 JDK-8242010 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-04-01
34 JDK-8073446 core-libs java.util:i18n TimeZone getOffset API does not return a DST offset between years 2038-2137
35 JDK-8258753 core-libs javax.naming StartTlsResponse.close() hangs due to synchronization issues
36 JDK-8247707 deploy plugin UAC prompt of unknown publisher after upgrading java 8u241
37 JDK-7123987 docs Request Documentation on JNLP/JNI with in 32-bit and 64-bit windows
38 JDK-8216154 hotspot compiler C4819 warnings at HotSpot sources on Windows
39 JDK-8211233 hotspot compiler MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better
40 JDK-8209420 hotspot compiler Track membars for volatile accesses so they can be properly optimized
41 JDK-8132148 hotspot gc G1 hs_err region dump legend out of sync with region values
42 JDK-8166607 hotspot gc G1 needs klass_or_null_acquire
43 JDK-8166862 hotspot gc CMS needs klass_or_null_acquire
44 JDK-8166229 hotspot gc Eliminate ParNew's use of klass_or_null()
45 JDK-8166663 hotspot gc Simplify oops_on_card_seq_iterate_careful
46 JDK-8166583 hotspot gc Add oopDesc::klass_or_null_acquire()
47 JDK-8165808 hotspot gc Add release barriers when allocating objects with concurrent collection
48 JDK-8260704 hotspot gc ParallelGC: oldgen expansion needs release-store for _end
49 JDK-8259271 hotspot gc gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
50 JDK-8257746 hotspot runtime Regression introduced with JDK-8250984 - memory might be null in some machines
51 JDK-8203345 javafx accessibility Memory leak in VirtualFlow when screen reader is enabled
52 JDK-8160554 javafx controls Wrong unit measure in CornerRadiiConverter
53 JDK-8185854 javafx controls NPE on non-editable ComboBox in TabPane with custom Skin
54 JDK-8266966 javafx controls Wrong CSS properties are applied to other nodes after fix for JDK-8204568
55 JDK-8204568 javafx controls Relative CSS-Attributes don't work all time
56 JDK-8239589 javafx graphics JavaFX UI will not repaint after reconnecting via Remote Desktop
57 JDK-8259046 javafx graphics ViewPainter.ROOT_PATHS holds reference to Scene causing memory leak
58 JDK-8258986 javafx graphics getColor throws IOOBE when PixelReader reads the same pixel twice
59 JDK-8259356 javafx media MediaPlayer's seek freezes video
60 JDK-8262365 javafx media Update GStreamer to version 1.18.3
61 JDK-8262366 javafx media Update glib to version 2.66.7
62 JDK-8268152 javafx media gstmpegaudioparse does not provides timestamps for HLS MP3 streams
63 JDK-8260246 javafx samples Ensemble: Update version of Lucene to 7.7.3
64 JDK-8259680 javafx scenegraph Need API to query states of CAPS LOCK and NUM LOCK keys
65 JDK-8264990 javafx web WebEngine crashes with segfault when not loaded through system classloader
66 JDK-8259555 javafx web Webkit crashes on Apple Silicon
67 JDK-8263788 javafx web JavaFX application freezes completely after some time when using the WebView
68 JDK-8261927 javafx web WebKit build fails with Visual Studio 2017
69 JDK-8260245 javafx web Update ICU4C to version 68.2
70 JDK-8251555 javafx window-toolkit Remove unused focusedWindow field in glass Window to avoid leak
71 JDK-8263169 javafx window-toolkit [macOS] JavaFX windows open as tabs when system preference for documents is set
72 JDK-8266293 security-libs Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
73 JDK-8263817 security-libs java.security java.util.MissingResourceException if add cert with GOST key in cacerts
74 JDK-8218553 security-libs java.security Enhance keystore load debug output
75 JDK-8243559 security-libs java.security Remove root certificates with 1024-bit keys
76 JDK-8225081 security-libs java.security Remove Telia Company CA certificate expiring in April 2021
77 JDK-8153005 security-libs java.security Upgrade the default PKCS12 encryption/MAC algorithms
78 JDK-8267599 security-libs java.security Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
79 JDK-8214513 security-libs java.security A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11
80 JDK-8202837 security-libs java.security PBES2 AlgorithmId encoding error in PKCS12 KeyStore
81 JDK-8267100 security-libs java.security [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs
82 JDK-8196415 security-libs java.security Disable SHA-1 Signed JARs
83 JDK-8076190 security-libs java.security Customizing the generation of a PKCS12 keystore
84 JDK-8260300 security-libs javax.net.ssl Restrict TLS signature schemes in 8u
85 JDK-8254631 security-libs javax.net.ssl Better support ALPN byte wire values in SunJSSE
86 JDK-8005819 security-libs org.ietf.jgss:krb5 Support cross-realm MSSFU
87 JDK-8180478 tools tools/launcher/MultipleJRE.sh fails on Windows because of extra-''
88 JDK-8260568 xml Xerces version string output does not match actual version in JDK
89 JDK-8235368 xml jaxp Update BCEL to Version 6.4.1
90 JDK-8213734 xml org.xml.sax SAXParser.parse(File, ..) does not close resources when Exception occurs.


Java SE 8u291 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u291 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u291 b35

Bug Fixes

BugId Component Subcomponent Summary
JDK-8268128 security-libs java.security ProviderConfig deadlock in JDK 8u291

 

 

Changes in Java SE 8u291 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability
JDK-8266943 (Confidential) install install Request to reinstate MacOS JRE pkg.dmg binary bundle
JDK-8267429 (Confidential) infrastructure release_eng MacOS JRE pkg.dmg binary bundle reinstated

 

 

Changes in Java SE 8u291 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8258753 core-libs javax.naming StartTlsResponse.close() hangs due to synchronization issues
JDK-8263788 javafx web JavaFX application freezes completely after some time when using the WebView
JDK-8185854 javafx controls NPE on non-editable ComboBox in TabPane with custom Skin
JDK-8260300 security-libs javax.net.ssl Restrict TLS signature schemes in 8u

 

 

Changes in Java SE 8u291 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8239589 javafx graphics JavaFX UI will not repaint after reconnecting via Remote Desktop

Java™ SE Development Kit 8, Update 291 (JDK 8u291)

April 20, 2021

The full version string for this update release is 1.8.0_291-b10 (where "b" means "build"). The version number is 8u291.

IANA TZ Data 2020e, 2020f, 2021a

JDK 8u291 contains IANA time zone data 2020e, 2020f, 2021a.

  • * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
  • * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u291 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_291-b10
7 1.7.0_301-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u291) be used after the next critical patch update scheduled for July 20, 2021.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u291) on 2021-08-20. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Other Notes

core-libs/javax.naming
 New System and Security Properties to Control Reconstruction of Remote Objects by JDK's Built-in JNDI RMI and LDAP Implementations

jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.

com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of java objects from the javaSerializedData LDAP attribute. To prevent deserialization of java objects from the attribute, the system property can be set to false value. By default, deserialization of java objects from the javaSerializedData attribute is allowed.

JDK-8244473 (not public)

security-libs/java.security
 Added 2 HARICA Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ HARICA

  + haricarootca2015
    DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

  + haricaeccrootca2015
    DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
See JDK-8256421

install/install
 Default java Version Is Not Updated for Double Click jar Execution

Oracle JRE installers will update the PATH environment variable with their directory behind any already put in place by other Oracle JDK installers.

See JDK-8259215

security-libs/javax.net.ssl
 Disable TLS 1.0 and 1.1

TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

See JDK-8202343

deploy
 Disable TLS 1.0 and 1.1 for Java Plugin Applets and Java Web Start Applications

TLS 1.0 and 1.1 have been disabled. These protocols are NOT used by Java Plugin applets and Java Web Start applications by default. In case of any issues there is an option to re-enable the protocols via Java Control Panel.

JDK-8255892 (not public)

core-libs/java.lang
 Less Ambiguous Processing of ProcessBuilder Quotes on Windows

In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands property can be set to true: jdk.lang.Process.allowAmbiguousCommands=true or false. If left unset, it is the same as setting it to true.

JDK-8250568 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8244621 client-libs 2d [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11
2 JDK-8258805 client-libs java.awt Japanese characters not entered by mouse click on Windows 10
3 JDK-8212678 client-libs java.awt Windows IME related patch
4 JDK-8239137 client-libs javax.accessibility JAWS does not always announce the value of JSliders in JColorChooser
5 JDK-8249588 client-libs javax.accessibility libwindowsaccessbridge issues on 64bit Windows
6 JDK-8255880 client-libs javax.swing UI of Swing components is not redrawn after their internal state changed
7 JDK-8250627 core-libs Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
8 JDK-8251397 core-libs java.lang NPE on ClassValue.ClassValueMap.cacheArray
9 JDK-7146776 core-libs java.net Deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
10 JDK-8247766 hotspot compiler AArch64: guarantee(val < (1U << nbits)) failed: Field too big for insn
11JDK-8252482hotspotcompilerdisable cbcond instructions on SPARC64
12 JDK-8243290 hotspot runtime Improve diagnostic messages for class verification and redefinition failures
13 JDK-8257168 hotspot runtime Use SkippedException instead of RuntimeException for docker not able to pull the repository
14 JDK-8260159 install install Typo in Javapath.cpp
15 JDK-8260190 install install Incomplete JDK-8259215 fix
16 JDK-8259215 install install Default Java version is not updated for double click jar execution
17 JDK-8242565 security-libs java.security Policy initialization issues when the denyAfter constraint is enabled
18 JDK-8244154 security-libs javax.crypto:pkcs11 Update SunPKCS11 provider with PKCS11 v3.0 header files
19 JDK-8240871 security-libs javax.net.ssl SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3
20 JDK-8257997 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
21 JDK-8253368 security-libs javax.net.ssl TLS connection always receives close_notify exception
22 JDK-8202343 security-libs javax.net.ssl Disable TLS 1.0 and 1.1
23 JDK-8256818 security-libs javax.net.ssl SSLSocket that is never bound or connected leaks socket resources
24 JDK-8257670 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
25 JDK-8255559 security-libs javax.xml.crypto Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
26 JDK-8261970 xml reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271
27 JDK-8256685 xml jaxp Behavior change in XML since JDK 8u271
28 JDK-8249867 xml jaxp XML declaration is not followed by a newline


Java SE 8u281 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u281 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u281 b35

Bug Fixes

BugId Component Subcomponent Summary
JDK-8204568 javafx controls Relative CSS-Attributes don't work all time
JDK-8262829 client-libs 2d Native crash in Win32PrintServiceLookup.getAllPrinterNames()
JDK-8262940 (Confidential) install [macOS] Java Webstart protocol schemes not registered by JRE installer on macOS
JDK-8247707 deploy plugin UAC prompt of unknown publisher after upgrading java 8u241
JDK-8263575 (Confidential) install install Conflict between JDK rpms and OL8 Modularity prevents dnf install/updates
JDK-8263842 (Confidential) install install Clean up "Provides" tag of OracleJDK/JRE rpms

 

Changes in Java SE 8u281 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8261970 xml reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271

 

Changes in Java SE 8u281 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259680 javafx scenegraph Need API to query states of CAPS LOCK and NUM LOCK keys
JDK-8258803 xml WLS/Tuxedo error in encoding post JDK upgrade
JDK-8261209 xml jaxp isStandalone property: remove dependency on pretty-print
JDK-8249867 xml jaxp xml declaration is not followed by a newline

 

Changes in Java SE 8u281 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259048 core-libs java.time (tz) Upgrade time-zone data to tzdata2020f
JDK-8259215 install install default java version is not updated for double click jar execution

 

Changes in Java SE 8u281 b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8256925 (Confidential) security-libs java.security Regression with JDK-8236464 in Oracle 8u271
JDK-8256818 security-libs javax.net.ssl SSLSocket that is never bound or connected leaks socket resources
JDK-8257670 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
JDK-8257884 security-libs javax.net.ssl Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test
JDK-8257997 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
JDK-8256004 (Confidential) deploy plugin DRS: Can not run applet in DRS with java 6 after 8u261 upgrade
JDK-8258373 client-libs javax.swing Update the text handling in the JPasswordField
JDK-8253368 security-libs javax.net.ssl TLS connection always receives close_notify exception

Java™ SE Development Kit 8, Update 281 (JDK 8u281)

January 19, 2021

The full version string for this update release is 1.8.0_281-b09 (where "b" means "build"). The version number is 8u281.

IANA Data 2020d

JDK 8u281 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u281 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_281-b09
7 1.7.0_291-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u281) be used after the next critical patch update scheduled for April 20, 2021.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u281) on May 15, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/java.security
 -groupname Option Added to keytool Key Pair Generation

A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.

See JDK-8213400

security-libs/javax.xml.crypto
 Apache Santuario Library Updated to Version 2.1.4

The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size has been introduced.

This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size system property used in Apache Santuario and has the same default value of 20.

See JDK-8231507

security-libs/javax.net.ssl
 Support for certificate_authorities Extension

The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.

Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.

Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.

See JDK-8206925

Other Notes

 

deploy/deployment_toolkit
 Disk Access From Java Control Panel on macOS

Starting from macOS Catalina 10.15, applications do not have access to the Desktop, Documents and Downloads folders. So, if you use JavaControlPanel app to access files at the locations specified above, (such as load certificates from the Downloads folder) you must either move the files to another location or grant the required permissions to the JavaControlPanel app.

The steps to required to grant the permissions to JavaControlPanel are provided below:

1. On your Mac, open the Apple menu, click System Preferences, click Security & Privacy, then click Privacy.

2. Select Full Disk Access and click +.

3. In Applications, navigate to the System Preferences app (Applications > System Preferences), and click Open.

Note: You must grant permissions to the System Preferences app because the JavaControlPanel app is a part of that application on macOS.

JDK-8265416 (not public)

core-libs/java.time
 JDK time-zone data upgraded to tzdata2020d

The JDK update incorporates tzdata2020d. The main change is

  • Palestine ends DST earlier than predicted, on 2020-10-24.

Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.

See JDK-8255226

core-libs/java.time
 JDK time-zone data upgraded to tzdata2020c

The JDK update incorporates tzdata2020c. The main change is

  • Fiji starts DST later than usual, on 2020-12-20.

Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.

See JDK-8254982

core-libs/java.time
 US/Pacific-New Zone Name Removed as Part of tzdata2020b

Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.

Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html

See JDK-8254177

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8209113 client-libs 2d Use WeakReference for lastFontStrike for created Fonts
2 JDK-8245400 client-libs 2d Upgrade to LittleCMS 2.11
3 JDK-8198334 client-libs java.awt java/awt/FileDialog/8003399/bug8003399.java fails in headless mode
4 JDK-8232114 client-libs java.awt JVM crashed at imjpapi.dll in native code
5 JDK-8252470 client-libs java.awt java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
6 JDK-8240633 client-libs javax.swing Memory leaks in the implementations of FileChooserUI
7 JDK-8253072 core-libs XERCES version is displayed incorrect
8 JDK-8069211 core-libs java.nio (zipfs) ZipFileSystem creates corrupted zip if entry output stream gets closed more than once
9 JDK-8242480 core-svc java.lang.management Negative value may be returned by getFreeSwapSpaceSize() in the docker
10 JDK-8252789 deploy deployment_toolkit Empty client certificate issue during TLS handshake
11 JDK-8253695 docs guides JDK 8 Install Guide - 8u RPM Installer Failed to Install on SUSE When Updating Alternatives
12 JDK-8255558 docs guides InstallGuide: Update documentation of JDK RPM installation steps
13 JDK-8250665 globalization locale-data Wrong translation for the month of May in ar_JO, ar_LB and ar_SY
14 JDK-8146612 hotspot compiler C2: Precedence edges specification violated
15 JDK-8160006 hotspot compiler Fix AArch64 after changes made by 8151661
16 JDK-8214862 hotspot compiler assert(proj != __null) at compile.cpp:3251
17 JDK-8248214 hotspot gc Add paddings for TaskQueueSuper to reduce false-sharing cache contention
18 JDK-8185348 hotspot jvmti Major performance regression in GetMethodDeclaringClass and other JVMTI Method functions
19 JDK-8140091 hotspot runtime remove VMStructs cast_uint64_t workaround for GCC 4.1.1 bug
20 JDK-8148854 hotspot runtime Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
21 JDK-8217338 hotspot runtime [Containers] Improve systemd slice memory limit support
22 JDK-8217766 hotspot runtime Container Support doesn't work for some Join Controllers combinations
23 JDK-8221408 hotspot runtime Windows 32bit build build errors/warnings in hotspot
24 JDK-8221725 hotspot runtime AArch64 build failures after JDK-8221408 (Windows 32bit build build errors/warnings in hotspot)
25 JDK-8227006 hotspot runtime [linux] Runtime.availableProcessors execution time increased by factor of 100
26 JDK-8246648 hotspot runtime issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480
27 JDK-8247839 javafx graphics Wrong position of GUI elements using multiple HiDPI displays in JavaFX 8
28 JDK-8252060 javafx media gstreamer fails to build with gcc 10
29 JDK-8254100 javafx other FX: Update copyright year in docs, readme files to 2021
30 JDK-8181775 javafx web JavaFX WebView does not calculate border-radius properly
31 JDK-8234471 javafx web Canvas in webview displayed with wrong scale on Windows
32 JDK-8251241 javafx window-toolkit macOS: iconify property doesn't change after minimize when resizable is false
33 JDK-8244151 security-libs javax.smartcardio Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26

Java SE 8u271 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u271 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u271 b37

Bug Fixes

BugId Component Subcomponent Summary
JDK-8256818 security-libs javax.net.ssl SSLSocket that is never bound or connected leaks socket resources
JDK-8257670 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
JDK-8257997 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
JDK-8255908 core-libs ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem
JDK-8250627 core-libs Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
JDK-8256685 xml jaxp Behavior change in XML since jdk1.8.0_271
JDK-8238579 core-libs java.net HttpsURLConnection drops the timeout and hangs forever in read
JDK-8254982 core-libs java.time (tz) Upgrade time-zone data to tzdata2020c
JDK-8255226 core-libs java.time (tz) Upgrade time-zone data to tzdata2020d
JDK-8250984 hotspot runtime Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities

 

 

Changes in Java SE 8u271 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8255559 security-libs javax.xml.crypto Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()

 

Changes in Java SE 8u271 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8253502 (Confidential) hotspot svc No certificates in "Request Authentication" dialog after upgrading to 8u261
JDK-8252455 (Confidential) core-libs java.net Performance issue caused by 8232854
JDK-8206925 security-libs javax.net.ssl Support the certificate_authorities extension
JDK-8250676 (Confidential) hotspot svc JFR recording MonitorEnter events - Stack trace caching

 

Changes in Java SE 8u271 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8254177 core-libs java.time (tz) Upgrade time-zone data to tzdata2020b.

