This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 8.
BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.
The following sections summarize changes made in all Java SE 8u431 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8215757 | hotspot | compiler | C2: PhaseIdealLoop::create_new_if_for_predicate() computes wrong IDOM |
JDK-8219448 | hotspot | compiler | split-if update_uses accesses stale idom data |
Release date: October 15, 2024
The full version string for this update release is 1.8.0_431-perf-b11 (where "b" means "build"). The version number is 1.8.0_431-perf.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u431 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_431-perf-b11 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u431) be used after the next critical patch update scheduled for January 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u431) on 2025-02-21. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The java.security.debug
system property now accepts arguments which add thread ID, thread name, caller information, and timestamp information to debug statements for all components or a specific component.
+timestamp
can be appended to debug options to print a timestamp for that debug option. +thread
can be appended to debug options to print thread and caller information for that debug option.
Examples: -Djava.security.debug=all+timestamp+thread
adds timestamp and thread information to every debug statement generated.
-Djava.security.debug=properties+timestamp
adds timestamp information to every debug statement generated for the properties
component.
You can also specify -Djava.security.debug=help
which will display a complete list of supported components and arguments.
See Printing Thread and Timestamp Information for more information.
Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.
Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}
) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}
), results in the older Java entries in the "java" and "javac" groups not being deleted.
The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java
or keytool
without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.
Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.
The following root certificates have been added to the cacerts truststore:
+ SSL.com
+ ssltlsrootecc2022
DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+ SSL.com
+ ssltlsrootrsa2022
DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
This JDK release relaxes the specification of java.awt.Robot
to account for possible platform and desktop environment access restrictions or limitations.
In the JDK, java.text.MessageFormat
now has an implementation limit for the ArgumentIndex
pattern element. The hard limit for the value is 10,000.
If an ArgumentIndex
value is equal to or exceeds the upper limit, an IllegalArgumentException
will now be thrown by
MessageFormats
constructorsapplyPattern(String pattern)
instance methodformat(String pattern, Object... arguments)
static methodDe-serializing a MessageFormat
object with an ArgumentIndex
value at or over the limit will throw an InvalidObjectException
.
The showSettings
launcher option no longer prints available locales information by default, when -XshowSettings
is used. The -XshowSettings:locale
option will continue to print all settings related to available locales.
New, default limits have been added to HTTP in the JDK.
The JDK built-in implementation of the URL protocol handler for HTTP (HttpURLConnection
) now has a default limit on the maximum response headers size that will be accepted from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.
The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize
system property on the command line, or in the conf/net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The JDK built-in implementation of the com.sun.net.httpserver.HttpServer
implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer
limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize
system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8005885 | hotspot/compiler | enhance PrintCodeCache to print more data |
2 | JDK-8329126 | hotspot/compiler | No native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462 |
Release date: October 15, 2024
The full version string for this update release is 1.8.0_431-b10 (where "b" means "build"). The version number is 8u431.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u431 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_431-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u431) be used after the next critical patch update scheduled for January 21, 2025.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u431) on 2025-02-21. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.
Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}
) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}
), results in the older Java entries in the "java" and "javac" groups not being deleted.
The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java
or keytool
without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.
Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.
New, default limits have been added to HTTP in the JDK.
The JDK built-in implementation of the URL protocol handler for HTTP (HttpURLConnection
) now has a default limit on the maximum response headers size that will be accepted from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.
The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize
system property on the command line, or in the conf/net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.
The JDK built-in implementation of the com.sun.net.httpserver.HttpServer
implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer
limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize
system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.
The following root certificates have been added to the cacerts truststore:
+ SSL.com
+ ssltlsrootecc2022
DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US
+ SSL.com
+ ssltlsrootrsa2022
DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms
security property in the java.security
configuration file. The TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLS_ECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLS_ECDH_" will fail with an SSLHandshakeException
. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms
security property.
Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.
The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.
TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.
The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.
An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:
TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),
OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies
security property in the java.security
configuration file.
The restrictions are imposed on the following Entrust Root certificates included in the JDK:
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US |
73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C |
CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5 |
CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39 |
CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US |
DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88 |
CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net |
6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77 |
CN=AffirmTrust Commercial, O=AffirmTrust, C=US |
03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7 |
CN=AffirmTrust Networking, O=AffirmTrust, C=US |
0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B |
CN=AffirmTrust Premium, O=AffirmTrust, C=US |
70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A |
CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US |
BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23 |
You can also use the keytool
utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.
This JDK release relaxes the specification of java.awt.Robot
to account for possible platform and desktop environment access restrictions or limitations.
This JDK implements Maintenance Release 6 of the Java SE 8 specification JSR 337. This is indicated by the system property java.specification.maintenance.version
having the value of "6"
.
In the JDK, java.text.MessageFormat
now has an implementation limit for the ArgumentIndex
pattern element. The hard limit for the value is 10,000.
If an ArgumentIndex
value is equal to or exceeds the upper limit, an IllegalArgumentException
will now be thrown by
MessageFormats
constructorsapplyPattern(String pattern)
instance methodformat(String pattern, Object... arguments)
static methodDe-serializing a MessageFormat
object with an ArgumentIndex
value at or over the limit will throw an InvalidObjectException
.
Library | New Version | Module | JBS |
---|---|---|---|
GIFlib | 5.2.2 | JDK-8328999 | |
Libpng | 1.6.43 | JDK-8329004 | |
Libxml2 | 2.12.17 | JDK-8332539 | |
WebKit | 619.1 | JDK-8328994 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u431 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8325179 | client-libs/javax.swing | Race in BasicDirectoryModel.validateFileCache |
2 | JDK-8328953 | client-libs/javax.swing | JEditorPane.read throws ChangedCharSetException |
3 | JDK-8330415 | core-libs/java.lang | Update system property for Java SE specification maintenance version |
4 | JDK-8267938 | core-libs/java.net | (sctp) SCTP channel factory methods should check platform support |
5 | JDK-8299058 | core-libs/java.net | AssertionError in sun.net.httpserver.ServerImpl when connection is idle |
6 | JDK-8332424 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-05-16 |
7 | JDK-8334418 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-06-14 |
8 | JDK-8334653 | core-libs/java.util:i18n | ISO 4217 Amendment 177 Update |
9 | JDK-8337230 | docs/guides | Update JSSE security and system properties in Customizing JSSE |
10 | JDK-8202948 | hotspot/compiler | C2: assert(init_offset >= 0) failed: positive offset from object start |
11 | JDK-8330462 | javafx/accessibility | StringIndexOutOfBoundException when typing anything into TextField |
12 | JDK-8331881 | javafx/web | WebView: Update Public Suffix List to 1cbd6e7 |
13 | JDK-8329011 | javafx/web | Update SQLite to 3.45.3 |
14 | JDK-8338306 | javafx/web | WebView Drag and Drop fails with WebKit 619.1 |
15 | JDK-8338307 | javafx/web | Additional WebKit 619.1 fixes from WebKitGTK 2.44.3 |
16 | JDK-8331765 | javafx/web | Websocket callbacks are not executed after WebKit 617.1 update |
17 | JDK-8261433 | security-libs/javax.crypto:pkcs11 | Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit |
18 | JDK-8219991 | security-libs/javax.net.ssl | New fix of the deadlock in sun.security.ssl.SSLSocketImpl |
19 | JDK-8341059 | security-libs/javax.net.ssl | Change Entrust TLS distrust date to November 12, 2024 |
The following sections summarize changes made in all Java SE 8u421 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8336952 (not public) | install | jre msi installer can fail if run after using MSI Advertise option |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8336107 (not public) | install | JDK rpm upgrade from 11.0.23 to 11.0.25 leaves "orphan" alternatives entry |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8331765 | javafx | web | Websocket callbacks are not executed after WebKit 617.1 update |
JDK-8333859 | core-libs | java.util.jar | Pack200.newUnpacker().unpack() throws IOException |
JDK-8333447 (not public) | install | install | "alternatives" uninstallation results into intermittent “Java not available” issues |
The following sections summarize changes made in Java SE 8u421 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8333859 | core-libs | java.util.jar | Pack200.newUnpacker().unpack() throws IOException |
Release date: July 16, 2024
The full version string for this update release is 8u421-perf-b07 (where "b" means "build"). The version number is 8u421-perf.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u421 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 8u421-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u421) be used after the next critical patch update scheduled for October 15, 2024.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u421) on 2024-11-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The following root certificates have been added to the cacerts truststore:
+ GlobalSign
+ globalsignr46
DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
+ GlobalSign
+ globalsigne46
DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
DTLS 1.0 has been disabled by default, by adding "DTLSv1.0" to the jdk.tls.disabledAlgorithms
security property in the java.security
configuration file. DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. Any attempts to use DTLSv1.0 will fail with an SSLHandshakeException
. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the jdk.tls.disabledAlgorithms
security property.
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8321599 | hotspot/compiler | Data loss in AVX3 Base64 decoding |
2 | JDK-8310844 | hotspot/compiler | [AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate |
3 | JDK-8324050 | hotspot/compiler | Issue store-store barrier after re-materializing objects during deoptimization |
4 | JDK-8326638 | hotspot/compiler | Crash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop |
5 | JDK-8319372 | hotspot/compiler | C2 compilation fails with "Bad immediate dominator info" |
6 | JDK-8282414 | hotspot/compiler | x86: Enhance the assembler to generate more compact instructions |
7 | JDK-8298129 | hotspot/jfr | Let checkpoint event sizes grow beyond u4 limit |
8 | JDK-8298649 | hotspot/jfr | JFR: RemoteRecordingStream support for checkpoint event sizes beyond u4 |
9 | JDK-8286740 | hotspot/jfr | JFR: Active Setting event emitted incorrectly |
10 | JDK-8326106 | hotspot/jfr | Write and clear stack trace table outside of safepoint |
11 | JDK-8298472 | hotspot/runtime | AArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options |
12 | JDK-8278241 | hotspot/runtime | Implement JVM SpinPause on linux-aarch64 |
13 | JDK-8296437 | hotspot/runtime | NMT incurs costs if disabled |
14 | JDK-8327036 | hotspot/runtime | [macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0 |
15 | JDK-8319048 | hotspot/runtime | Monitor deflation unlink phase prolongs time to safepoint |
16 | JDK-8324933 | hotspot/runtime | ConcurrentHashTable::statistics_calculate synchronization is expensive |
Release date: July 16, 2024
The full version string for this update release is 8u421-b09 (where "b" means "build"). The version number is 8u421.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u421 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 8u421-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u421) be used after the next critical patch update scheduled for October 15, 2024.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u421) on 2024-11-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Debug log files for Java Updater
and JCP
have been added to the directory $HOME/Library/Application Support/Oracle/Java/Java Updater/
for macOS x64 and aarch64. Logs for Java Updater
and JCP
are separated into two log files: JavaUpdaterLog.txt
and JCPUpdateLog.txt
.
JavaUpdaterLog.txt
is generated and logs debug lines if it does not already exist when Java Updater
is run. Likewise, JCPUpdateLog.txt
is generated and logs debug lines if it does not already exist when Java Control Panel is run.
If a log file already exists for Java Updater
or JCP
, the newly logged debug lines are appended at the end of the log file. Each log session has a header with a timestamp of when the application was run.
-XshowSettings
Launcher Option
(JDK-8281658)
The -XshowSettings
launcher has a new security
category. Settings from security properties, security providers and TLS related settings are displayed with this option. A security sub-category can be passed as an argument to the security category option. See the output from java -X
:
-XshowSettings:security
show all security settings and continue
-XshowSettings:security:*sub-category*
show settings for the specified security sub-category and continue. Possible *sub-category* arguments for this option include:
all: show all security settings and continue
properties: show security properties and continue
providers: show static security provider settings and continue
tls: show TLS related security settings and continue
Third party security provider details will be reported if they are included in the application class path or module path and such providers are configured in the java.security
file.
On Windows, once the feature “Use certificates and keys in browser keystore” is enabled (which it is by default), Java WebStart and Java Plugin can access the certificates that are currently trusted by the local machine. There is no guarantee that the full list of trusted certificates is available, since the certificates are dynamically loaded. As a result, Java applets and Java WebStart applications might experience signature validation and secure connection issues caused by a lack of relevant certificates since the Deployment framework can only access the certificates that are 'active' at the time of an application's launch.
To allow the java
, javaw
, and javaws
executables to be run from any location, the JRE 8 Windows installers copy java.exe
, javaw.exe
, and javaws.exe
helper files into the following directory:
C:\Program Files (x86)\Common Files\Oracle\Java\java8path
Also, the system PATH variable is updated to include this location.
These helper files are lightweight executables that launch the latest version installed. They pass any commandline arguments along to the real executables in the bin directory. They are not specificially tied to a version other than the FileVersion of the exe. The installers will leave the latest versions of the shims in this location until the last Java 8 is uninstalled.
Note: In 8u411 and later releases, the directory name was changed from "javapath" to "java8path" to ensure compatibility with newer JDK family versions.
Delete nonfunctional desktop integration functionality from Linux installers. The installers will stop depositing files in /usr/share/icons
, /usr/share/mime
, and /usr/share/applications
subtrees.
STATIC=1
Argument to the JRE Installer
(JDK-8313223 (not public))
This fix will add the STATIC=1
installer argument and deprecating the RETAIN_ALL_VERSIONS=1
installer argument. Passing STATIC=1
will protect older JRE 8 versions from being uninstalled during a manual upgrade or an auto-update.
The "Obsoletes" tag has been removed from "jdk-1.8" and "jre-1.8" RPM packages.
New stub "jdk1.8" and "jre1.8" RPM packages have been provided. These are the pre-8u371 names without a dash. These packages do not install any files, but require corresponding update releases for "jdk-1.8" and "jre-1.8" packages, the post-8u371 name with the dash, respectively.
Users who only have 8u371 or newer RPM packages installed do not need to use the new stub "jdk1.8" or "jre1.8" RPM packages, and will not be affected by this change.
Users who install the new stub "jdk1.8" package and would like to downgrade it to 8u361 or an older version, will need to first manually uninstall the "jdk-1.8" package before the downgrade to prevent the side-by-side installation of older and newer Java 8 JDK RPM packages. The same applies to the "jre1.8" and "jre-1.8" packages.
If the "jdk-1.8" package is stored in an RPM repository, maintainers of the repository need to place an additional stub "jdk1.8" package next to "jdk-1.8" in that RPM repository. The same applies to the "jre1.8" and "jre-1.8" packages.
Users who install the "jdk-1.8" package from something other than an RPM repository need to specify paths to the RPM files with "jdk1.8" and "jdk-1.8" packages in a single update command if they would like to upgrade from 8u361 or older "jdk1.8" package. The same applies to the "jre1.8" and "jre-1.8" packages.
The following root certificates have been added to the cacerts truststore:
+ GlobalSign
+ globalsignr46
DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE
+ GlobalSign
+ globalsigne46
DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE
RPATH
Instead of RUNPATH
(JDK-8326891)
Native executables and libraries on Linux have switched to using RPATH
instead of RUNPATH
in this release.
JDK native executables and libraries use embedded runtime search paths to locate other internal JDK native libraries. On Linux these can be defined as either RPATH
or RUNPATH
. The main difference is that the dynamic linker considers RPATH
before the LD_LIBRARY_PATH
environment variable, while RUNPATH
is only considered after LD_LIBRARY_PATH
.
By making the change to using RPATH
, it is no longer possible to replace JDK internal native libraries using LD_LIBRARY_PATH
.
The installation directory name of the Oracle JDK in RPM and DEB packages has changed from /usr/lib/jvm/jdk-1.8-oracle-${ARCH}
to /usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}
.
The installation directory name of the Oracle JRE in RPM and DEB packages has changed from /usr/lib/jvm/jre-1.8-oracle-${ARCH}
to /usr/lib/jvm/jre-${VERSION}-oracle-${ARCH}
.
Every update release will be installed in a separate directory on Linux platforms.
Installers will create a /usr/java/jdk-1.8-oracle-${ARCH}
link pointing to the installation directory to allow programs to find the latest JDK8 version.
Installers will create a /usr/java/jre-1.8-oracle-${ARCH}
link pointing to the installation directory to allow programs to find the latest JRE8 version.
The JRE will be installed in the following location, C:\Program Files\Java\jre$fullversion
, where $fullversion
is the technical version of the JRE. For instance, 8u421 will install into C:\Program Files\Java\jre1.8.0_421
.
"C:\Program Files"
will be adjusted to "C:\Program Files (x86)"
for 32-bit Java.
For 64-bit installs, a junction will be created at C:\Program Files\Java\latest\jre-1.8
. It will point to the latest 64-bit JRE of the Java 8 family.
For 32-bit installs, a junction will be created at C:\Program Files (x86)\Java\latest\jre-1.8
. It will point to the latest 32-bit JRE of the Java 8 family.
This change of the JRE installation directories will also be reflected in the public JRE that is shipped with the JDK installer. Such changes were part of STATIC support implementation introduced in the 8u421 release.
Library | New Version | Module | JBS |
---|---|---|---|
ICU4C | 74.2 | javafx | JDK-8324326 |
LCMS | 2.16 | java.desktop | JDK-8321489 |
JPEG Image Decoding Software | 9f | java.desktop | JDK-8324233 |
Zlib Data Compression Library | 1.3.1 | java.base | JDK-8324632 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u421 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8317771 | client-libs/javax.accessibility | [macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma |
2 | JDK-8296878 | client-libs/javax.swing | Document Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters |
3 | JDK-8218917 | client-libs/javax.swing | KeyEvent.getModifiers() returns inconsistent values for ALT keys |
4 | JDK-8322239 | client-libs/javax.swing | [macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane |
5 | JDK-8318599 | core-libs/java.net | HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809 |
6 | JDK-8180310 | core-libs/java.rmi | [testlibrary] TestSocketFactory null pointer when updating match bytes |
7 | JDK-8324632 | core-libs/java.util.jar | Update Zlib Data Compression Library to Version 1.3.1 |
8 | JDK-8315117 | core-libs/java.util.jar | Update Zlib Data Compression Library to Version 1.3 |
9 | JDK-8318322 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-10-16 |
10 | JDK-8304761 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-03-22 |
11 | JDK-8302512 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-02-14 |
12 | JDK-8306031 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-04-13 |
13 | JDK-8308021 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-05-11 |
14 | JDK-8327631 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2024-03-07 |
15 | JDK-8313702 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2023-08-02 |
16 | JDK-8325029 | core-libs/javax.naming | Connection.java now requires custom socket factories to implement javax.net.SocketFactory |
17 | JDK-8285835 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work |
18 | JDK-8287432 | hotspot/compiler | C2: assert(tn->in(0) != __null) failed: must have live top node |
19 | JDK-8197901 | hotspot/runtime | Crash during GC when logging level is debug |
20 | JDK-8059924 | hotspot/runtime | com/sun/management/DiagnosticCommandMBean/DcmdMBeanPermissionsTest.java: assert(Universe::verify_in_progress() || !SafepointSynchronize::is_at_safepoint()) failed: invariant |
21 | JDK-8329705 | javafx/accessibility | Add missing Application thread checks to platform specific a11y methods |
22 | JDK-8309374 | javafx/accessibility | Accessibility Focus Rectangle on ListItem is not drawn when ListView is shown for first time |
23 | JDK-8311492 | javafx/graphics | FontSmoothingType LCD produces wrong color when transparency is used |
24 | JDK-8324233 | javafx/graphics | Update JPEG Image Decoding Software to 9f |
25 | JDK-8324326 | javafx/web | Update ICU4C to 74.2 |
26 | JDK-8327177 | javafx/window-toolkit | macOS: wrong GlobalRef deleted in GlassMenu |
27 | JDK-8326643 | security-libs/java.security | JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message |
28 | JDK-8312383 | security-libs/javax.net.ssl | Log X509ExtendedKeyManager implementation class name in TLS/SSL connection |
29 | JDK-8247907 | security-libs/javax.xml.crypto | XMLDsig logging does not work |
30 | JDK-8303809 | security-libs/org.ietf.jgss | Dispose context in SPNEGO NegotiatorImpl |
The following sections summarize changes made in all Java SE 8u411 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
Fixes from the prior BPR are included in this version.
Release date: April 16, 2024
The full version string for this update release is 8u411-perf-b08 (where "b" means "build"). The version number is 8u411-perf.
JDK 8u411 contains IANA time zone data 2024a which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u411 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 8u411-perf-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u411) be used after the next critical patch update scheduled for July 16, 2024.
Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider Java Management Service (JMS).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u411-perf) on 2024-08-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1
, SHA3_256_RSA_MGF1
, SHA3_384_RSA_MGF1
, and SHA3_512_RSA_MGF1
. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod
in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.
Additionally, support for the following EdDSA signatures has been added: ED25519
and ED448
. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod
in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here()
function by default. However, we recommend avoiding the use of the here()
function in new signatures and replacing existing signatures that use the here()
function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here()
function by setting the security property jdk.xml.dsig.hereFunctionSupported
to "false".
The java.awt.SystemTray
API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.
Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported()
will return false where ever the JDK determines the platform bug is likely to be present.
The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.
The following root certificates have been added to the cacerts truststore:
+ Certainly
+ certainlyrootr1
DN: CN=Certainly Root R1, O=Certainly, C=US
+ Certainly
+ certainlyroote1
DN: CN=Certainly Root E1, O=Certainly, C=US
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8271118 | hotspot/compiler | C2: StressGCM should have higher priority than frequency-based policy |
2 | JDK-8316679 | hotspot/compiler | C2 SuperWord: wrong result, load should not be moved before store if not comparable |
3 | JDK-8274060 | hotspot/compiler | C2: Incorrect computation after JDK-8273454 |
4 | JDK-8273454 | hotspot/compiler | C2: Transform (-a)*(-b) into a*b |
5 | JDK-8315920 | hotspot/compiler | C2: "control input must dominate current control" assert failure |
6 | JDK-8297968 | hotspot/compiler | Crash in PrintOptoAssembly |
7 | JDK-8321215 | hotspot/compiler | Incorrect x86 instruction encoding for VSIB addressing mode |
8 | JDK-8316414 | hotspot/compiler | C2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86 |
9 | JDK-8320209 | hotspot/compiler | VectorMaskGen clobbers rflags on x86_64 |
10 | JDK-8318889 | hotspot/compiler | C2: add bailout after assert Bad graph detected in build_loop_late |
11 | JDK-8317507 | hotspot/compiler | C2 compilation fails with "Exceeded _node_regs array" |
12 | JDK-8277919 | hotspot/jfr | OldObjectSample event causing bloat in the class constant pool in JFR recording |
13 | JDK-8287113 | hotspot/jfr | JFR: Periodic task thread uses period for method sampling events |
14 | JDK-8322321 | hotspot/runtime | Add man page doc for -XX:+VerifySharedSpaces |
15 | JDK-8312585 | hotspot/runtime | Rename DisableTHPStackMitigation flag to THPStackMitigation |
16 | JDK-8312182 | hotspot/runtime | THPs cause huge RSS due to thread start timing issue |
17 | JDK-8312620 | hotspot/runtime | WSL Linux build crashes after JDK-8310233 |
18 | JDK-8312394 | hotspot/runtime | [linux] SIGSEGV if kernel was built without hugepage support |
19 | JDK-8323243 | hotspot/runtime | JNI invocation of an abstract instance method corrupts the stack |
Release date: April 16, 2024
The full version string for this update release is 8u411-b09 (where "b" means "build"). The version number is 8u411.