Java™ SE Development Kit 8, Update 271 (JDK 8u271)

October 20, 2020

The full version string for this update release is 1.8.0_271-b09 (where "b" means "build"). The version number is 8u271.

IANA Data 2020a

JDK 8u271 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u271 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_271-b09
7 1.7.0_281-b06

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u271) be used after the next critical patch update scheduled for January 19, 2021.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u271) on February 20, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/java.security
 Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.

With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.

To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.

Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448

See JDK-8233228

security-libs/org.ietf.jgss:krb5
 Support for Kerberos Cross-Realm Referrals (RFC 6806)

The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.

As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).

Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.

See further information in JDK-8223172.

See JDK-8215032

security-libs/javax.net.ssl
 Improve Certificate Chain Handling

A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).

A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.

JDK-8245417 (not public)

security-libs/java.security
 Tools Warn If Weak Algorithms Are Used

The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.

See JDK-8172404

security-libs/org.ietf.jgss:krb5
 Support for canonicalize in krb5.conf

The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.

The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).

See JDK-8239385

Removed Features and Options

deploy/plugin
 Java Plugin is Removed from JDK 8u for Linux, Solaris, and MacOS Platforms

NPAPI is considered to be a vulnerable plugin and has been disabled in many browsers. No browsers currently support Java Plugin, which is NPAPI-based, on Linux, Solaris, and MacOS platforms.

Starting from 8u271, the part of Java Plugin responsible for integration and interaction with a browser (in particular libnpjp2 library) and an associated artifact will not be built and is not part of the JRE distribution on Linux, Solaris, and MacOS platforms.

JDK-8240210 (not public)

Other notes

core-libs/javax.naming
 Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections

A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.

The value of the property, which is by default not set, is a comma separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' ( i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.

The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.

Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.

JDK-8237990 (not public)

security-libs/java.security
 Added 3 SSL Corporation Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ SSL Corporation

  + sslrootrsaca
    DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrootevrsaca
    DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrooteccca
    DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
See JDK-8243320

security-libs/java.security
 Added Entrust Root Certification Authority - G4 certificate

The following root certificate has been added to the cacerts truststore:

+ Entrust

  + entrustrootcag4
    DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", 
        OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
See JDK-8243321

install
 8u RPM Installer Failed to Install on SUSE When Updating Alternatives

Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java and javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac group with alternatives framework. All links unique to the javac group have been moved into the java group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.

The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command:

/usr/sbin/alternatives --auto java

JDK-8240919 (not public)

install
 [macos] Invisible (or Hidden) Text in the Installer Window Using Mac's Dark Mode

Some text in the Installer window is hidden/invisible when using Dark mode on macOS. To workaround this issue, switch to Light mode when running the installer. This issue should be resolved by JDK-8249683.

See JDK-8249683

core-libs/java.io:serialization
 Enhanced Support of Proxy Class

The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit. The limit is the maximum number of interfaces allowed per Proxy in the stream. Setting the limit to zero prevents any Proxies from being deserialized including Annotations, a limit of less than 2 might interfere with RMI operations.

JDK-8236862 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8198406 client-libs 2d Test TestAATMorxFont is unstable
2 JDK-8220150 client-libs 2d [macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
3 JDK-8236996 client-libs 2d Incorrect Roboto font rendering on Windows with subpixel antialiasing
4 JDK-8244818 client-libs 2d [macos] Java2D Queue Flusher crash while moving application window to external monitor
5 JDK-6966205 client-libs java.awt closed/sun/awt/font/DeriveFont.java failed with compilation error
6 JDK-8183286 client-libs java.awt Some java/awt and javax/swing tests miss headful jtreg keyword
7 JDK-8198612 client-libs java.awt Headful closed tests should not be run in headless mode
8 JDK-8030123 client-libs java.beans java/beans/Introspector/Test8027648.java fails
9 JDK-8060027 client-libs java.beans Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java
10 JDK-8156579 client-libs java.beans Two JavaBeans tests failed
11 JDK-8156581 client-libs java.beans Cleanup of ProblemList.txt
12 JDK-8249278 client-libs javax.accessibility Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
13 JDK-8183341 client-libs javax.imageio Better cleanup for javax/imageio/AllowSearch.java
14 JDK-8183349 client-libs javax.imageio Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
15 JDK-8183351 client-libs javax.imageio Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh
16 JDK-7109623 client-libs javax.sound javax/sound/sampled/DirectAudio/bug6372428.java failed
17 JDK-8047222 client-libs javax.sound Test closed/javax/sound/sampled/Clip/bug6251460.java fails if run with 32-bit java on Windows 64-bit host
18 JDK-8148983 client-libs javax.sound Fix extra comma in changes for JDK-8148916
19 JDK-8153725 client-libs javax.sound Problem list javax/sound/sampled/DirectAudio/bug6400879.java for Linux
20 JDK-8156169 client-libs javax.sound Some sound tests rarely hangs because of incorrect synchronization
21 JDK-8160217 client-libs javax.sound JavaSound should clean up resources better
22 JDK-6962725 client-libs javax.swing Regtest javax/swing/JFileChooser/6738668/bug6738668.java fails under Linux
23 JDK-8198004 client-libs javax.swing javax/swing/JFileChooser/6868611/bug6868611.java throws error
24 JDK-8198321 client-libs javax.swing javax/swing/JEditorPane/5076514/bug5076514.java fails
25 JDK-8249251 client-libs javax.swing [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
26 JDK-8168517 core-libs java.lang java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed"
27 JDK-8151788 core-libs java.net NullPointerException from ntlm.Client.type3
28 JDK-8192953 core-svc java.lang.management sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied
29 JDK-8242884 deploy plugin 8u241 32 bit SSV Helper causes long load time and page load on IE11
30 JDK-8145096 hotspot compiler Undefined behaviour in HotSpot
31 JDK-8215265 hotspot compiler C2: range check elimination may allow illegal out of bound access
32 JDK-8023697 hotspot runtime failed class resolution reports different class name in detail message for the first and subsequent times
33 JDK-8048933 hotspot runtime -XX:+TraceExceptions output should include the message
34 JDK-8064319 hotspot runtime Need to enable -XX:+TraceExceptions in release builds
35 JDK-8235243 hotspot runtime handle VS2017 15.9 and VS2019 in abstract_vm_version
36 JDK-8240295 hotspot runtime hs_err elapsed time in seconds is not accurate enough
37 JDK-8193800 javafx controls TreeTableView selection changes on sorting
38 JDK-8129582 javafx graphics Controls slow considerably when displaying RTL-languages text on Linux
39 JDK-8246204 javafx graphics No 3D support for newer Intel graphics drivers on Linux
40 JDK-8246348 javafx graphics Crash in libpango on Ubuntu 20.04 with some unicode chars
41 JDK-8239095 javafx media Upgrade libFFI to the latest 3.3 version
42 JDK-8248365 javafx media Debug build crashes on Windows when playing media file
43 JDK-8252107 javafx media Media pipeline initialization can crash if audio or video bin state change fails
44 JDK-8191758 javafx web Match WebKit's font weight rendering with JavaFX
45 JDK-8208169 javafx web can not print selected pages of web page
46 JDK-8245284 javafx web Update to 610.1 version of WebKit
47 JDK-8246357 javafx web Allow static build of webkit library on linux
48 JDK-8247963 javafx web Update SQLite to version 3.32.3
49 JDK-8249839 javafx web Cherry pick GTK WebKit 2.28.3 changes
50 JDK-8252381 javafx web Cherry pick GTK WebKit 2.28.4 changes
51 JDK-8248490 javafx window-toolkit [macOS] Undecorated stage does not minimize
52 JDK-8141457 security-libs java.security keytool default cert fingerprint algorithm should be SHA-256
53 JDK-8211049 security-libs java.security Second parameter of "initialize" method is not used
54 JDK-8242556 security-libs java.security Cannot load RSASSA-PSS public key with non-null params from byte array
55 JDK-8245151 security-libs java.security jarsigner should not raise duplicate warnings on verification
56 JDK-8205111 security-libs javax.net.ssl Develop new Test to verify different key types for supported TLS protocols.
57 JDK-8215443 security-libs javax.net.ssl The use of TransportContext.fatal() leads to bad coding style
58 JDK-8236464 security-libs javax.net.ssl SO_LINGER option is ignored by SSLSocket in JDK 11
59 JDK-8226719 security-libs org.ietf.jgss Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message"
60 JDK-8227381 security-libs org.ietf.jgss GSS login fails with PREAUTH_FAILED
61 JDK-8227437 security-libs org.ietf.jgss:krb5 S4U2proxy cannot continue because server's TGT cannot be found
62 JDK-8246193 security-libs org.ietf.jgss:krb5 Possible NPE in ENC-PA-REP search in AS-REQ
63 JDK-8250582 security-libs org.ietf.jgss:krb5 Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
64 JDK-8249717 tools javac langtools tests are failing on Windows in jdk8u-cpu
65 JDK-8248348 xml jaxp Regression caused by the update to BCEL 6.0

Java SE 8u261 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u261 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u261 b36

Bug Fixes

BugId Component Subcomponent Summary
8252789 deploy deployment_toolkit Empty client certificate issue during TLS handshake
8249183 client-libs java.awt JVM crash in "AwtFrame::WmSize" method
8249846 core-libs java.util.concurrent Change of behavior after JDK-8237117: Better ForkJoinPool behavior
8252861 deploy Disable TLSv1.3 by default on deploy configurations

Changes in Java SE 8u261 b34

Bug Fixes

BugId Component Subcomponent Summary
8247839 javafx graphics Wrong position of GUI elements using multiple HiDPI displays in JavaFX 8
8193800 javafx controls TreeTableView selection changes on sorting

Changes in Java SE 8u261 b33

Bug Fixes

BugId Component Subcomponent Summary
8248505 security-libs java.security Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
8248990 (Confidential) docs guides Remove link to old license page from JDK 8 troubleshooting guide
8248523 (Confidential) docs guides In TLS overview page, change JDK 11 to JDK 8
8235932 (Confidential) docs guides Backport TLS 1.3 documentation for JDK 8u MR3
8245624 (Confidential) embedded hotspot Arm support missing for JDK-8176100
8062947 core-libs javax.naming Fix exception message to correctly represent LDAP connection failure
8217606 core-libs javax.naming LdapContext#reconnect always opens a new connection
8151678 core-libs javax.naming com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
8243138 core-libs javax.naming Enhance BaseLdapServer to support starttls extended request
8247925 (Confidential) xml jaxp JDK8u251- XSL transformer fails with TransformerConfigurationException

Java™ SE Development Kit 8, Update 261 (JDK 8u261)

July 14, 2020

The full version string for this update release is 1.8.0_261-b12 (where "b" means "build"). The version number is 8u261.

IANA Data 2020a

JDK 8u261 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u261 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_261-b12
7 1.7.0_271-b10

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u261) be used after the next critical patch update scheduled for October 20, 2020.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u261) on November 17, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

hotspot/runtime
 JDK/JRE Runtime Windows Visual Studio Library (DLL) Dependency Changes

As part of ongoing maintenance, the Microsoft Visual Studio 2017 tool chain will be used to build JDK 7 and JDK 8 for Windows. JDK 8u261, in the July 2020 CPU, was built with Visual Studio 2017. With the release of the January 2021 CPU, JDK 7u291 will move to Visual Studio 2017.

Moving to Visual Studio 2017 for JDK 7 and JDK 8 requires changing the runtime library that the JDK/JRE depends on. Before this change, JDK/JRE implementations used and shipped the Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) that included MSVCR100.dll [a][b]. Microsoft Visual Studio 2017 uses a different set of libraries/DLLs.

Native applications (including JNI) that have depended on and assumed the presence of MSCVR100.dll in the JDK/JRE directory will fail to run. When this happens, users will see an error such as:

"The code execution cannot proceed because MSVCR100.dll was not found. Reinstalling the program may fix this problem."

These applications should be rebuilt and shipped with modern C++ runtime dependencies that use a later instance of Visual Studio. Applications should not depend on DLLs included with the JDK/JRE that are not documented in the product as offering support for the specification or other functionality in Java SE.

[a] http://support.microsoft.com/kb/2019667

[b] https://docs.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2020

JDK-8246783 (not public)

security-libs/javax.net.ssl
 TLS Support for RSASSA-PSS Signature Algorithms

Added support for RSASSA-PSS signature algorithms in JSSE implementation.

See JDK-8166595

security-libs/javax.net.ssl
 JEP 332: Transport Layer Security (TLS) 1.3

JDK 8u261 includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). For more details including a list of the features that are supported, refer to the Java Secure Socket Extension (JSSE) Reference Guide documentation and JEP 332.

For TLS 1.3, the following new standard algorithm names are defined:

  1. TLS protocol version name: TLSv1.3
  2. SSLContext algorithm name: TLSv1.3
  3. TLS cipher suite names for TLS 1.3: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384

TLS 1.3 is disabled for default SSLContext("SSL" or "TLS") for client end-point.

The TLS 1.3 protocol can be enabled using several mechanisms already available in the JDK. For example, TLS 1.3 protocol can be enabled on SSL/TLS connections using SSLSocket/SSLEngine/SSLServerSocket APIs and system properties by the following:

  1. sslSocket.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2"});
  2. Setting up and using a TLSv1.3 based SSLContext : SSLContext ctx = SSLContext.getInstance("TLSv1.3");
  3. Using the SSLParameters API: sslParameters.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
  4. The jdk.tls.client.protocols system property can also be used to control the protocols in use for a TLS connection. One may launch their application with this property. For example, java -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2" enables TLSv1.3 and TLSv1.2 on client SSLSockets.
  5. The https.protocols system property can also be used to control the protocols on connection obtained through use of the HttpsURLConnection class or URL.openStream() operations. For example, -Dhttps.protocols=TLSv1.3,TLSv1.2.

A new system property, jdk.tls.server.protocols, has been added to configure the default enabled protocol suite in the server side of the SunJSSE provider.

A new security property, jdk.tls.keyLimits, has been added for TLS 1.3. When the specified amount of data of a specific algorithm has been processed, a post-handshake Key and IV Update is triggered to derive new keys.

Note that TLS 1.3 is not directly compatible with previous versions. Although TLS 1.3 can be implemented with a backward-compatibility mode, there are still several compatibility risks to take into account when upgrading to TLS 1.3:

  1. TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there might be compatibility issues when upgrading to TLS 1.3. A new system property, jdk.tls.acknowledgeCloseNotify, is added. The default value of the system property is "false". If the system property is set to "true", a corresponding close_notify alert will be sent when receiving a close_notify alert, and the connection will be duplex closed.
  2. The signature_algorithms_cert extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application can use unsupported signature algorithms.
  3. The DSA signature algorithm is not supported in TLS 1.3. If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.
  4. The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions. If an application hard-codes cipher suites that are no longer supported, it cannot use TLS 1.3 without modifying the application code.
  5. The TLS 1.3 session resumption and key update behaviors are different from TLS 1.2 and prior versions. The compatibility impact should be minimal; however, there could be a risk if an application depends on the handshake details of the TLS protocols.
  6. The legacy com.sun.net.ssl.dhKeyExchangeFix system property has been removed from the new TLS implementation.

Improved JSSE debug logging format has been introduced to record the logger name, the logger level, the thread ID, the thread name, the time and the caller for each log item. Use the javax.net.debug=all system property to get full debug logs.

See JDK-8145252

security-libs/javax.crypto
 JCE Jurisdiction Policy Files updated

Since January 2018 (8u161, 7u171) unlimited Java Cryptography Extension (JCE) Jurisdiction Policy files have been bundled with the JDK and enabled by default (see JDK Cryptographic Roadmap).

The certificate for the old stand alone jar has expired, and if used the following exception will be seen:

Caused By: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.) at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:336) at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378) at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323) at javax.crypto.JceSecurity.access$000(JceSecurity.java:50) at javax.crypto.JceSecurity$1.run(JceSecurity.java:85) at java.security.AccessController.doPrivileged(Native Method) at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)

If still required for older releases the re-signed files can be found at https://www.oracle.com/java/technologies/oracle-java-archive-downloads.html

JDK-8245319 (not public)

security-libs/javax.net.ssl
 New System Properties to Configure the TLS Signature Schemes

Two new system properties have been added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes has been added for the TLS client side, and jdk.tls.server.SignatureSchemes has been added for the server side.

Each system property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections.

The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.

See JDK-8242141

security-libs/javax.net.ssl
 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS

The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHE to false.

See JDK-8140436

infrastructure
 Toolchain Upgrade to Xcode 10.1

Build Environment Update for macOS Moved to Xcode 10.1 On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.

JDK-8232007 (not public)

Removed Features and Options

security-libs/java.security
Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts keystore:

  • alias name "keynectisrootca [jdk]"

    Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

See JDK-8225068

Other Notes

javafx/media
 Media Playback Does Not Work on Ubuntu 20.04

Media playback does not work on Ubuntu 20.04. This affects all media formats (such as, mp4, mp3, wav, etc.). In some cases, an error will be thrown. In other cases, the media player will switch to the ready state, but playback will not start. There is no workaround for this issue. This issue should be resolved by JDK-8239095.

JDK-8245501 (not public)

core-libs/java.util:collections
 Better Listing of Arrays

The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be (aware of/monitor) the significant resources required involved in making the copy.

JDK-8231800 (not public)

security-libs/javax.net.ssl
 Problem looking up Client Certificates in keystore

Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication. One key type per call. https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-

If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all keytypes are passed in the keyType String array in the first call to chooseClientAlias: String chooseClientAlias​(String[] keyType, Principal[] issuers, Socket socket)

See JDK-8261624

install/install
 Java Mission Control Is No Longer Bundled With the JDK

This version of the JDK no longer includes Java Mission Control (JMC). The jmc launcher has been removed from the JDK bin directory, and the missioncontrol directory has been removed from the JDK lib directory. The .jfr file association is not registered by JDK installers. JMC is now available as a separate download. Please visit https://www.oracle.com/javase/jmc for more information.

JDK-8244662 (not public)

docs/release_notes
 SSL Handshake Issues Encountered Post Upgrade to 8u261

JDK 8u261 release includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). The following are descriptions of "Known Issues" which an application might encounter during a SSL handshake, post upgrade to Oracle JDK/JRE 8u261:

  1. SSL handshake fails on client side with an exception message "Received fatal alert: handshake_failure"
javax.net.ssl|SEVERE|C8|....|TransportContext.java:319|Fatal (HANDSHAKE_FAILURE): Received fatal

alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:187)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1198)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1107)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:372)

Cause: One possible cause is old server intolerance to FFDHE arguments. As per TLS RFC 7919 on server behavior If a compatible TLS server receives a Supported Groups extension from a client that includes any FFDHE group (i.e., any codepoint between 256 and 511, inclusive, even if unknown to the server), and if none of the client-proposed FFDHE groups are known and acceptable to the server, then the server MUST NOT select an FFDHE cipher suite. In this case, the server SHOULD select an acceptable non-FFDHE cipher suite from the client's offered list. If the extension is present with FFDHE groups, none of the client's offered groups are acceptable by the server, and none of the client's proposed non-FFDHE cipher suites are acceptable to the server, the server MUST end the connection with a fatal TLS alert of type insufficient_security(71).

Solution: In Oracle JDK 8u261, Finite Field Diffie-Hellman Ephemeral (FFDHE) is enabled by default. User can disable FFDHE via security property "-Djsse.enableFFDHE=false on the server (See JDK-8252716)

  1. Post upgrade to 8u261 client application encounters close_notify exception during a ClientHello SSL handshake.
javax.net.ssl.SSLProtocolException: Received close_notify during handshake


       at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
        at sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at sun.security.ssl.SSLTransport.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown

Cause: In case of an SSL abbreviated handshake (session resumption) SSL client is adding extra extensions than the agreed protocol's supported extensions. While it is TLS RFC complaint, some old non-compliant server implementations may reject this ClientHello.

Solution: As a work around specify System property -Djdk.tls.client.protocols= or use setEnabledProtocols API to set on the client end to mitigate the issue.

  1. On upgrade to 8u261, under certain conditions user application may observe higher CPU utilization and slower response time.

Following method reference count would increase in memory profilers

   HashMap$Node[] java.util.HashMap.resize()

   void sun.security.ssl.SSLSessionContextImpl.put(SSLSessionImpl)
   void sun.security.util.MemoryCache.put(Object, Object)
   Object java.util.HashMap.put(Object, Object)
   Object java.util.HashMap.putVal(int, Object, Object, boolean, boolean)
   HashMap$Node[] java.util.HashMap.resize()

Cause: In 8u261, System Property SSLSessionContext.getSessionCacheSize default value was changed from 0 to 20480 ( see JDK-8210985 ) The change was made since with larger heaps, applications are running into situations where the cache ends up with several million entries at the 24 hour mark, at which time many of them are invalidated at almost the same time, which can result in multi-minute pauses, which are effectively service failures.

Solution: Revert back to JDK 8u251 behaviour by setting System Property "-Djavax.net.ssl.sessionCacheSize=0" (set number of entries in the SSL session cache to infinite)

  1. TLS connection issues with applications using javax.net.ssl.SSLEngine

Cause: The internal implementation of the SSLEngine and associated classes has been reworked with the introduction of TLS v1.3 support. Buffer usage has been improved in the SSLEngine area.

Solution: If an SSLEngine application encounters issues after upgrading to JDK 8u261 or later, refer to the Java 8 API to ensure application code is correct. In particular, applications using SSLEngine should not just depend on SSLEngineResult.Status.BUFFER_UNDERFLOW or SSLEngineResult.Status.BUFFER_OVERFLOW results in order to flush pending data. Buffers should always be flushed after an SSLEngine wrap operation if such a call produces data (where SSLEngineResult.Status.OK may be returned).

  1. Post upgrading client machine with 8u261, during a SSL handshake, the "Request Authentication" popup dialog does not display any certificates if user has set deployment System Property deployment.security.clientauth.keystore.auto=false

Cause: If deployment.security.clientauth.keystore.auto=false in the deployment.properties file Java Plugin and Java Web Start show “Request Authentication” dialog regardless the number of available certificates. However due to some modifications introduced by TLS 1.3 framework sometimes the list of available certificates might be empty.

Solution: There are two possible ways to resolve the issue:

  1. Set deployment System Property deployment.security.clientauth.keystore.auto=true

  2. Upgrade to new version 8u281 of Oracle JDK contained the fix for the issue

(see JDK-8253502 )

  1. Post upgrade to 8u261, during a SSL handshake, user may observe the following "Warning" message in the log
javax.net.ssl|WARNING|03|Finalizer|2020-08-31 09:42:20.203 EDT|null:-1|SSLSocket duplex close failed (

"throwable" : {
java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.duplexCloseOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.close(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.finalize(Unknown Source)
at java.lang.System$2.invokeFinalize(Unknown Source)
at java.lang.ref.Finalizer.runFinalizer(Unknown Source)
at java.lang.ref.Finalizer.access$100(Unknown Source)
at java.lang.ref.Finalizer$FinalizerThread.run(Unknown Source)}

Cause: JDK 8u261 introduced a new format for TLS logging. Additional data is now captured per event and logged. Exceptions handled by the JDK TLS library code may print verbose information about the cause of such exceptions when logging is enabled.

Solution: User can safely ignore these Warning messages

  1. Ensure you 3rd party libraries are fully patched. Examples: Bouncy Castle, Apache, OpenSSL, Jetty

Symptoms: New/Unexpected issues from 3rd party library software being used in conjunction with the JDK.

Cause: The new TLS implementation introduces significant changes to the internal, underlying, design of the JDK TLS security libraries. The new design has exposed some bugs in 3rd party software libraries. For the most part, these issues have already been patched in such 3rd party libraries.

Examples include: Apache http-core Bouncy Castle Jetty

Solution: It's good practice to ensure that 3rd party library products being used in conjunction with the JDK TLS API are patched and up to date.

JDK-8258585 (not public)

deploy/plugin
 Possible Hang of Internet Explorer 11 With JDK 8u261 on Windows 7

On Windows 7, the Internet Explorer 11 (IE 11) JavaScript engine does not interact properly with Java Applets because, beginning with 8u261, the JDK/JRE is compiled with VisualStudio 2017. For example, an application that uses the JavaScript methods setTimeout() and setInterval() may cause IE 11 to hang when a modal dialog is shown by a Java Applet.

JDK-8244937 (not public)

install
 8u RPM Installer Failed to Install on SUSE When Updating Alternatives

Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java and javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac group with alternatives framework. All links unique to the javac group have been moved into the java group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.

The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command: /usr/sbin/alternatives --auto java

JDK-8240919 (not public)

core-svc/java.lang.management
 OperatingSystemMXBean Methods Inside a Container Return Container Specific Data

When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:

  • getFreePhysicalMemorySize()
  • getTotalPhysicalMemorySize()
  • getFreeSwapSpaceSize()
  • getTotalSwapSpaceSize()
  • getSystemCpuLoad()
See JDK-8226575

security-libs
 Default SSL Session Cache Size Updated to 20480

The default SSL session cache size has been updated to 20480 in this JDK release

See JDK-8210985

security-libs/javax.net.ssl
 BoringSSL Rejects JSSE TLS 1.3 HTTPS Connections When status_request Extension Is Disabled

BoringSSL is an SSL library deployed on some popular websites such as those run by Google/YouTube. An interoperability issue with the BoringSSL library can lead to a connection failure if TLSv1.3 is presented as the only enabled protocol in the ClientHello message and the certificate status_request extension is disabled. Enabling the certificate status_request extension by setting the jdk.tls.client.enableStatusRequestExtension system property to true will provide mitigation in such scenarios.

See JDK-8241360

core-libs/java.io:serialization
 Improved Serialization Handling

When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter the method must be called before reading any objects from the stream. If the methods readObject or readUnshared are called, the setObjectInputFilter method throws IllegalStateException.

JDK-8234836 (not public)

security-libs/javax.net.ssl
 Increase the priorities of GCM cipher suites

In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider.

In the SunJSSE provider, the following ciphersuites are now the most preferred by default:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases.

See JDK-8028518

client-libs/javax.swing
Deprecated NSWindowStyleMaskTexturedBackground
After an upgrade of the macOS SDK used to build the JDK, the behavior of the apple.awt.brushMetalLook and textured Swing properties has changed. When these properties are set, the title of the frame is still visible. It is recommended that the apple.awt.transparentTitleBar property be set to true to make the title of the frame invisible again. The apple.awt.fullWindowContent property can also be used.

Please note that Textured window support was implemented by using the NSTexturedBackgroundWindowMask value of NSWindowStyleMask. However, this was deprecated in macOS 10.12 along with NSWindowStyleMaskTexturedBackground, which was deprecated in macOS 10.14.

For additional information, refer to the following documentation:

See JDK-8240995

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8130737 client-libs 2d [macosx] AffineTransformOp can't handle child raster with non-zero x-offset
2 JDK-8211301 client-libs java.awt [macos] support full window content options
3 JDK-8214046 client-libs java.awt [macosx] Undecorated Frame does not Iconify when set to
4 JDK-8231438 client-libs java.awt [macOS] Dark mode for the desktop is not supported
5 JDK-8242498 client-libs java.awt Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
6 JDK-8226253 client-libs javax.accessibility JAWS reports wrong number of radio buttons when buttons are hidden
7 JDK-8238842 client-libs javax.imageio AIOOBE in GIFImageReader.initializeStringTable
8 JDK-8194298 core-libs java.net Add support for per Socket configuration of TCP keepalive
9 JDK-8232854 core-libs java.net URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails
10 JDK-8044365 core-libs java.nio (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
11 JDK-8229888 core-libs java.nio (zipfs) Updating an existing zip file does not preserve original permissions
12 JDK-8146356 core-libs java.time java.time.format.TextStyle.FULL_STANDALONE does not work well while formatting months.
13 JDK-8165936 core-libs java.util:i18n Potential Heap buffer overflow when seaching timezone info files
14 JDK-8228477 core-libs java.util:i18n Have calendar revert to default names if no standalone resources exist
15 JDK-8214440 core-libs javax.naming ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
16 JDK-8193137 core-libs jdk.nashorn Nashorn crashes when given an empty script file.
17 JDK-8226575 core-svc java.lang.management OperatingSystemMXBean should be made container aware
18 JDK-8239332 deploy plugin LiveConnect netscape.javascript.JSException: No such property "outerWidthX" on JavaScript object
19 JDK-8170074 docs guides Typos on "How Classes are Found" web page on Oracle site
20 JDK-8240337 docs guides JDK 8 Developer Guides index.html page has incorrect links
21 JDK-8241531 docs guides Update copyright page for JDK 8 docs
22 JDK-8243337 docs guides Java Print Service API User's Guide contains typos and formatting errors
23 JDK-8243584 docs guides Malformed HTML in the Serialization section of the JDK 8 developer guides
24 JDK-8181872 hotspot compiler C1: possible overflow when strength reducing integer multiply by constant
25 JDK-8062808 hotspot gc Turn on the -Wreturn-type warning
26 JDK-8064786 hotspot gc Fix debug build after 8062808: Turn on the -Wreturn-type warning
27 JDK-8141056 hotspot gc Erroneous assignment in HeapRegionSet.cpp
28 JDK-8176100 hotspot gc [REDO][REDO] G1 Needs pre barrier on dereference of weak JNI handles
29 JDK-8191393 hotspot gc Random crashes during cfree+0x1c
30 JDK-8225716 hotspot gc G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding
31 JDK-8231779 hotspot gc crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
32 JDK-8041626 hotspot jfr Shutdown tracing event
33 JDK-8213617 hotspot jfr JFR should record the PID of the recorded process
34 JDK-8035493 hotspot jvmti JVMTI PopFrame capability must instruct compilers not to prune locals
35 JDK-8060721 hotspot runtime Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler
36 JDK-8076475 hotspot runtime Misuses of strncpy/strncat
37 JDK-8187667 hotspot runtime Disable deprecation warning for readdir_r
38 JDK-8223671 infrastructure   The latest Java 8 is not ready to use in applications on future macOS versions
39 JDK-8237820 infrastructure build remove clang version check for optimization bug workaround from 8u
40 JDK-8240780 infrastructure build [8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds
41 JDK-8232811 javafx controls Dialog's preferred size no longer accommodates multi-line strings
42 JDK-8189092 javafx graphics ArrayIndexOutOfBoundsException on Linux in getCachedGlyph
43 JDK-8212034 javafx graphics Potential memory leaks in jpegLoader.c in error case
44 JDK-8234916 javafx graphics [macos 10.15] Garbled text running with native-image
45 JDK-8237782 javafx graphics Only read advances up to the minimum of the numHorMetrics or the available font data.
46 JDK-8237833 javafx graphics Check glyph size before adding to glyph texture cache.
47 JDK-8239107 javafx graphics Update libjpeg to version 9d
48 JDK-8241370 javafx graphics Crash in JPEGImageLoader after fix for JDK-8212034
49 JDK-8202393 javafx media App Transport Security blocks http media on macOS with JDK build using new compilers
50 JDK-8236832 javafx media [macos 10.15] JavaFX Application hangs on video play on Catalina
51 JDK-8240694 javafx media [macos 10.15] JavaFX Media hangs on some video files on Catalina
52 JDK-8241629 javafx media [macos10.15] Long startup delay playing media over https on Catalina
53 JDK-8242530 javafx media [macos] Some audio files miss spectrum data when another audio file plays first
54 JDK-8238434 javafx samples Ensemble: Update version of Lucene to 7.7.2
55 JDK-8132880 javafx scenegraph Unpredictable behaviour when trying to set negative scene width or height
56 JDK-8223298 javafx web SVG patterns are drawn wrong
57 JDK-8237889 javafx web Update libxml2 to version 2.9.10
58 JDK-8237944 javafx web webview native cl "-m32" unknown option for windows 32-bit build
59 JDK-8242209 javafx web Increase web native thread stack size for x86 mode
60 JDK-8244579 javafx web Windows "User Objects" leakage with WebView
61 JDK-8181476 javafx window-toolkit [macos] Stages with StageStyle.UTILITY are always on-top when initialized without an owner
62 JDK-8234474 javafx window-toolkit [macos 10.15] Crash in file dialog in sandbox mode
63 JDK-8236685 javafx window-toolkit [macOs] Remove obsolete file dialog subclasses
64 JDK-8236971 javafx window-toolkit [macos] Gestures handled incorrectly due to missing events
65 JDK-7092821 security-libs java.security java.security.Provider.getService() is synchronized and became scalability bottleneck
66 JDK-8028431 security-libs java.security NullPointerException in DerValue.equals(DerValue)
67 JDK-8028591 security-libs java.security NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
68 JDK-8181841 security-libs java.security A TSA server returns timestamp with precision higher than milliseconds
69 JDK-8228613 security-libs java.security java.security.Provider#getServices order is no longer deterministic
70 JDK-8231387 security-libs java.security java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
71 JDK-8238452 security-libs java.security Keytool generates wrong expiration date if validity is set to 2050/01/01
72 JDK-8177784 security-libs javax.crypto Use CounterMode intrinsic for AES/GCM
73 JDK-8179098 security-libs javax.crypto Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
74 JDK-8201633 security-libs javax.crypto Problems with AES-GCM native acceleration
75 JDK-8220165 security-libs javax.crypto Encryption using GCM results in RuntimeException: input length out of bound
76 JDK-8233954 security-libs javax.crypto UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
77 JDK-8165275 security-libs javax.crypto:pkcs11 Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
78 JDK-4919790 security-libs javax.net.ssl Errors in alert ssl message does not reflect the actual certificate status
79 JDK-7013776 security-libs javax.net.ssl Multithreaded JSSE application debug information is hard to read
80 JDK-8028518 security-libs javax.net.ssl Increase the priorities of GCM cipher suites
81 JDK-8145854 security-libs javax.net.ssl SSLContextImpl.statusResponseManager should be generated if required
82 JDK-8166595 security-libs javax.net.ssl TLS Support for RSASSA-PSS Signature Algorithms
83 JDK-8185576 security-libs javax.net.ssl New handshake implementation
84 JDK-8206355 security-libs javax.net.ssl SSLSessionImpl.getLocalPrincipal() throws NPE
85 JDK-8206929 security-libs javax.net.ssl Check session context for TLS 1.3 session resumption
86 JDK-8207009 security-libs javax.net.ssl TLS 1.3 half-close and synchronization issues
87 JDK-8207029 security-libs javax.net.ssl Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21
88 JDK-8207058 security-libs javax.net.ssl Backport System Property jdk.tls.server.protocols
89 JDK-8207223 security-libs javax.net.ssl SSL Handshake failures are reported with more generic SSLException
90 JDK-8207317 security-libs javax.net.ssl SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
91 JDK-8208166 security-libs javax.net.ssl Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
92 JDK-8209333 security-libs javax.net.ssl Socket reset issue for TLS 1.3 socket close
93 JDK-8209916 security-libs javax.net.ssl NPE in SupportedGroupsExtension
94 JDK-8209965 security-libs javax.net.ssl The "supported_groups" extension in ServerHellos
95 JDK-8210334 security-libs javax.net.ssl TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
96 JDK-8210846 security-libs javax.net.ssl TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
97 JDK-8210974 security-libs javax.net.ssl No extensions debug log for ClientHello
98 JDK-8210985 security-libs javax.net.ssl Update the default SSL session cache size to 20480
99 JDK-8210989 security-libs javax.net.ssl RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
100 JDK-8211339 security-libs javax.net.ssl NPE during SSL handshake caused by HostnameChecker
101 JDK-8211806 security-libs javax.net.ssl TLS 1.3 handshake server name indication is missing on a session resume
102 JDK-8211866 security-libs javax.net.ssl TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
103 JDK-8212738 security-libs javax.net.ssl Incorrectly named signature scheme ecdsa_secp512r1_sha512
104 JDK-8212885 security-libs javax.net.ssl TLS 1.3 resumed session does not retain peer certificate chain
105 JDK-8213202 security-libs javax.net.ssl Possible race condition in TLS 1.3 session resumption
106 JDK-8213782 security-libs javax.net.ssl NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers
107 JDK-8214098 security-libs javax.net.ssl sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards.
108 JDK-8214129 security-libs javax.net.ssl SSL session resumption/SNI with TLS1.2 causes StackOverflowError
109 JDK-8214339 security-libs javax.net.ssl SSLSocketImpl erroneously wraps SocketException
110 JDK-8214688 security-libs javax.net.ssl TLS 1.3 session resumption with hello retry request failed with "illegal_parameter"
111 JDK-8215524 security-libs javax.net.ssl Finished message validation failure should be decrypt_error alert
112 JDK-8215711 security-libs javax.net.ssl Missing key_share extension for (EC)DHE key exchange should alert missing_extension
113 JDK-8215790 security-libs javax.net.ssl Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
114 JDK-8216045 security-libs javax.net.ssl The size of key_exchange may be wrong on FFDHE
115 JDK-8216326 security-libs javax.net.ssl SSLSocket stream close() does not close the associated socket
116 JDK-8217610 security-libs javax.net.ssl TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
117 JDK-8219389 security-libs javax.net.ssl Delegated task created by SSLEngine throws BufferUnderflowException
118 JDK-8221253 security-libs javax.net.ssl TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes
119 JDK-8223482 security-libs javax.net.ssl Unsupported ciphersuites may be offered by a TLS client
120 JDK-8223940 security-libs javax.net.ssl Private key not supported by chosen signature algorithm
121 JDK-8225766 security-libs javax.net.ssl Curve in certificate should not affect signature scheme when using TLSv1.3
122 JDK-8228757 security-libs javax.net.ssl Fail fast if the handshake type is unknown
123 JDK-8235263 security-libs javax.net.ssl Revert TLS 1.3 change that wrapped IOExceptions
124 JDK-8235311 security-libs javax.net.ssl Tag mismatch may alert bad_record_mac
125 JDK-8235874 security-libs javax.net.ssl The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property.
126 JDK-8236039 security-libs javax.net.ssl JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
127 JDK-8237474 security-libs javax.net.ssl Default SSLEngine should create in server role
128 JDK-8239798 security-libs javax.net.ssl SSLSocket closes socket both socket endpoints on a SocketTimeoutException
129 JDK-8242141 security-libs javax.net.ssl New System Properties to configure the TLS signature schemes
130 JDK-8242294 security-libs javax.net.ssl JSSE Client does not throw SSLException when an alert occurs during handshaking
131 JDK-8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
132 JDK-8224157 xml jaxp BCEL: update to version 6.3.1
133 JDK-8238164 xml jaxp Update Apache Xerces to version 2.12.0 in JDK 8u