JDK 8u411 contains IANA time zone data 2024a which contains the following changes:
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u411 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 8u411-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u411) be used after the next critical patch update scheduled for July 16, 2024.
Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u411) on 2024-08-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1
, SHA3_256_RSA_MGF1
, SHA3_384_RSA_MGF1
, and SHA3_512_RSA_MGF1
. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod
in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.
Additionally, support for the following EdDSA signatures has been added: ED25519
and ED448
. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod
in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here()
function by default. However, we recommend avoiding the use of the here()
function in new signatures and replacing existing signatures that use the here()
function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here()
function by setting the security property jdk.xml.dsig.hereFunctionSupported
to "false".
The java.awt.SystemTray
API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.
Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported()
will return false where ever the JDK determines the platform bug is likely to be present.
The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.
The following root certificates have been added to the cacerts truststore:
+ Certainly
+ certainlyrootr1
DN: CN=Certainly Root R1, O=Certainly, C=US
+ Certainly
+ certainlyroote1
DN: CN=Certainly Root E1, O=Certainly, C=US
The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures are subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy
security property.
If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation
property to Boolean.FALSE
with the DOMValidateContext.setProperty()
API.
Library | New Version | Module | JBS |
---|---|---|---|
Libxslt | 1.1.39 | javafx | JDK-8318388 |
WebKit | 617.1 | javafx | JDK-8318614 |
Glib | 2.78.1 | javafx | JDK-8318386 |
GStreamer | 1.22.6 | javafx | JDK-8318387 |
libpng | 1.6.40 | java.desktop | JDK-8316030 |
Joni | 2.2.1 | jdk.scripting.nashorn | JDK-8322094 |
Xalan Java | 2.7.3 | java.xml | JDK-8305814 |
XML Security for Java | 3.0.3 | java.xml.crypto | JDK-8319124 |
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u411 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8318951 | client-libs/2d | Additional negative value check in JPEG decoding |
2 | JDK-8152924 | core-libs/java.util.concurrent | Improve scalability of CompletableFuture with large number of dependents |
3 | JDK-8186464 | core-libs/java.util.jar | ZipFile cannot read some InfoZip ZIP64 zip files |
4 | JDK-8321480 | core-libs/java.util:i18n | ISO 4217 Amendment 176 Update |
5 | JDK-8260556 | docs/guides | Update Security Guide for Enable XML Signature secure validation mode by default |
6 | JDK-8244207 | hotspot/compiler | Simplify usage of Compile::print_method() when debugging with gdb and enable its use with rr |
7 | JDK-8144856 | hotspot/compiler | fix assert in CompiledStaticCall::set_to_interpreted |
8 | JDK-8236772 | hotspot/compiler | Fix build for windows 32-bit after 8212160 and 8234331. |
9 | JDK-8231430 | hotspot/compiler | C2: Memory stomp in max_array_length() for T_ILLEGAL type |
10 | JDK-8318889 | hotspot/compiler | C2: add bailout after assert Bad graph detected in build_loop_late |
11 | JDK-8317507 | hotspot/compiler | C2 compilation fails with "Exceeded _node_regs array" |
12 | JDK-8147611 | hotspot/gc | G1 - Missing memory barrier in start_cset_region_for_worker |
13 | JDK-8061467 | hotspot/gc | Bad page size passed to setup_large_pages() on Solaris |
14 | JDK-8212160 | hotspot/jvmti | JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value" |
15 | JDK-8227277 | hotspot/jvmti | HeapInspection::find_instances_at_safepoint walks dead objects |
16 | JDK-8236124 | hotspot/jvmti | Minimal VM slowdebug build failed after JDK-8212160 |
17 | JDK-8322321 | hotspot/runtime | Add man page doc for -XX:+VerifySharedSpaces |
18 | JDK-8059586 | hotspot/runtime | hs_err report should treat redirected core pattern. |
19 | JDK-8323243 | hotspot/runtime | JNI invocation of an abstract instance method corrupts the stack |
20 | JDK-8067447 | hotspot/svc | Factor out the shared implementation of the VM flags manipulation code |
21 | JDK-8284544 | javafx/accessibility | [Win] Name-Property of Spinner cannot be changed |
22 | JDK-8319079 | javafx/graphics | Missing range checks in decora |
23 | JDK-8320267 | javafx/web | WebView crashes on macOS 11 with WebKit 616.1 |
24 | JDK-8320260 | javafx/web | WebView: Update Public Suffix List to b5bf572 |
25 | JDK-8323879 | javafx/web | constructor Path(Path) which takes another Path object fail to draw on canvas html |
26 | JDK-8324337 | javafx/web | Cherry-pick WebKit 617.1 stabilization fixes |
27 | JDK-8322703 | javafx/web | Intermittent crash in WebView in a JFXPanel from IME calls on macOS |
28 | JDK-8325258 | javafx/web | Additional WebKit 617.1 fixes from WebKitGTK 2.42.5 |
29 | JDK-8323880 | javafx/web | Caret rendered at wrong position in case of a click event on RTL text |
30 | JDK-8326989 | javafx/web | Text selection issues on WebView after WebKit 617.1 |
31 | JDK-8221261 | javafx/window-toolkit | Deadlock on macOS in JFXPanel app when handling IME calls |
32 | JDK-8319669 | javafx/window-toolkit | [macos14] Running any JavaFX app prints Secure coding warning |
33 | JDK-8319727 | other-libs/corba:idl | Harden BufferManagerReadStream underflow logic |
34 | JDK-8307185 | security-libs/javax.crypto:pkcs11 | pkcs11 native libraries make JNI calls into java code while holding GC lock |
35 | JDK-8255867 | security-libs/javax.net.ssl | SignatureScheme JSSE property does not preserve ordering in handshake messages |
36 | JDK-8308245 | tools/javac | Add -proc:full to describe current default annotation processing policy |
37 | JDK-8317815 | xml/jaxp | Xerces-J - Version.java did not get updated in JDK-8282280 |
The following sections summarize changes made in all Java SE 8u401 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8326643 | security-libs | java.security | JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8325580 (not public) | install | install | Remove "alternatives --remove" call from Java rpm installer |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8309374 | javafx | accessibility | Accessibility Focus Rectangle on ListItem is not drawn when ListView is shown for first time |
JDK-8311492 | javafx | graphics | FontSmoothingType LCD produces wrong color when transparency is used |
JDK-8325150 | core-libs | java.time | (tz) Update Timezone Data to 2024a |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8227277 | hotspot | jvmti | HeapInspection::find_instances_at_safepoint walks dead objects |
JDK-8322725 | core-libs | java.time | (tz) Update Timezone Data to 2023d |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8284544 | javafx | accessibility | [Win] Name-Property of Spinner cannot be changed |
JDK-8319727 | other-libs | corba:idl | Harden BufferManagerReadStream underflow logic |
The following sections summarize changes made in Java SE 8u401 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
This BPR contains all of the fixes included in the previous JDK 8 Enterprise Performance Pack BPR.
January 16, 2024
The full version string for this update release is 8u401-perf-b10 (where "b" means "build"). The version number is 8u401-perf.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u401 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 8u401-perf-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u401) be used after the next critical patch update scheduled for April 16, 2024.
Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider Java Management Service (JMS).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u401-perf) on 2024-05-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
A new system property named org.jcp.xml.dsig.secureValidation
has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext
property value.
Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.
When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.
This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine
or -XX:TieredStopAtLevel=[1,2,3]
.
The following root certificates have been added to the cacerts truststore:
+ DigiCert, Inc.
+ digicertcseccrootg5
DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicertcsrsarootg5
DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlseccrootg5
DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlsrsarootg5
DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
The following root certificates have been added to the cacerts truststore:
+ eMudhra Technologies Limited
+ emsignrootcag1
DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsigneccrootcag3
DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsignrootcag2
DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
The following root certificate has been added to the cacerts truststore:
+ Let's Encrypt
+ letsencryptisrgx2
DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US
X509KeyManager.chooseClientAlias
Once for All Key Types
(JDK-8262186)
The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias()
only once during handshaking for client authentication, even if there are multiple algorithms requested .
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8299658 | hotspot/compiler | C1 compilation crashes in LinearScan::resolve_exception_edge |
2 | JDK-8301489 | hotspot/compiler | C1: ShortLoopOptimizer might lift instructions before their inputs |
3 | JDK-8313626 | hotspot/compiler | C2 crash due to unexpected exception control flow |
4 | JDK-8313402 | hotspot/compiler | C1: Incorrect LoadIndexed value numbering |
5 | JDK-8312909 | hotspot/compiler | C1 should not inline through interface calls with non-subtype receiver |
6 | JDK-8303279 | hotspot/compiler | C2: crash in SubTypeCheckNode::sub() at IGVN split if |
7 | JDK-8304954 | hotspot/compiler | SegmentedCodeCache fails when using large pages |
8 | JDK-8316178 | hotspot/compiler | Better diagnostic header for CodeBlobs |
9 | JDK-8315377 | hotspot/compiler | C2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes? |
10 | JDK-8316514 | hotspot/compiler | Better diagnostic header for VtableStub |
11 | JDK-8314024 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info |
12 | JDK-8313262 | hotspot/compiler | C2: Sinking node may cause required cast to be dropped |
13 | JDK-8312440 | hotspot/compiler | assert(cast != nullptr) failed: must have added a cast to pin the node |
14 | JDK-8313756 | hotspot/compiler | [BACKOUT] 8308682: Enhance AES performance |
15 | JDK-8313760 | hotspot/compiler | [REDO] Enhance AES performance |
16 | JDK-8308103 | hotspot/compiler | Massive (up to ~30x) increase in C2 compilation time since JDK 17 |
17 | JDK-8307683 | hotspot/compiler | Loop Predication should not hoist range checks with trap on success projection by negating their condition |
18 | JDK-8309119 | hotspot/compiler | [17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication |
19 | JDK-8275333 | hotspot/gc | Print count in "Too many recored phases?" assert |
20 | JDK-8316906 | hotspot/gc | Clarify TLABWasteTargetPercent flag |
21 | JDK-8270894 | hotspot/runtime | Use acquire semantics in ObjectSynchronizer::read_stable_mark() |
22 | JDK-8305994 | hotspot/runtime | Guarantee eventual async monitor deflation |
23 | JDK-8309228 | hotspot/runtime | Clarify EXPERIMENTAL flags comment in hotspot/share/runtime/globals.hpp |
24 | JDK-8306825 | hotspot/runtime | Monitor deflation might be accidentally disabled by zero intervals |
25 | JDK-8279545 | hotspot/runtime | Buffer overrun in reverse_words of sharedRuntime_x86_64.cpp:3517 |
26 | JDK-8283326 | hotspot/runtime | Implement SafeFetch statically |
27 | JDK-8314679 | hotspot/svc-agent | SA fails to properly attach to JVM after having just detached from a different JVM |
January 16, 2024
The full version string for this update release is 8u401-b10 (where "b" means "build"). The version number is 8u401.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime at the time of the release of JDK 8u401 are specified in the following table:
Java Family Version | Security Baseline (Full Version String) |
---|---|
8 | 8u401-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u401) be used after the next critical patch update scheduled for April 16, 2024.
Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider using Java Management Service (JMS).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u401) on 2024-05-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
A new system property named org.jcp.xml.dsig.secureValidation
has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext
property value.
Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.
A new JDK Flight Recorder (JFR) event has been added to monitor deserialization of objects. When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named java/deserialization
, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object.
The new Deserialization Event captures:
Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.
When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.
This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine
or -XX:TieredStopAtLevel=[1,2,3]
.
jdk.jar.maxSignatureFileSize
(JDK-8312489)
The system property, jdk.jar.maxSignatureFileSize
, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).
The following root certificates have been added to the cacerts truststore:
+ DigiCert, Inc.
+ digicertcseccrootg5
DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicertcsrsarootg5
DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlseccrootg5
DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US
+ DigiCert, Inc.
+ digicerttlsrsarootg5
DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US
The following root certificates have been added to the cacerts truststore:
+ eMudhra Technologies Limited
+ emsignrootcag1
DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsigneccrootcag3
DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
+ eMudhra Technologies Limited
+ emsignrootcag2
DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN
The following root certificate has been added to the cacerts truststore:
+ Telia Root CA v2
+ teliarootcav2
DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI
The following root certificate has been added to the cacerts truststore:
+ Let's Encrypt
+ letsencryptisrgx2
DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US
X509KeyManager.chooseClientAlias
Once for All Key Types
(JDK-8262186)
The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias()
only once during handshaking for client authentication, even if there are multiple algorithms requested .
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u401 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8286481 | client-libs/java.awt | Exception printed to stdout on Windows when storing transparent image in clipboard |
2 | JDK-6176679 | client-libs/java.awt | Application freezes when copying an animated gif image to the system clipboard |
3 | JDK-8153090 | client-libs/javax.swing | TAB key cannot change input focus after the radio button in the Color Selection dialog |
4 | JDK-8313657 | core-libs/javax.naming | com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors |
5 | JDK-8314063 | core-libs/javax.naming | The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection |
6 | JDK-8302577 | docs/guides | Update JSSE Guide for JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit |
7 | JDK-8283441 | hotspot/compiler | C2: segmentation fault in ciMethodBlocks::make_block_at(int) |
8 | JDK-8059735 | hotspot/compiler | make_not_entrant_or_zombie sees zombies |
9 | JDK-8075922 | hotspot/compiler | assert(t == t_no_spec) fails in phaseX.cpp |
10 | JDK-8067247 | hotspot/compiler | Crash: assert(method_holder->data() == 0 ...) failed: a) MT-unsafe modification of inline cache |
11 | JDK-8086053 | hotspot/compiler | Address inconsistencies regarding ZeroTLAB |
12 | JDK-8169177 | hotspot/gc | aarch64: SIGSEGV when "-XX:+ZeroTLAB" is specified along with GC options |
13 | JDK-8149343 | hotspot/gc | assert(rp->num_q() == no_of_gc_workers) failed: sanity |
14 | JDK-8316906 | hotspot/gc | Clarify TLABWasteTargetPercent flag |
15 | JDK-8032223 | hotspot/jvmti | nsk/regression/b4663146 gets assert(SafepointSynchronize::is_at_safepoint() || JvmtiEnv::is_thread_fully_suspended(get_thread(), false, &debug_bits)) |
16 | JDK-8165496 | hotspot/jvmti | assert(_exception_caught == false) failed: _exception_caught is out of phase |
17 | JDK-8193386 | hotspot/runtime | CompressedClassSize too large with MaxMetaspace |
18 | JDK-8194246 | hotspot/runtime | JVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class |
19 | JDK-8163146 | hotspot/runtime | Remove os::check_heap on Windows |
20 | JDK-8227815 | hotspot/svc | Minimal VM: set_state is not a member of AttachListener |
21 | JDK-8313856 | javafx/graphics | Replace VLA with malloc in pango |
22 | JDK-8317508 | javafx/media | Provide media support for libavcodec version 60 |
23 | JDK-8313900 | javafx/media | Possible NULL pointer access in NativeAudioSpectrum and NativeVideoBuffer |
24 | JDK-8311097 | javafx/web | Synchron XMLHttpRequest not receiving data |
25 | JDK-8315074 | javafx/window-toolkit | Possible null pointer access in native glass |
26 | JDK-8315958 | javafx/window-toolkit | Missing range checks in GlassPasteboard |
27 | JDK-8315657 | javafx/window-toolkit | Application window not activated in macOS 14 Sonoma |
28 | JDK-8319066 | javafx/window-toolkit | Application window not always activated in macOS 14 Sonoma |
29 | JDK-8320597 | security-libs/java.security | RSA signature verification fails on signed data that does not encode params correctly |
30 | JDK-8302017 | security-libs/java.security | Allocate BadPaddingException only if it will be thrown |
31 | JDK-8284910 | security-libs/javax.security | Buffer clean in PasswordCallback |
The following sections summarize changes made in all Java SE 8u391 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8054022 | core-libs | java.net | HttpURLConnection timeouts with Expect: 100-Continue and no chunking |
JDK-8306784 | install | install | No default java after 8u371 upgrade |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8312489 | security-libs | java.security | Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar |
Fixes from the prior BPR are included in this version.
The following sections summarize changes made in Java SE 8u391 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
This BPR contains all of the fixes included in the previous JDK 8 Enterprise Performance Pack BPR.
October 17, 2023
The full version string for this update release is 8u391-perf-b13 (where "b" means "build"). The version number is 8u391-perf.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u391-perf-b13 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalender.computeTime()
method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8274243 | hotspot | compiler | Implement fast-path for ASCII-compatible CharsetEncoders on aarch64 |
2 | JDK-8299544 | hotspot | compiler | Improve performance of CRC32C intrinsics (non-AVX-512) for small inputs |
3 | JDK-8153837 | hotspot | compiler | AArch64: Handle special cases for MaxINode & MinINode |
4 | JDK-8272586 | hotspot | compiler | emit abstract machine code in hs-err logs |
5 | JDK-8308192 | hotspot | compiler | Error in parsing replay file when staticfield is an array of single dimension |
6 | JDK-8309266 | hotspot | compiler | C2: assert(final_con == (jlong)final_int) failed: final value should be integer |
7 | JDK-8300584 | hotspot | compiler | Accelerate AVX-512 CRC32C for small buffers |
8 | JDK-8274986 | hotspot | compiler | max code printed in hs-err logs should be configurable |
9 | JDK-8310126 | hotspot | compiler | C1: Missing receiver null check in Reference::get intrinsic |
10 | JDK-8284760 | hotspot | compiler | Correct type/array element offset in LibraryCallKit::get_state_from_digest_object() |
11 | JDK-8299158 | hotspot | compiler | Improve MD5 intrinsic on AArch64 |
12 | JDK-8303154 | hotspot | compiler | Investigate and improve instruction cache flushing during compilation |
13 | JDK-8252990 | hotspot | compiler | Intrinsify Unsafe.storeStoreFence |
14 | JDK-8305088 | hotspot | compiler | SIGSEGV in Method::is_method_handle_intrinsic |
15 | JDK-8296545 | hotspot | compiler | C2 Blackholes should allow load optimizations |
16 | JDK-8292713 | hotspot | compiler | Unsafe.allocateInstance should be intrinsified without UseUnalignedAccesses |
17 | JDK-8302736 | hotspot | compiler | Major performance regression in Math.log on aarch64 |
18 | JDK-8307572 | hotspot | compiler | AArch64: Vector registers are clobbered by some macroassemblers |
19 | JDK-8280396 | hotspot | gc | G1: Full gc mark stack draining should prefer to make work available to other threads |
20 | JDK-8308643 | hotspot | gc | Incorrect value of 'used' jvmstat counter |
21 | JDK-8284532 | hotspot | jfr | Memory leak in BitSet::BitMapFragmentTable in JFR leak profiler |
22 | JDK-8283520 | hotspot | jfr | JFR: Memory leak in dcmd_arena |
23 | JDK-8307526 | hotspot | jfr | [JFR] Better handling of tampered JFR repository |
24 | JDK-8309862 | hotspot | jfr | Unsafe list operations in JfrStringPool |
25 | JDK-8307331 | hotspot | jvmti | Correctly update line maps when class redefine rewrites bytecodes |
26 | JDK-8306428 | hotspot | runtime | RunThese30M.java crashed with assert(early->flag() == current->flag() || early->flag() == mtNone) |
27 | JDK-8297887 | hotspot | runtime | Update Siphash |
28 | JDK-8305425 | hotspot | runtime | Thread.isAlive0 doesn't need to call into the VM |
29 | JDK-8269466 | hotspot | runtime | Factor out the common code for initializing and starting internal VM JavaThreads |
30 | JDK-8287854 | hotspot | runtime | Dangling reference in ClassVerifier::verify_class |
31 | JDK-8303215 | hotspot | runtime | Make thread stacks not use huge pages |
32 | JDK-8290067 | hotspot | runtime | Show stack dimensions in UL logging when attaching threads |
33 | JDK-8283849 | hotspot | svc | AsyncGetCallTrace may crash JVM on guarantee |
34 | JDK-8301170 | hotspot | svc | perfMemory_windows.cpp add free_security_attr to early returns |
35 | JDK-8295657 | hotspot | svc-agent | SA: Allow larger object alignments |
October 17, 2023
The full version string for this update release is 8u391-b13 (where "b" means "build"). The version number is 8u391.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u391-b13 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
jdk.SecurityProviderService
(JDK-8254711)
A new Java Flight Recorder (JFR) event has been added to record details of java.security.Provider.getService(String type, String algorithm)
calls.
The new event name is jdk.SecurityProviderService
and contains the following fields:
Field name | Field Description |
---|---|
type | Type of Service |
algorithm | Algorithm Name |
provider | Security Provider |
This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
-XshowSettings:locale
Output Now Includes Tzdata Version
(JDK-8305950)
The -XshowSettings
launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale
showSettings option.
Example output using -X:showSettings:locale
:
.....
Locale settings:
default locale = English
default display locale = English
default format locale = English
tzdata version = 2023c
.....
Media playback does not work on Ubuntu 23.10. This affects most media formats such as MP4 with H.264/H.265, MP3, AAC, and HTTP Live Streaming. This is because JavaFX Media does not support libavcodec version 60. Support for libavcodec version 60 will be added with JDK-8317508. As a workaround, install libavcodec version 59 compiled with support for at least the following:
The following root certificate from SECOM Trust System has been removed from the cacerts
keystore:
+ alias name "secomscrootca1 [jdk]"
Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
Platform support for Linux ARM32 in JDK 8 has been removed. As a result, the ARM32 Hard Float ABI download will not be available. Operating Systems that supported ARM32 have reached their End of Life, thus there is no known OS support available.
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignarootca
DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
java.security.manager
System Property
(JDK-8301118)
In JDK 12, two new token options for the java.security.manager
system property, "allow" and "disallow", were introduced.
Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via System.setSecurityManager
, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.
Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a Could not create SecurityManager
Error and the application will not start up.
From this release onward, the "allow" and "disallow" options for the java.security.manager
system property will be ignored.
The JDK implementation of TLS 1.2 now uses a default Diffie Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.
As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize
system property to 1024 (at their own risk).
This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.
In 8u371, the behavior of the JRE installer was changed from installing the JRE in a full-version-specific directory to installing the JRE into a common shared directory. It also removed all older JRE versions in that same family.
In JDK 8u391, a new argument, RETAIN_ALL_VERSIONS=1
, was introduced for the MSI installer. If the argument is used, the JRE will install into a jre$fullversion
directory. Other JREs of the Java SE 8 family will not be automatically removed. More information can be found in the MSI Enterprise JRE Installer Guide for Windows.
CORBA _DynAnyStub
and Associated Subclasses readObject
Accepts Only Stringified IORs in IOR: URI format
(JDK-8303384 (not public))
The readObject
method changes made to _DynAnyFactoryStub
in JDK-8285021, have been extended to a set of stub classes that have been categoriezed as pseudo IDL interfaces. These include:
org.omg.DynamicAny._DynArrayStub,
org.omg.DynamicAny._DynEnumStub,
org.omg.DynamicAny._DynFixedStub,
org.omg.DynamicAny._DynSequenceStub,
org.omg.DynamicAny._DynStructStub,
org.omg.DynamicAny._DynUnionStub,
org.omg.DynamicAny._DynValueStub,
org.omg.DynamicAny._DynAnyStub,
For each of these stub classes, the readObject
method has been amended such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI
format only. As the above stub classes are termed, locally or as ORB constrained types, it is not useful that serialized data should contain corbaname
or corbaloc
URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to an IOR of these stub classes. As such, using a corbaname
to reference an instance of these locally constrained stub classes is not meaningful.