Java SE 8u251 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u251 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u251 b36

Bug Fixes

BugId Component Subcomponent Summary
8244579 javafx web Windows "User Objects" leakage with WebView

Changes in Java SE 8u251 b35

Bug Fixes

BugId Component Subcomponent Summary
8242884 deploy plugin 8u241 32 bit SSV Helper causes long load time and page load on IE11
8151788 core-libs java.net NullPointerException from ntlm.Client.type3
8210147 core-libs java.net adjust some WSAGetLastError usages in windows network coding

Changes in Java SE 8u251 b34

Bug Fixes

BugId Component Subcomponent Summary
8241966 (Confidential) install Add Oracle copyright to modified Sparkle 1.23.0 files
8241965 (Confidential) install Update THIRD_PARTY_README for Sparkle 1.23.0
8241814 (Confidential) install auto_update [macos] 8u251b60 AU missing "Remind Me" button
8241410 (Confidential) infrastructure 8u251 b60 Mac notarized build is missing the ant-javafx.jar
8241399 (Confidential) client-libs java.awt jdk8 build broken on macOS 10.7 and sdk 10.8
8240780 infrastructure build[8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds
8239919 hotspot [8u] enable parentheses-equality warnings in HotSpot
8239808 (Confidential) install auto_update Change URL In <cntry-lookup> Tag In mac-XXX-XX.xml
8239400 hotspot [8u] clean up delete-non-virtual-dtor warnings in HotSpot
8239223 hotspot [8u] enable Wparentheses warnings in HotSpot
8239112 hotspot [8u] clean up empty-body warnings in HotSpot
8239053 hotspot runtime [8u] clean up undefined-var-template warnings
8238852 (Confidential) install install [macos] AU to NEXTVER failed when AU from 8u251 to future
8238700 (Confidential) infrastructure build Signing reliability change not fully working on 8u
8238225 infrastructure build Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary
8237820 infrastructure build remove clang version check for optimization bug workaround from 8u
8236971 javafx window-toolkit [macos] Gestures handled incorrectly due to missing events
8236956 (Confidential) security-libs javax.net.ssl Backport test lib files from JDK-8228967
8235687 infrastructure build Contents/MacOS/libjli.dylib cannot be a symlink
8232580 (Confidential) infrastructure build Sign Macosx binaries with hardened runtime enabled
8232087 (Confidential) security-libs org.ietf.jgss Migrate KDC from sca00jvo/burge0401/sca00kte/sca00lol/adc1140258/sca00joh to new OCI hosts
8231438 client-libs java.awt [macOS] Dark mode for the desktop is not supported
8231092 (Confidential) infrastructure build Implement Apple notarization support in the build
8230555 (Confidential) security-libs javax.net.ssl OCI migration on IIS
8226306 (Confidential) infrastructure build Improve signing reliability
8214046 client-libs java.awt [macosx] Undecorated Frame does not Iconify when set to
8213838 (Confidential) install Upgrade sparkle to 1.23.0
8202393 javafx media App Transport Security blocks http media on macOS with JDK build using new compilers
8200550 hotspot gc Xcode 9.3 produce warning -Wexpansion-to-defined
8196724 infrastructure build Change macosx deployment target to 10.9
8196538 (Confidential) infrastructure build Fix compilation errors when using Xcode 9.2/Macosx 10.13 in deploy and install
8181872 hotspot compiler C1: possible overflow when strength reducing integer multiply by constant
8152856 hotspot runtime Xcode 7.3 -Wshift-negative-value compile failure on Mac OS X
8141056 hotspot gc Erroneous assignment in HeapRegionSet.cpp
8060721 hotspot runtime Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler
8043646 client-libs java.awt libosxapp.dylib fails to build on Mac OS 10.9 with clang
8030680 hotspot compiler 292 cleanup from default method code assessment
7188942 (Confidential) client-libs 2d Remove support of pbuffers in OGL Java2d pipeline

Changes in Java SE 8u251 b33

Bug Fixes

BugId Component Subcomponent Summary
8239444 (Confidential) security-libs java.security High contention java.security.Provider.getService()-JDK-7092821
7092821 security-libs java.security java.security.Provider.getService() is synchronized and became scalability bottleneck
8231387 security-libs java.security java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
8228613 security-libs java.security java.security.Provider#getServices order is no longer deterministic
8239946 (Confidential) security-libs javax.crypto Update JarVerifier class with new signing cert details
8240439 (Confidential) core-libs java.net java.net.PlainDatagramSocketImpl.receive0 seems to fail for UDP traffic spontaneously

Changes in Java SE 8u251 b32

Bug Fixes

BugId Component Subcomponent Summary
8240694 javafx media [macos 10.15] JavaFX Media hangs on some video files on Catalina
8241629 javafx media Long startup delay playing media over https on Catalina
8176100 hotspot gc [REDO][REDO] G1 Needs pre barrier on dereference of weak JNI handles

Changes in Java SE 8u251 b31

Bug Fixes

BugId Component Subcomponent Summary
8231779 hotspot gc crash HeapWord*ParallelScavengeHeap::failed_mem_allocate

Java™ SE Development Kit 8, Update 251 (JDK 8u251)

April 14, 2020

The full version string for this update release is 1.8.0_251-b08 (where "b" means "build"). The version number is 8u251. This JDK 8 Update release implements JSR 337 Maintenance Release 3 (approved Feb 2020).

IANA Data 2019c

JDK 8u251 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u251 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_251-b08
7 1.7.0_261-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u251) be used after the next critical patch update scheduled for July 14, 2020.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u251) on August 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.net.ssl
TLS Application-Layer Protocol Negotiation Extension
JEP 244 has enhanced the Java Secure Socket Extension (JSSE) to provide support for the TLS Application-Layer Protocol Negotiation (ALPN) Extension (RFC 7301). New methods have been added to the javax.net.ssl classes SSLEngine, SSLSocket, and SSLParameters to allow clients and servers to negotiate an application layer value as part of the TLS handshake.

This API change was required by JSR 337 MR 3.

See JDK-8051498

security-libs/javax.crypto
RSASSA-PSS Signature Support Added to SunMSCAPI
The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider.

See JDK-8205445

security-libs/java.security
Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature
The SunRsaSign and SunJCE providers have been enhanced with support for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS signature and OAEP using FIPS 180-4 digest algorithms. New constructors and methods have been added to relevant JCA/JCE classes under the java.security.spec and javax.crypto.spec packages for supporting additional RSASSA-PSS parameters.

This API change was required by JSR 337 MR 3.

See JDK-8146293

 

Other notes

javafx/web
WebEngine Limits JavaScript Method Calls for Certain Classes
JavaScript programs that are run in the context of a web page loaded by WebEngine can communicate with Java objects passed from the application to the JavaScript program. JavaScript programs that reference java.lang.Class objects are now limited to the following methods:


     
getCanonicalName
getEnumConstants
getFields
getMethods
getName
getPackageName
getSimpleName
getSuperclass
getTypeName
getTypeParameters
isAssignableFrom
isArray
isEnum
isInstance
isInterface
isLocalClass
isMemberClass
isPrimitive
isSynthetic
toGenericString
toString

No methods can be called on the following classes:


  
java.lang.ClassLoader
java.lang.Module
java.lang.Runtime
java.lang.System

java.lang.invoke.*
java.lang.module.*
java.lang.reflect.*
java.security.*
sun.misc.*

JDK-8236798 (not public)

security-libs/javax.xml.crypto
New Oracle Specific JDK 8 Updates System Property to Fallback to Legacy Base64 Encoding Format
Oracle JDK 8u231 upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue where XML signature using Base64 encoding resulted in appending &#xd or &#13 to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without &#xd or &#13.

Therefore, a new Oracle JDK 8 Updates only system property, - com.sun.org.apache.xml.internal.security.lineFeedOnly, is made available to fall back to legacy Base64 encoded format.

Users can set this flag in one of two ways:

  1. -Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
  2. System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")

This new system property is disabled by default. It has no effect on default behavior nor when com.sun.org.apache.xml.internal.security.ignoreLineBreaks property is set.

Later JDK family versions might only support the recommended property: com.sun.org.apache.xml.internal.security.ignoreLineBreaks

See JDK-8236645

 

security-libs/javax.crypto
Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA, SHA256withECDSA, etc.) are also supported.

See JDK-8026953

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8232154 client-libs 2d Update Mesa 3-D Headers to version 19.2.1
2 JDK-8214578 client-libs java.awt [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings
3 JDK-8230597 client-libs java.awt Update GIFlib library to the 5.2.1
4 JDK-8230926 client-libs java.awt [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout
5 JDK-4949105 client-libs javax.accessibility Access Bridge lacks html tags parsing
6 JDK-8223158 client-libs javax.swing Docked MacBook cannot start any Java Swing applications
7 JDK-8224475 client-libs javax.swing JTextPane does not show images in HTML rendering
8 JDK-8226892 client-libs javax.swing ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
9 JDK-8230235 client-libs javax.swing Rendering HTML with empty img attribute and documentBaseKey cause Exception
10 JDK-8235744 client-libs javax.swing PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64
11 JDK-8229022 core-libs java.io BufferedReader performance can be improved by using StringBuilder
12 JDK-6996807 core-libs java.io:serialization FieldReflectorKey hash code computation can be improved
13 JDK-8067796 core-libs java.lang (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null
14 JDK-8208715 core-libs java.lang Conversion of milliseconds to nanoseconds in UNIXProcess contains bug.
15 JDK-8051853 core-libs java.net new URI("x/").resolve("..").getSchemeSpecificPart() returns null!
16 JDK-8230856 core-libs java.net Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return
17 JDK-8233022 core-libs java.net [test] backout accidental change to SetLoopbackMode.java
18 JDK-8232003 core-libs java.nio (fs) Files.write can leak file descriptor in the exception case
19 JDK-8237368 core-libs java.rmi Problem with NullPointerException in RMI TCPEndpoint.read
20 JDK-8227127 core-libs java.text Era designator not displayed correctly using the COMPAT provider
21 JDK-8234466 core-libs java.util.jar Class loading deadlock involving X509Factory#commitEvent()
22 JDK-8066652 core-libs java.util:i18n Default TimeZone is GMT not local if user.timezone is invalid on Mac OS
23 JDK-8225435 core-libs java.util:i18n Upgrade IANA Language Subtag Registry to the latest for JDK14
24 JDK-8033215 hotspot compiler clang: node.cpp:284 IDX_INIT macro use uninitialized field _out
25 JDK-8146792 hotspot compiler Predicate moved after partial peel may lead to broken graph
26 JDK-8231988 hotspot compiler Unexpected test result caused by C2 IdealLoopTree::do_remove_empty_loop
27 JDK-8222122 hotspot jfr Provision to disable XML validation in .jfc file in JFR
28 JDK-8215355 hotspot runtime Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1)
29 JDK-8229345 hotspot runtime Memory leak due to vtable stubs not being shared on SPARC
30 JDK-8146293 security-libs java.security Add support for RSASSA-PSS Signature algorithm
31 JDK-8175029 security-libs java.security StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider)
32 JDK-8206171 security-libs java.security Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized
33 JDK-8214096 security-libs java.security sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
34 JDK-8215694 security-libs java.security keytool cannot generate RSASSA-PSS certificates
35 JDK-8225180 security-libs java.security SignedObject with invalid Key not throwing the InvalidKeyException in Windows
36 JDK-8225745 security-libs java.security NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support
37 JDK-8236470 security-libs java.security Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId
38 JDK-8193262 security-libs javax.crypto JNI array not released in libsunmscapi convertToLittleEndian
39 JDK-8205445 security-libs javax.crypto Add RSASSA-PSS Signature support to SunMSCAPI
40 JDK-8221407 security-libs javax.crypto Windows 32bit build error in libsunmscapi/security.cpp
41 JDK-8223003 security-libs javax.crypto SunMSCAPI keys are not cleaned up
42 JDK-8145849 security-libs javax.net.ssl ALPN: getHandshakeApplicationProtocol() always return null
43 JDK-8158978 security-libs javax.net.ssl ALPN not working when values are set directly on a SSLServerSocket
44 JDK-8170282 security-libs javax.net.ssl Enable ALPN parameters to be supplied during the TLS handshake
45 JDK-8171443 security-libs javax.net.ssl (spec) An ALPN callback function may also ignore ALPN
46 JDK-8216039 security-libs javax.net.ssl TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
47 JDK-8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
48 JDK-8207760 xml javax.xml.transform SAXException: Invalid UTF-16 surrogate detected: d83c ?
49 JDK-8046274 xml jaxp Removing dependency on jakarta-regexp
50 JDK-8163121 xml jaxp BCEL: update to the latest 6.0 release
51 JDK-8233548 xml jaxp Update CUP to v0.11b

Java SE 8u241 Bundled Patch Release (BPR) - Bug Fixes and Updates

Java SE 8u241 BPRs, are based on the current Java SE 8u241 release and are available for Java SE Subscription customers.

For more information on installation and licensing of Java SE Products, visit Java SE Products Overview.

Find information about Java SE Subscriptions at Oracle Java SE Subscriptions.

The following sections summarize changes made in all Java SE 8u241 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u241 b33

Bug Fixes

BugId Component Subcomponent Summary
8163251 security-libs javax.smartcardio Hard coded loop limit prevents reading of smart card data greater than 8k
8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
8239033 (Confidential) security-libs javax.xml.crypto Oracle JDK 8u Base64XmlEncode.java test fails for windows platform
8236832 javafx media [macos 10.15] JavaFX Application hangs on video play on Catalina
8239803 (Confidential) javafx build [macOS 10.15] Wrong SDK recorded in dylib files prevents notarization
8160768 core-libs javax.naming Add capability to custom resolve host/domain names within the default JNDI LDAP provider

Changes in Java SE 8u241 b32

Bug Fixes

BugId Component Subcomponent Summary
8234468 security-libs java.security Application startup failed on JRE 8u231

Changes in Java SE 8u241 b31

Bug Fixes

BugId Component Subcomponent Summary
8193445 javafx controls JavaFX CSS is applied redundantly leading to significant performance degradation

Java™ SE Development Kit 8, Update 241 (JDK 8u241)

January 14, 2020

The full version string for this update release is 1.8.0_241-b07 (where "b" means "build"). The version number is 8u241.

IANA Data 2019c

JDK 8u241 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u241 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_241-b07
7 1.7.0_251-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u241) be used after the next critical patch update scheduled for April 14, 2020. 

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u241) on May 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features 

 

security-libs/javax.security
 Allow SASL Mechanisms to Be Restricted

A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.

See JDK-8200400

security-libs/javax.crypto:pkcs11
 SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40

The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

See JDK-8080462

 

Other notes

 

security-libs/java.security
 New Checks on Trust Anchor Certificates

New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.

The default value of this property, if not set, is "false".

Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).

This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.

JDK-8230318 (not public)

security-libs/java.security
 Exact Match Required for Trusted TLS Server Certificate 

A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.

JDK-8227758 (not public)

security-libs/java.security
 Added LuxTrust Global Root 2 Certificate 

The following root certificate has been added to the cacerts truststore:



+ LuxTrust
     + luxtrustglobalroot2ca
 
         DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU

See JDK-8232019

security-libs/java.security
 Added 4 Amazon Root CA Certificates

The following root certificates have been added to the cacerts truststore:



+ Amazon
     + amazonrootca1
         DN: CN=Amazon Root CA 1, O=Amazon, C=US
 
     + amazonrootca2
         DN: CN=Amazon Root CA 2, O=Amazon, C=US
 
     + amazonrootca3
         DN: CN=Amazon Root CA 3, O=Amazon, C=US
 
     + amazonrootca4
         DN: CN=Amazon Root CA 4, O=Amazon, C=US

See JDK-8233223

core-libs/java.rmi
 Improve Registry Support

The java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:

  • Methods declared in interfaces that directly or indirectly extend java.rmi.Remote can be invoked remotely
  • Methods declared in interfaces that do not extend Remote directly or indirectly cannot be invoked remotely

This affects remote objects in the java.rmi.registry.Registry and any other remote object.