A system property is introduced, com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR
, which when set to true, will revert the readObject
method to its current behavior and disable the additional IOR checks. The default value of this system property is false. This system property can also be used to disable the IOR check performed in the org.omg.DynamicAny._DynAnyFactoryStub readObject
method. As such, with respect to _DynAnyFactory
, it complements the system property org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck
introduced in JDK-8285021.
Additionally, the readObject
method of the remote CORBA service stub classes:
org.omg.CosNaming._NamingContextStub.java,
org.omg.CosNaming._BindingIteratorStub.java,
org.omg.CosNaming._NamingContextExtStub.java,
org.omg.PortableServer._ServantActivatorStub.java,
org.omg.PortableServer._ServantLocatorStub.java,
com.sun.corba.se.spi.activation._ServerManagerStub.java,
com.sun.corba.se.spi.activation._ActivatorStub.java,
com.sun.corba.se.spi.activation._RepositoryStub.java,
com.sun.corba.se.spi.activation._InitialNameServiceStub.java,
com.sun.corba.se.spi.activation._LocatorStub.java,
com.sun.corba.se.spi.activation._ServerStub.java,
included in the JDK, have been similarly amended to include an IOR check when reading a stringified IOR from serialised data. To enable the IOR check, and prohibit corbaname
or corbaloc
URLs in a stringified IOR, the setting of the com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR
system property to true is required.
A system property is introduced, com.sun.CORBA.IDL.Stubs.allowCorbanameInIOR
, which when set to false, will activate an IOR check when reading a stringified IOR from serialised data and constrain a stringified IOR to that of IOR: URI
format. Thus, prohibiting corbaname
or corbaloc
as a valid stringified IOR format. The default value of this system property is true. That is, corbaname
or corbaloc
are allowed in stringified IORs.
For TLS connections, the cipher suite selection, by default, is updated to use the server cipher suites preference. Applications can configure the behavior by using the SSLParameters.setUseCipherSuitesOrder()
method.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u391 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8311689 | client-libs/java.awt | Wrong visible amount in Adjustable of ScrollPane |
2 | JDK-8310054 | client-libs/java.awt | ScrollPane insets are incorrect |
3 | JDK-8297923 | client-libs/java.awt | java.awt.ScrollPane broken after multiple scroll up/down |
4 | JDK-8305815 | client-libs/java.awt | Update Libpng to 1.6.39 |
5 | JDK-8305517 | core-libs/java.net | Memory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress() |
6 | JDK-8300098 | core-libs/java.util.concurrent | java/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3 |
7 | JDK-8234808 | core-svc/debugger | jdb quoted option parsing broken |
8 | JDK-8290451 | hotspot/compiler | Incorrect result when switching to C2 OSR compilation from C1 |
9 | JDK-8213419 | hotspot/compiler | C2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1 |
10 | JDK-8183910 | hotspot/gc | gc/arguments/TestAggressiveHeap.java fails intermittently |
11 | JDK-8257239 | hotspot/gc | [8u] G1: guarantee(!obj->is_forwarded()) failed: Object must not be forwarded |
12 | JDK-8182703 | hotspot/gc | Correct G1 barrier queue lock orderings |
13 | JDK-8207011 | hotspot/runtime | Remove uses of the register storage class specifier |
14 | JDK-8297887 | hotspot/runtime | Update Siphash |
15 | JDK-8284542 | javafx/accessibility | [Accessibility] [Win] Missing attribute for toggle state of CheckBox in CheckBoxTreeItem |
16 | JDK-8309508 | javafx/graphics | Possible memory leak in JPEG image loader |
17 | JDK-8306328 | javafx/media | Update libFFI to 3.4.4 |
18 | JDK-8306918 | javafx/web | WebView: Update Public Suffix List to 88467c9 |
19 | JDK-8303748 | javafx/web | WebKit build fails with Visual Studio 2022 17.5.0 |
20 | JDK-8306329 | javafx/web | Update ICU4C to 73.1 |
21 | JDK-8310681 | javafx/web | Update WebKit to 616.1 |
22 | JDK-8313177 | javafx/web | Web Workers timeout with Webkit 616.1 |
23 | JDK-8314212 | javafx/web | Crash when loading cnn.com in WebView |
24 | JDK-8313711 | javafx/web | Cherry-pick WebKit 616.1 stabilization fixes |
25 | JDK-8313181 | javafx/web | Enabling modern media controls on webkit 616.1 does not load button images on HTML5 video Element |
26 | JDK-8144781 | javafx/window-toolkit | Assertion failure in debug build running any JavaFX program on Mac |
27 | JDK-8296452 | security-libs/javax.crypto | Solaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error |
28 | JDK-8236671 | security-libs/javax.crypto | NullPointerException in JKS keystore |
29 | JDK-8232950 | security-libs/javax.crypto:pkcs11 | SUNPKCS11 Provider incorrectly check key length for PSS Signatures. |
30 | JDK-8183107 | security-libs/javax.crypto:pkcs11 | PKCS11 regression regarding checkKeySize |
The following sections summarize changes made in all Java SE 8u381 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-6176679 | client-libs | java.awt | Application freezes when copying an animated gif image to the system clipboard |
JDK-8286481 | client-libs | java.awt | Exception printed to stdout on Windows when storing transparent image in clipboard |
JDK-8314188 (not public) | install | install | [macOS] Installation complete confirmation message not displayed |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8306899 (not public) | install | install | JRE 8u371 MSI unable to install side-by-side JREs |
JDK-8311244 (not public) | hotspot | gc | frequent crashes at g1CollectedHeap.cpp:5923 after updating to JDK8u371 |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8284542 | jfx | accessibility | Missing attribute for toggle state of CheckBox in CheckBoxTreeItem |
JDK-8309557 (not public) | install | Update the JRE 8 Description in RPM packages |
The following sections summarize changes made in Java SE 8u381 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8314063 | core-libs | javax.naming | The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection |
JDK-8313657 | core-libs | javax.naming | com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors |
JDK-8314929 (not public) | hotspot | jfr | Fix 8286707 JFR: Don't commit JFR internal jdk.JavaMonitorWait events |
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.
This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.
In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0
. The usage of such flags is not recommended.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8280007 | hotspot | compiler | Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 |
2 | JDK-8299179 | hotspot | compiler | ArrayFill with store on backedge needs to reduce length by 1 |
3 | JDK-8302595 | hotspot | compiler | use-after-free related to GraphKit::clone_map |
4 | JDK-8299959 | hotspot | compiler | C2: CmpU::Value must filter overflow computation against local sub computation |
5 | JDK-8303564 | hotspot | compiler | C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi |
6 | JDK-8303508 | hotspot | compiler | Vector.lane() gets wrong value on x86 |
7 | JDK-8299570 | hotspot | compiler | [JVMCI] Insufficient error handling when CodeBuffer is exhausted |
8 | JDK-8300079 | hotspot | compiler | SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument |
9 | JDK-8299259 | hotspot | compiler | C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE |
10 | JDK-8296318 | hotspot | compiler | use-def assert: special case undetected loops nested in infinite loops |
11 | JDK-8296412 | hotspot | compiler | Special case infinite loops with unmerged backedges in IdealLoopTree::check_safepts |
12 | JDK-8297730 | hotspot | compiler | C2: Arraycopy intrinsic throws incorrect exception |
13 | JDK-8301491 | hotspot | compiler | C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument |
14 | JDK-8303588 | hotspot | compiler | [JVMCI] make JVMCI source directories conform with standard layout |
15 | JDK-8201516 | hotspot | compiler | DebugNonSafepoints generates incorrect information |
16 | JDK-8302508 | hotspot | compiler | Add timestamp to the output TraceCompilerThreads |
17 | JDK-8289748 | hotspot | compiler | C2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM |
18 | JDK-8308884 | hotspot | compiler | [17u/11u] Backout JDK-8297951 |
19 | JDK-8303511 | hotspot | compiler | C2: assert(get_ctrl(n) == cle_out) during unrolling |
20 | JDK-8291456 | hotspot | jvmti | com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 |
21 | JDK-8280784 | hotspot | runtime | VM_Cleanup unnecessarily processes all thread oops |
22 | JDK-8294677 | hotspot | runtime | chunklevel::MAX_CHUNK_WORD_SIZE too small for some applications |
23 | JDK-8277946 | hotspot | runtime | NMT: Remove VM.native_memory shutdown jcmd command option |
24 | JDK-8301123 | hotspot | runtime | Enable Symbol refcounting underflow checks in PRODUCT |
25 | JDK-8295974 | hotspot | runtime | jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames |
26 | JDK-8287007 | hotspot | runtime | [cgroups] Consistently use stringStream throughout parsing code |
27 | JDK-8278965 | hotspot | runtime | crash in SymbolTable::do_lookup |
28 | JDK-8301749 | hotspot | runtime | Tracking malloc pooled memory size |
July 18, 2023
The full version string for this update release is 8u381-b09 (where "b" means "build"). The version number is 8u381.
JDK 8u381 contains IANA time zone data 2023c which contains the following changes since the previous update.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u381 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u381-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u381) be used after the next critical patch update scheduled for October 17, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u381) on 2023-11-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 35 code points (U+9FCD
- U+9FEF
) from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 1
requirements.
The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset
implementation for this new standard has now replaced the prior 2000
standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030
, is introduced. By setting its value to 2000
, the previous JDK releases' mappings for the GB18030 Charset
are used, which are based on the 2000
standard.
The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 108 code points from CJK Unified Ideographs Extension E
block from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 2
requirements.
RSA private and public keys in PKCS#1 format can now be accepted by JDK providers, such as the RSA KeyFactory.impl
from the SunRsaSign provider. The RSA private or public key object should have the PKCS#1 format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA private key and public key.
Installing into the same, shared jdk-(family)
directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse
issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.
Internal Error (g1CollectedHeap.cpp:5923)
after Upgrading to JDK 8u371 or JDK 8u381
(JDK-8311244 (not public))
There is the possibility of an application crash with the following error:
# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx # guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be
This affects JDK 8u371 and JDK 8u381 runtimes using G1 GC on all supported platforms.
The failure is now corrected in the JDK 8u381 b32 Bundle Patch Release available via My Oracle Support.
Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe
command to not be found. For example:
java.exe
will now not work from all places. It will only work directly from the bin
directory.
java.exe
will not work unless you specify the full path to the bin directory of your JRE.
There are 2 workarounds:
java.exe
in the \bin
directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe
JDK 8u381 includes several enhancements and fixes to improve the cgroup v1 and v2 support for containers. The improvements include accurately detecting the resource limits of containers, correctly reporting the collected container metrics, printing additional container information, and improving application stability in containerized environments.
Some of the notable stability enhancements are:
JDK-8292083: Java applications may experience out-of-memory errors and run the risk of being killed by the OOM killer when running in a containerized environment where the container is configured with a higher memory limit than the available physical memory on the host system. JDK 8u381 addresses this stability issue. In the previous release, this situation can be avoided by using either -XX:-UseContainerSupport
, or -XX:MaxRAM=<physical memory>
, or by setting a memory limit for your container that is lower than the physical memory.
JDK-8286030: This release addresses an issue where Java applications may encounter a fatal error when the same /tmp
directory is shared across multiple containers. In earlier releases, this crash can be avoided by mounting /tmp
to different locations for different containers. Alternatively, the '-XX:-UsePerfData' JVM option can be used to prevent JVMs running within different containers from writing performance data to the shared /tmp
folder and thus avoid this issue.
Added an "Obsoletes" tag to JDK 8 RPM packages to allow automatic upgrades from older JDK 8 RPM packages.
jdk-1.8
package obsoletes jdk1.8
package.jre-1.8
package obsoletes jre1.8
package.jdk-1.8-headful
package obsoletes jdk1.8
package.jre-1.8-headful
package obsoletes jre1.8
package.No "Obsoletes" tag was added to the jdk-1.8-headless
package to prevent upgrading from the full to headless JDK.
The changes allow automatic upgrades for JDK 8 RPM packages starting from the 8u151 update when jdk1.8
and jre1.8
package names were first introduced. Older JDK 8 updates will not be eligible for automatic upgrades to 8u381 and newer updates.
Due to the limitations of "Obsoletes" tag downgrades from 8u381 to older versions are not supported.
/usr/java/default
Symlink on Linux Restored
(JDK-8306690)
A regression where the /usr/java/default
symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default
symlink if it doesn't exist, targeting the /usr/java/latest
symlink.
The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.
An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.
An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.
All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.
The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.
The following root certificate has been added to the cacerts truststore:
+ TWCA
+ twcaglobalrootca
DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
The following root certificates have been added to the cacerts truststore:
+ Google Trust Services LLC
+ gtsrootcar1
DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootcar2
DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootecccar3
DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootecccar4
DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US
The following root certificates have been added to the cacerts truststore:
+ Microsoft Corporation
+ microsoftecc2017
DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
+ Microsoft Corporation
+ microsoftrsa2017
DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
java.specification.maintenance.version
Set to 5
(JDK-8303028)
This JDK implements Maintenance Release 5 of the Java SE 8 specification (JSR 337). This is indicated by the system property java.specification.maintenance.version
having the value of "5"
.
Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.
This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.
In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0
. The usage of such flags is not recommended.
A behavioral change has been made when the default conf/security/java.security
security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError
.
Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.
A new system property, jdk.jar.maxSignatureFileSize
, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u381 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8304636 | client-libs/java.awt | java/awt/Mouse/EnterExitEvents/DragWindowTest.java fails with Compilation Error on JDK 8u |
2 | JDK-8189604 | client-libs/java.awt | possible hang in sun.awt.shell.Win32ShellFolder2$KnownFolderDefinition::<clinit> |
3 | JDK-8159956 | client-libs/java.awt | EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins |
4 | JDK-8302151 | client-libs/javax.imageio | BMPImageReader throws an exception reading BMP images |
5 | JDK-8003399 | client-libs/javax.swing | JFileChooser gives wrong path to selected file when saving to Libraries folder on Windows 7 |
6 | JDK-8017487 | client-libs/javax.swing | filechooser in Windows-Libraries folder: columns are mixed up |
7 | JDK-8284756 | core-libs | [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem |
8 | JDK-8212528 | core-libs | Wrong cgroup subsystem being used for some CPU Container Metrics |
9 | JDK-8275735 | core-libs | [linux] Remove deprecated Metrics api (kernel memory limit) |
10 | JDK-8305681 | core-libs/java.lang | Allow additional characters for GB18030-2022 (Level 2) support |
11 | JDK-8241786 | core-libs/java.net | Improve heuristic to determine default network interface on macOS |
12 | JDK-8211382 | core-libs/java.nio.charsets | ISO2022JP and GB18030 NIO converter issues |
13 | JDK-8301119 | core-libs/java.nio.charsets | Support for GB18030-2022 |
14 | JDK-8172347 | core-libs/java.rmi | Refactoring src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java to improve testability of rmiregistry |
15 | JDK-8212970 | core-libs/java.time | TZ database in "vanguard" format support |
16 | JDK-8305400 | core-libs/java.util:i18n | ISO 4217 Amendment 175 Update |
17 | JDK-8254001 | core-svc | [Metrics] Enhance parsing of cgroup interface files for version detection |
18 | JDK-8293540 | core-svc | [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts |
19 | JDK-8292541 | core-svc/java.lang.management | [Metrics] Reported memory limit may exceed physical machine memory |
20 | JDK-8301282 | docs/guides | JMX simple and delegation security samples don't work because of missing access control entries |
21 | JDK-8293821 | docs/guides | JDK LTS backports for Doc Tasks for JEP C206/C208: Modernize Oracle JDK Linux RPMs and installers on Windows and macOS |
22 | JDK-8233023 | hotspot/compiler | assert(Opcode() == mem->Opcode() || phase->C->get_alias_index(adr_type()) == Compile::AliasIdxRaw) failed: no mismatched stores, except on raw memory |
23 | JDK-8210389 | hotspot/compiler | C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc |
24 | JDK-8217230 | hotspot/compiler | assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() |
25 | JDK-8062258 | hotspot/compiler | compiler/debug/TraceIterativeGVN.java segfaults in trace_PhaseIterGVN |
26 | JDK-8281297 | hotspot/gc | TestStressG1Humongous fails with guarantee(is_range_uncommitted) |
27 | JDK-8167196 | hotspot/gc | WhiteBox methods should throw an exception if used with inappropriate collector. |
28 | JDK-8264593 | hotspot/runtime | debug.cpp utilities should be available in product builds. |
29 | JDK-8281274 | hotspot/runtime | deal with ActiveProcessorCount in os::Linux::print_container_info |
30 | JDK-8266490 | hotspot/runtime | Extend the OSContainer API to support the pids controller of cgroups |
31 | JDK-8273526 | hotspot/runtime | Extend the OSContainer API pids controller with pids.current |
32 | JDK-8231610 | hotspot/runtime | Relocate the CDS archive if it cannot be mapped to the requested address |
33 | JDK-8287741 | hotspot/runtime | Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete |
34 | JDK-8287107 | hotspot/runtime | CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller |
35 | JDK-8286030 | hotspot/runtime | Avoid JVM crash when containers share the same /tmp dir |
36 | JDK-8287011 | hotspot/runtime | Improve container information |
37 | JDK-8293472 | hotspot/runtime | Incorrect container resource limit detection if manual cgroup fs mounts present |
38 | JDK-8292083 | hotspot/runtime | Detected container memory limit may exceed physical machine memory |
39 | JDK-8272124 | hotspot/runtime | Cgroup v1 initialization causes NullPointerException when cgroup path contains colon |
40 | JDK-8281517 | install/install | Improve the error message shown when a user tries to install the aarch64 bundle on an intel mac |
41 | JDK-8284662 | javafx/accessibility | [Win][Accessibility][ListCell] Screen reader fails to read ListView/ComboBox item count if > 100 |
42 | JDK-8251862 | javafx/graphics | Wrong position of Popup windows at the intersection of 2 screens |
43 | JDK-8301009 | javafx/web | Update libxml2 to 2.10.3 |
44 | JDK-8306115 | javafx/web | Update libxml2 to 2.10.4 |
45 | JDK-8304441 | javafx/window-toolkit | [macos] Crash when putting invalid unicode char on clipboard |
46 | JDK-8296654 | javafx/window-toolkit | [macos] Crash when launching JavaFX app with JDK that targets SDK 13 |
47 | JDK-8292297 | security-libs/java.security | Fix up loading of override java.security properties file |
48 | JDK-8173181 | security-libs/java.security | Empty string alias in KeyStore throws StringIndexOutOfBoundsException for getEntry() |
49 | JDK-8293858 | security-libs/java.security | Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG |
50 | JDK-8294906 | security-libs/javax.crypto:pkcs11 | Memory leak in PKCS11 NSS TLS server |
51 | JDK-8274205 | security-libs/org.ietf.jgss:krb5 | Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC |
52 | JDK-8301269 | xml/jaxp | Update Commons BCEL to Version 6.7.0 |
The following sections summarize changes made in all Java SE 8u371 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8307400 (not public) | install | install | The new Java 8u371 RPMs break the standard RHEL OS update mechanism |
JDK-8307777 (not public) | install | install | JDK rpm packages have wrong license |
JDK-8307831 (not public) | install | install | Move dependency on libfreetype.so.6 from JDK8 headless to headful jdk |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8159956 | client-libs | java.awt | EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins |
JDK-8305113 | core-libs | java.time | (tz) Update Timezone Data to 2023c |
JDK-8212970 | core-libs | java.time | TZ database in "vanguard" format support |
JDK-8306690 | install | install | Restore missing /usr/java/default symlink on Linux |
JDK-8305976 | install | install | Installation of OL-specific x64 jdk rpms pulls in i686 dependencies |
JDK-8305177 (not public) | infrastructure | build | Perf and milestone suffix missing in rpm bundle names |
JDK-8302112 (not public) | hotspot | test | remove windows 2012 from task definitions |
Fixes from the prior BPR are included in this version.
The following sections summarize changes made in Java SE 8u371 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8303215 | hotspot | runtime | Make thread stacks not use huge pages |
JDK-8303776 (not public) | hotspot | compiler | Disable UseDynamicNumberOfCompilerThreads by default in Emmett |
JDK-8301749 | hotspot | runtime | Tracking malloc pooled memory size |
JDK-8302508 | hotspot | compiler | Add timestamp to the output TraceCompilerThreads |
JDK-8229147 | hotspot | runtime | Linux os::create_thread() overcounts guardpage size with newer glibc (>=2.27) |
JDK-8285987 | core-libs | java.lang | executing shell scripts without #! fails on Alpine linux |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8309862 | hotspot | jfr | Unsafe list operations in JfrStringPool |
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8159956 | client-libs | java.awt | EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins |
JDK-8305113 | core-libs | java.time | (tz) Update Timezone Data to 2023c |
JDK-8212970 | core-libs | java.time | TZ database in "vanguard" format support |
JDK-8306690 | install | install | Restore missing /usr/java/default symlink on Linux |
JDK-8305976 | install | install | Installation of OL-specific x64 jdk rpms pulls in i686 dependencies |
JDK-8305177 (not public) | infrastructure | build | Perf and milestone suffix missing in rpm bundle names |
JDK-8302112 (not public) | hotspot | test | remove windows 2012 from task definitions |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8303452 (not public) | hotspot | jfr | [JFR] Larger strings arent added to string pool |
# | BugId | Component/Subcomponent | Summary |
---|---|---|---|
1 | JDK-8297656 | performance/hotspot | AArch64: Enable AES/GCM Intrinsics |
2 | JDK-8268276 | hotspot/compiler | Base64 Decoding optimization for x86 using AVX-512 |
3 | JDK-8269404 | hotspot/compiler | Base64 Encoding optimization enhancements for x86 using AVX-512 |
4 | JDK-8273108 | hotspot/compiler | RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 |
5 | JDK-8273459 | hotspot/compiler | Update code segment alignment to 64 bytes |
6 | JDK-8296958 | hotspot/compiler | [JVMCI] add API for retrieving ConstantValue attributes |
7 | JDK-8296961 | hotspot/compiler | [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField |
8 | JDK-8296960 | hotspot/compiler | [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool |
9 | JDK-8296967 | hotspot/compiler | [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod |
10 | JDK-8282528 | hotspot/compiler | AArch64: Incorrect replicate2L_zero rule |
11 | JDK-8277137 | hotspot/compiler | Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 |
12 | JDK-8294902 | hotspot/compiler | Undefined Behavior in C2 regalloc with null references |
13 | JDK-8290322 | hotspot/compiler | Optimize Vector.rearrange over byte vectors for AVX512BW targets. |
14 | JDK-8295066 | hotspot/compiler | Folding of loads is broken in C2 after JDK-8242115 |
15 | JDK-8296912 | hotspot/compiler | C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 |
16 | JDK-8294538 | hotspot/compiler | missing is_unloading() check in SharedRuntime::fixup_callers_callsite() |
17 | JDK-8292602 | hotspot/compiler | ZGC: C2 late barrier analysis uses invalid dominator information |
18 | JDK-8292660 | hotspot/compiler | C2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly |
19 | JDK-8292285 | hotspot/compiler | C2: remove unreachable block after NeverBranch-to-Goto conversion |
20 | JDK-8290964 | hotspot/compiler | C2 compilation fails with assert "non-reduction loop contains reduction nodes" |
21 | JDK-8281122 | hotspot/compiler | [IR Framework] Cleanup IR matching code in preparation for JDK-8280378 |
22 | JDK-8276064 | hotspot/compiler | CheckCastPP with raw oop input floats below a safepoint |
23 | JDK-8296924 | hotspot/compiler | C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address |
24 | JDK-8290850 | hotspot/compiler | C2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph |
25 | JDK-8297431 | hotspot/compiler | [JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception |
26 | JDK-8296136 | hotspot/compiler | Use correct register in aarch64_enc_fast_unlock() |
27 | JDK-8285835 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work |
28 | JDK-8295788 | hotspot/compiler | C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" |
29 | JDK-8297951 | hotspot/compiler | C2: Create skeleton predicates for all If nodes in loop predication |
30 | JDK-8297264 | hotspot/compiler | C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top |
31 | JDK-8295116 | hotspot/compiler | C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead |
32 | JDK-8296389 | hotspot/compiler | C2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors |
33 | JDK-8242115 | hotspot/compiler | C2 SATB barriers are not safepoint-safe |
34 | JDK-8292301 | hotspot/compiler | [REDO v2] C2 crash when allocating array of size too large |
35 | JDK-8272985 | hotspot/gc | Reference discovery is confused about atomicity and degree of parallelism |
36 | JDK-8296733 | hotspot/jfr | JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect |
37 | JDK-8283199 | hotspot/runtime | Linux os::cpu_microcode_revision() stalls cold startup |
38 | JDK-8287011 | hotspot/runtime | Improve container information |
39 | JDK-8271506 | hotspot/runtime | Add ResourceHashtable support for deleting selected entries |
40 | JDK-8294160 | hotspot/runtime | misc crash dump improvements |
41 | JDK-8286030 | hotspot/runtime | Avoid JVM crash when containers share the same /tmp dir |
42 | JDK-8048190 | hotspot/runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
43 | JDK-8293472 | hotspot/runtime | Incorrect container resource limit detection if manual cgroup fs mounts present |
44 | JDK-8262386 | hotspot/svc-agent | resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out |
April 18, 2023
The full version string for this update release is 8u371-b11 (where "b" means "build"). The version number is 8u371.