JDK-8230967 (not public)

 

Bug Fixes

The following are some of the notable bug fixes included in this release:

 

client-libs/2d
 Support for OpenType CFF Fonts

Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf fonts) into the standard logical fonts (such as "Dialog" and "SansSerif"). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.

Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.

Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.

See JDK-8209672

core-libs/java.io:serialization
 Better Serial Filter Handling

The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.

JDK-8231422 (not public)

 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8080465 client-libs   The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel".
2 JDK-8185538 client-libs 2d JDK 9 is really slow initialising some OTF/CFF fonts.
3 JDK-8146238 client-libs 2d [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts
4 JDK-8209672 client-libs 2d Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init
5 JDK-8225101 client-libs java.awt Crash at sun.awt.X11.XlibWrapper.XkbGetUpdatedMap when change keybord map
6 JDK-8230782 client-libs java.awt Robot.createScreenCapture() fails if ???awt.robot.gtk??? is set to false
7 JDK-8221246 client-libs java.awt NullPointerException within Win32ShellFolder2
8 JDK-8213119 client-libs java.awt [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails
9 JDK-8225505 client-libs javax.swing ctrl-F1 does not show the tooltip of a menu item (JMenuItems)
10 JDK-8134424 core-libs java.io:serialization BlockDataInputStream.readUTFBody: size local StringBuffer with the given length
11 JDK-8185898 core-libs java.net setRequestProperty(key, null) results in HTTP header without colon in request
12 JDK-8230085 core-libs java.nio (fs) FileStore::isReadOnly is always true on macOS Catalina
13 JDK-8223490 core-libs java.util Optimize search algorithm for determining default time zone
14 JDK-8227018 core-libs java.util.concurrent CompletableFuture should not call Runtime.availableProcessors on fast path
15 JDK-8204290 core-libs jdk.nashorn Add check to limit number of capture groups
16 JDK-8232984 core-libs jdk.nashorn Upgrading Joni License version to 2.1.16
17 JDK-8204288 core-libs jdk.nashorn Matching the end of a string followed by an empty greedy regex and a word boundary fails
18 JDK-8230303 core-svc debugger JDB hangs when running monitor command
19 JDK-8179348 deploy webstart User friendly warning when Java WebStart Temporary Internet Files is disabled.
20 JDK-8133949 deploy webstart deploy-test build broken by fix to JDK-6921877
21 JDK-6921877 deploy webstart JCP JNLP Shortcut settings for JDK 9
22 JDK-7024585 deploy webstart enhance the list of secure jnlp vm-args for plugin and web start
23 JDK-8223925 docs   No document covering default property files and system properties of the Preferences API
24 JDK-8060000 docs guides Endpoint identification algorithm is not only in TLS 1.2
25 JDK-8207028 docs guides JSSE TrustManagerFactory ignores custom value of deployment.system.security.cacerts property
26 JDK-8227326 docs guides Broken link to JNLP specifications in Java Web Start documentation
27 JDK-8077316 docs guides JRE Installer Options Page should include JDK
28 JDK-8171356 docs tools providerpath option should be added to all keytool commands which specify provider information's
29 JDK-8143925 hotspot compiler enhancing CounterMode.crypt() for AESCrypt.implEncryptBlock()
30 JDK-8146581 hotspot compiler Minor corrections to the patch submitted for earlier bug id - 8143925
31 JDK-8171974 hotspot compiler Fix for R10 Register clobbering with usage of ExternalAddress
32 JDK-8131778 hotspot compiler java disables UseAES flag when using VIS=2 on sparc
33 JDK-8225141 hotspot compiler Better handling of classes in error state by fast class initialization checks
34 JDK-8229420 hotspot gc [Redo] jstat reports incorrect values for OU for CMS GC
35 JDK-8048556 hotspot gc Unnecessary GCLocker-initiated young GCs
36 JDK-8226798 hotspot runtime JVM crash in klassItable::initialize_itable_for_interface(int, InstanceKlass*, bool, Thread*)
37 JDK-8041620 hotspot runtime Solaris Studio 12.4 C++ 5.13 change in behavior for placing friend declarations within surrounding scope
38 JDK-8231854 javafx other Change Mercurial to git in various README files
39 JDK-8231590 javafx other Update location of jfx repo to GitHub in third-party legal files
40 JDK-8232522 javafx other FX: Update copyright year in docs, readme files to 2020
41 JDK-8231126 javafx web libxslt.md has incorrect version string
42 JDK-8224636 javafx web CSS "pointer-events" property "stroke" is not respected for SVG renderings
43 JDK-8218640 javafx web Update ICU4C to version 64.2
44 JDK-8173956 security-libs java.security KeyStore regression due to default keystore being changed to PKCS12
45 JDK-8195667 security-libs javax.crypto:pkcs11 ProblemList PKCS11 tests Secmod/AddTrustedCert.java and tls/TestKeyMaterial.java due to JDK-8180837
46 JDK-8080462 security-libs javax.crypto:pkcs11 Update SunPKCS11 provider with PKCS11 v2.40 support
47 JDK-8228835 security-libs javax.crypto:pkcs11 Memory leak in PKCS11 provider when using AES GCM
48 JDK-8229243 security-libs javax.crypto:pkcs11 SunPKCS11-Solaris provider tests failing on Solaris 11.4
49 JDK-8225695 security-libs javax.crypto:pkcs11 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)
50 JDK-8133489 security-libs javax.net.ssl Better messaging for PKIX path validation matching
51 JDK-8229767 security-libs javax.security Typo in java.security: Sasl.createClient and Sasl.createServer
52 JDK-8200400 security-libs javax.security Allow Sasl mechanisms to be restricted
53 JDK-8226607 security-libs javax.smartcardio Inconsistent info between pcsclite.md and MUSCLE headers
54 JDK-8201627 security-libs org.ietf.jgss:krb5 Kerberos sequence number issues

Java SE 8u231 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u231 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u231 b34

Bug Fixes

BugId Component Subcomponent Summary
8223158 client-libs javax.swing Docked MacBook cannot start any Java Swing applications
8134424 core-libs java.io:serialization BlockDataInputStream.readUTFBody: size local StringBuffer with the given length
8077707
(Confidential)
client-libs javax.accessibility jdk9 b58 cannot run any graphical application on Win 8 with JAWS running

Changes in Java SE 8u231 b33

Bug Fixes

BugId Component Subcomponent Summary
8185538 client-libs 2d JDK 9 is really slow initialising some OTF/CFF fonts.
8223490 core-libs java.util Optimize search algorithm for determining default time zone
8209672
(Confidential)
client-libs 2d Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init
8080465
(Confidential)
client-libs   The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel".

Changes in Java SE 8u231 b32

Bug Fixes

BugId Component Subcomponent Summary
8230085 core-libs java.nio (fs) FileStore::isReadOnly is always true on macOS Catalina
8146238 client-libs 2d [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts
8230303 core-svc debugger JDB hangs when running monitor command

Java™ SE Development Kit 8, Update 231 (JDK 8u231)

October 15, 2019

The full version string for this update release is 1.8.0_231-b11 (where "b" means "build"). The version number is 8u231.

IANA Data 2019b

JDK 8u231 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u231 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_231-b11
7 1.7.0_241-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u231) be used after the next critical patch update scheduled for January 14, 2020. 

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u231) on February 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/javax.crypto
 New jdk.jceks.iterationCount System Property 

A new system property has been introduced to control the iteration count value used for the jceks keystore. The default value remains at 200000 but values between 10000 and 5000000 may be specified. The new system property name is jdk.jceks.iterationCount and the value supplied should be an integer in the accepted range. The default value will be used if a parsing error is encountered.

JDK-8223269 (not public)

security-libs/java.security
 New Java Flight Recorder (JFR) Security Events 

Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

  • java/security_property

    • Records Security.setProperty(String key, String value) method calls
  • java/tls_handshake

    • Records TLS handshake activity. The event fields include:
      • Peer hostname
      • Peer port
      • TLS protocol version negotiated
      • TLS cipher suite negotiated
      • Certificate id of peer client
  • java/x509_validation

    • Records details of X.509 certificates negotiated in successful X.509 validation (chain of trust)
  • java/x509_certificate

    • Records details of X.509 Certificates. The event fields include:
      • Certificate algorithm
      • Certificate serial number
      • Certificate subject
      • Certificate issuer
      • Key type
      • Key length
      • Certificate id
      • Validity of certificate

See JDK-8148188

Removed Features and Options

javafx/graphics
 Removal of T2K Rasterizer and ICU Layout Engine From JavaFX 

The T2K rasterizer and ICU layout engine have been removed from JavaFX.

See JDK-8187147

Other notes

client-libs
 [client-libs and javaFX] GTK3 Is Now the Default on Linux/Unix 

Newer versions of Linux, Solaris, and other Unix flavor desktop environments use GTK3, while still supporting GTK2.

Previously, the JDK would default to loading the older GTK2 libraries. However, in this release, it defaults to loading GTK3 libraries. Loading is typically triggered by using the Swing GTK Look And Feel.

The old behavior can be restored by using the system property: -Djdk.gtk.version=2.2

See JDK-8222496

docs
 Using the JDK or JRE on macOS Catalina (10.15)

Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see http:/java/technologies/javase/jdk-jre-macos-catalina.html.

JDK-8230057 (not public)

security-libs/javax.net.ssl
 Remove Obsolete NIST EC Curves from the Default TLS Algorithms

This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:



java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, 
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ... 

JDK-8228825 (not public)

security-libs/javax.xml.crypto
Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:

  • Added support for embedding elliptic curve public keys in the KeyValue element

See JDK-8219013

security-libs/javax.xml.crypto
 Updated xmldsig Implementation to Apache Santuario 2.1.1

The XMLDSig provider implementation in the java.xml.crypto module has been updated to version 2.1.1 of Apache Santuario. New features include:

  • Support for the SHA-224 and SHA-3 DigestMethod algorithms specified in RFC 6931.
  • Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.

See JDK-8177334

security-libs/javax.crypto
 System Property jdk.security.useLegacyECC is Turned Off by Default

The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.

This option allows control of which implementation of ECC is in use.

When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line. Setting the option to true or the empty string is not recommended.

If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.

JDK-8224499 (not public)

security-libs/javax.xml.crypto
 com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property

An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in &#xd or &#13 being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

An application may continue working with the encoded output data containing the carriage return character (&#xd or &#13) if the application coding logic allows such output.

The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (&#xd or &#13).

Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.

See JDK-8219013

core-libs/java.lang
 Runtime.exec and ProcessBuilder Argument Restrictions 

Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.

In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.

In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.

Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.

For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".

JDK-8221858 (not public)

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8222496 client-libs   [8u] Switch on GTK3 as a default GTK L&F in client-libs
2 JDK-8217676 client-libs   Upgrade libpng to 1.6.37
3 JDK-8219914 client-libs   Change the environment variable for Java Access Bridge logging to have a directory
4 JDK-8222108 client-libs 2d Reduce minRefreshTime for updating remote printer list on Windows
5 JDK-8196681 client-libs javax.accessibility Java Access Bridge logging and debug flags dynamically controlled
6 JDK-8226964 client-libs javax.swing [Yaru] GTK L&F: There is no difference between menu selected and de-selected
7 JDK-8225423 client-libs javax.swing GTK L&F: JSplitPane: There is no divider shown
8 JDK-8214702 client-libs javax.swing Wrong text position for whitespaced string in printing Swing text
9 JDK-8216401 core-libs   Allow "file:" URLs in Class-Path of local JARs
10 JDK-8151486 core-libs java.lang Class.forName causes memory leak
11 JDK-8197930 core-libs java.lang JNI exception pending in initializeEncoding of jni_util.c
12 JDK-8225425 core-libs java.net java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries
13 JDK-8214687 core-libs java.util:collections Optimize Collections.nCopies().hashCode() and equals()
14 JDK-8222980 core-libs java.util:i18n Upgrade IANA Language Subtag Registry to Version 2019-04-03
15 JDK-8219890 core-libs java.util:i18n Calendar.getDisplayName() returns empty string for new Japanese Era on some locales
16 JDK-8203324 core-libs java.util:i18n Use out of scope in getMacOSXLocale of java_props_macosx.c:120
17 JDK-8139965 core-libs javax.naming Hang seen when using com.sun.jndi.ldap.search.replyQueueSize
18 JDK-8217581 docs tools JDK 8 javadoc man page does not list correct values for -source
19 JDK-8206879 globalization locale-data Currency decimal marker incorrect for Peru
20 JDK-8202414 hotspot compiler Unsafe write after primitive array creation may result in array length change
21 JDK-8219807 hotspot compiler C2 crash in IfNode::up_one_dom(Node*, bool)
22 JDK-8218721 hotspot compiler C1's CEE optimization produces safepoint poll with invalid debug information
23 JDK-8130341 hotspot compiler GHASH 32bit intrinsics has AEADBadTagException
24 JDK-8080157 hotspot compiler assert(allocates2(pc)) failed: not in CodeBuffer memory
25 JDK-8187147 javafx graphics Remove T2K from JavaFX in JDK 10
26 JDK-8201539 javafx graphics Crash in DirectWrite CreateBitmap code when running TestFX test suite
27 JDK-8213510 javafx media [Windows] MediaPlayer does not play some mp3 with artwork stream in mjpeg
28 JDK-8222780 javafx media Visual Studio does not open media vs_projects files
29 JDK-8223046 javafx samples AudioClip sample does not work in Ensemble when run via web-start
30 JDK-8230361 javafx web [web] Cookies are not enabled in WebKit v608.1
31 JDK-8229328 javafx web [windows] PlatformFileHandle type should be JGObject rather than void *
32 JDK-8227431 javafx web [Windows] Fix assertion failure on X86 32-bit when enabling CLOOP based JavaScript interpreter
33 JDK-8227079 javafx web Cherry pick GTK WebKit 2.24.3 changes
34 JDK-8222912 javafx web Websocket client doesn't work in WebView
35 JDK-8219362 javafx web Update to 608.1 version of WebKit
36 JDK-8225203 javafx web Update SQLite to version 3.28.0
37 JDK-8222788 javafx web javafx.web build fails on XCode 10.2
38 JDK-8222497 javafx window-toolkit [8u] Switch on GTK3 as a default GTK L&F in javafx
39 JDK-8226537 javafx window-toolkit Multi-level Stage::initOwner can crash gnome-shell or X.org server
40 JDK-8211302 javafx window-toolkit DragAndDrop no longer works with GTK3
41 JDK-8212060 javafx window-toolkit [GTK3] Stage sometimes shown at top-left before moving to correct position
42 JDK-8147502 security-libs java.security Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
43 JDK-8148188 security-libs java.security Enhance the security libraries to record events of interest
44 JDK-8226543 security-libs javax.crypto Reduce GC pressure during message digest calculations in password-based encryption
45 JDK-8073108 security-libs javax.crypto Use x86 and SPARC CPU instructions for GHASH acceleration
46 JDK-8218780 security-libs javax.smartcardio Update MUSCLE PCSC-Lite header files
47 JDK-8229868 security-libs javax.xml.crypto Update Apache Santuario TPRM version
48 JDK-8218629 security-libs javax.xml.crypto XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10
49 JDK-8217878 security-libs javax.xml.crypto ENVELOPING XML signature no longer works in JDK 11
50 JDK-8219013 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.1.3
51 JDK-8177334 security-libs javax.xml.crypto Update xmldsig implementation to Apache Santuario 2.1.1

Java SE 8u221 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u221 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u221 b36

Bug Fixes

BugId Component Subcomponent Summary
8221246 client-libs java.awt NullPointerException within Win32ShellFolder2

Changes in Java SE 8u221 b35

Bug Fixes

BugId Component Subcomponent Summary
8080157 hotspot compiler assert(allocates2(pc)) failed: not in CodeBuffer memory
8130341 hotspot compiler GHASH 32bit intrinsics has AEADBadTagException
8073108 security-libs javax.crypto Use x86 and SPARC CPU instructions for GHASH acceleration
8048556 hotspot gc Unnecessary GCLocker-initiated young GCs

Changes in Java SE 8u221 b34

Bug Fixes

BugId Component Subcomponent Summary
8226895
(Confidential)
xml jaxp Problems when validating XML with STax

Changes in Java SE 8u221 b33

Bug Fixes

BugId Component Subcomponent Summary
8226543 security-libs javax.crypto Reduce GC pressure during message digest calculations in password-based encryption
8139965 core-libs javax.naming Hang seen when using com.sun.jndi.ldap.search.replyQueueSize
8225615
(Confidential)
deploy packager Need javapackager to work with Inno Setup 6.x
8223727
(Confidential)
core-libs javax.naming com/sun/jndi/ldap/privconn/RunTest.java failed due to hang in LdapRequest.getReplyBer

Changes in Java SE 8u221 b32

Please note that fixes from prior BPR are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8219914 client-libs   Change the environment variable for Java Access Bridge logging to have a directory
8196681 client-libs javax.accessibility Java Access Bridge logging and debug flags dynamically controlled

Java™ SE Development Kit 8, Update 221 (JDK 8u221)

July 16, 2019

The full version string for this update release is 1.8.0_221-b11 (where "b" means "build"). The version number is 8u221.

IANA Data 2018i

JDK 8u221 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u221 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_221-b11
7 1.7.0_231-b08

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u221) will expire with the release of the next critical patch update scheduled for October 15, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u221) on November 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

hotspot/runtime

HotSpot Windows OS Detection Correctly Identifies Windows Server 2019

Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.