JDK 8u371 contains IANA time zone data 2022g which contains the following changes since the previous update.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u371 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u371-b11 |
Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u371) after the next critical patch update release, scheduled for July 18, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u371) on 2023-08-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
A native GSS-API library named sspi_bridge.dll
has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It will be loaded when the sun.security.jgss.native
system property is set to "true". A user can still load a third-party native GSS-API library by setting the sun.security.jgss.lib
system property to its path.
Native GSS automatically uses cached credentials from operating systems, thus the javax.security.auth.useSubjectCredsOnly
system property should be set to false.
com.sun.security.auth.module.Krb5LoginModule
does not call native JGSS. Avoid using com.sun.security.auth.module.Krb5LoginModule
from JAAS config.
The AppleScript engine implementing the javax.script engine API has been removed without replacement. The AppleScript engine has worked inconsistently. The services configuration (META-INF/services)
file was missing and only worked by accident when installing JDK 7 or JDK 8 on systems that had Apple's version of AppleScriptEngine.jar already on the system.
The com.apple.concurrent.Dispatch
API was a Mac-only API. It was carried into JDK 7u4 with the port of Apple's JDK 6 code. Developers are encouraged to use the standard java.util.concurrent.Executor
and java.util.concurrent.ExecutorService
APIs instead.
This issue prevents yum
from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum
but with the x86_64 architecture.
After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:
rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo
It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install
command to ensure the installation of the required packages.
Fixed a regression where the /usr/java/default
symlink is not created by RPM installers on Linux platforms. Now, installers will create the /usr/java/default
symlink if it doesn't exist, targeting the /usr/java/latest
symlink.
After upgrading to JDK 8u371 or later, there is the possibility of an application crash. The error log has a stack trace that starts with the following:
# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx # guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be
The above error may impact applications using G1 GC on all supported platforms.
Those who encounter the above error are encouraged to create a Service Request through My Oracle Support so that we can provide an interim solution to resolve the error.
Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object>
tag which allows for subclasses of java.awt.Component
to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true
.
The installation directory name of the Oracle JRE in an RPM package has changed from /usr/java/jre-1.8.0_${UPDATE}-${ARCH}
to /usr/lib/jvm/jre-1.8-oracle-${ARCH}
. The installation directory name of the Oracle JDK in an RPM package has changed from /usr/java/jdk-1.8.0_${UPDATE}-${ARCH}
to /usr/lib/jvm/jdk-1.8-oracle-${ARCH}
. Thus the 8u371 and 8u381 releases of JDK for x64 will both be installed in the /usr/lib/jvm/jdk-1.8-oracle-x64
directory and the JRE for x64 will both be installed in the /usr/lib/jvm/jre-1.8-oracle-x64
directory. Both JDK and JRE RPM packages will create /usr/java/jdk-1.8.0-${ARCH}
and /usr/java/jre-1.8.0-${ARCH}
links respectively pointing to the installation directories for backward compatibility.
For the x86_64
platform, the value of the ${ARCH}
suffix has changed from amd64
to x64
. For the x86_32
platform, the value of the ${ARCH}
has changed from i586
to x86
.
The JRE RPM package name has changed from jre1.8
to jre-1.8
to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JRE and then install the new JRE. For example, sudo rpm -e jre1.8; sudo rpm -i jre-8u371-linux-x64.rpm
. The JDK RPM package name has changed from jdk1.8
to jdk-1.8
to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JDK and then install the new JDK. For example, sudo rpm -e jdk1.8; sudo rpm -i jdk-8u371-linux-x64.rpm
.
Communication with the alternatives framework for the JDK RPM package has changed. JDK RPM packages of prior versions registered a single java
group of commands with the alternatives framework. The JDK 1.8 RPM package registers java
and javac
groups with the alternatives framework. The java
group is for commands used to run applications: java
, javaws
, jcontrol
, jjs
, keytool
, orbd
, pack200
, policytool
, rmic
, rmid
, rmiregistry
, servertool
, tnameserv
, unpack200
. The javac
group is used for all other commands. The set of commands registered by the package has not changed.
Three new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-1.8-headless
, jdk-1.8-headful
, and jre-1.8-headful
. These packages are available in OL7, OL8, and OL9 repositories. They are not available for download from oracle.com.
jdk-1.8-headless
is a Headless Java Runtime for running non-GUI applications.jdk-1.8-headful
is a Headful Java Runtime with Development Tools for developing and running applications of all types.jre-1.8-headful
is a Headful Java Runtime for running applications of all types.The combination of the OL-specific jdk-1.8-headless
and jdk-1.8-headful
packages provides the same JDK image and the same capabilities as the jdk-1.8
oracle.com package. The jre-1.8-headful
package provides the same JRE image and the same capabilities as the jre-1.8
oracle.com package. OL-specific JDK and JRE RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist}
suffix. The value of the Release property of all RPM packages contains the value of the build number instead of the milestone.
Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE%
instead of %Program Files%\Java\jdk-%VNUM%
. That is, all updates of the same release must share one installation directory. It will not be possible to install older versions of a family if there is a newer JRE of that family already installed.
Thus the JDK 8u371 and JDK 8u381 releases will both install into %Program Files%\Java\jdk-1.8
by default, and they both cannot be installed at the same time.
Note: The Java 8u371 feature JDK-8293762 will now only allow one JRE of each family to be installed at one time. The REMOVEOLDERJRES=1
feature will no longer be supported with the standalone MSI. This is by design, as we only allow one JRE of each family of Java. The newer JREs will auto-upgrade older JREs of the same family.
The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk1.8.0_${UPDATE}.jdk
to /Library/Java/JavaVirtualMachines/jdk-1.8.jdk
. Thus the 8u371 and 8u381 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-1.8.jdk
installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 8 update releases shipped prior to this release, JDK 8u371, will not be uninstalled during installation of JDK 8u371 or later.
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignaca
DN: CN=Certigna, O=Dhimyotis, C=FR
SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.
After this update, if SSLv3 is removed from the jdk.tls.disabledAlgorithms
security property, the SSLSocket.getEnabledProtocols()
, SSLServerSocket.getEnabledProtocols()
, SSLEngine.getEnabledProtocols()
and SSLParameters.getProtocols()
APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.
If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the jdk.tls.client.protocols
or jdk.tls.server.protocols
system properties or with the SSLSocket.setEnabledProtocols()
, SSLServerSocket.setEnabledProtocols()
and SSLEngine.setEnabledProtocols()
APIs.
After updating to JDK 8u361, applications failed to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException
occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem
.
The JVM sometimes failed to initialize on Linux systems where /proc/self/mountinfo
does not contain any mounted filesystem or controllers for cgroup.
For background information, see also My Oracle Support see KM Doc ID 2923131.1.
As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.
If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes. More information can be found in “C++ binary compatibility between Visual Studio versions”.
Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:
Exception in thread "main" java.io.IOException: Could not decode parameters. at com.rsa.cryptoj.o.ms.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.
Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe
command to not be found. For example:
java.exe
will now not work from all places. It will only work directly from the bin
directory.
java.exe
will not work unless you specify the full path to the bin directory of your JRE.
There are 2 workarounds:
java.exe
in the \bin
directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u371 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8285399 | client-libs/2d | JNI exception pending in awt_GraphicsEnv.c:1432 |
2 | JDK-8284023 | client-libs/java.awt | java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo |
3 | JDK-8296496 | client-libs/java.awt | Overzealous check in sizecalc.h prevents large memory allocation |
4 | JDK-8295685 | client-libs/java.awt | Update Libpng to 1.6.38 |
5 | JDK-8294378 | core-libs/java.net | URLPermission constructor exception when using tr locale |
6 | JDK-8297569 | core-libs/java.net | URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 |
7 | JDK-8299439 | core-libs/java.text | java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR |
8 | JDK-8295530 | core-libs/java.util.jar | Update Zlib Data Compression Library to Version 1.2.13 |
9 | JDK-8287180 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-08-08 |
10 | JDK-8267038 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-03-02 |
11 | JDK-8296239 | core-libs/java.util:i18n | ISO 4217 Amendment 174 Update |
12 | JDK-8241900 | hotspot/compiler | Loop unswitching may cause dependence on null check to be lost |
13 | JDK-8179954 | hotspot/compiler | AArch64: C1 and C2 volatile accesses are not sequentially consistent |
14 | JDK-8210387 | hotspot/compiler | C2 compilation fails with "assert(node->_last_del == _last) failed: must have deleted the edge just produced" |
15 | JDK-8248552 | hotspot/compiler | C2 crashes with SIGFPE due to division by zero |
16 | JDK-8069191 | hotspot/compiler | moving predicate out of loops may cause array accesses to bypass null check |
17 | JDK-8250825 | hotspot/compiler | C2 crashes with assert(field != __null) failed: missing field |
18 | JDK-8255466 | hotspot/compiler | C2 crashes at ciObject::get_oop() const+0x0 |
19 | JDK-8272985 | hotspot/gc | Reference discovery is confused about atomicity and degree of parallelism |
20 | JDK-8005165 | hotspot/runtime | Remove CPU-dependent code in self-patching vtables |
21 | JDK-8271506 | hotspot/runtime | Add ResourceHashtable support for deleting selected entries |
22 | JDK-8253797 | hotspot/runtime | [cgroups v2] Account for the fact that swap accounting is disabled on some systems |
23 | JDK-8239785 | hotspot/runtime | Cgroups: Incorrect detection logic on old systems in hotspot |
24 | JDK-8239559 | hotspot/runtime | Cgroups: Incorrect detection logic on some systems |
25 | JDK-8048190 | hotspot/runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
26 | JDK-8197859 | hotspot/runtime | VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp |
27 | JDK-8254997 | hotspot/runtime | Remove unimplemented OSContainer::read_memory_limit_in_bytes |
28 | JDK-8252359 | hotspot/runtime | HotSpot Not Identifying it is Running in a Container |
29 | JDK-8253435 | hotspot/runtime | Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist |
30 | JDK-8284633 | hotspot/runtime | CompressedClassPointers.java fails on macos-aarch64 |
31 | JDK-8220658 | hotspot/runtime | Improve the readability of container information in the error log |
32 | JDK-8291763 | hotspot/runtime | Include virtualization information in hs_err crash log on Solaris |
33 | JDK-8289424 | hotspot/runtime | Include LD_HWCAP in hs_err log output |
34 | JDK-8298349 | install/install | /usr/java/latest points to wrong JDK |
35 | JDK-8298330 | install/install | /usr/java/latest is missing after one of JDK rpms is uninstalled |
36 | JDK-8149508 | javafx/controls | Performance issue when scrolling ListView due to excess CSS processing |
37 | JDK-8294400 | javafx/media | Provide media support for libavcodec version 59 |
38 | JDK-8257895 | javafx/media | Allow building of JavaFX media libs for Apple Silicon |
39 | JDK-8298167 | javafx/web | Opacity in WebView not working anymore |
40 | JDK-8295755 | javafx/web | Update SQLite to 3.39.4 |
41 | JDK-8303217 | javafx/web | Webview loaded webpage is not showing play, volume related buttons for embeded Audio/Video elements |
42 | JDK-8301022 | javafx/web | Video distortion is observed while playing youtube video |
43 | JDK-8300954 | javafx/web | HTML default Range input control not rendered |
44 | JDK-8301712 | javafx/web | [linux] Crash on exit from WebKit 615.1 |
45 | JDK-8302684 | javafx/web | Cherry-pick WebKit 615.1 stabilization fixes (2) |
46 | JDK-8302294 | javafx/web | Cherry-pick WebKit 615.1 stabilization fixes |
47 | JDK-8299977 | javafx/web | Update WebKit to 615.1 |
48 | JDK-8242151 | security-libs/java.security | Improve OID mapping and reuse among JDK security providers for aliases registration |
49 | JDK-8242897 | security-libs/java.security | KeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException |
50 | JDK-8280890 | security-libs/java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
51 | JDK-8200468 | security-libs/org.ietf.jgss | Port the native GSS-API bridge to Windows |
52 | JDK-8253829 | security-libs/org.ietf.jgss | Wrong length compared in SSPI bridge |
53 | JDK-8225687 | security-libs/org.ietf.jgss | Newly added sspi.cpp in JDK-6722928 still contains some small errors |
54 | JDK-8175000 | tools/launcher | jexec fails to execute simple helloworld.jar |
The following sections summarize changes made in all Java SE 8u361 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8299439 | core-libs | java.text | java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR |
JDK-8017487 | client-libs | javax.swing | filechooser in Windows-Libraries folder: columns are mixed up |
JDK-8301318 (Confidential) | deploy | webstart | Few JVM arguments are not supported in JAVAWS/JNLP |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8274205 | security-libs | org.ietf.jgss:krb5 | Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC |
JDK-8284662 | javafx | accessibility | Screen reader fails to read ListView/ComboBox item count if > 100 |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8251862 | javafx | graphics | Wrong position of Popup windows at the intersection of 2 screens |
JDK-8149508 | javafx | controls | Performance issue when scrolling ListView due to excess CSS processing |
JDK-8299741 | install | autoupdate | A temporary file is left in 'locallow' temp directory after Java Update |
The JVM will fail to initialize on Linux systems where /proc/self/mountinfo
does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.
A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8089986 | javafx | controls | Menu beeps when mnemonics is used |
JDK-7131823 | client-libs | javax.imageio | bug in GIFImageReader |
JDK-6357887 | client-libs | 2d | selected printertray is ignored under linux |
JDK-8239559 | hotspot | runtime | Cgroups: Incorrect detection logic on some systems |
JDK-8239785 | hotspot | runtime | Cgroups: Incorrect detection logic on old systems in hotspot |
JDK-8048190 | hotspot | runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
JDK-8271506 | hotspot | runtime | Add ResourceHashtable support for deleting selected entries |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8205959 | core-libs | java.net | Do not restart close if errno is EINTR |
JDK-8280890 | security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
JDK-8299628 (Confidential) | javafx | graphics | BMP top-down images fail to load after JDK-8289336 |
JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g |
The following sections summarize changes made in Java SE 8u361 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-6357887 | client-libs | 2d | selected printertray is ignored under linux |
JDK-7131823 | client-libs | javax.imageio | bug in GIFImageReader |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8205959 | core-libs | java.net | Do not restart close if errno is EINTR |
JDK-8280890 | security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g |
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8293319 | hotspot | compiler | [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if |
2 | JDK-8280511 | hotspot | compiler | AArch64: Combine shift and negate to a single instruction |
3 | JDK-8276108 | hotspot | compiler | Wrong instruction generation in aarch64 backend |
4 | JDK-8251216 | hotspot | compiler | Implement MD5 intrinsics on AArch64 |
5 | JDK-8186670 | hotspot | compiler | Implement _onSpinWait() intrinsic for AArch64 |
6 | JDK-8290781 | hotspot | compiler | Segfault at PhaseIdealLoop::clone_loop_handle_data_uses |
7 | JDK-8282347 | hotspot | compiler | AARCH64: Untaken branch in has_negatives stub |
8 | JDK-8282049 | hotspot | compiler | AArch64: Use ZR for integer zero immediate volatile stores |
9 | JDK-8291775 | hotspot | compiler | C2: assert(r != __null && r->is_Region()) failed: this phi must have a region |
10 | JDK-8290711 | hotspot | compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize |
11 | JDK-8287349 | hotspot | compiler | AArch64: Merge LDR instructions to improve C1 OSR performance |
12 | JDK-8277411 | hotspot | compiler | C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check |
13 | JDK-8277358 | hotspot | compiler | Accelerate CRC32-C |
14 | JDK-8291599 | hotspot | compiler | Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 |
15 | JDK-8290705 | hotspot | compiler | StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" |
16 | JDK-8290529 | hotspot | compiler | C2: assert(BoolTest(btest).is_canonical()) failure |
17 | JDK-8288445 | hotspot | compiler | AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding |
18 | JDK-8280872 | hotspot | compiler | Reorder code cache segments to improve code density |
19 | JDK-8272094 | hotspot | compiler | compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" |
20 | JDK-8293816 | hotspot | compiler | CI: ciBytecodeStream::get_klass() is not consistent |
21 | JDK-8293044 | hotspot | compiler | C1: Missing access check on non-accessible class |
22 | JDK-8292158 | hotspot | compiler | AES-CTR cipher state corruption with AVX-512 |
23 | JDK-8270947 | hotspot | compiler | AArch64: C1: use zero_words to initialize all objects |
24 | JDK-8287425 | hotspot | compiler | Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path |
25 | JDK-8290451 | hotspot | compiler | Incorrect result when switching to C2 OSR compilation from C1 |
26 | JDK-8268779 | hotspot | gc | ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" |
27 | JDK-8278389 | hotspot | gc | SuspendibleThreadSet::_suspend_all should be volatile/atomic |
28 | JDK-8288754 | hotspot | gc | GCC 12 fails to build zReferenceProcessor.cpp |
29 | JDK-8279398 | hotspot | jfr | jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" |
30 | JDK-8268297 | hotspot | jfr | jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out |
31 | JDK-8291459 | hotspot | runtime | JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) |
32 | JDK-8292083 | hotspot | runtime | Detected container memory limit may exceed physical machine memory |
33 | JDK-8293156 | hotspot | svc | Dcmd VM.classloaders fails to print the full hierarchy |
January 17, 2023
The full version string for this update release is 8u361-b09 (where "b" means "build"). The version number is 8u361.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u361 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u361-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u361) be used after the next critical patch update scheduled for April 18, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u361) on 2023-05-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
After updating to JDK 8u361, applications may fail to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException
occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem
.
The JVM will fail to initialize on Linux systems where /proc/self/mountinfo
does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.
A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).
Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an under utilization of CPU resources when the JVM is used inside a container.
Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares
command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.
The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.
It can be enabled by setting the system property: -Djavafx.allowjs=true
ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\"
, would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.
Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server
and http.keepAlive.time.proxy
respectively. More information about them can be found in Networking Properties.
This version of the JDK no longer includes a copy of Java VisualVM. VisualVM is now available as a separate download from https://visualvm.github.io.
The readObject
method of _DynAnyFactoryStub
has been amended, such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format, only. As DynAnyFactory
is a locally or ORB constrained type, it is not useful that serialized data should contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to a DynAnyFactory
IOR, as such, using a corbaname to reference an instance of DynAnyFactory
is not meaningful.
A system property is introduced, org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck
, which when set to true, will revert the _DynAnyFactoryStub::readObject
to its current behavior and bypass the additional IOR checks.
The SunJSSE close notification checks for SSLEngine
to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.
Specifically, if an application tries to close its SSLEngine
inbound side using SSLEngine.closeInbound()
without having received a close notification message from its peer, the SSLEngine
will no longer:
The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException
. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.
In addition, the internal transport context for the SSLEngine
will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus
value on the SSLEngine
. Any outstanding outbound data must still be obtained (SSLEngine.wrap()
) and sent in order to gracefully close the connection.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u361 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8240756 | client-libs/2d | [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled |
2 | JDK-8212677 | client-libs/java.awt | X11 default visual support for IM status window on VNC |
3 | JDK-8231445 | client-libs/java.awt | check ZALLOC return values in awt coding |
4 | JDK-8284033 | client-libs/java.awt | Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c |
5 | JDK-8277497 | client-libs/javax.accessibility | Last column cell in the JTable row is read as empty cell |
6 | JDK-8280950 | core-libs/java.util | RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix |
7 | JDK-8281183 | core-libs/java.util | RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 |
8 | JDK-8294307 | core-libs/java.util:i18n | ISO 4217 Amendment 173 Update |
9 | JDK-8215571 | core-svc/debugger | jdb does not include jdk.* in the default class filter |
10 | JDK-8197387 | core-svc/tools | jcmd started by "root" must be allowed to access all VM processes |
11 | JDK-8294294 | docs/guides | Document jdk.xml.xpathExprGrpLimit, jdk.xml.xpathExprOpLimit, and jdk.xml.xpathTotalOpLimit in the JAXP Security Guide |
12 | JDK-8145458 | docs/hotspot | JDK 8 man page incorrectly states -XX:ThreadStackSize=size sets the thread stack size (in bytes). |
13 | JDK-8217359 | hotspot/compiler | C2 compiler triggers SIGSEGV after transformation in ConvI2LNode::Ideal |
14 | JDK-8255058 | hotspot/compiler | C1: assert(is_virtual()) failed: type check |
15 | JDK-8253816 | hotspot/compiler | Support macOS W^X |
16 | JDK-8253795 | hotspot/compiler | Implementation of JEP 391: macOS/AArch64 Port |
17 | JDK-8168712 | hotspot/compiler | [AOT] assert(false) failed: DEBUG MESSAGE: InterpreterMacroAssembler::call_VM_base: last_sp != NULL |
18 | JDK-8261336 | hotspot/compiler | IGV: enhance default filters |
19 | JDK-8253817 | hotspot/runtime | Support macOS Aarch64 ABI in Interpreter |
20 | JDK-8200109 | hotspot/runtime | NMT: diff_malloc_site assert(early->flags() == current->flags(), "Must be the same memory type") |
21 | JDK-8238676 | hotspot/runtime | jni crashes on accessing it from process exit hook |
22 | JDK-8230305 | hotspot/runtime | Cgroups v2: Container awareness |
23 | JDK-8027429 | hotspot/runtime | Add diagnostic command VM.info to get hs_err print-out |
24 | JDK-8253714 | hotspot/runtime | [cgroups v2] Soft memory limit incorrectly using memory.high |
25 | JDK-8253727 | hotspot/runtime | [cgroups v2] Memory and swap limits reported incorrectly |
26 | JDK-8255716 | hotspot/runtime | AArch64: Regression: JVM crashes if manually offline a core |
27 | JDK-8191846 | hotspot/svc | jstat prints debug message when debugging is disabled |
28 | JDK-8038392 | hotspot/svc | Generating prelink cache breaks JAVA 'jinfo' utility normal behaviour |
29 | JDK-8087557 | javafx/accessibility | [Win] [Accessibility, Dialogs] Alert Dialog content is not fully read by Screen Reader |
30 | JDK-8284281 | javafx/accessibility | [Accessibility] [Win] [Narrator] Exceptions with TextArea & TextField when deleted last char |
31 | JDK-8291087 | javafx/accessibility | Wrong position of focus of screen reader on Windows with screen scale > 1 |
32 | JDK-8293795 | javafx/accessibility | [Accessibility] [Win] [Narrator] Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField |
33 | JDK-8289542 | javafx/graphics | Update JPEG Image Decoding Software to 9e |
34 | JDK-8293971 | javafx/media | Loading new Media from resources can sometimes fail when loading from FXML |
35 | JDK-8289541 | javafx/web | Update ICU4C to 71.1 |
36 | JDK-8257722 | security-libs/java.security | Improve "keytool -printcert -jarfile" output |
37 | JDK-8273553 | security-libs/javax.net.ssl | sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 |
The following sections summarize changes made in all Java SE 8u351 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8294307 | core-libs | java.util:i18n | ISO 4217 Amendment 173 Update |
JDK-8296239 | core-libs | java.util:i18n | ISO 4217 Amendment 174 Update |
JDK-8295173 | core-libs | java.time | (tz) Update Timezone Data to 2022e |
JDK-8296108 | core-libs | java.time | (tz) Update Timezone Data to 2022f |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8278027 | security-libs | javax.crypto | X509Key.decode exception while using JSafeJCE FIPS provider |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8224671 | hotspot | compiler | AArch64: mauve System.arraycopy test failure |
JDK-8292695 | hotspot | runtime | SIGQUIT and jcmd attaching mechanism does not work with signal chaining library |
JDK-8202014 | hotspot | runtime | Possible to receive signal before signal semaphore created |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8291973 | install | install | Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash |
JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d |
JDK-8293795 | javafx | accessibility | Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField |
The following sections summarize changes made in Java SE 8u351 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
JBS | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8294307 | core-libs | java.util:i18n | ISO 4217 Amendment 173 Update |
JDK-8296239 | core-libs | java.util:i18n | ISO 4217 Amendment 174 Update |
JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d |
JDK-8295173 | core-libs | java.time | (tz) Update Timezone Data to 2022e |
JDK-8296108 | core-libs | java.time | (tz) Update Timezone Data to 2022f |
JBS | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8278027 | security-libs | javax.crypto | X509Key.decode exception while using JSafeJCE FIPS provider |
Enterprise Performance Pack supports JDK Flight Recorder (JFR).