See JDK-8211106

Removed Features and Options

security-libs/java.security

Removal of Two DocuSign Root CA Certificates

Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "certplusclass2primaryca [jdk]"

    Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR

  • alias name "certplusclass3pprimaryca [jdk]"

    Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR

See JDK-8223499

security-libs/java.security

Removal of Two Comodo Root CA Certificates

Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "utnuserfirstclientauthemailca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

  • alias name "utnuserfirsthardwareca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

See JDK-8222136

security-libs/java.security

Removal of T-Systems Deutsche Telekom Root CA 2 Certificate

The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:

  • alias name "deutschetelekomrootca2 [jdk]"

    Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE

See JDK-8222137

Other notes

install

Java Access Bridge Installation Workaround

There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

JDK-8223293 (not public)

security-libs/javax.crypto

System Property to Switch Between Implementations of ECC

A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.

When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line.

If the option is explicitly set to "false", the provider decides which implementation of ECC is used.

The default value of the option is "true". Note that the default value might change in a future update release of the JDK.

JDK-8217763 (not public)

client-libs/2d

Missing Glyphs in AWT/Swing Components Due to Lack of CJK TrueType Fonts in RHEL 8

Red Hat Enterprise Linux 8 no longer includes packages which provided TrueType fonts used by JDK for CJK (Chinese, Japanese, and Korean) languages.

Text display for those languages will therefore result in missing glyphs.

See JDK-8209672 for a resolution to this issue.

See JDK-8230150

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8214252 client-libs   Expanded & Collapsed nodes of a JTree look the same on GTK3
2 JDK-8153732 client-libs 2d Windows remote printer changes do not reflect in lookupPrintServices()
3 JDK-8212202 client-libs 2d [Windows] Exception if no printers are installed.
4 JDK-8218020 client-libs 2d Fix version number in mesa.md 3rd party legal file
5 JDK-8215210 client-libs 2d [macos] Hangul text does not shape to the precomposed form on JDK8u
6 JDK-8218605 client-libs 2d Startup Splash Screen of SwingSet2 flashes in smaller coordinates before appearing in the final size
7 JDK-8214765 client-libs java.awt All TrayIcon MessageType icons does not show up with gtk3 option set
8 JDK-8204142 client-libs java.awt AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts.
9 JDK-8210886 client-libs java.awt Remove references in xwindows.md to non-existent files.
10 JDK-8214109 client-libs java.awt XToolkit is not correctly displayed color on 16-bit high color setting
11 JDK-8213183 client-libs java.awt:i18n InputMethod cannot be used after its restarting
12 JDK-8214253 client-libs javax.swing Tooltip is transparent rather than having a black background
13 JDK-8214112 client-libs javax.swing The whole text in target JPasswordField image are not selected.
14 JDK-8214111 client-libs javax.swing There is no icon in all JOptionPane target image
15 JDK-8220349 client-libs javax.swing The fix done for JDK-8214253 have caused issues in JTree behaviour
16 JDK-8218674 client-libs javax.swing HTML Tooltip with "img src=" on component doesn't show
17 JDK-8196775 core-libs java.net java/net/Socket/asyncClose/Race.java failed intermittently on Windows with ConnectException: Connection refused
18 JDK-8044047 core-libs java.util.stream Missing null pointer checks for streams
19 JDK-8213294 core-libs java.util:i18n Upgrade IANA LSR data
20 JDK-8040211 core-libs java.util:i18n Update LSR datafile for BCP 47
21 JDK-8191404 core-libs java.util:i18n Upgrading JDK with latest available LSR data from IANA.
22 JDK-8203872 core-libs java.util:i18n Upgrading JDK with latest available LSR data from IANA.
23 JDK-8214935 core-libs java.util:i18n Upgrade IANA LSR data
24 JDK-8218781 core-libs java.util:i18n Localized names for Japanese Era Reiwa in COMPAT provider
25 JDK-8209775 core-libs java.util:i18n ISO 4217 Amendment #169 Update
26 JDK-8210153 core-libs java.util:i18n localized currency symbol of VES
27 JDK-8209951 hotspot compiler Problematic sparc intrinsic: com.sun.crypto.provider.CipherBlockChaining
28 JDK-8211106 hotspot runtime [windows] Update OS detection code to recognize Windows Server 2019
29 JDK-8134030 hotspot svc test/serviceability/dcmd/gc/HeapDumpTest fails to verify the dump
30 JDK-8202884 hotspot svc-agent SA: Attach/detach might fail on Linux if debugee application create/destroy threads during attaching
31 JDK-8222812 install install java usage unit tests are failing
32 JDK-8212742 install uninstall More information link at Java Uninstall tool for MAC point to Windows page instructions
33 JDK-8215686 javafx build FX build fails using gradle 5
34 JDK-8217942 javafx build Upgrade to libxslt 1.1.33
35 JDK-8219008 javafx graphics Update OpenGL Headers to version 4.6
36 JDK-8204060 javafx graphics [Canvas] Add API in GraphicsContext to control image smoothing
37 JDK-8215894 javafx media Provide media support for libav version 58
38 JDK-8133841 javafx media Full HD video can not be played on standard 1080p screen in portrait mode
39 JDK-8222217 javafx media FX build fails on 32-bit Windows after fix for JDK-8133841
40 JDK-8218174 javafx other Add missing license file for Mesa header files
41 JDK-8222883 javafx samples Ensemble: Update version of Lucene to 7.7.1
42 JDK-8219734 javafx web [WebView] Get rid of macOS SDK private API usage
43 JDK-8215775 javafx web Scrollbars from web pages appear to be absolute, overlapping everything
44 JDK-8220147 javafx web Cherry pick GTK WebKit 2.22.7 changes
45 JDK-8219917 javafx web [WebView] Sub-resource integrity check fails on Windows and Linux
46 JDK-8151225 security-libs java.security Mark SpecTest.java as intermittently failing
47 JDK-8222137 security-libs java.security Remove T-Systems root CA certificate
48 JDK-8223499 security-libs java.security Remove two DocuSign root certificates that are expiring
49 JDK-8222136 security-libs java.security Remove two Comodo root CA certificates that are expiring
50 JDK-8181594 security-libs javax.crypto Efficient and constant-time modular arithmetic
51 JDK-8203228 security-libs javax.crypto Branch-free output conversion for X25519 and X448
52 JDK-8201317 security-libs javax.crypto X25519/X448 code improvements
53 JDK-8208648 security-libs javax.crypto ECC Field Arithmetic Enhancements
54 JDK-8204909 security-libs javax.crypto Improved ECC Implementation
55 JDK-8193830 xml jaxp Xalan Update: Xalan Java 2.7.2

Java SE 8u212 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u212 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u212 b34

Please note that fixes in 8u212 b34 are included in 8u221-b32.

Bug Fixes

BugId Component Subcomponent Summary
8208666 client-libs 2d Missing glyphs from custom made font when rendering on Graphics2D
8178870 hotspot jvmti instrumentation.retransformClasses cause coredump
8155951 hotspot jvmti VM crash in nsk/jvmti/RedefineClasses/StressRedefine: assert failed: Corrupted constant pool
8151066 hotspot jvmti assert(0 <= i && i < length()) failed: index out of bounds
8221986
(Confidential)
javafx build Intermittent FX Hudson build failure on Windows: cannot execute gperf

Changes in Java SE 8u212 b33

Bug Fixes

BugId Component Subcomponent Summary
8218674 client-libs javax.swing HTML Tooltip with "img src=" on component doesn't show
8223233
(Confidential)
install install 8u 211 32 bit MSI uninstalls Java 8u211 64 bit, which is above the security baseline

Changes in Java SE 8u212 b32

Bug Fixes

BugId Component Subcomponent Summary
8204060 javafx graphics [Canvas] Add API in GraphicsContext to control image smoothing
8221263 client-libs 2d [TEST_BUG] RemotePrinterStatusRefresh test is hard to use
8153732 client-libs 2d Windows remote printer changes do not reflect in lookupPrintServices()
8221412 client-libs 2d lookupPrintServices() does not always update the list of Windows remote printers
8212202 client-libs 2d [Windows] Exception if no printers are installed.
8194653 core-libs java.lang Deadlock involving FileSystems.getDefault and System.loadLibrary call
8219410
(Confidential)
javafx graphics [GraphicsContext] Backport doc changes

Changes in Java SE 8u212 b31

Please note that fixes from prior BPR (8u202 b34) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8221355 hotspot compiler Performance regression after JDK-8155635 backport into 8u

Java™ SE Development Kit 8, Update 212 (JDK 8u212)

April 16, 2019

The full version string for this update release is 1.8.0_212-b10 (where "b" means "build"). The version number is 8u212.

IANA Data 2018g

JDK 8u212 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u212 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_211-b12
7 1.7.0_221-b08
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u212) will expire with the release of the next critical patch update scheduled for July 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u212) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8215364 client-libs   JavaFX crashes on Ubuntu 18.04 with Wayland while using Swing-FX interop
2 JDK-8207070 client-libs java.awt Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor
3 JDK-8189926 javafx other [Mac] Pulse timer should pause when idle
4 JDK-8210411 javafx window-toolkit JavaFX crashes on Ubuntu 18.04 with Wayland
5 JDK-8211280 javafx window-toolkit JavaFX build fails on Linux with gcc8
6 JDK-8213952 security-libs java.security Relax DNSName restriction as per RFC 1123

Java™ SE Development Kit 8, Update 211 (JDK 8u211)

April 16, 2019

The full version string for this update release is 1.8.0_211-b12 (where "b" means "build"). The version number is 8u211.

IANA Data 2018g

JDK 8u211 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u211 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_211-b12
7 1.7.0_221-b08
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u211) will expire with the release of the next critical patch update scheduled for July 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u211) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

core-libs/java.time

 New Japanese Era Name Reiwa

An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3) or JapaneseEra.valueOf("Reiwa"). JDK 13 and later will have a new public field to represent this era.

The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.

See JDK-8205432

core-libs/java.util:i18n

 Square Character Support for Japanese New Era 

The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.

See JDK-8211398

client-libs/2d

 High DPI Auto-Scaling on Windows

If the Windows desktop DPI of the default screen is configured via Display Settings to be 150% or greater (that is 144 dpi or greater), JDK will now ask Windows to auto-scale the entire UI of a Java application to be consistent with the rest of the Windows desktop UI.

Below that value Java applications will appear at the same size as they did in previous releases.

This threshold is chosen as a trade-off between compatibility and legibility of the UI. At higher DPI settings, without this auto-scaling, the Java UI may be just too small to be read comfortably.

There may be some negative consequences such as

  • Some elements of the UI may appear somewhat blurry, particularly if the scaling factor is a non-integral value (that is 1.5 rather than 2.0).
  • ClearType text is not effective when auto-scaling so grey scale anti-aliasing is used instead by the Swing toolkit.
  • Window sizing and positioning calculations may be adversely affected.

In the event that the negative consequences outweigh the benefits, an application can request the old behaviour by specifying:

-Dsun.java2d.dpiaware=true

Conversely, if the application would prefer to be auto-scaled even at lower DPI settings, then specify:

-Dsun.java2d.dpiaware=false

In the absence of either explicit setting, the default behaviour described above will apply.

JDK-8204512 (not public)

core-libs/java.lang

 New Currency Code Points Added

The Java SE 8 Platform spec for java.lang.Character now supports Unicode 6.2 plus an extension to allow new currency code points from Unicode 10.0.

The following currency code points have been added:



    0BB NORDIC MARK SIGN
    20BC  MANAT  SIGN
    20BD RUBLE SIGN
    20BE LARI SIGN
    20BF BITCOIN SIGN

See JDK-8217710

Known Issues

install

 Java Access Bridge Installation Workaround

There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

JDK-8223293 (not public)

hotspot/compiler

 Possible Performance Regression in JDK 8 Updates 202, 211, and 212

Due to a known issue with the fix for JDK-8155635, introduced in JDK 8 update 202, some applications may experience a performance regression (lower throughput and/or higher CPU consumption) when migrating from earlier releases. Examples of code that might trigger this regression include heavy use of sun.misc.Unsafe and the Reflection API. This performance regression is addressed in JDK-8221355.

See JDK-8221355

Changes

security-libs/java.security

 Added GlobalSign R6 Root Certificate 

The following root certificate has been added to the cacerts truststore:

  • GlobalSign
    • globalsignrootcar6

      DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6

JDK-8216577 (not public)

security-libs/javax.net.ssl

 Distrust TLS Server Certificates Anchored by Symantec Root CAs 

The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.

TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).

An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.

The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.

An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:

"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"

If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Symantec Root certificates included in the JDK:

Root Certificates distrusted after 2019-04-16

Distinguished Name SHA-256 Fingerprint
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA: DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A

CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US

37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8: 2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C

CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F: 7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66

CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E: E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4

CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US

A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93: 42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12

CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A: 97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F

CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US

A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB: 43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57

CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C: 06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C

EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47: 9C:36:93:65:08:80:50:56:98:10:5D:BC:E9

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F: D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09: CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E: DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B

CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1: B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44

CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60: 32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79

CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99: 89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF

CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5: C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

Subordinate Certificates distrusted after 2019-12-31

Distinguished Name SHA-256 Fingerprint
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US

AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A: 9C:DB:EC:77:29:6A:42:4B

CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US

A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A: C1:49:08:82:D4:88:ED

If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours.

See JDK-8207258

core-libs/java.time

 Support New Japanese Era in java.time.chrono.JapaneseEra 

The JapaneseEra class and its of(int), valueOf(String), and values() methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.

See JDK-8212941

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8213983 client-libs java.awt [macosx] Keyboard shortcut ???cmd +`??? stops working properly if popup window is displayed
2 JDK-8213583 client-libs java.awt Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files
3 JDK-8076164 client-libs javax.swing [JTextField] When input too long Thai character, cursor's behavior is odd
4 JDK-8132136 client-libs javax.swing [PIT] RTL orientation in JEditorPane is broken
5 JDK-8133108 client-libs javax.swing [PIT] Container size is wrong in JEditorPane
6 JDK-8187364 client-libs javax.swing Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component
7 JDK-8216396 core-libs java.lang Support new Japanese era and new currency code points in java.lang.Character for Java SE 8
8 JDK-8218915 core-libs java.lang Change isJavaIdentifierStart and isJavaIdentifierPart to handle new code points
9 JDK-8217710 core-libs java.lang Add 5 currency code points to Java SE 8uX
10 JDK-8180469 core-libs java.time Wrong short form text for supplemental Japanese era
11 JDK-8212941 core-libs java.time Support new Japanese era in java.time.chrono.JapaneseEra
12 JDK-8211398 core-libs java.util:i18n Square character support for the Japanese new era
13 JDK-8202088 core-libs java.util:i18n Japanese new era implementation
14 JDK-8207152 core-libs java.util:i18n Placeholder for Japanese new era should be two characters
15 JDK-8217609 core-libs java.util:i18n New era placeholder not recognized by java.text.SimpleDateFormat
16 JDK-8159886 deploy plugin Window of a newly launched Oracle Forms applet loses focus
17 JDK-8133984 hotspot runtime print_compressed_class_space() is only defined in 64-bit VM
18 JDK-8180904 hotspot test Hotspot tests running with -agentvm failing due to classpath
19 JDK-8187220 install install postinstall fails if there is a space in user name
20 JDK-8214185 javafx media Upgrade GStreamer to the latest (1.14.4) version
21 JDK-8200665 javafx samples Ensemble: Update SyntaxHighlighter to version 4.0.1
22 JDK-8207772 javafx web File API and FileReader should be supported in WebView
23 JDK-8213541 javafx web WebView does not handle HTTP response without ContentType
24 JDK-8215702 javafx web SVG gradients are not rendered
25 JDK-8215799 javafx web Complex text is not rendered by webkit on Windows
26 JDK-8214119 javafx web Update to 607.1 version of WebKit
27 JDK-8211399 javafx web libxslt fails to build with glibc 2.26
28 JDK-8211454 javafx web Update SQLite to version 3.26.0
29 JDK-8214452 javafx web Update libxml2 to version 2.9.9
30 JDK-8213806 javafx web WebView - JVM crashes for given HTML
31 JDK-8218611 javafx web [DRT] fast/xslt tests fails with Unsupported encoding windows-1251
32 JDK-8219539 javafx web Cherry pick GTK WebKit 2.22.6 changes
33 JDK-8133802 security-libs   replace some <tt> tags (obsolete in html5) in security-libs docs
34 JDK-8216280 security-libs java.security Allow later Symantec Policy distrust date for two Apple SubCAs
35 JDK-8215318 security-libs java.security Amend the Standard Algorithm Names specification to clarify that names can be defined in later versions
36 JDK-8029661 security-libs javax.net.ssl Support TLS v1.2 algorithm in SunPKCS11 provider
37 JDK-8207258 security-libs javax.net.ssl Distrust TLS server certificates anchored by Symantec Root CAs
38 JDK-8129988 security-libs javax.net.ssl JSSE should create a single instance of the cacerts KeyStore
39 JDK-8217579 security-libs javax.net.ssl TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
40 JDK-8203190 security-libs javax.net.ssl SessionId.hashCode generates too many collisions
41 JDK-8164656 security-libs org.ietf.jgss:krb5 krb5 does not retry if TCP connection timeouts

Java SE 8u202 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u202 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u202 b34

Bug Fixes

BugId Component Subcomponent Summary
8204142 client-libs java.awt AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts.
8217227
(Confidential)
deploy plugin Java Deployment Ruleset (DRS) not working for forms Web Start (webstart) configÂ
8221544
(Confidential)
deploy webstart StackOverflowError and JWS fails to launch for some client PCs in cluster config

Changes in Java SE 8u202 b32

Bug Fixes

BugId Component Subcomponent Summary
8213583 client-libs java.awt Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files
8207070 client-libs java.awt Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor
8027434 hotspot runtime "-XX:OnOutOfMemoryError" uses fork instead of vfork

Changes in Java SE 8u202 b31

Please note that fixes from the prior BPR (8u192 b35) are included in this version.


Java™ SE Development Kit 8, Update 202 (JDK 8u202)

January 15, 2019

The full version string for this update release is 1.8.0_202-b08 (where "b" means "build"). The version number is 8u202.

IANA Data 2018g

JDK 8u202 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u202 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_201-b09
7 1.7.0_211-b07
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u202) will expire with the release of the next critical patch update scheduled for April 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u202) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Known Issues

client-libs

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.

See JDK-8219072

Bug Fixes

The following are some of the notable bug fixes included in this release:

deploy/webstart

Changes in Update Process of Java Web Start Cached Objects

The update mechanism of cached Java Web Start objects has been slightly changed. Now Java Web Start issues HTTP HEAD request instead of GET to test whether the updates for cached object are available or not. The downloading of the updates did not change and keeps working in the same way as before.