JFR is a low-overhead data collection framework for troubleshooting Java applications and the HotSpot JVM in production. Recorded data can be opened in JDK Mission Control (JMC). To start recordings from within JMC, a new version of JMC is required. Currently, it is not released as part of the JDK but is available as a downloadable patch from Supported Java SE Downloads on MOS or from JDK Mission Control 8 Downloads. JFR comes with a supported API to produce and consume data programmatically.
Relevant Changes for JFR include JEP 328: Flight Recorder, JEP 349: JFR Event Streaming
# | JBS | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8282467 | hotspot | compiler | add extra diagnostics for JDK-8268184 |
2 | JDK-8284883 | hotspot | compiler | JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 |
3 | JDK-8285923 | hotspot | compiler | [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities |
4 | JDK-8282555 | hotspot | compiler | Missing memory edge when spilling MoveF2I, MoveD2L etc |
5 | JDK-8286638 | hotspot | compiler | C2: CmpU needs to do more precise over/underflow analysis |
6 | JDK-8288303 | hotspot | compiler | C1: Miscompilation due to broken Class.getModifiers intrinsic |
7 | JDK-8270090 | hotspot | compiler | C2: LCM may prioritize CheckCastPP nodes over projections |
8 | JDK-8280696 | hotspot | compiler | C2 compilation hits assert(is_dominator(c, n_ctrl)) failed |
9 | JDK-8285820 | hotspot | compiler | C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 |
10 | JDK-8287091 | hotspot | compiler | aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn |
11 | JDK-8287396 | hotspot | compiler | LIR_Opr::vreg_number() and data() can return negative number |
12 | JDK-8286625 | hotspot | compiler | C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect |
13 | JDK-8288467 | hotspot | compiler | remove memory_operand assert for spilled instructions |
14 | JDK-8276546 | hotspot | compiler | [IR Framework] Whitelist and ignore CompileThreshold |
15 | JDK-8279622 | hotspot | compiler | C2: miscompilation of map pattern as a vector reduction |
16 | JDK-8286177 | hotspot | compiler | C2: "failed: non-reduction loop contains reduction nodes" assert failure |
17 | JDK-8284944 | hotspot | compiler | assert(cnt++ < 40) failed: infinite cycle in loop optimization |
18 | JDK-8287223 | hotspot | compiler | C1: Inlining attempt through MH::invokeBasic() with null receiver |
19 | JDK-8272736 | hotspot | compiler | [JVMCI] Add API for reading and writing JVMCI thread locals |
20 | JDK-8284358 | hotspot | compiler | Unreachable loop is not removed from C2 IR, leading to a broken graph |
21 | JDK-8288360 | hotspot | compiler | CI: ciInstanceKlass::implementor() is not consistent for well-known classes |
22 | JDK-8286314 | hotspot | compiler | Trampoline not created for far runtime targets outside small CodeCache |
23 | JDK-8288781 | hotspot | compiler | C1: LIR_OpVisitState::maxNumberOfOperands too small |
24 | JDK-8289127 | hotspot | compiler | Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible |
25 | JDK-8283441 | hotspot | compiler | C2: segmentation fault in ciMethodBlocks::make_block_at(int) |
26 | JDK-8287432 | hotspot | compiler | C2: assert(tn->in(0) != __null) failed: must have live top node |
27 | JDK-8281297 | hotspot | gc | TestStressG1Humongous fails with guarantee(is_range_uncommitted) |
28 | JDK-8283597 | hotspot | jvmti | [REDO] Invalid generic signature for redefined classes |
29 | JDK-8278753 | hotspot | runtime | Runtime crashes with access violation during JNI_CreateJavaVM call |
30 | JDK-8283469 | hotspot | runtime | Don't use memset to initialize members in FileMapInfo and fix memory leak |
31 | JDK-8268773 | hotspot | runtime | Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) |
32 | JDK-8289477 | hotspot | runtime | Memory corruption with CPU_ALLOC, CPU_FREE on muslc |
33 | JDK-8289799 | hotspot | runtime | Build warning in methodData.cpp memset zero-length parameter |
34 | JDK-8290417 | hotspot | runtime | CDS cannot archive lamda proxy with useImplMethodHandle |
35 | JDK-8287107 | hotspot | runtime | CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller |
36 | JDK-8287741 | hotspot | runtime | Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete |
October 18, 2022
The full version string for this update release is 8u351-b10 (where "b" means "build"). The version number is 8u351.
JDK 8u351 contains IANA time zone data 2022b, 2022c.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u351 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u351-b10 |
7 | 7u361-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u351) be used after the next critical patch update scheduled for January 17, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u351) on 2023-02-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12
in the java.security
file for detailed information.
The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.
For compatibility, use the keystore.pkcs12.legacy
system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
On platforms that support the concept of a thread name on their native threads, the java.lang.Thread.setName()
method will also set that native thread name. However, this will only occur when called by the current thread, and only for threads started through the java.lang.Thread
class (not for native threads that have attached via JNI). The presence of a native thread name can be useful for debugging and monitoring purposes. Some platforms may limit the native thread name to a length much shorter than that used by the java.lang.Thread
, which may result in some threads having the same native name.
The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK11. This registration was part of the public JRE installation.
However, Java Access Bridge can still be enabled and disabled by following these steps:
%JAVAHOME%\bin\windowsaccessbridge-64.dll
to %WINDOWSHOME%\SYSTEM32
. A reboot might be required after this step.%JAVAHOME%\bin\jabswitch /enable
and %JAVAHOME%\bin\jabswitch /disable
.Note: %WINDOWSHOME%
is the directory where Microsoft Windows is installed (for example, C:\WINDOWS
) %JAVAHOME%
is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11
)
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.
To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:
This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.
For example:
- Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or override it by using the java.security.properties
system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
The des3-hmac-sha1
and rc4-hmac
Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true
in the krb5.conf
configuration file to re-enable them (along with other weak etypes including des-cbc-crc
and des-cbc-md5
) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes
, default_tgs_enctypes
, or permitted_enctypes
settings.
This enhancement changes phantom references to be automatically cleared by the garbage collector as soft and weak references.
An object becomes phantom reachable after it has been finalized. This change may cause the phantom reachable objects to be GC'ed earlier - previously the referent is kept alive until PhantomReference objects are GC'ed or cleared by the application. This potential behavioral change might only impact existing code that would depend on PhantomReference being enqueued rather than when the referent be freed from the heap.
java.lang.ref.Reference.enqueue
method clears the reference object before it is added to the registered queue. When the enqueue
method is called, the reference object is cleared and get()
method will return null in JDK 9.
Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear
method to avoid memory leak because its referent is no longer referenced. In other words the get
method is expected not to be called in common cases once the enqueue
method is called. In the case when the get
method from an enqueued reference object and existing code attempts to access members of the referent, NullPointerException
may be thrown. Such code will need to be updated.
java.lang.ref.Reference::clone
method always throws CloneNotSupportedException
. Reference
objects cannot be meaningfully cloned. To create a new Reference object, call the constructor to create a Reference
object with the same referent and reference queue instead.
This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.
As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.
For more details, refer to the announcement of 2022b.
This JDK implements Maintenance Release 4 of the Java SE 8 specification (JSR 337). Implementing this maintenance release is indicated by the new system property java.specification.maintenance.version
having the value of "4"
.
A new system property named jdk.httpserver.maxConnections
has been introduced to allow users to configure the com.sun.net.httpserver.HttpServer
to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u351 release:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8260616 | client-libs | Removing remaining JNF dependencies in the java.desktop module | |
2 | JDK-8270216 | client-libs | java.awt | [macOS] Update named used for Java run loop mode |
3 | JDK-8272602 | client-libs | java.awt | [macOS] not all KEY_PRESSED events sent when control modifier is used |
4 | JDK-8261352 | client-libs | javax.accessibility | Create implementation for component peer for all the components who should be ignored in a11y interactions |
5 | JDK-8263420 | client-libs | javax.accessibility | Incorrect function name in NSAccessibilityStaticText native peer implementation |
6 | JDK-8261198 | client-libs | javax.accessibility | [macOS] Incorrect JNI parameters in number conversion in A11Y code |
7 | JDK-8262981 | client-libs | javax.accessibility | Create implementation for NSAccessibilitySlider protocol |
8 | JDK-8287740 | client-libs | javax.accessibility | NSAccessibilityShowMenuAction not working for text editors |
9 | JDK-8275071 | client-libs | javax.accessibility | [macos] A11y cursor gets stuck when combobox is closed |
10 | JDK-8274383 | client-libs | javax.accessibility | JNI call of getAccessibleSelection on a wrong thread |
11 | JDK-8267387 | client-libs | javax.accessibility | Create implementation for NSAccessibilityOutline protocol |
12 | JDK-8267388 | client-libs | javax.accessibility | Create implementation for NSAccessibilityTable protocol |
13 | JDK-8262031 | client-libs | javax.accessibility | Create implementation for NSAccessibilityNavigableStaticText protocol |
14 | JDK-8275809 | client-libs | javax.accessibility | crash in [CommonComponentAccessibility getCAccessible:withEnv:] |
15 | JDK-8273678 | client-libs | javax.accessibility | TableAccessibility and TableRowAccessibility miss autorelease |
16 | JDK-8271071 | client-libs | javax.accessibility | accessibility of a table on macOS lacks cell navigation |
17 | JDK-8267066 | client-libs | javax.accessibility | New NSAccessibility peers should return they roles and subroles directly |
18 | JDK-8275720 | client-libs | javax.accessibility | CommonComponentAccessibility.createWithParent isWrapped causes mem leak |
19 | JDK-8267385 | client-libs | javax.accessibility | Create NSAccessibilityElement implementation for JavaComponentAccessibility |
20 | JDK-8275819 | client-libs | javax.accessibility | [TableRowAccessibility accessibilityChildren] method is ineffective |
21 | JDK-8284690 | client-libs | javax.accessibility | [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox |
22 | JDK-8286266 | client-libs | javax.accessibility | [macos] Voice over moving JTable column to be the first column JVM crashes |
23 | JDK-8284014 | client-libs | javax.accessibility | Menu items with submenus in JPopupMenu are not spoken on macOS |
24 | JDK-8283383 | client-libs | javax.accessibility | [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name |
25 | JDK-8278609 | client-libs | javax.accessibility | [macos] accessibility frame is misplaced on a secondary monitor on macOS |
26 | JDK-8274735 | client-libs | javax.imageio | javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image |
27 | JDK-8256109 | client-libs | javax.swing | Create implementation for NSAccessibilityButton protocol |
28 | JDK-8256108 | client-libs | javax.swing | Create implementation for NSAccessibilityElement protocol peer |
29 | JDK-8256126 | client-libs | javax.swing | Create implementation for NSAccessibilityImage protocol peer |
30 | JDK-8256110 | client-libs | javax.swing | Create implementation for NSAccessibilityStepper protocol |
31 | JDK-8256111 | client-libs | javax.swing | Create implementation for NSAccessibilityStaticText protocol |
32 | JDK-8261350 | client-libs | javax.swing | Create implementation for NSAccessibilityCheckBox protocol peer |
33 | JDK-8261351 | client-libs | javax.swing | Create implementation for NSAccessibilityRadioButton protocol |
34 | JDK-8264299 | client-libs | javax.swing | Create implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles |
35 | JDK-8264300 | client-libs | javax.swing | Create implementation for NSAccessibilityScrollBar protocol peer |
36 | JDK-8264290 | client-libs | javax.swing | Create implementation for NSAccessibilityComponentGroup protocol peer |
37 | JDK-8264304 | client-libs | javax.swing | Create implementation for NSAccessibilityToolbar protocol peer |
38 | JDK-8264302 | client-libs | javax.swing | Create implementation for Accessibility native peer for Splitpane java role |
39 | JDK-8264305 | client-libs | javax.swing | Create implementation for native accessibility peer for Statusbar java role |
40 | JDK-8264287 | client-libs | javax.swing | Create implementation for NSAccessibilityComboBox protocol peer |
41 | JDK-8264303 | client-libs | javax.swing | Create implementation for NSAccessibilityTabGroup protocol peer |
42 | JDK-8264297 | client-libs | javax.swing | Create implementation for NSAccessibilityProgressIndicator protocol peer |
43 | JDK-8264294 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuBar protocol peer |
44 | JDK-8264298 | client-libs | javax.swing | Create implementation for NSAccessibilityRow protocol peer |
45 | JDK-8264286 | client-libs | javax.swing | Create implementation for NSAccessibilityColumn protocol peer |
46 | JDK-8264291 | client-libs | javax.swing | Create implementation for NSAccessibilityCell protocol peer |
47 | JDK-8264292 | client-libs | javax.swing | Create implementation for NSAccessibilityList protocol peer |
48 | JDK-8264293 | client-libs | javax.swing | Create implementation for NSAccessibilityMenu protocol peer |
49 | JDK-8264295 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuItem protocol peer |
50 | JDK-8264296 | client-libs | javax.swing | Create implementation for NSAccessibilityPopUpButton protocol peer |
51 | JDK-8257620 | core-libs | Do not use objc_msgSend_stret to get macOS version | |
52 | JDK-8071507 | core-libs | java.lang | (ref) Clear phantom reference as soft and weak references do |
53 | JDK-8287132 | core-libs | java.lang | Retire Runtime.runFinalizersOnExit so that it always throws UOE |
54 | JDK-8178832 | core-libs | java.lang | (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored |
55 | JDK-8175797 | core-libs | java.lang | (ref) Reference::enqueue method should clear the reference object before enqueuing |
56 | JDK-8193780 | core-libs | java.lang | (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property |
57 | JDK-8285497 | core-libs | java.lang | Add system property for Java SE specification maintenance version |
58 | JDK-8201793 | core-libs | java.lang | (ref) Reference object should not support cloning |
59 | JDK-8287917 | core-libs | java.lang:class_loading | System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier |
60 | JDK-8288769 | core-libs | java.util.jar | Revert unintentional change to deflate.c |
61 | JDK-8283277 | core-libs | java.util:i18n | ISO 4217 Amendment 171 Update |
62 | JDK-8289549 | core-libs | java.util:i18n | ISO 4217 Amendment 172 Update |
63 | JDK-8277368 | core-libs | javax.script | Metaspace OOM thrown due to the leak of Nashorn ScriptEngine |
64 | JDK-6447817 | docs | Add additional Service Attributes to Standard Algorithm Names guide | |
65 | JDK-8291414 | docs | guides | Fix the incorrect wording about delayed provider selection in the PKCS11 documentation |
66 | JDK-8261071 | hotspot | compiler | AArch64: Refactor interpreter native wrappers |
67 | JDK-8234930 | hotspot | compiler | Use MAP_JIT when allocating pages for code cache on macOS |
68 | JDK-8253015 | hotspot | compiler | Aarch64: Move linux code out from generic CPU feature detection |
69 | JDK-8188066 | hotspot | gc | (ref) Examine the reachability of JNI WeakGlobalRef and interaction with phantom refs |
70 | JDK-8143847 | hotspot | gc | Remove REF_CLEANER reference category |
71 | JDK-8285621 | hotspot | jfr | Xcheck:jni warnings during JFR initialization |
72 | JDK-6885993 | hotspot | runtime | Named Thread: introduce print() and print_on(outputStream* st) methods |
73 | JDK-7102541 | hotspot | runtime | RFE: os::set_native_thread_name() cleanups |
74 | JDK-8261075 | hotspot | runtime | Create stubRoutines.inline.hpp with SafeFetch implementation |
75 | JDK-8151322 | hotspot | runtime | Implement os::set_native_thread_name() on Solaris |
76 | JDK-8061999 | hotspot | runtime | Enhance VM option parsing to allow options to be specified in a file |
77 | JDK-8078521 | hotspot | svc | AARCH64: Add AArch64 SA support |
78 | JDK-8289587 | javafx | web | IllegalArgumentException: Color.rgb's red parameter (-16776961) expects color values 0-255 |
79 | JDK-8088420 | javafx | web | JavaFX WebView memory leak via EventListener |
80 | JDK-8285881 | javafx | web | Update WebKit to 614.1 |
81 | JDK-8292609 | javafx | web | Cherry-pick WebKit 614.1 stabilization fixes |
82 | JDK-8268427 | security-libs | java.security | Improve AlgorithmConstraints:checkAlgorithm performance |
83 | JDK-8186143 | security-libs | java.security | keytool -ext option doesn't accept wildcards for DNS subject alternative names |
84 | JDK-8267880 | security-libs | java.security | Upgrade the default PKCS12 MAC algorithm |
85 | JDK-8263404 | security-libs | java.security | RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec |
86 | JDK-8269039 | security-libs | java.security | Disable SHA-1 Signed JARs |
87 | JDK-8275887 | security-libs | java.security | jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled |
88 | JDK-8270317 | security-libs | javax.net.ssl | Large Allocation in CipherSuite |
89 | JDK-8284694 | security-libs | javax.net.ssl | Avoid evaluating SSLAlgorithmConstraints twice |
90 | JDK-8286211 | security-libs | javax.smartcardio | Update PCSC-Lite for Suse Linux to 1.9.5 |
91 | JDK-8285398 | security-libs | jdk.security | Cache the results of constraint checks |
92 | JDK-8074835 | security-libs | org.ietf.jgss | Resolve disabled warnings for libj2gss |
93 | JDK-8074836 | security-libs | org.ietf.jgss:krb5 | Resolve disabled warnings for libosxkrb5 |
94 | JDK-8139348 | security-libs | org.ietf.jgss:krb5 | Deprecate 3DES and RC4 in Kerberos |
95 | JDK-8289486 | xml | jaxp | Improve XSLT XPath operators count efficiency |
The following sections summarize changes made in all Enterprise Performance Pack BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8292260 | hotspot | compiler | C2 Compilation Errors Unpredictably Crashes |
The Java SE Subscription Enterprise Performance Pack (EPP) is a commercial feature release of the Java SE platform. It contains new features and enhancements in many functional areas. It is currently available only through My Oracle Support. It is available as part of an Oracle Java SE Subscription and Oracle Cloud Infrastructure (OCI) Subscription. The Release Notes below describe the features, important changes, enhancements, and other information about the Enterprise Performance Pack.
Enterprise Performance Pack runtime brings improved performance, new features, and enhancements from the Java Virtual Machine from JDK 17 to JDK 8. It reduces the memory footprint for Java SE 8 workloads. It is ideal if you want or need to use Java SE 8 and you are running those workloads at scale. If you need to develop applications, Oracle recommends that you use the full JDK.
Enterprise Performance Pack is for server-side, headless systems (systems that operate without a graphical user interface or peripheral devices like a keyboard or a mouse) running 64-bit Linux on Intel or ARM.
Links to other sources of information about the Enterprise Performance Pack are also provided below:
The full version string for this update release is 1.8.0_345-perf-97-b06 (where "b" means "build"). The version number is 8u345.
IANA Data 2022a
The Enterprise Performance Pack contains IANA time zone data version 2022a. For more information, refer to Timezone Data Versions in the JRE Software.
This section describes Enterprise Performance Pack features and important information. In some cases, the descriptions provide links to additional detailed information about an issue or a change.
New Garbage Collector
Enterprise Performance Pack supports the latest garbage collector, ZGC.
The Z Garbage Collector, also known as ZGC, is a scalable low latency garbage collector (JEP 333). At its core, ZGC is a concurrent garbage collector, meaning that all heavy lifting work (marking, compaction, reference processing, string table cleaning, etc) is done while Java threads continue to execute. This greatly limits the negative impact that garbage collection has on application response times.
Applications moving from Parallel GC, CMS GC, or G1 GC to ZGC might observe higher CPU utilization and might require an increase in Java heap space. The tuning options for ZGC in the presence of observing allocation stalls are: increasing the max Java heap size (-Xmx), or setting -XX:SoftMaxHeapSize to a value less than -Xmx, or increasing the number of concurrent GC threads and disabling dynamic GC threads (-XX:ConcGCThreads=n -XX:-UseDynamicGCThreads), or some combination of those three.
See Enterprise Performance Pack documentation for more information about JVM options and Enterprise Performance Pack configuration.
Unified Logging
Enterprise Performance Pack supports a common logging system for all components of the JVM. This provides line-at-a-time, human readable log messages enabled at the command line through the -Xlog
flag. See Printing JVM Information in the Enterprise Performance Pack User's Guide for more details.
Relevant Changes for Unified Logging: ➜ Use Unified Logging for GC logging (JDK-8145092) ➜ print_tracing_info Uses Unified Logging (JDK-8184286) ➜ Deprecated Tracing Flags Are Obsolete and Must Be Replaced With Unified Logging Equivalents (JDK-8256718)
Compact Strings
This is a space-efficient internal representation of strings, which reduces memory footprint and garbage collection activity. See Compact Strings in the Java Virtual Machine Guide of JDK 17 for more details.
Relevant Changes for Compact Strings: ➜ JEP 254: Compact Strings (JDK-8054307)
A new Class Hierarchy Analysis implementation is introduced in the HotSpot JVM. It features enhanced handling of abstract and default methods which improves inlining decisions made by the JIT-compilers. The new implementation supersedes the original one and is turned on by default.
To help diagnose possible issues related to the new implementation, the original implementation can be turned on by specifying the -XX:+UnlockDiagnosticVMOptions -XX:-UseVtableBasedCHA
command-line flags.
The original implementation may be removed in a future release.
This section describes Enterprise Performance Pack enhancements. In some cases, the descriptions provide links to additional detailed information about an issue or a change.
Garbage Collectors
Enterprise Performance Pack's Garbage First (G1) collector should not require additional tuning or re-tuning; it's the default garbage collector. Moving from CMS GC to G1 should follow the guidance suggested in the Enterprise Performance Pack User's Guide. Only G1 supports String Deduplication. This feature continuously checks for duplicate String objects during garbage collection thus reducing overall heap size.
Since Enterprise Performance Pack has the Compact Strings feature which reduces the amount of Java heap space occupied by Java Strings, improved performance with Parallel GC may be realized by re-tuning Java heap sizes.
Relevant Changes for Garbage Collectors: ➜ Parallel GC Enables Adaptive Parallel Reference Processing by Default (JDK-8204686) ➜ G1 Enables Adaptive Parallel Reference Processing by Default (JDK-8205043) ➜ JEP 345: NUMA-Aware Memory Allocation for G1 (JDK-8210473) ➜ Parallel GC Improvements (JDK-8224666) ➜ Improvements in Serial GC Young pause time report (JDK-8215221) ➜ JEP 307: Parallel Full GC for G1 (JDK-8172890) ➜ Concurrently Uncommit Memory in G1 (JDK-8236926) ➜ Improved Ergonomics for G1 Heap Region Size (JDK-8241670) ➜ Improve Ergonomics for Sparse PRT Entry Size (JDK-8223162) ➜ New PerfCounters for STW Phases on Concurrent GC Are Available (JDK-8153333) ➜ G1 May Uncommit Memory During Marking Cycle (JDK-6490394) ➜ Garbage Collectors Adaptively Scale the Number of Threads by Default (JDK-8198510) ➜ JEP 363: Remove the Concurrent Mark and Sweep (CMS) Garbage Collector (JDK-8229049) ➜ Various GC combinations have now been removed (JDK-8044022) ➜ JEP 366: Deprecate the ParallelScavenge + SerialOld GC Combination (JDK-8233301) ➜ UseAutoGCSelectPolicy has been deprecated (JDK-8166461)
The java
Command
Enterprise Performance Pack includes several runtime options from JDK 17. However, some options from JDK 8 are not available in Enterprise Performance Pack. For example, Enterprise Performance Pack uses Unified JVM Logging, which replaces options that print details about the JVM with -Xlog:gc options. See the Enterprise Performance Pack documentation for more information about the changes made to the JVM options.
Runtime Options
A number of runtime options have been added or removed from the Enterprise Performance Pack. See the Changes to JVM Runtime Options section of the Enterprise Performance Pack User's Guide.
Relevant Changes for Runtime Options: ➜ Flags Controlling C1 Inlining Have New Names (JDK-8235673) ➜ Improved CompileCommand Flag (JDK-8256508) ➜ Improve the Behavior of MaxRAM Settings and UseCompressedOops (JDK-8222252) ➜ VM Options AdaptiveSizePausePolicy and ParallelGCRetainPLAB are obsolete (JDK-8073861) ➜ Added -XX:+AdjustStackSizeForTLS Flag (JDK-8225035) ➜ Obsolete -XX:UseAdaptiveGCBoundary (JDK-8228991) ➜ Removal of Obsolete -X Options (JDK-8179018) ➜ Obsolete Support for Commercial Features (JDK-8202331) ➜ Obsoleted -XX:+/-MonitorInUseLists (JDK-8211384) ➜ Deprecated Java Options -Xverify:none and -noverify (JDK-8214719) ➜ Command-Line Flag -XX:+ExtensiveErrorReports (JDK-8211845)
Class Data Sharing
This feature helps reduce the startup time and memory footprint between multiple Java Virtual Machines. See the Class Data Sharing section of the Java Virtual Machine Guide of JDK 17 for more information.
Relevant Changes for Class Data Sharing: ➜ CDS Behavior Change With Non-existent Files During Archive Creation (JDK-8227370)
This enhancement causes phantom references to be automatically cleared by the garbage collector just as soft and weak references are.
An object becomes phantom reachable after it has been finalized. This change may cause phantom reachable objects to be garbage collected earlier. Previously, the referent was kept alive until the associated PhantomReference
objects were collected or cleared by the application. This behavioral change should only impact existing code that depends on a PhantomReference
being enqueued rather than when the referent is freed from the heap.
The java.lang.ref.Reference.enqueue
method clears the reference object before it is added to the registered queue. When the enqueue
method is called, the reference object is cleared and the get()
method will return null in Enterprise Performance Pack and later releases.
Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear
method to avoid a memory leak because its referent is no longer referenced. In other words, the get
method is not expected to be called in common cases once the enqueue
method has been called. In the case when the get
method from an enqueued reference object and existing code attempts to access members of the referent, a NullPointerException
may be thrown. Such code will need to be updated.
The java.lang.ref.Reference::clone
method always throws a CloneNotSupportedException
. Therefore, Reference
objects cannot be meaningfully cloned. To copy a Reference
object, call the constructor to create a new Reference
object with the same referent and reference queue instead.
In Java SE Subscription Enterprise Performance Pack, constant pool patching of classes created by calling the unsupported sun.misc.Unsafe.defineAnonymousClass
method is not enabled and could cause your application to crash. The cpPatches
argument to defineAnonymousClass
should be null.
In Java SE Subscription Enterprise Performance Pack, the methods monitorEnter
, monitorExit
, and tryMonitorEnter
have been removed from the unsupported sun.misc.Unsafe
class. These methods are not used within the JDK itself and are very rarely used outside of the JDK.
The Java SE 8 Enterprise Performance Pack follows the versioning format defined by JEP 322, and reports the actual VM version of 17.x, when, for example, java -version
is invoked. However, for compatibility purposes, the sun.misc.Version
methods jvmMajorVersion()
and jvmMinorVersion()
instead report the same VM version as Java SE 8 i.e. 25.x. This ensures that application code checking for a Java 8 runtime by looking for a major version greater than, or equal to, 25, will work correctly even though the actual VM version is 17.
The following notes describe additional changes and information about this release. In some cases, the following descriptions provide links to additional detailed information about an issue or a change.
Monitoring Tools
See Running Tools and Using Libraries on Enterprise Performance Pack for more information.
Application Class Data Sharing (AppCDS)
Application Class Data Sharing (AppCDS) extends class data sharing (CDS) to enable application classes to be placed in a shared archive. See the Application Class Data Sharing section of the java
command page.
Relevant Changes for AppCDS: ➜ JEP 310: Application Class-Data Sharing (JEP 310)
Some linux kernel versions (including, but not limited to 3.13.0-121-generic and 4.4.0-81-generic) are known to contain an incorrect fix for a linux kernel stack overflow issue (See CVE-2017-1000364). The incorrect fix can trigger crashes in the Java Virtual Machine. Upgrading the kernel to a version that includes the corrected fix addresses the problem.
This change enforces the unqualified name format checks for NameAndType
strings as outlined in the JVM specification sections 4.4.6 and 4.2.2, meaning that some illegal names and descriptors that users may be utilizing in their classfiles will now be caught with a Class Format Error. This includes format checking for all strings under non-referenced NameAndType
's. Users will see a change if they (A) are using Java classfile version 6 or below and have an illegal NameAndType descriptor with no Methodref or Fieldref reference to it; or (B) are using any Java classfile version and have an illegal NameAndType name with no Methodref or Fieldref reference to it.
In both (A) and (B) the users will now receive a ClassFormatError for those illegal strings, which is an enforcement of unqualified name formats as delineated in JVMS 4.2.2.
When dumping the heap in binary format, HPROF format 1.0.2 is always used now. Previously, format 1.0.1 was used for heaps smaller than 2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the serviceability agent.
When running with compressed references on x86_64, one of the CPU registers holds the heap base pointer to be used for references encoding/decoding. This register is not available for register allocation.
Simple implementations before this release made this register unavailable (and thus unused) even if compressed references were disabled. In this release, the implementation was revised to put this unused register back into the available registers pool. Configurations with large heaps and/or -XX:-UseCompressedOops
benefit from this improvement.
In the previous release, a NotifyFramePop request was only cleared when the JVMTI_EVENT_FRAME_POP
was enabled. Now it is always cleared when the corresponding frame is popped, regardless of whether the JVMTI_EVENT_FRAME_POP
is enabled or not.
For improved performance, JVM/TI ObjectFree events are no longer posted within GC pauses. The events are still posted as requested, and will be posted before ObjectFree events are enabled or disabled with SetNotificationMode. SetNotificationMode can be used to explicitly flush ObjectFree events, if needed.
The default value for BiasedLockingStartupDelay
has been changed to 0. The flag BiasedLockingStartupDelay
previously had the default value 4000 which delayed the use of biased locking with 4 s (4000 ms). The reason for this delay was performance but recent performance runs show no difference between the 4000 ms delay and no delay. Since having the delay will cause other parts of the VM to do extra work, having the default set to 0 makes more sense.
The JNI function DetachCurrentThread
has been added to the list of JNI functions that can safely be called with an exception pending. The HotSpot Virtual Machine has always supported this as it reports that the exception occurred in a similar manner to the default handling of uncaught exceptions at the Java level. Other implementations are not obligated to do anything with the pending exception.
The -XX:-JNIDetachReleasesMonitors
flag requested that the VM run in a pre-JDK 6 compatibility mode with regard to not releasing monitors when a JNI attached thread detaches. This option is obsolete in JDK 9, and is ignored, as the VM always conforms to the JNI Specification and releases monitors. Use of this option will result in a warning being issued in JDK 9 and it may be removed completely in a future release.
When synchronization is performed on an object, an association is established between the object and the object monitor that implements the synchronization. In the past, the reference from a monitor to its associated object was a strong reference. These strong references would be observable through JVM TI functions that walk the heap (reported as JVMTI_HEAP_ROOT_MONITOR
or JVMTI_HEAP_REFERENCE_MONITOR
) and in heap dumps (reported as HPROF_GC_ROOT_MONITOR_USED
). As of this release, a weak reference is used. These are not observable to JVM TI or heap dumps. Consequently, JVMTI_HEAP_ROOT_MONITOR
, JVMTI_HEAP_REFERENCE_MONITOR
and HPROF_GC_ROOT_MONITOR_USED
are longer reported.
The FlatProfiler, deprecated in JDK 9, has been made obsolete by removing the implementation code. The FlatProfiler was enabled by setting the -Xprof
VM argument. The -Xprof
flag remains recognized in this release; however, setting it will print out a warning message.
The signal-chaining facility was introduced in JDK 1.4 and supported three different Linux signal-handling API's: sigset
, signal
and sigaction
. Only sigaction
is a cross-platform, supported, API for multi-threaded processes. Both signal
and sigset
are considered obsolete on those platforms that still define them. Consequently, the use of signal
and sigset
with the signal-chaining facility are now deprecated, and support for their use will be removed in a future release.
The following sections summarize changes made in all Java SE 8u341 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8291973 | install | install | JavaSE 8 RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8197387 | core-svc | tools | jcmd Started by "root" Must Be Allowed to Access All VM Processes |
JDK-8072439 | hotspot | runtime | Further refinement of the fix JDK-8047720 - Xprof hangs on Solaris |
JDK-8087557 | javafx | accessibility | Alert Dialog Content Is Not Fully Read by Screen Reader |
JDK-8291087 | javafx | accessibility | Wrong Position of Focus of Screen Reader on Windows with Screen Scale > 1 |
JDK-8197387 | javafx | accessibility | Exceptions with TextArea & TextField when Deleted Last Char |
Fixes from the prior BPR are included in this version.
July 19, 2022
The full version string for this update release is 8u341-b10 (where "b" means "build"). The version number is 8u341.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u341 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u341-b10 |
7 | 7u351-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u341) be used after the next critical patch update scheduled for October 18, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u341) on 2022-11-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The TLSv1.3 implementation is available in JDK 8u from 8u261 and enabled by default for server roles but disabled by default for client roles. From this release onwards, TLSv1.3 is now also enabled by default for client roles. You can find more details in the Additional Information section of the Oracle JRE and JDK Cryptographic Roadmap.
Note that TLS 1.3 is not directly compatible with previous versions. Enabling it on the client may introduce compatibility issues on either the server or the client side. Here are some more details on potential compatibility issues that you should be aware of:
signature_algorithms_cert
extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application may use non-supported signature algorithms.TLS_AES_128_GCM_SHA256
(1.3 and later) versus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(1.2 and earlier).
Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.
The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:
jdk.https.negotiate.cbt
(default: "never")
This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:
The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.
The java.net.InetAddress
class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress
class methods are updated to throw an java.net.UnknownHostException
for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".
On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:
java.util.Vector
is updated to correctly report ClassNotFoundException
that occurs during deserialization using java.io.ObjectInputStream.GetField.get(name, object)
when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException
is thrown that does not provide information about the missing class.
DeflaterOutputStream.close()
and GZIPOutputStream.finish()
methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry()
method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.
For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad
now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u341 release:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8259869 | client-libs | [macOS] Remove desktop module dependencies on JNF Reference APIs | |
2 | JDK-8274751 | client-libs | java.awt | Drag And Drop hangs on Windows |
3 | JDK-8272806 | client-libs | java.awt | [macOS] "Apple AWT Internal Exception" when input method is changed |
4 | JDK-8133713 | client-libs | javax.accessibility | [macosx] Accessible JTables always reported as empty |
5 | JDK-8277922 | client-libs | javax.accessibility | Unable to click JCheckBox in JTable through Java Access Bridge |
6 | JDK-7124301 | client-libs | javax.accessibility | [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements. |
7 | JDK-7124298 | client-libs | javax.accessibility | [macosx] Nothing heard from VoiceOver when tabbing between a nested tab group and a parent tab group |
8 | JDK-7124293 | client-libs | javax.accessibility | [macosx] VoiceOver reads percentages rather than the actual values for sliders. |
9 | JDK-8277093 | core-libs | java.io:serialization | Vector should throw ClassNotFoundException for a missing class of an element |
10 | JDK-8279842 | core-libs | java.net | HTTPS Channel Binding support for Java GSS/Kerberos |
11 | JDK-8282293 | core-libs | java.net | Domain value for system property jdk.https.negotiate.cbt should be case-insensitive |
12 | JDK-8288033 | core-libs | java.nio | (dc) DatagramChannel.disconnect uses disconnectx which is not supported on macOS 10.8.3 |
13 | JDK-8285515 | core-libs | java.nio | (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 |
14 | JDK-8258795 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2021-05-11 |
15 | JDK-8247469 | core-svc | javax.management | getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available |
16 | JDK-8273747 | deploy | webstart | Grant JWS JavaFX apps access to Windows trust store |
17 | JDK-8283886 | docs | guides | Fix broken links in the security guide of JDK 8u docs |
18 | JDK-6584403 | docs | guides | Request to add a CA/CSR certificate cookbook to JSSE Reference Guide |
19 | JDK-8173625 | install | install | JRE 8u121 fails to install with blank dialog box (username with character #) |
20 | JDK-8090477 | javafx | controls | Customizable visibility timing for Tooltip |
21 | JDK-8205915 | javafx | controls | [macOS] Accelerator assigned to button in dialog fires menuItem in owning stage |
22 | JDK-8222211 | javafx | graphics | Creating animated gif image from non FX App thread causes exception |
23 | JDK-8280840 | javafx | media | Update libFFI to 3.4.2 |
24 | JDK-8283403 | javafx | media | Update Glib to 2.72.0 |
25 | JDK-8283218 | javafx | media | Update GStreamer to 1.20.1 |
26 | JDK-8282054 | javafx | media | Mediaplayer not working with HTTP Live Stream link with query parameter appended with file extension m3u8 |
27 | JDK-8286256 | javafx | web | Update libxml2 to 2.9.14 |
28 | JDK-8283328 | javafx | web | Update libxml2 to 2.9.13 |
29 | JDK-8286257 | javafx | web | Update libxslt to 1.1.35 |
30 | JDK-8282134 | javafx | web | Certain regex can cause a JS trap in WebView |
31 | JDK-8281459 | javafx | web | WebKit 613.1 build broken on M1 |
32 | JDK-8280841 | javafx | web | Update SQLite to 3.37.2 |
33 | JDK-8284184 | javafx | web | Crash in GraphicsContextJava::drawLinesForText on https://us.yahoo.com/ |
34 | JDK-8278759 | javafx | web | PointerEvent: buttons property set to 0 when mouse down |
35 | JDK-8277734 | javafx | web | WebView: Update Public Suffix List to 3c213aa |
36 | JDK-8278851 | security-libs | java.security | Correct signer logic for jars signed with multiple digest algorithms |
37 | JDK-8245263 | security-libs | javax.net.ssl | Enable TLSv1.3 by default on JDK 8u for Client roles |
38 | JDK-8274524 | security-libs | javax.net.ssl | SSLSocket.close() hangs if it is called during the ssl handshake |
39 | JDK-8275082 | security-libs | javax.xml.crypto | Update XML Security for Java to 2.3.0 |
40 | JDK-8279520 | security-libs | org.ietf.jgss | SPNEGO has not passed channel binding info into the underlying mechanism |
41 | JDK-8157391 | tools | jdeps left JarFile open | |
42 | JDK-8284132 | tools | FXLauncherTest.java fails on headless macos |
The following sections summarize changes made in all Java SE 8u333 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8288212 | core-libs | java.net | WLS12.2.1.3/JDK8u281 high throughput servlet performance |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8279842 | core-libs | java.net | HTTPS Channel Binding support for Java GSS/Kerberos |
JDK-8088420 | javafx | web | JavaFX WebView memory leak via EventListener |
May 2, 2022
The full version string for this update release is 8u333-b02 (where "b" means "build"). The version number is 8u333.
The security baselines are unchanged from the release of JDK 8u331.
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u333) be used after the next critical patch update scheduled for July 19, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u333) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The Windows implementation of java.io.File
allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS
has been added to control this behavior. To disable ADS support in java.io.File
, the system property jdk.io.File.enableADS
should be set to false
(case ignored). Stricter path checking however prevents the use of special devices such as NUL:
This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8284920 | xml | javax.xml.path | Incorrect Token type causes XPath expression to return incorrect results |
JDK-8284548 | xml | jaxp | Invalid XPath expression causes StringIndexOutOfBoundsException |
The following sections summarize changes made in all Java SE 8u331 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8277922 | client-libs | javax.accessibility | Unable to click JCheckBox in JTable through Java Access Bridge |
JDK-8282583 | xml | jaxp | Update BCEL md to include the copyright notice |
JDK-8283350 | core-libs | java.time | (tz) Update Timezone Data to 2022a |
April 19, 2022
The full version string for this update release is 8u331-b09 (where "b" means "build"). The version number is 8u331.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u331 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u331) be used after the next critical patch update scheduled for July 19, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u331) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Three processing limits have been added. These are:
jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10.
jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 100.
jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10000.
Supported processors
jdk.xml.xpathExprGrpLimit
and jdk.xml.xpathExprOpLimit
are supported by the XPath processor.
All three limits are supported by the XSLT processor.
Setting properties
For the XSLT processor, the properties can be changed through the TransformerFactory
. For example,
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties
configuration file located in the conf
directory of the Java installation. For example,
System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
or in the jaxp.properties
file,
jdk.xml.xpathExprGrpLimit=20
There are two known issues:
On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry
method or the keytool -importcert
command on a KeychainStore keystore now fails with a KeyStoreException
. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.
The gencert
command of the keytool
utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.
The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:
-Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict" (to control "ldap:" URLs)
-Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict" (to control "dns:" URLs)
-Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict" (to control "rmi:" URLs)
-Dcom.sun.jndi.corbaURLParsing="legacy" | "compat" | "strict" (to control "iiop:" and "iiopname:" URLs)
The default value is "compat" for all of the three providers.
In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI
constructors or its factory method to build URLs rather than handcrafting URL strings.
If an illegal URL string is found, a java.lang.IllegalArgumentException
or a javax.naming.NamingException
(or a subclass of it) is raised.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8259343 | client-libs | [macOS] Update JNI error handling in Cocoa code. | |
2 | JDK-8251840 | client-libs | java.awt | Java_sun_awt_X11_XToolkit_getDefaultScreenData should not be in make/mapfiles/libawt_xawt/mapfile-vers |
3 | JDK-8259237 | client-libs | javax.swing | Demo selection changes with left/right arrow key. No need to press space for selection. |
4 | JDK-8074883 | client-libs | javax.swing | Tab key should move to focused button in a button group |
5 | JDK-8258554 | client-libs | javax.swing | javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F |
6 | JDK-8272105 | client-libs | javax.swing | TestButtonGroupFocusTraversal.java fails in 8u |
7 | JDK-8275703 | core-libs | java.lang | System.loadLibrary fails on Big Sur for libraries hidden from filesystem |
8 | JDK-8274779 | core-libs | java.net | HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST |
9 | JDK-8209178 | core-libs | java.net | Proxied HttpsURLConnection doesn't send BODY when retrying POST request |
10 | JDK-8272473 | core-libs | java.time | Parsing epoch seconds at a DST transition with a non-UTC parser is wrong |
11 | JDK-8279618 | core-libs | java.util | Deserializing HashMap throws access denied suppressAccessChecks |
12 | JDK-8274658 | core-libs | java.util:i18n | ISO 4217 Amendment 170 Update |
13 | JDK-8277795 | core-libs | javax.naming | ldap connection timeout not honoured under contention |
14 | JDK-8266187 | core-svc | java.lang.instrument | Memory leak in appendBootClassPath() |
15 | JDK-8273575 | core-svc | java.lang.instrument | memory leak in appendBootClassPath(), paths must be deallocated |
16 | JDK-8276957 | docs | guides | Fix broken JDK8 documentation links |
17 | JDK-8166140 | hotspot | compiler | C1: Possible integer overflow in LIRGenerator::generate_address on several platforms |
18 | JDK-8183543 | hotspot | compiler | Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check" |
19 | JDK-8132306 | hotspot | gc | java/lang/ref/ReferenceEnqueue.java fails with "RuntimeException: Error: poll() returned null; expected ref object" |
20 | JDK-8273341 | hotspot | runtime | Update Siphash to version 1.0 |
21 | JDK-8189641 | javafx | accessibility | [Accessibility, windows] NPE when navigating to ComboBox with empty string |
22 | JDK-8151974 | javafx | accessibility | Invisible controls are still accessible by screen readers. |
23 | JDK-8089884 | javafx | controls | TextInputControls capturing function key events |
24 | JDK-8274022 | javafx | controls | Additional Memory Leak in ControlAcceleratorSupport |
25 | JDK-8244075 | javafx | controls | Accelerator of ContextMenu's MenuItem is not removed when ContextMenu is removed from Scene |
26 | JDK-8276847 | javafx | web | JSException: ReferenceError: Can't find variable: IntersectionObserver |
27 | JDK-8278980 | javafx | web | Update WebKit to 613.1 |
28 | JDK-8281711 | javafx | web | Cherry-pick WebKit 613.1 stabilization fixes |
29 | JDK-8282099 | javafx | web | Cherry-pick WebKit 613.1 stabilization fixes (2) |
30 | JDK-8242544 | javafx | window-toolkit | CMD+ENTER key event crashes the application when invoked on dialog |
31 | JDK-8257497 | security-libs | java.security | Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 |
32 | JDK-8274736 | security-libs | java.security | Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily |
33 | JDK-8241248 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) |
34 | JDK-8275811 | security-libs | javax.net.ssl | Incorrect instance to dispose |
35 | JDK-8141508 | tools | javac | java.lang.invoke.LambdaConversionException: Invalid receiver type ... |
36 | JDK-8255035 | xml | jaxp | Update BCEL to Version 6.5.0 |
37 | JDK-8276141 | xml | jaxp | XPathFactory set/getProperty method |
The following sections summarize changes made in all Java SE 8u321 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8278472 | client-libs | java.awt:i18n | Invalid value set to CANDIDATEFORM structure |
JDK-8278186 | security-libs | javax.xml.crypto | org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method |
JDK-8255199 | security-libs | javax.xml.crypto | Catching a few NumberFormatExceptions in xmldsig |
JDK-8275082 | security-libs | javax.xml.crypto | Update XML Security for Java to 2.3.0 |
JDK-8090477 | javafx | controls | Customizable visibility timing for Tooltip |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8247469 | core-svc | javax.management | getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available |
JDK-8265836 | core-svc | java.lang.management | OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container |
JDK-8268103 | core-svc | java.lang.management | JNI functions incorrectly return a double after JDK-8265836 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8141508 | tools | javac | java.lang.invoke.LambdaConversionException: Invalid receiver type |
JDK-8209178 | core-libs | java.net | Proxied HttpsURLConnection doesn't send BODY when retrying POST request |
JDK-8279618 | core-libs | java.util | Deserializing HashMap throws access denied suppressAccessChecks |
JDK-8273747 | deploy | webstart | Grant JWS JavaFX apps access to Windows trust store |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8279118 | core-libs | java.net | ServerSocket.close bind exception with ResourceManagement |
JDK-8151974 | javafx | accessibility | Invisible controls are still accessible by screen readers. |
January 18, 2022
The full version string for this update release is 8u321-b07 (where "b" means "build"). The version number is 8u321.