JDK-8211746 (not public)

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8210384 client-libs 2d SunLayoutEngine.isAAT() font is expensive on MacOS
2 JDK-8191178 client-libs java.awt [macos] Problem with input of yen symbol
3 JDK-8130655 client-libs java.awt OS X: keyboard input in textfield is not possible if the window contained textfield is owned by EmbeddedFrame
4 JDK-8205479 client-libs java.awt OS X: requestFocus() does not work properly for embedded frame
5 JDK-8170937 client-libs java.awt Swing apps are slow if displaying from a remote source to many local displays
6 JDK-8207322 client-libs java.awt [Client-Libs] Backport GTK3 support on Linux to 8u
7 JDK-8201801 client-libs java.awt RTL language (Hebrew) is presented from left to right
8 JDK-8182461 client-libs javax.imageio IndexOutOfBoundsException when reading indexed color BMP
9 JDK-8207150 client-libs javax.sound Clip.isRunning() may return true after Clip.stop() was called
10 JDK-8202264 client-libs javax.sound Race condition in AudioClip.loop()
11 JDK-8206392 client-libs javax.swing [macosx] Cycling through windows (JFrames) does not work with keyboard shortcut
12 JDK-8208638 client-libs javax.swing Instead of circle rendered in appl window, but ellipse is produced JEditor Pane
13 JDK-8207060 core-libs java.io Memory leak when malloc fails within WITH_UNICODE_STRING block
14 JDK-8207750 core-libs java.io Native handle leak in java.io.WinNTFileSystem.list()
15 JDK-8200719 core-libs java.net Cannot connect to IPv6 host when exists any active network interface without IPv6 address
16 JDK-8202261 core-libs java.nio (fc) FileChannel.map and RandomAccessFile.setLength should not preallocate space
17 JDK-8207145 core-libs java.nio (fs) Native memory leak in WindowsNativeDispatcher.LookupPrivilegeValue0
18 JDK-8165852 core-libs java.nio (fs) Mount point not found for a file which is present in overlayfs
19 JDK-8139507 core-libs java.util WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs
20 JDK-8209184 core-libs java.util:i18n JCK Test Failure due to ResourceBundle
21 JDK-8210038 deploy webstart JNLP 'arch' attribute fails with NPE in SingleInstanceServiceImpl
22 JDK-8208183 hotspot   update HSDIS plugin license to UPL
23 JDK-8212709 hotspot   Backout backport of JDK-8211394 from jdk 8u-dev
24 JDK-8164920 hotspot compiler ppc: enhancement of CRC32 intrinsic
25 JDK-8209639 hotspot compiler assert failure in coalesce.cpp: attempted to spill a non-spillable item
26 JDK-8172850 hotspot compiler Anti-dependency on membar causes crash in register allocator due to invalid instruction scheduling
27 JDK-8155635 hotspot compiler C2: Mixed unsafe oop accesses break alias analysis
28 JDK-8131048 hotspot compiler ppc: implement CRC32 intrinsic
29 JDK-8211150 hotspot gc G1 Full GC not purging code root memory and hence causing memory leak
30 JDK-8064811 hotspot gc Use THREAD instead of CHECK_NULL in return statements
31 JDK-8211909 hotspot jvmti JDWP Transport Listener: dt_socket thread crash
32 JDK-8211387 hotspot runtime [Zero] atomic_copy64: Use ldrexd for atomic reads on ARMv7
33 JDK-8211124 hotspot runtime HotSpot vm_version.cpp should recognise updated VS2017
34 JDK-8205965 hotspot runtime SIGSEGV on write to NativeCallStack::EMPTY_STACK
35 JDK-8196882 hotspot runtime VS2017 Hotspot Defined vsnprintf Function Causes C2084 Already Defined Compilation Error
36 JDK-8209863 hotspot runtime Add a test to verify that -XX:+EnableTracing works
37 JDK-8211394 hotspot runtime CHECK_ must be used in the rhs of an assignment statement within a block (round 2)
38 JDK-8145788 hotspot svc JVM crashes with -XX:+EnableTracing
39 JDK-8208091 hotspot svc-agent SA: jhsdb jstack --mixed throws UnmappedAddressException on i686
40 JDK-8164383 hotspot svc-agent jhsdb dumps core on Solaris 12 when loading dumped core
41 JDK-8210219 javafx graphics GlassClipboard.cpp fails to compile with newer versions of VS2017
42 JDK-8148129 javafx web Implement Accelerated composition for WebView
43 JDK-8209457 javafx web [WebView] Canvas.toDataURL with image/jpeg MIME type fails
44 JDK-8202277 javafx web WebView image capture fails with standalone FX due to dependency on javafx.swing
45 JDK-8196968 javafx web One time crash on exit in JNIEnv_::CallObjectMethod
46 JDK-8207159 javafx web Update ICU to version 62.1
47 JDK-8212147 javafx window-toolkit [JavaFX] Backport GTK3 support on Linux to 8u
48 JDK-8156709 security-libs java.security Cannot call setSeed on NativePRNG on Mac if EGD is /dev/urandom
49 JDK-8187218 security-libs org.ietf.jgss GSSCredential.getRemainingLifetime() returns negative value for TTL > 24 days.
50 JDK-8131051 security-libs org.ietf.jgss:krb5 KDC might issue a renewable ticket even if not requested
51 JDK-8160928 tools javac javac incorrectly copies over interior type annotations to bridge method

Java™ SE Development Kit 8, Update 201 (JDK 8u201)

January 15, 2019

The full version string for this update release is 1.8.0_201-b09 (where "b" means "build"). The version number is 8u201.

IANA Data 2018g

JDK 8u201 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u201 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_201-b09
7 1.7.0_211-b07
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u201) will expire with the release of the next critical patch update scheduled for April 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u201) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Issues Fixed

core-libs/java.net
Restriction on Windows NTLM Transparent Authentication

This change limits the use of transparent HTTP authentication on Microsoft Windows for the NTLM scheme. In that scheme, the security credentials based on the currently logged in user's name and password are obtained directly from the operating system, without prompting the user.

A new networking system property, jdk.http.ntlm.transparentAuth, has been added with the following possible values:

  • "disabled" means transparent authentication is not used and the user application is always prompted for NTLM credentials. This is the default and preferred setting. NTLM authentication is still usable in this mode through the java.net.Authenticator class.
  • "trustedHosts" means transparent authentication is only used for hosts identified as trusted in the Windows networking configuration.
  • "allHosts" means transparent authentication is always used.

Any other value, or no value, is treated the same as "disabled". Care should be taken before enabling this mechanism.

See JDK-8209094

Changes

security-libs/javax.net.ssl

TLS anon and NULL Cipher Suites are Disabled

The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.

See JDK-8211883

security-libs/java.security

jarsigner Prints When a timestamp Will Expire

The jarsigner tool now shows more information about the lifetime of a timestamped JAR. New warning and error messages are displayed when a timestamp has expired or is expiring within one year.

See JDK-8191438

hotspot/runtime

Linux Native Code Checks 

Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.

JDK-8196902 (not public)

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8201818 client-libs 2d [macosx] Printing attributes break page size set via "java.awt.print.Book" object
2 JDK-8141491 core-libs java.nio Unaligned memory access in Bits.c
3 JDK-8171049 core-libs java.time Era.getDisplayName doesn't work with non-IsoChronology
4 JDK-8205330 core-libs javax.naming InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
5 JDK-8157913 deploy packager Launcher can not find path to libpackager.so
6 JDK-8213011 deploy plugin Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError
7 JDK-8212457 deploy webstart JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled
8 JDK-8212793 deploy webstart Fix for JDK-8189783 fails
9 JDK-8147555 docs   Document that % and " characters are not supported in keys and values of a property for Java Web Start
10 JDK-8161741 docs guides Typo within section "22.2.3 File Names"
11 JDK-8189182 install install JDK8 RPM postinstall scriptlet assumes /usr/share/man/man1 exists
12 JDK-8203884 javafx graphics Update libjpeg to version 9c
13 JDK-8214035 javafx graphics Unable to render cmyk jpeg image
14 JDK-8212158 javafx other FX: Update copyright year in docs, readme files to 2019
15 JDK-8209652 javafx samples Ensemble: Update version of Lucene to 7.4.0
16 JDK-8213837 javafx samples FX samples cannot load media from download.java.net over http
17 JDK-8211304 javafx window-toolkit [macOS] Crash on focus loss from dialog on macOS 10.14 Mojave
18 JDK-8027781 security-libs java.security New jarsigner timestamp warning is grammatically incorrect
19 JDK-8209129 security-libs javax.crypto Further improvements to cipher buffer management
20 JDK-8208583 security-libs javax.crypto Better management of internal KeyStore buffers
21 JDK-8207775 security-libs javax.crypto Better management of CipherCore buffers
22 JDK-8209862 security-libs javax.crypto CipherCore performance improvement
23 JDK-8211883 security-libs javax.net.ssl Disable anon and NULL cipher suites

Java SE 8u192 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u192 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR. Note that bug fixes in previous BPR (8u181-b37) are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u192 b35

Bug Fixes

BugId Component Subcomponent Summary
8213011 deploy plugin Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError
8187364 client-libs javax.swing Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component
8159886 deploy plugin Window of a newly launched Oracle Forms applet loses focus
8141491 core-libs java.nio Unaligned memory access in Bits.c
8029661 security-libs javax.net.ssl Support TLS v1.2 algorithm in SunPKCS11 provider
8129988 security-libs javax.net.ssl JSSE should create a single instance of the cacerts KeyStore
8203190 security-libs javax.net.ssl SessionId.hashCode generates too many collisions

Changes in Java SE 8u192 b33

Bug Fixes

BugId Component Subcomponent Summary
8212457 deploy webstart JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled

Changes in Java SE 8u192 b32

Bug Fixes

BugId Component Subcomponent Summary
8139507 core-libs java.util WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs
8170937 client-libs java.awt Swing apps are slow if displaying from a remote source to many local displays
8193879
(Confidential)
core-svc debugger Java debugger hangs on method invocation
8163083
(Confidential)
core-svc debugger SocketListeningConnector does not allow invocations with port 0

Changes in Java SE 8u192 b31

Please note that fixes from the prior BPR (8u181 b37) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8208638 client-libs javax.swing Instead of circle rendered in appl window, but ellipse is produced JEditor Pane

Java™ SE Development Kit 8, Update 192 (JDK 8u192)

October 16, 2018

The full version string for this update release is 1.8.0_192-b12 (where "b" means "build"). The version number is 8u192.

IANA Data 2018e

JDK 8u192 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u192 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u192) will expire with the release of the next critical patch update scheduled for January 15, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u192) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features

security-libs/javax.net.ssl

Support for Customization of Default Enabled Cipher Suites via System Properties 

The system property jdk.tls.client.cipherSuites can be used to customize the default enabled cipher suites for the client side of SSL/TLS connections. In a similar way, the system property jdk.tls.server.cipherSuites can be used for customization on the server side.

The system properties contain a comma-separated list of supported cipher suite names that specify the default enabled cipher suites. All other supported cipher suites are disabled for this default setting. Unrecognized or unsupported cipher suite names specified in properties are ignored. Explicit setting of enabled cipher suites will override the system properties.

Please refer to the "Java Cryptography Architecture Standard Algorithm Name Documentation" for the standard JSSE cipher suite names, and the "Java Cryptography Architecture Oracle Providers Documentation" for the cipher suite names supported by the SunJSSE provider.

Note that the actual use of enabled cipher suites is restricted by algorithm constraints.

Note also that these system properties are currently supported by the JDK Reference Implementation. They are not guaranteed to be supported by other implementations.

Warning: These system properties can be used to configure weak cipher suites, or the configured cipher suites may become more weak over time. We do not recommend using the system properties unless you understand the security implications. Use them at your own risk.

See JDK-8162362

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8201240 client-libs 2d Improve releasing native resources of BufImgSurfaceData.ICMColorData
2 JDK-8188030 client-libs java.awt AWT java apps fail to start when some minimal fonts are present
3 JDK-8200353 client-libs java.awt Shift or Capslock not working in Textfield after accented keystrokes
4 JDK-8195738 client-libs java.awt scroll position in ScrollPane is reset after calling validate()
5 JDK-8188083 client-libs java.awt NullPointerExcpn-java.awt.image.FilteredImageSource.startProduction JDK-8079607
6 JDK-8150954 client-libs java.awt Taking screenshots on x11 composite desktop produce wrong result
7 JDK-8202696 client-libs javax.swing Remove exclusion range for phonetic chars in windows fontconfig.properties
8 JDK-8195095 client-libs javax.swing Images are not scaled correctly in JEditorPane
9 JDK-8206914 core-libs   add jdk8u-dev test failures to ProblemList.txt
10 JDK-8201369 core-libs java.net Inet4AddressImpl_getLocalHostName reverse lookup on Solaris only
11 JDK-8194412 core-libs java.time Adding 256 units of IsoFields.QUARTER_YEARS broken
12 JDK-8176192 core-libs javax.naming Incorrect usage of Iterator in Java 8 In com.sun.jndi.ldap.EventSupport.removeNamingListener
13 JDK-8156824 core-libs javax.naming com.sun.jndi.ldap.pool.PoolCleaner should clear its context class loader
14 JDK-8186646 core-libs jdk.nashorn Nashorn: "duplicate code" assertion when binding a vararg function that just passes arguments along
15 JDK-8201651 deploy plugin Better error handling during JNLP2Manager initialisation
16 JDK-8204508 deploy webstart Robot ScreenCapture fails on HiDPI system
17 JDK-8205343 deploy webstart bug in backport of JDK-8185002
18 JDK-8168415 deploy webstart ShowDocument fails with URL using jnlp or jnlps protocol
19 JDK-8193711 deploy webstart Launching JWS applet the default download progress dialog only shows if the java console is enabled
20 JDK-8195609 deploy webstart DRS - cert based run rule not working when running offline
21 JDK-8008321 hotspot compiler compile.cpp verify_graph_edges uses "bool" as "int"
22 JDK-8162540 hotspot compiler Crash in C2 escape analysis with assert: "node should be registered"
23 JDK-8194642 hotspot compiler Improve OOM error reporting for JDK8
24 JDK-8158012 hotspot compiler Use SW prefetch instructions instead of BIS for allocation prefetches on SPARC Core C4
25 JDK-8148175 hotspot compiler C1: G1 barriers don't preserve FP registers
26 JDK-8165489 hotspot gc Missing G1 barrier in Unsafe_GetObjectVolatile
27 JDK-8173013 hotspot gc JVMTI tagged object access needs G1 pre-barrier
28 JDK-8114823 hotspot gc G1 doesn't honor request to disable class unloading
29 JDK-8081323 hotspot jvmti ConstantPool::_resolved_references is missing in heap dump
30 JDK-8150426 hotspot runtime Wrong cast in metadata_at_put
31 JDK-8196884 hotspot runtime VS2017 Multiple Type Cast Conversion Compilation Errors
32 JDK-8196880 hotspot runtime VS2017 Addition of Global Delete Operator with Size Parameter Conflicts with Arena's Chunk Provided One
33 JDK-8197868 hotspot runtime VS2017 (C2065) 'timezone': Undeclared Identifier in share/runtime/os.cpp
34 JDK-8144201 hotspot runtime openjdk aarch64: jdk/test/com/sun/net/httpserver/Test6a.java fails with --enable-unlimited-crypto
35 JDK-8189170 hotspot runtime Add option to disable stack overflow checking in primordial thread for use with JNI_CreateJavaJVM
36 JDK-8206406 hotspot runtime StubCodeDesc constructor publishes partially-constructed objects on StubCodeDesc::_list
37 JDK-8186461 hotspot runtime Zero's atomic_copy64() should use SPE instructions on linux-powerpcspe
38 JDK-8185723 hotspot runtime Zero: segfaults on Power PC 32-bit
39 JDK-8026331 hotspot runtime hs_err improvement: Print if we have seen any OutOfMemoryErrors or StackOverflowErrors
40 JDK-8202600 hotspot runtime [Zero] Undefined behaviour in src/os_cpu/linux_zero/vm/os_linux_zero.cpp
41 JDK-6730115 hotspot svc Fastdebug VM crashes with "ExceptionMark destructor expects no pending exceptions" error
42 JDK-8204053 hotspot svc-agent libsaproc.so not linked with -z,noexecstack
43 JDK-8189677 javafx controls RadioMenuItem fires extra NULL value in property
44 JDK-8192800 javafx controls Table auto resize ignores column resize policy
45 JDK-8198354 javafx graphics [macOS] Corrupt Thai characters displayed in word wrapped label
46 JDK-8198316 javafx media MediaPlayer crashes when playing m3u8 files on macOS High Sierra 10.13.2
47 JDK-8202036 javafx other Update OpenJFX license files to match OpenJDK
48 JDK-8147476 javafx web Rendering issues with MathML token elements
49 JDK-8203845 performance   backport of JDK-8034788 inadvertently rolled back JDK-8187045 changes to toolchain.m4
50 JDK-8165463 security-libs   Native implementation of sunmscapi should use operator new (nothrow) for allocations
51 JDK-8185855 security-libs java.security Debug exception stacks should be clearer
52 JDK-8193171 security-libs java.security keytool -list displays "JKS" for a PKCS12 keystore.
53 JDK-8081792 security-libs javax.crypto buffer size calculation issue in NativeGCMCipher
54 JDK-8203182 security-libs javax.crypto:pkcs11 Release session if initialization of SunPKCS11 Signature fails
55 JDK-8162362 security-libs javax.net.ssl Introduce system property to control enabled ciphersuites

Java™ SE Development Kit 8, Update 191 (JDK 8u191)

October 16, 2018

The full version string for this update release is 1.8.0_191-b12 (where "b" means "build"). The version number is 8u191.

IANA Data 2018e

JDK 8u191 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u191 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u191) will expire with the release of the next critical patch update scheduled for January 15, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u191) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features

infrastructure/build

Build Environment Update Linux x86/x64 Moved to gcc 7.3

On x86/x64 Linux, the toolchain used to build the JDK has been upgraded from GCC 4.3 to GCC 7.3.

JDK-8206409 (not public)

Changes

core-svc

Changed Central File System Location for usagetracker.properties File

The file system location in Windows for the usagetracker.properties file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf

There is no change in the file path for Linux, Solaris, or macOS.