This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u321 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u321-b07 |
7 | 7u331-b06 |
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u321) be used after the next critical patch update scheduled for April 19, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u321) on 2022-05-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.
The 3 new attributes for SunPKCS11 provider configuration file are:
destroyTokenAfterLogout
(boolean, defaults to false) If set to true, when java.security.AuthProvider.logout()
is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout()
calls. Note that a PKCS11 provider with this attribute set to true
should not be added to the system provider list since the provider object is not usable after a logout()
method call.
cleaner.shortInterval
(integer, defaults to 2000, in milliseconds) This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).
cleaner.longInterval
(integer, defaults to 60000, in milliseconds) This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.
Two new system properties have been added. The system property, jdk.tls.client.disableExtensions
, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions
, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.
The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.
Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.
The following root certificate from Google has been removed from the cacerts
keystore:
+ alias name "globalsignr2ca [jdk]"
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b
This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8263846 | client-libs | Bad JNI lookup getFocusOwner in accessibility code on Mac OS X | |
2 | JDK-8155742 | client-libs | [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows | |
3 | JDK-8249548 | client-libs | backward focus traversal gets stuck in button group | |
4 | JDK-8259232 | client-libs | 2d | Bad JNI lookup during printing |
5 | JDK-6801613 | client-libs | 2d | Cross-platform pageDialog and printDialog top margin entry broken |
6 | JDK-8042713 | client-libs | 2d | [macosx] Print dialog does not update attribute set with page range |
7 | JDK-8257853 | client-libs | java.awt | Remove dependencies on JNF's JNI utility functions in AWT and 2D code |
8 | JDK-8259585 | client-libs | java.awt | [macOS] Bad JNI lookup error : Accessible actions do not work on macOS |
9 | JDK-8038631 | client-libs | java.awt | Create wrapper for awt.Robot with additional functionality |
10 | JDK-6722236 | client-libs | java.awt | 3 Choice regression testcases are failing from 6u10_b26 build onwards |
11 | JDK-8041928 | client-libs | java.awt | MouseEvent.getModifiersEx gives wrong result |
12 | JDK-8275131 | client-libs | java.awt | Exceptions after a touchpad gesture on macOS |
13 | JDK-8263490 | client-libs | java.awt:i18n | [macos] Crash occurs on JPasswordField with activated InputMethod |
14 | JDK-8274326 | client-libs | javax.accessibility | [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m |
15 | JDK-8274056 | client-libs | javax.accessibility | JavaAccessibilityUtilities leaks JNI objects |
16 | JDK-8274381 | client-libs | javax.accessibility | missing CAccessibility definitions in JNI code |
17 | JDK-8259729 | client-libs | javax.accessibility | Missed JNFInstanceOf -> IsInstanceOf conversion |
18 | JDK-8208640 | client-libs | javax.accessibility | [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard. |
19 | JDK-8208747 | client-libs | javax.accessibility | [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on |
20 | JDK-8194873 | client-libs | javax.swing | right ALT key hotkeys no longer work in Swing components |
21 | JDK-8182577 | client-libs | javax.swing | Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel |
22 | JDK-8269850 | core-libs | Most JDK releases report macOS version 12 as 10.16 instead of 12.0 | |
23 | JDK-8190482 | core-libs | InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride | |
24 | JDK-8143317 | core-libs | jdk/lambda/vm/InterfaceAccessFlagsTest.java fails with IncompatibleClassChangeError | |
25 | JDK-8253702 | core-libs | java.lang | BigSur version number reported as 10.16, should be 11.nn |
26 | JDK-8202788 | core-libs | java.nio | Explicitly reclaim cached thread-local direct buffers at thread exit |
27 | JDK-8276536 | core-libs | java.time | Update TimeZoneNames files to follow the changes made by JDK-8275766 |
28 | JDK-8273924 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() |
29 | JDK-8187649 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar |
30 | JDK-8273819 | docs | guides | Update JSSE Reference Guide with new properties to disable TLS extensions |
31 | JDK-8139247 | hotspot | compiler | Improper locking of MethodData::_extra_data_lock |
32 | JDK-8057038 | hotspot | compiler | Speculative traps not robust when compilation and class unloading are concurrent |
33 | JDK-8253353 | hotspot | compiler | Crash in C2: guarantee(n != NULL) failed: No Node |
34 | JDK-8069034 | hotspot | gc | gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure |
35 | JDK-8071530 | hotspot | runtime | Update OS detection code to reflect Windows 10 version change |
36 | JDK-8273229 | hotspot | runtime | Update OS detection code to recognize Windows Server 2022 |
37 | JDK-8274840 | hotspot | runtime | Update OS detection code to recognize Windows 11 |
38 | JDK-8273342 | hotspot | runtime | Null pointer dereference in classFileParser.cpp:2817 |
39 | JDK-8266404 | hotspot | runtime | Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report |
40 | JDK-8219562 | hotspot | runtime | Line of code in osContainer_linux.cpp#L102 appears unreachable |
41 | JDK-8186902 | hotspot | svc | jcmd GC.run should not be blocked by DisableExplicitGC |
42 | JDK-8263807 | javafx | controls | Button types of a DialogPane are set twice, returns a wrong button |
43 | JDK-8261460 | javafx | controls | Incorrect CSS applied to ContextMenu on DialogPane |
44 | JDK-8178297 | javafx | controls | TableView scrolls slightly when adding new elements |
45 | JDK-8269538 | javafx | controls | StackOverflowError when pressing F10 within SpinnerSkin |
46 | JDK-8208088 | javafx | controls | Memory Leak in ControlAcceleratorSupport |
47 | JDK-8275138 | javafx | web | WebView: UserAgent string is empty for first request |
48 | JDK-8274929 | javafx | window-toolkit | Crash while reading specific clipboard content |
49 | JDK-8275723 | javafx | window-toolkit | Crash on macOS 12 in GlassRunnable::dealloc |
50 | JDK-8192988 | security-libs | java.security | keytool should support -storepasswd for pkcs12 keystores |
51 | JDK-8225083 | security-libs | java.security | Remove Google certificate that is expiring in December 2021 |
52 | JDK-8273826 | security-libs | java.security | Correct Manifest file name and NPE checks |
53 | JDK-8277224 | security-libs | java.security | sun.security.pkcs.PKCS9Attributes.toString() throws NPE |
54 | JDK-8269034 | security-libs | javax.crypto:pkcs11 | AccessControlException for SunPKCS11 daemon threads |
55 | JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
56 | JDK-8098580 | security-libs | javax.crypto:pkcs11 | drainRefQueueBounds() puts pressure on pool.size() |
57 | JDK-8270344 | security-libs | javax.net.ssl | Session resumption errors |
58 | JDK-8217633 | security-libs | javax.net.ssl | Configurable extensions with system properties |
59 | JDK-8268965 | security-libs | javax.net.ssl | TCP Connection Reset when connecting simple socket to SSL server |
60 | JDK-8259662 | security-libs | javax.net.ssl | Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl |
61 | JDK-8169416 | security-libs | javax.net.ssl | SSLSessionImpl finalize overhead |
62 | JDK-8147051 | xml | javax.xml.stream | StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator |
The following sections summarize changes made in all Java SE 8u311 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8182577 | client-libs | javax.swing | Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel |
JDK-8241248 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8274929 | javafx | window-toolkit | Crash while reading specific clipboard content |
JDK-8089884 | javafx | controls | TextInputControls capturing function key events |
JDK-8253353 | hotspot | compiler | Crash in C2: guarantee(n != NULL) failed: No Node |
JDK-8275766 | core-libs | java.time | (tz) Update Timezone Data to 2021e |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8275138 | javafx | web | WebView: UserAgent string is empty for first request |
JDK-8274779 | core-libs | java.net | HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST |
JDK-8273229 | hotspot | runtime | Update OS detection code to recognize Windows Server 2022 |
JDK-8274840 | hotspot | runtime | Update OS detection code to recognize Windows 11 |
JDK-8041928 | client-libs | java.awt | MouseEvent.getModifiersEx gives wrong result |
JDK-8275723 | javafx | window-toolkit | Crash on macOS 12 in GlassRunnable::dealloc |
JDK-8274407 | core-libs | java.time | (tz) Update Timezone Data to 2021c |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8269538 | javafx | controls | StackOverflowError when pressing F10 within SpinnerSkin |
JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
JDK-8098580 | security-libs | javax.crypto:pkcs11 | drainRefQueueBounds() puts pressure on pool.size() |
JDK-8190482 | core-libs | InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride | |
JDK-8169416 | security-libs | javax.net.ssl | SSLSessionImpl finalize overhead |
October 19, 2021
The full version string for this update release is 8u311-b11 (where "b" means "build"). The version number is 8u311.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u311 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u311-b11 |
7 | 7u321-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u311) be used after the next critical patch update scheduled for January 18, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u311) on 2022-02-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Starting from version 8u311, the Marlin graphics rasterizer and its artifacts will be built and distributed as a part of the JDK/JRE bundles. It is not the default rendering engine, however there is an option to enable it by setting the following system property:
sun.java2d.renderer=sun.java2d.marlin.MarlinRenderingEngine
Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.
The behavior is opt-in based on the presence of the jdk.serialFilterFactory
system property on the command line or the jdk.serialFilterFactory
security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.
The JVM-wide filter factory is a java.util.function.BinaryOperator<sun.misc.ObjectInputFilter>
function invoked when each ObjectInputStream
is constructed and when the stream-specific filter is set using sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter)
. The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream
constructors, the first parameter is null
and the second parameter is the static JVM-wide filter
. When invoked from sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter)
, the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter requested.
A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.
Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.
The following root certificate from IdenTrust has been removed from the cacerts
keystore:
+ alias name "identrustdstx3 [jdk]"
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
This release doesn't correctly identify Windows 11. The property os.name
is set to Windows 10
on Windows 11. In HotSpot error logs, the OS is identified as Windows 10
; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.
The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.
For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.
For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:
The behavior of HttpURLConnection
when using ProxySelector
has been modified in this JDK release. HttpURLConnection
used to fall back to a direct connection attempt if the configured proxy(s) failed to make a connection. Beginning with this release, the default behavior has been changed to no longer use a direct connection when the first proxy connection attempt fails.
A new system property, sun.net.http.fallbackToDirect
, can be set to a value of "true" should an application need to fall back to the old behavior (fall back to a direct connection when the first proxy connection attempt fails).
The scope of the com.sun.jndi.ldap.object.trustSerialData
system property has been extended to control the deserialization of java objects from the javaReferenceAddress
LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData
and javaReferenceAddress
LDAP attributes.
To prevent deserialization of java objects from these attributes, the system property can be set to false
. By default, the deserialization of java objects from javaSerializedData
and javaReferenceAddress
attributes is allowed.
This release doesn't correctly identify Windows Server. The property os.name
is set to Windows 2019
on Windows Server 2022. In HotSpot error logs, the OS is identified as Windows 10.0
for Windows Server releases 2016, 2019, and 2022; however, the HotSpot error log does show the Build number. Windows Server 2016 has Build 14393 or above, Windows Server 2019 has Build 17763 or above, and Windows Server 2022 has Build 20348 or above.
The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".
This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8148886 | client-libs | SEGV in sun.java2d.marlin.Renderer._endRendering | |
2 | JDK-8149338 | client-libs | 2d | JVM Crash caused by Marlin renderer not handling NaN coordinates |
3 | JDK-8144938 | client-libs | 2d | Handle properly coordinate overflow in Marlin Renderer |
4 | JDK-8180055 | client-libs | 2d | Upgrade the Marlin renderer in Java2D |
5 | JDK-8202580 | client-libs | 2d | Dashed BasicStroke randomly painted incorrectly, may freeze application |
6 | JDK-8210335 | client-libs | 2d | Clipping problems with complex affine transforms: negative scaling factors or small scaling factors |
7 | JDK-8228711 | client-libs | 2d | Path rendered incorrectly when it goes outside the clipping region |
8 | JDK-8230728 | client-libs | 2d | Thin stroked shapes are not rendered if affine transform has flip bit |
9 | JDK-8145055 | client-libs | 2d | Marlin renderer causes unaligned write accesses |
10 | JDK-8244088 | client-libs | 2d | [Regression] Switch of Gnome theme ends up in deadlocked UI |
11 | JDK-8262392 | client-libs | 2d | Update Mesa 3-D Headers to version 21.0.3 |
12 | JDK-8262731 | client-libs | 2d | [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" |
13 | JDK-8198885 | client-libs | 2d | Upgrade Marlin (java2d) to 0.9.1 |
14 | JDK-8273358 | client-libs | 2d | macOS Monterey does not have the font Times needed by Serif |
15 | JDK-8269984 | client-libs | java.awt | [macos] JTabbedPane title looks like disabled |
16 | JDK-8129940 | client-libs | javax.swing | JRadioButton does not honor non-standard FocusTraversalKeys |
17 | JDK-8251377 | client-libs | javax.swing | [macos11] JTabbedPane selected tab text is barely legible |
18 | JDK-8269931 | client-libs | javax.swing | ButtonGroupLayoutTraversalTest.java fails on macOS |
19 | JDK-8268518 | client-libs | javax.swing | Add headful keyword to LayoutFocusTraversalPolicy.java |
20 | JDK-8154043 | client-libs | javax.swing | Fields not reachable anymore by tab-key, because of new tabbing behaviour of radio button groups. |
21 | JDK-8035424 | core-libs | java.lang:reflect | Performance problem in sun.reflect.generics.parser.SignatureParser |
22 | JDK-8161016 | core-libs | java.net | Strange behavior of URLConnection with proxy |
23 | JDK-8183369 | core-libs | java.net | RFC unconformity of HttpURLConnection with proxy |
24 | JDK-8067744 | hotspot | compiler | XMM/SSE float register values corrupted by JNI_CreateVM call in JRE 8 (Windows) |
25 | JDK-8268366 | hotspot | compiler | Incorrect calculation of has_fpu_registers in C1 linear scan |
26 | JDK-8268347 | hotspot | compiler | C2: nested locks optimization may create unbalanced monitor enter/exit code |
27 | JDK-8269304 | hotspot | compiler | Regression ~5% in spec2005 in b27 |
28 | JDK-8065895 | hotspot | runtime | Synchronous signals during error reporting may terminate or hang VM process |
29 | JDK-8261397 | hotspot | runtime | try catch Method failing to work when dividing an integer by 0 |
30 | JDK-8262396 | javafx | graphics | Update Mesa 3-D Headers to version 21.0.3 |
31 | JDK-8266860 | javafx | media | [macos] Incorrect duration reported for HLS live streams |
32 | JDK-8264737 | javafx | media | JavaFX media stream stops playing after reconnecting via Remote Desktop |
33 | JDK-8267819 | javafx | media | CoInitialize/CoUninitialize should be called on same thread |
34 | JDK-8268219 | javafx | media | hlsprogressbuffer should provide PTS after GStreamer update |
35 | JDK-8269147 | javafx | media | Update GStreamer to version 1.18.4 |
36 | JDK-8268718 | javafx | media | [macos] Video stops, but audio continues to play when stopTime is reached |
37 | JDK-8269131 | javafx | web | Update libxml2 to version 2.9.12 |
38 | JDK-8270479 | javafx | web | WebKit 612.1 build fails with Visual Studio 2017 |
39 | JDK-8272329 | javafx | web | Cherry pick GTK WebKit 2.32.3 changes |
40 | JDK-8268849 | javafx | web | Update to 612.1 version of WebKit |
41 | JDK-8274107 | javafx | web | Cherry pick GTK WebKit 2.32.4 changes |
42 | JDK-8231558 | javafx | window-toolkit | [macos] Platform.exit causes assertion error on macOS 10.15 or later |
43 | JDK-8268158 | security-libs | Partial backport of JDK-8214074 | |
44 | JDK-8156584 | security-libs | java.security | Initialization race in sun.security.x509.AlgorithmId.get |
45 | JDK-8268128 | security-libs | java.security | ProviderConfig deadlock in JDK 8u291 |
46 | JDK-8225082 | security-libs | java.security | Remove IdenTrust certificate that is expiring in September 2021 |
47 | JDK-8238555 | security-libs | javax.crypto:pkcs11 | Allow initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB |
48 | JDK-8163326 | security-libs | javax.net.ssl | Update the default enabled cipher suites preference |
49 | JDK-8259886 | security-libs | javax.net.ssl | Improve SSL session cache performance and scalability |
50 | JDK-8255255 | security-libs | javax.xml.crypto | Update Apache Santuario (XML Signature) to version 2.2.1 |
51 | JDK-8260690 | tools | jconsole | JConsole User Guide Link from the Help menu is not accessible by keyboard |
52 | JDK-8268213 | xml | jax-ws | Racecondition at ContextClassloaderLocal.java:45 |
The following sections summarize changes made in all Java SE 8u301 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-6801613 | client-libs | 2d | Cross-platform pageDialog and printDialog top margin entry broken |
JDK-8268965 | security-libs | javax.net.ssl | TCP Connection Reset when connecting simple socket to SSL server |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8261287 (Confidential) | client-libs | 2d | Ductus renderer does not work properly on aarch64, all graphics primitives appear broken |
JDK-8271206 (Confidential) | deploy | webstart | Passing system property jnlp.sis.session requires multi-clicks |
JDK-8271087 (Confidential) | install | install | [macos] postinstall script should provide verbose output |
JDK-8271854 | core-libs | java.nio | Explicitly reclaim cached thread-local direct buffers at thread exit |
JDK-8205540 | core-svc | debugger | test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8268213 | xml | jax-ws | Racecondition at ContextClassloaderLocal.java:45 |
July 20, 2021
The full version string for this update release is 8u301-b09 (where "b" means "build"). The version number is 8u301.
JDK 8u301 contains IANA time zone data 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u301 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u301-b09 |
7 | 7u311-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u301) be used after the next critical patch update scheduled for October 19, 2021.
Java SE Subscription customers managing JRE updates/installs for large numbers of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u301) on 2021-11-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security
file.
Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256
The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts
keystore:
+ alias name "thawtepremiumserverca [jdk]"
Distinguished Name: EMAILADDRESS=premium-server@thawte.com,
CN=Thawte Premium Server CA, OU=Certification Services Division,
O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA
+ alias name "verisignclass2g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network,
OU="(c) 1998 VeriSign, Inc. - For authorized use only",
OU=Class 2 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
+ alias name "verisignclass3ca [jdk]"
Distinguished Name: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
+ alias name "verisignclass3g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network,
OU="(c) 1998 VeriSign, Inc. - For authorized use only",
OU=Class 3 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
+ alias name "verisigntsaca [jdk]"
Distinguished Name: CN=Thawte Timestamping CA,
OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+ alias name "gtecybertrustglobalca [jdk]"
Distinguished Name:CN=GTE CyberTrust Global Root,
OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
+ soneraclass2ca
DN: CN=Sonera Class2 CA, O=Sonera, C=FI
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api
, jaxp_parser_impl
, and java-fonts
. This clean-up of the list resolves existing and potential conflicts with modular RPMs.
There are other rpms providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP
passive mode.
jdk.net.ftp.trustPasvAddress
.In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV
command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress
system property can be set to true
. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV
command
On the macOS platform, custom URL protocol handlers such as Java WebStart (jnlp and jnlps URI schemes) are deregistered after an OS upgrade. If the Java WebStart application uses jnlp or jnlps URI scheme(s), it is recommended that you check their registration status after the OS upgrade. The registration status of the custom URL protocol handlers can be obtained via the 'lsregister'
command.
For example:
lsregister -dump URLSchemeBinding | sort | grep 'jnlp|java|jar'
The Java WebStart protocol handler is registered and no-further action is required if the output of the above command contains the following lines:
jnlp: Java Network Launch Protocol (0x4680) (0x4682)
jnlps: Secure Java Network Launch Protocol (0x4684) (0x4686)
Otherwise, it is necessary to upgrade or reinstall the JRE in order to register the Java WebStart protocol.
The default encryption algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12
in the java.security
file for detailed information.
For compatibility, a new system property named keystore.pkcs12.legacy
is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:
cacerts
keystore will not be restricted.These exceptions may be removed in a future JDK release.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or overriding it using the java.security.properties
system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.
SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset
to "UTF-8" revert the behavior.