JDK-8204901 (not public)

security-libs/javax.net.ssl

Disabled all DES TLS Cipher Suites

DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.

See JDK-8208350

security-libs/java.security

Removal of Several Symantec Root CAs

The following Symantec root certificates are no longer in use and have been removed:

  • Symantec
    • equifaxsecureca

      DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

    • equifaxsecureglobalebusinessca1

      DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

    • equifaxsecureebusinessca1

      DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US

    • verisignclass1g3ca

      DN: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    • verisignclass2g3ca

      DN: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    • verisignclass1g2ca

      DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

    • verisignclass1ca

      DN: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

See JDK-8191031

security-libs/java.security

Removal of Baltimore Cybertrust Code Signing CA

The following Baltimore CyberTrust Code Signing root certificate is no longer in use and has been removed:

  • baltimorecodesigningca

    DN: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE

See JDK-8189949

security-libs/java.security

Removal of SECOM Root Certificate

The following SECOM root certificate is no longer in use and has been removed:

  • secomevrootca1

    DN: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP

See JDK-8191844

hotspot/runtime

Java Improvements for Docker Containers

The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:

  • JDK-8146115 Improve docker container detection and resource configuration usage

The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:

-XX:-UseContainerSupport

In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:

-XX:ActiveProcessorCount=count

This count overrides any other automatic CPU detection logic in the JVM.

  • JDK-8186248 Allow more flexibility in selecting Heap % of available RAM

Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:

  • -XX:InitialRAMPercentage
  • -XX:MaxRAMPercentage
  • -XX:MinRAMPercentage

These options replace the deprecated Fraction forms (-XX:InitialRAMFraction, -XX:MaxRAMFraction, and -XX:MinRAMFraction).

  • JDK-8179498 attach in linux should be relative to /proc/pid/root and namespace aware

This bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.

See JDK-8146115

security-libs/javax.crypto

Improved Cipher Inputs

The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.

JDK-8201756 (not public)

Bug Fixes

The following are some of the notable bug fixes included in this release:

core-libs/javax.naming

LDAPS Communication Failure

Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ) may encounter an exception when establishing the connection.

The top most frames from Exception stack traces of applications encountering such issues might resemble the following:



javax.naming.ServiceUnavailableException: <server:port>; socket closed
at   com.sun.jndi.ldap.Connection.readReply(Unknown Source) 
at   com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
... 

See JDK-8211107

core-libs/java.net

Better HTTP Redirection Support

In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.

JDK-8196902 (not public)

 

Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8152974 client-libs java.awt AWT hang occurrs when sequenced events arrive out of sequence
2 JDK-8208353 client-libs java.awt Upgrade JDK to libpng 1.6.35
3 JDK-8168628 core-libs java.nio (fc) SIGBUS when extending file size to map it
4 JDK-8171452 core-libs java.nio (ch) linux io_util_md: Operation not supported exception after 8168628
5 JDK-8211107 core-libs javax.naming LDAPS communication failure with jdk 1.8.0_181
6 JDK-8175871 docs guides Deployment.properties file example is incorrect
7 JDK-8198835 docs guides Typo in URL for XML section in developer guides
8 JDK-8173224 docs guides Document jdk.tls.legacyAlgorithms security property
9 JDK-8164480 hotspot compiler Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
10 JDK-8146115 hotspot runtime Improve docker container detection and resource configuration usage
11 JDK-8206875 install install [L10N]Truncation issue happens on the final dialog for pt on Mac
12 JDK-8209191 javafx graphics [macOS] Distorted complex text rendering
13 JDK-8199527 javafx media Upgrade GStreamer to 1.14
14 JDK-8209049 javafx web Cherry pick GTK WebKit 2.20.4 changes
15 JDK-8208622 javafx web [WebView] IllegalStateException when invoking print API with html form controls
16 JDK-8204856 javafx web WebEngine document becomes null after PAGE_REPLACED event
17 JDK-8208114 javafx web Drag and drop of text contents and URL links functionalities are broken in Webview
18 JDK-8203698 javafx web JavaFX WebView crashes when visiting certain web sites
19 JDK-8199474 javafx web Update to 606.1 version of WebKit
20 JDK-8200629 javafx web Update SQLite to version 3.23.0
21 JDK-8197987 javafx web Update libxslt to version 1.1.32
22 JDK-8193368 javafx web [OS X] Remove redundant files
23 JDK-8142927 other-libs other Feed some text to STDIN in ProcessTools.executeProcess()
24 JDK-8180289 security-libs java.security jarsigner treats timestamped signed jar invalid after the signer cert expires
25 JDK-8130132 security-libs java.security jarsigner should emit warning if weak algorithms or keysizes are used
26 JDK-8191031 security-libs java.security Remove several Symantec Root CAs
27 JDK-8191844 security-libs java.security Remove SECOM root (secomevrootca1)
28 JDK-8189949 security-libs java.security Remove Baltimore Cybertrust Code Signing CA
29 JDK-8074462 security-libs javax.net.ssl Handshake messages can be strictly ordered
30 JDK-8172529 security-libs jdk.security Use PKIXValidator in jarsigner
31 JDK-8197518 security-libs org.ietf.jgss Kerberos krb5 authentication: AuthList's put method leads to performance issue

Java SE 8u181 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u181 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u181 b37

Bug Fixes

BugId Component Subcomponent Summary
8211107 core-libs javax.naming LDAPS communication failure with jdk 1.8.0_181

Changes in Java SE 8u181 b36

Bug Fixes

BugId Component Subcomponent Summary
8204513
(Confidential)
deploy deployment_toolkit Context lost after resizing the browser window in applet with Forms

Changes in Java SE 8u181 b35

Bug Fixes

BugId Component Subcomponent Summary
8201818 client-libs 2d [macosx] Printing attributes break page size set via "java.awt.print.Book" object

Changes in Java SE 8u181 b34

Bug Fixes

BugId Component Subcomponent Summary
8208583 security-libs javax.crypto Better management of internal KeyStore buffers
8209129 security-libs javax.crypto Further improvements to cipher buffer management
8207775 security-libs javax.crypto Better management of CipherCore buffers

Changes in Java SE 8u181 b33

Bug Fixes

BugId Component Subcomponent Summary
8202696 client-libs javax.swing Remove exclusion range for phonetic chars in windows fontconfig.properties
8206242
(Confidential)
deploy webstart Java Web Start checks "user.dir" read permission when opening http connection

Changes in Java SE 8u181 b32

Please note that fixes from the prior BPR (8u172 b37) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8195095 client-libs javax.swing Images are not scaled correctly in JEditorPane

Java™ SE Development Kit 8, Update 181 (JDK 8u181)

July 17, 2018

The full version string for this update release is 1.8.0_181-b13 (where "b" means "build"). The version number is 8u181.

IANA Data 2018e

JDK 8u181 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u181 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_181-b13
7 1.7.0_191-b08
6 1.6.0_201-b07

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u181) will expire with the release of the next critical patch update scheduled for October 16, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u181) on November 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Removed Features and Options

other-libs/javadb

 Removal of Java DB 

Java DB, also known as Apache Derby, has been removed in this release.

We recommend that you obtain the latest Apache Derby directly from the Apache project at:

https://db.apache.org/derby

JDK-8197871 (not public)

Changes

core-libs/javax.naming

 Improve LDAP support

Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

core-libs/java.io:serialization

 Better stack walking

New access checks have been added during the object creation phase of deserialization. This should not affect ordinary uses of deserialization. However, reflective frameworks that make use of JDK-internal APIs may be impacted. The new checks can be disabled if necessary by setting the system property jdk.disableSerialConstructorChecks to the value "true". This must be done by adding the argument -Djdk.disableSerialConstructorChecks=true to the Java command line.

JDK-8197925 (not public)

Bug Fixes

The following are some of the notable bug fixes included in this release:

core-svc/debugger

 Unable to use the JDWP API in JDK 8 to debug JDK >=9

The implementation of VirtualMachineImpl.canGetInstanceInfo() has been corrected, so it is now able to see JDK JVMs >= JDK 9.

This correction allows certain debugger agents to operate correctly without any action required from a user (developer).

See JDK-8197943

hotspot/gc

 JVM Crash during G1 GC 

A klass that has been considered unreachable by the concurrent marking of G1, can be looked up in the ClassLoaderData/SystemDictionary, and its _java_mirror or _class_loader fields can be stored in a root or any other reachable object making it alive again. Whenever a klass is resurrected in this manner, the SATB part of G1 needs to be notified about this, otherwise, the concurrent marking remark phase will erroneously unload that klass.

In this particular crash, while G1 was doing concurrent marking and had prepared its list of unreachable classes, JVMTI on a Java thread could traverse classes in the CLD and store thread-local JNIHandles for the java_mirror of the loaded classes. G1 did not have knowledge of these thread-local JNIHandles, and in the remark phase, it unloaded the classes per its prior knowledge of unreachable classes. When these JNIHandles were later scanned, it lead to a crash.

This fix for JDK-8187577 informs G1's SATB that a klass has been resurrected and it should not be unloaded.

See JDK-8187577

hotspot/gc

 Better stability with older NUMA libraries (-XX+UseNuma) 

A fix included in JDK 8 Update 152 introduced a regression that might cause the HotSpot JVM to crash during startup when the UseNUMA flag is used on Linux systems with versions of libnuma older than 2.0.9. This issue has been resolved.

See JDK-8198794

 

Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8201433 client-libs 2d Fix potential crash in BufImg_SetupICM
2 JDK-8198605 client-libs java.awt Touch keyboard is shown for a non-focusable text component
3 JDK-8198606 client-libs java.awt Touch keyboard does not hide, when a text component looses focus
4 JDK-8199748 client-libs java.awt Touch keyboard is not shown, if text component gets focus from other text component
5 JDK-8187635 client-libs java.awt On Windows Swing changes keyboard layout on a window activation
6 JDK-8203368 core-libs java.io:serialization ObjectInputStream filterCheck method throws NullPointerException
7 JDK-8202996 core-libs java.rmi Remove debug print statements from RMI fix
8 JDK-8197943 core-svc debugger Unable to use JDWP API in JDK 8 to debug JDK 9 VM
9 JDK-8194690 deploy   JRE bundled in App-V package will not start Java Web Start applications
10 JDK-8190689 deploy plugin Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive
11 JDK-8201133 deploy webstart Security check failure for main jar downlaod with jnlp.versionEnabled and Deployment Rule Set feature
12 JDK-8189783 deploy webstart Java Web Start application with file extension association is removed from cache when invoked for the second time from browser
13 JDK-8187223 deploy webstart Long JNLP file is not parsed correctly and ends with javaws path
14 JDK-8199304 deploy webstart javaws.exe failed to launch UTF-8 encoded JNLP file
15 JDK-8038636 hotspot compiler speculative traps break when classes are redefined
16 JDK-8156137 hotspot compiler SIGSEGV in ReceiverTypeData::clean_weak_klass_links
17 JDK-8188223 hotspot compiler IfNode::range_check_trap_proj() should handle dying subgraph with single if proj
18 JDK-8169201 hotspot compiler Montgomery multiply intrinsic should use correct name
19 JDK-8187577 hotspot gc JVM crash during gc doing concurrent marking
20 JDK-8199406 hotspot gc Performance drop with Java JDK 1.8.0_162-b32
21 JDK-8055008 hotspot jvmti Clean up code that saves the previous versions of redefined classes
22 JDK-8057570 hotspot jvmti RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid
23 JDK-8198794 hotspot runtime Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3
24 JDK-8078628 hotspot runtime linux-zero does not build without precompiled header
25 JDK-8202065 install install jre/bin/javaw.exe is missing from server-jre for windows since 8u171
26 JDK-8199650 install install JDK installation uninstalls public JRE
27 JDK-8200418 javafx web webPage.executeCommand("removeFormat", null) removes the style of the body element
28 JDK-8196011 javafx web Intermittent crash when using WebView from JFXPanel application
29 JDK-8076117 security-libs java.security EndEntityChecker should not process custom extensions after PKIX validation
30 JDK-8170035 security-libs javax.net.ssl When determining the ciphersuite lists there is no debug output for disabled suites.
31 JDK-8074373 tools launcher NMT is not enabled if NMT option is specified after class path specifiers
32 JDK-8196491 xml jax-ws Newlines in JAXB string values of SOAP-requests are escaped to " "

Java SE 8u172 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u172 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u172 b37

Bug Fixes

BugId Component Subcomponent Summary
8189161 (Confidential) deploy deployment_toolkit JWS: Method required to clean up all running instances by jnlp.sis.sessionid
8189098 (Confidential) deploy webstart JWS: Request for a method to limit the number of JVMs running on the client

Changes in Java SE 8u172 b35

Bug Fixes

BugId Component Subcomponent Summary
8200359 core-libs java.time (tz) Upgrade time-zone data to tzdata2018d
8196491 xml jax-ws Newlines in JAXB string values of SOAP-requests are escaped to " "
8164480 hotspot compiler Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
8194690 deploy webstart JRE bundled in App-V package will not start Java Web Start applications
8199304 deploy webstart javaws.exe failed to launch UTF-8 encoded JNLP file
8196011 javafx web Intermittent crash when using WebView from JFXPanel applications

Changes in Java SE 8u172 b31

Please note that fixes from prior BPR (8u162 b37) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8198794 hotspot runtime Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3
8197518 security-libs org.ietf.jgss Kerberos krb5 authentication: AuthList's put method leads to performance issue
8199406 hotspot gc Performance drop with Java JDK 1.8.0_162-b32

Java™ SE Development Kit 8, Update 172 (JDK 8u172)

April 17, 2018

The full version string for this update release is 1.8.0_172-b11 (where "b" means "build"). The version number is 8u172.

IANA Data 2018c

JDK 8u172 contains IANA time zone data version 2018c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u172 are specified in the following table:

JRE Family Version JRE Security Baseline
(Full Version String)
8 1.8.0_171-b11
7 1.7.0_181-b09
6 1.6.0_191-b09

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u172) will expire with the release of the next critical patch update scheduled for July 17, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u172) on August 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Known Issues

docs/release_notes

Description for Toolkit.getImage() and Toolkit.createImage()

The changes made under JDK-8033530 introduced an inconsistency between the implementation for and the documentation of the following methods:

  • java.awt.Toolkit.getImage(URL u)
  • java.awt.Toolkit.createimage(URL u)

The description in the API document should read:

This method first checks if there is a security manager installed. If so, the method calls the security managers checkPermission() method with the corresponding permission to ensure that the access to the image or the image creation is allowed. If the connection to the specified URL requires either URLPermission or SocketPermission, then URLPermission is used for security checks.

JDK-8154405

Changes

client-libs/java.awt

Touch Keyboard for Swing/AWT Text Components

This release adds support for automatically showing the touch keyboard for Swing/AWT text components on Microsoft Windows 8 or later. A user can display the touch keyboard either by using a touch screen to tap the text component area or by using a mouse to click in the area, when a keyboard is not attached to a computer.

The system property awt.touchKeyboardAutoShowIsEnabled controls whether this functionality is enabled in the JDK. This functionality is enabled by default. However, if the functionality is not needed, the user can switch it off from the command line by setting the system property to false:

-Dawt.touchKeyboardAutoShowIsEnabled=false

See JDK-8166772

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8130400 client-libs 2d Test java/awt/image/DrawImage/IncorrectClipXorModeSurface2Surface.java fails with ClassCastException
2 JDK-8080444 client-libs demo Update SwingSet2 to use installed L&Fs instead of hard-coded list.
3 JDK-8147542 client-libs java.awt Linux: ClassCastException when repainting after display resolution change
4 JDK-8166772 client-libs java.awt Touch keyboard is not shown for text components on a screen touch
5 JDK-8188855 core-libs   Fix VS10 build after "8187658: Bigger buffer for GetAdaptersAddresses"
6 JDK-8154017 core-libs java.lang Shutdown hooks are racing against shutdown sequence, if System.exit()-calling thread is interrupted
7 JDK-8187658 core-libs java.net Bigger buffer for GetAdaptersAddresses
8 JDK-8165466 core-libs java.text DecimalFormat percentage format can contain unexpected %
9 JDK-8136356 core-libs java.util:i18n Add time zone mappings on Windows
10 JDK-8169424 core-libs javax.script src/share/sample/scripting/scriptpad/src/scripts/memory.sh missing #!
11 JDK-8079510 core-svc java.lang.management AIX: avoid UnsatisfiedLinkError by providing empty basic implementations of getSystemCpuLoad and getProcessCpuLoad
12 JDK-8177721 core-svc javax.management Improve diagnostics in sun.management.Agent#startAgent()
13 JDK-8185498 deploy plugin Console log shows that cert is expired (but TSA valid) although no certs in chain is expired.
14 JDK-8187822 hotspot compiler C2 conditonal move optimization might create broken graph
15 JDK-8170358 hotspot gc [REDO] 8k class metaspace chunks misallocated from 4k chunk freelist
16 JDK-8170395 hotspot gc Metaspace initialization queries the wrong chunk freelist
17 JDK-8187629 hotspot runtime NMT: Memory miscounting in compiler (C2)
18 JDK-8184991 hotspot runtime NMT detail diff should take memory type into account
19 JDK-8139673 hotspot runtime NMT stack traces in output should show mt component
20 JDK-8187685 hotspot runtime NMT: Tracking compiler memory usage of thread's resource area
21 JDK-8187331 hotspot runtime VirtualSpaceList tracks free space on wrong node
22 JDK-8055755 hotspot svc Information about loaded dynamic libraries is wrong on MacOSX.
23 JDK-8031304 hotspot svc Add dcmd to print all loaded dynamic libraries.
24 JDK-8059036 hotspot svc Implement Diagnostic Commands for heap and finalizerinfo
25 JDK-8044107 hotspot svc Add Diagnostic Command to list all ClassLoaders
26 JDK-8189265 javafx controls Closing stage does not free internal resources
27 JDK-8183100 javafx controls Styles not applied reliably after Java 8u92
28 JDK-8178275 javafx samples Ensemble: Upgrade version of Lucene to 7.1.0
29 JDK-8189280 javafx swing Memory leak in SwingNode if Stage is not shown
30 JDK-8185634 javafx swing Java Fx-Swing dialogs appearing behind main stage
31