See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP
passive mode.
jdk.net.ftp.trustPasvAddress
.In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV
command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress
system property can be set to true
. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV
command
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8249142 | client-libs | java/awt/FontClass/CreateFont/DeleteFont.sh is unstable | |
2 | JDK-8166673 | client-libs | The new implementation of Robot.waitForIdle() may hang | |
3 | JDK-8263311 | client-libs | 2d | Watch registry changes for remote printers update instead of polling |
4 | JDK-8262829 | client-libs | 2d | Native crash in Win32PrintServiceLookup.getAllPrinterNames() |
5 | JDK-8260380 | client-libs | 2d | Upgrade to LittleCMS 2.12 |
6 | JDK-6847157 | client-libs | 2d | java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit |
7 | JDK-8225105 | client-libs | java.awt | java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10 |
8 | JDK-8198335 | client-libs | java.awt | java/awt/FullScreen/UninitializedDisplayModeChangeTest/UninitializedDisplayModeChangeTest.java fails in headless mode |
9 | JDK-6544871 | client-libs | java.awt | java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows. |
10 | JDK-8196019 | client-libs | java.awt | java/awt/Window/Grab/GrabTest.java fails on Windows |
11 | JDK-8224821 | client-libs | java.awt | java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64 |
12 | JDK-8215105 | client-libs | java.awt | java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color |
13 | JDK-8261231 | client-libs | java.awt | Windows IME was disabled after DnD operation |
14 | JDK-7185258 | client-libs | java.awt | [macOS] Deadlock in SunToolKit.realSync() |
15 | JDK-8240518 | client-libs | java.awt | Incorrect JNU_ReleaseStringPlatformChars in Windows Print |
16 | JDK-8004148 | client-libs | java.awt | NPE in sun.awt.SunToolkit.getWindowDeactivationTime |
17 | JDK-8262446 | client-libs | java.awt | DragAndDrop hangs on Windows |
18 | JDK-8159898 | client-libs | java.beans | Negative array size in java/beans/Introspector/Test8027905.java |
19 | JDK-8178403 | client-libs | javax.sound | DirectAudio in JavaSound may hang and leak |
20 | JDK-8159135 | client-libs | javax.swing | [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail |
21 | JDK-8264328 | client-libs | javax.swing | Broken license in javax/swing/JComboBox/8072767/bug8072767.java |
22 | JDK-8240690 | client-libs | javax.swing | Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() |
23 | JDK-8239312 | client-libs | javax.swing | [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java |
24 | JDK-8196100 | client-libs | javax.swing | javax/swing/text/JTextComponent/5074573/bug5074573.java fails |
25 | JDK-8177809 | core-libs | java.io | File.lastModified() is losing milliseconds (always ends in 000) |
26 | JDK-8178161 | core-libs | java.net | Default multicast interface on Mac |
27 | JDK-8263917 | core-libs | java.rmi | Backout of 8049202 in 8u |
28 | JDK-8252883 | core-libs | java.util.logging | AccessDeniedException caused by delayed file deletion on Windows |
29 | JDK-8262110 | core-libs | java.util:i18n | DST starts from incorrect time in 2038 |
30 | JDK-8255086 | core-libs | java.util:i18n | Update the root locale display names |
31 | JDK-8247432 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-09-29 |
32 | JDK-8241082 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry data to 03-16-2020 version |
33 | JDK-8242010 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-04-01 |
34 | JDK-8073446 | core-libs | java.util:i18n | TimeZone getOffset API does not return a DST offset between years 2038-2137 |
35 | JDK-8258753 | core-libs | javax.naming | StartTlsResponse.close() hangs due to synchronization issues |
36 | JDK-8247707 | deploy | plugin | UAC prompt of unknown publisher after upgrading java 8u241 |
37 | JDK-7123987 | docs | Request Documentation on JNLP/JNI with in 32-bit and 64-bit windows | |
38 | JDK-8216154 | hotspot | compiler | C4819 warnings at HotSpot sources on Windows |
39 | JDK-8211233 | hotspot | compiler | MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better |
40 | JDK-8209420 | hotspot | compiler | Track membars for volatile accesses so they can be properly optimized |
41 | JDK-8132148 | hotspot | gc | G1 hs_err region dump legend out of sync with region values |
42 | JDK-8166607 | hotspot | gc | G1 needs klass_or_null_acquire |
43 | JDK-8166862 | hotspot | gc | CMS needs klass_or_null_acquire |
44 | JDK-8166229 | hotspot | gc | Eliminate ParNew's use of klass_or_null() |
45 | JDK-8166663 | hotspot | gc | Simplify oops_on_card_seq_iterate_careful |
46 | JDK-8166583 | hotspot | gc | Add oopDesc::klass_or_null_acquire() |
47 | JDK-8165808 | hotspot | gc | Add release barriers when allocating objects with concurrent collection |
48 | JDK-8260704 | hotspot | gc | ParallelGC: oldgen expansion needs release-store for _end |
49 | JDK-8259271 | hotspot | gc | gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" |
50 | JDK-8257746 | hotspot | runtime | Regression introduced with JDK-8250984 - memory might be null in some machines |
51 | JDK-8203345 | javafx | accessibility | Memory leak in VirtualFlow when screen reader is enabled |
52 | JDK-8160554 | javafx | controls | Wrong unit measure in CornerRadiiConverter |
53 | JDK-8185854 | javafx | controls | NPE on non-editable ComboBox in TabPane with custom Skin |
54 | JDK-8266966 | javafx | controls | Wrong CSS properties are applied to other nodes after fix for JDK-8204568 |
55 | JDK-8204568 | javafx | controls | Relative CSS-Attributes don't work all time |
56 | JDK-8239589 | javafx | graphics | JavaFX UI will not repaint after reconnecting via Remote Desktop |
57 | JDK-8259046 | javafx | graphics | ViewPainter.ROOT_PATHS holds reference to Scene causing memory leak |
58 | JDK-8258986 | javafx | graphics | getColor throws IOOBE when PixelReader reads the same pixel twice |
59 | JDK-8259356 | javafx | media | MediaPlayer's seek freezes video |
60 | JDK-8262365 | javafx | media | Update GStreamer to version 1.18.3 |
61 | JDK-8262366 | javafx | media | Update glib to version 2.66.7 |
62 | JDK-8268152 | javafx | media | gstmpegaudioparse does not provides timestamps for HLS MP3 streams |
63 | JDK-8260246 | javafx | samples | Ensemble: Update version of Lucene to 7.7.3 |
64 | JDK-8259680 | javafx | scenegraph | Need API to query states of CAPS LOCK and NUM LOCK keys |
65 | JDK-8264990 | javafx | web | WebEngine crashes with segfault when not loaded through system classloader |
66 | JDK-8259555 | javafx | web | Webkit crashes on Apple Silicon |
67 | JDK-8263788 | javafx | web | JavaFX application freezes completely after some time when using the WebView |
68 | JDK-8261927 | javafx | web | WebKit build fails with Visual Studio 2017 |
69 | JDK-8260245 | javafx | web | Update ICU4C to version 68.2 |
70 | JDK-8251555 | javafx | window-toolkit | Remove unused focusedWindow field in glass Window to avoid leak |
71 | JDK-8263169 | javafx | window-toolkit | [macOS] JavaFX windows open as tabs when system preference for documents is set |
72 | JDK-8266293 | security-libs | Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" | |
73 | JDK-8263817 | security-libs | java.security | java.util.MissingResourceException if add cert with GOST key in cacerts |
74 | JDK-8218553 | security-libs | java.security | Enhance keystore load debug output |
75 | JDK-8243559 | security-libs | java.security | Remove root certificates with 1024-bit keys |
76 | JDK-8225081 | security-libs | java.security | Remove Telia Company CA certificate expiring in April 2021 |
77 | JDK-8153005 | security-libs | java.security | Upgrade the default PKCS12 encryption/MAC algorithms |
78 | JDK-8267599 | security-libs | java.security | Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u |
79 | JDK-8214513 | security-libs | java.security | A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11 |
80 | JDK-8202837 | security-libs | java.security | PBES2 AlgorithmId encoding error in PKCS12 KeyStore |
81 | JDK-8267100 | security-libs | java.security | [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs |
82 | JDK-8196415 | security-libs | java.security | Disable SHA-1 Signed JARs |
83 | JDK-8076190 | security-libs | java.security | Customizing the generation of a PKCS12 keystore |
84 | JDK-8260300 | security-libs | javax.net.ssl | Restrict TLS signature schemes in 8u |
85 | JDK-8254631 | security-libs | javax.net.ssl | Better support ALPN byte wire values in SunJSSE |
86 | JDK-8005819 | security-libs | org.ietf.jgss:krb5 | Support cross-realm MSSFU |
87 | JDK-8180478 | tools | tools/launcher/MultipleJRE.sh fails on Windows because of extra-'' | |
88 | JDK-8260568 | xml | Xerces version string output does not match actual version in JDK | |
89 | JDK-8235368 | xml | jaxp | Update BCEL to Version 6.4.1 |
90 | JDK-8213734 | xml | org.xml.sax | SAXParser.parse(File, ..) does not close resources when Exception occurs. |
The following sections summarize changes made in all Java SE 8u291 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8268128 | security-libs | java.security | ProviderConfig deadlock in JDK 8u291 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259886 | security-libs | javax.net.ssl | Improve SSL session cache performance and scalability |
JDK-8266943 (Confidential) | install | install | Request to reinstate MacOS JRE pkg.dmg binary bundle |
JDK-8267429 (Confidential) | infrastructure | release_eng | MacOS JRE pkg.dmg binary bundle reinstated |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8258753 | core-libs | javax.naming | StartTlsResponse.close() hangs due to synchronization issues |
JDK-8263788 | javafx | web | JavaFX application freezes completely after some time when using the WebView |
JDK-8185854 | javafx | controls | NPE on non-editable ComboBox in TabPane with custom Skin |
JDK-8260300 | security-libs | javax.net.ssl | Restrict TLS signature schemes in 8u |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8239589 | javafx | graphics | JavaFX UI will not repaint after reconnecting via Remote Desktop |
April 20, 2021
The full version string for this update release is 1.8.0_291-b10 (where "b" means "build"). The version number is 8u291.
JDK 8u291 contains IANA time zone data 2020e, 2020f, 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u291 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_291-b10 |
7 | 1.7.0_301-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u291) be used after the next critical patch update scheduled for July 20, 2021.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u291) on 2021-08-20. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
jdk.jndi.object.factoriesFilter
: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.
com.sun.jndi.ldap.object.trustSerialData
: This system property allows control of the deserialization of java objects from the javaSerializedData
LDAP attribute. To prevent deserialization of java objects from the attribute, the system property can be set to false
value. By default, deserialization of java objects from the javaSerializedData
attribute is allowed.
The following root certificates have been added to the cacerts truststore:
+ HARICA
+ haricarootca2015
DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+ haricaeccrootca2015
DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
Oracle JRE installers will update the PATH environment variable with their directory behind any already put in place by other Oracle JDK installers.
TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).
These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms
security property in the java.security
configuration file.
TLS 1.0 and 1.1 have been disabled. These protocols are NOT used by Java Plugin applets and Java Web Start applications by default. In case of any issues there is an option to re-enable the protocols via Java Control Panel.
In the java.lang.ProcessBuilder
implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false
ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess
. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands
property can be set to true
: jdk.lang.Process.allowAmbiguousCommands=true
or false
. If left unset, it is the same as setting it to true
.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8244621 | client-libs | 2d | [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11 |
2 | JDK-8258805 | client-libs | java.awt | Japanese characters not entered by mouse click on Windows 10 |
3 | JDK-8212678 | client-libs | java.awt | Windows IME related patch |
4 | JDK-8239137 | client-libs | javax.accessibility | JAWS does not always announce the value of JSliders in JColorChooser |
5 | JDK-8249588 | client-libs | javax.accessibility | libwindowsaccessbridge issues on 64bit Windows |
6 | JDK-8255880 | client-libs | javax.swing | UI of Swing components is not redrawn after their internal state changed |
7 | JDK-8250627 | core-libs | Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics | |
8 | JDK-8251397 | core-libs | java.lang | NPE on ClassValue.ClassValueMap.cacheArray |
9 | JDK-7146776 | core-libs | java.net | Deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection |
10 | JDK-8247766 | hotspot | compiler | AArch64: guarantee(val < (1U << nbits)) failed: Field too big for insn | 11 | JDK-8252482 | hotspot | compiler | disable cbcond instructions on SPARC64 |
12 | JDK-8243290 | hotspot | runtime | Improve diagnostic messages for class verification and redefinition failures |
13 | JDK-8257168 | hotspot | runtime | Use SkippedException instead of RuntimeException for docker not able to pull the repository |
14 | JDK-8260159 | install | install | Typo in Javapath.cpp |
15 | JDK-8260190 | install | install | Incomplete JDK-8259215 fix |
16 | JDK-8259215 | install | install | Default Java version is not updated for double click jar execution |
17 | JDK-8242565 | security-libs | java.security | Policy initialization issues when the denyAfter constraint is enabled |
18 | JDK-8244154 | security-libs | javax.crypto:pkcs11 | Update SunPKCS11 provider with PKCS11 v3.0 header files |
19 | JDK-8240871 | security-libs | javax.net.ssl | SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3 |
20 | JDK-8257997 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 |
21 | JDK-8253368 | security-libs | javax.net.ssl | TLS connection always receives close_notify exception |
22 | JDK-8202343 | security-libs | javax.net.ssl | Disable TLS 1.0 and 1.1 |
23 | JDK-8256818 | security-libs | javax.net.ssl | SSLSocket that is never bound or connected leaks socket resources |
24 | JDK-8257670 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks |
25 | JDK-8255559 | security-libs | javax.xml.crypto | Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() |
26 | JDK-8261970 | xml | reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271 | |
27 | JDK-8256685 | xml | jaxp | Behavior change in XML since JDK 8u271 |
28 | JDK-8249867 | xml | jaxp | XML declaration is not followed by a newline |
The following sections summarize changes made in all Java SE 8u281 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8204568 | javafx | controls | Relative CSS-Attributes don't work all time |
JDK-8262829 | client-libs | 2d | Native crash in Win32PrintServiceLookup.getAllPrinterNames() |
JDK-8262940 (Confidential) | install | [macOS] Java Webstart protocol schemes not registered by JRE installer on macOS | |
JDK-8247707 | deploy | plugin | UAC prompt of unknown publisher after upgrading java 8u241 |
JDK-8263575 (Confidential) | install | install | Conflict between JDK rpms and OL8 Modularity prevents dnf install/updates |
JDK-8263842 (Confidential) | install | install | Clean up "Provides" tag of OracleJDK/JRE rpms |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8261970 | xml | reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259680 | javafx | scenegraph | Need API to query states of CAPS LOCK and NUM LOCK keys |
JDK-8258803 | xml | WLS/Tuxedo error in encoding post JDK upgrade | |
JDK-8261209 | xml | jaxp | isStandalone property: remove dependency on pretty-print |
JDK-8249867 | xml | jaxp | xml declaration is not followed by a newline |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259048 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020f |
JDK-8259215 | install | install | default java version is not updated for double click jar execution |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8256925 (Confidential) | security-libs | java.security | Regression with JDK-8236464 in Oracle 8u271 |
JDK-8256818 | security-libs | javax.net.ssl | SSLSocket that is never bound or connected leaks socket resources |
JDK-8257670 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks |
JDK-8257884 | security-libs | javax.net.ssl | Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test |
JDK-8257997 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 |
JDK-8256004 (Confidential) | deploy | plugin | DRS: Can not run applet in DRS with java 6 after 8u261 upgrade |
JDK-8258373 | client-libs | javax.swing | Update the text handling in the JPasswordField |
JDK-8253368 | security-libs | javax.net.ssl | TLS connection always receives close_notify exception |
January 19, 2021
The full version string for this update release is 1.8.0_281-b09 (where "b" means "build"). The version number is 8u281.
JDK 8u281 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u281 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_281-b09 |
7 | 1.7.0_291-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u281) be used after the next critical patch update scheduled for April 20, 2021.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u281) on May 15, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
A new -groupname
option has been added to keytool -genkeypair
so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1
will generate an EC key pair by using the secp384r1
curve. Because there might be multiple curves with the same size, using the -groupname
option is preferred over the -keysize
option.
The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size
has been introduced.
This new system property sets the pool size of the internal DocumentBuilder
cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size
system property used in Apache Santuario and has the same default value of 20.
The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.
With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.
Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension
system property to true
. The default value of the property is false
.
Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension
is set to true
and the client trusts more CAs than the server implementation limit.
Starting from macOS Catalina 10.15, applications do not have access to the Desktop, Documents and Downloads folders. So, if you use JavaControlPanel app to access files at the locations specified above, (such as load certificates from the Downloads folder) you must either move the files to another location or grant the required permissions to the JavaControlPanel app.
The steps to required to grant the permissions to JavaControlPanel are provided below:
1. On your Mac, open the Apple menu, click System Preferences, click Security & Privacy, then click Privacy.
2. Select Full Disk Access and click +.
3. In Applications, navigate to the System Preferences app (Applications > System Preferences), and click Open.
Note: You must grant permissions to the System Preferences app because the JavaControlPanel app is a part of that application on macOS.
The JDK update incorporates tzdata2020d. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.
The JDK update incorporates tzdata2020c. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.
Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew
and systemv
have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew
data file is no longer available for use.
Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8209113 | client-libs | 2d | Use WeakReference for lastFontStrike for created Fonts |
2 | JDK-8245400 | client-libs | 2d | Upgrade to LittleCMS 2.11 |
3 | JDK-8198334 | client-libs | java.awt | java/awt/FileDialog/8003399/bug8003399.java fails in headless mode |
4 | JDK-8232114 | client-libs | java.awt | JVM crashed at imjpapi.dll in native code |
5 | JDK-8252470 | client-libs | java.awt | java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows |
6 | JDK-8240633 | client-libs | javax.swing | Memory leaks in the implementations of FileChooserUI |
7 | JDK-8253072 | core-libs | XERCES version is displayed incorrect | |
8 | JDK-8069211 | core-libs | java.nio | (zipfs) ZipFileSystem creates corrupted zip if entry output stream gets closed more than once |
9 | JDK-8242480 | core-svc | java.lang.management | Negative value may be returned by getFreeSwapSpaceSize() in the docker |
10 | JDK-8252789 | deploy | deployment_toolkit | Empty client certificate issue during TLS handshake |
11 | JDK-8253695 | docs | guides | JDK 8 Install Guide - 8u RPM Installer Failed to Install on SUSE When Updating Alternatives |
12 | JDK-8255558 | docs | guides | InstallGuide: Update documentation of JDK RPM installation steps |
13 | JDK-8250665 | globalization | locale-data | Wrong translation for the month of May in ar_JO, ar_LB and ar_SY |
14 | JDK-8146612 | hotspot | compiler | C2: Precedence edges specification violated |
15 | JDK-8160006 | hotspot | compiler | Fix AArch64 after changes made by 8151661 |
16 | JDK-8214862 | hotspot | compiler | assert(proj != __null) at compile.cpp:3251 |
17 | JDK-8248214 | hotspot | gc | Add paddings for TaskQueueSuper to reduce false-sharing cache contention |
18 | JDK-8185348 | hotspot | jvmti | Major performance regression in GetMethodDeclaringClass and other JVMTI Method functions |
19 | JDK-8140091 | hotspot | runtime | remove VMStructs cast_uint64_t workaround for GCC 4.1.1 bug |
20 | JDK-8148854 | hotspot | runtime | Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent |
21 | JDK-8217338 | hotspot | runtime | [Containers] Improve systemd slice memory limit support |
22 | JDK-8217766 | hotspot | runtime | Container Support doesn't work for some Join Controllers combinations |
23 | JDK-8221408 | hotspot | runtime | Windows 32bit build build errors/warnings in hotspot |
24 | JDK-8221725 | hotspot | runtime | AArch64 build failures after JDK-8221408 (Windows 32bit build build errors/warnings in hotspot) |
25 | JDK-8227006 | hotspot | runtime | [linux] Runtime.availableProcessors execution time increased by factor of 100 |
26 | JDK-8246648 | hotspot | runtime | issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480 |
27 | JDK-8247839 | javafx | graphics | Wrong position of GUI elements using multiple HiDPI displays in JavaFX 8 |
28 | JDK-8252060 | javafx | media | gstreamer fails to build with gcc 10 |
29 | JDK-8254100 | javafx | other | FX: Update copyright year in docs, readme files to 2021 |
30 | JDK-8181775 | javafx | web | JavaFX WebView does not calculate border-radius properly |
31 | JDK-8234471 | javafx | web | Canvas in webview displayed with wrong scale on Windows |
32 | JDK-8251241 | javafx | window-toolkit | macOS: iconify property doesn't change after minimize when resizable is false |
33 | JDK-8244151 | security-libs | javax.smartcardio | Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 |
The following sections summarize changes made in all Java SE 8u271 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8256818 | security-libs | javax.net.ssl | SSLSocket that is never bound or connected leaks socket resources |
JDK-8257670 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks |
JDK-8257997 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 |
JDK-8255908 | core-libs | ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem | |
JDK-8250627 | core-libs | Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics | |
JDK-8256685 | xml | jaxp | Behavior change in XML since jdk1.8.0_271 |
JDK-8238579 | core-libs | java.net | HttpsURLConnection drops the timeout and hangs forever in read |
JDK-8254982 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020c |
JDK-8255226 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020d |
JDK-8250984 | hotspot | runtime | Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8255559 | security-libs | javax.xml.crypto | Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8253502 (Confidential) | hotspot | svc | No certificates in "Request Authentication" dialog after upgrading to 8u261 |
JDK-8252455 (Confidential) | core-libs | java.net | Performance issue caused by 8232854 |
JDK-8206925 | security-libs | javax.net.ssl | Support the certificate_authorities extension |
JDK-8250676 (Confidential) | hotspot | svc | JFR recording MonitorEnter events - Stack trace caching |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8254177 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020b. |
October 20, 2020
The full version string for this update release is 1.8.0_271-b09 (where "b" means "build"). The version number is 8u271.
JDK 8u271 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u271 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_271-b09 |
7 | 1.7.0_281-b06 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u271) be used after the next critical patch update scheduled for January 19, 2021.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u271) on February 20, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Weak named curves are disabled by default by adding them to the following disabledAlgorithms
security properties: jdk.tls.disabledAlgorithms
, jdk.certpath.disabledAlgorithms
, and jdk.jar.disabledAlgorithms
. The named curves are listed below.
With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms
property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves
, is implemented that can list the named curves common to all of the disabledAlgorithms
properties. To use the new property in the disabledAlgorithms
properties, precede the full property name with the keyword include
. Users can still add individual named curves to disabledAlgorithms
properties separate from this new property. No other properties can be included in the disabledAlgorithms
properties.
To restore the named curves, remove the include jdk.disabled.namedCurves
either from specific or from all disabledAlgorithms
security properties.
To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves
property.
Curves that are disabled through jdk.disabled.namedCurves
include the following:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448
The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.
As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).
Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals
security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals
security or system property to any positive value.
See further information in JDK-8223172.
A new system property, jdk.tls.maxHandshakeMessageSize
, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).
A new system property, jdk.tls.maxCertificateChainLength
, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.
The keytool
and jarsigner
tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms
security property in the java.security
configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.
The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.
The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).
NPAPI is considered to be a vulnerable plugin and has been disabled in many browsers. No browsers currently support Java Plugin, which is NPAPI-based, on Linux, Solaris, and MacOS platforms.
Starting from 8u271, the part of Java Plugin responsible for integration and interaction with a browser (in particular libnpjp2
library) and an associated artifact will not be built and is not part of the JRE distribution on Linux, Solaris, and MacOS platforms.
A new environment property,
jdk.jndi.ldap.mechsAllowedToSendCredentials
, has been added to
control which LDAP authentication mechanisms are allowed to send
credentials over clear
LDAP connections - a connection not secured
with TLS. An encrypted
LDAP connection is a connection opened
by using ldaps
scheme, or a connection opened by using ldap
scheme
and then upgraded to TLS with a STARTTLS extended operation.
The value of the property, which is by default not set, is a comma
separated list of the mechanism names that are permitted to authenticate
over a clear
connection. If a value is not specified for the property, then all mechanisms
are allowed. If the specified value is an empty list, then no mechanisms are
allowed (except for none
and anonymous
). The default value for this property is 'null'
( i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials")
returns 'null'). To explicitly permit all mechanisms to authenticate over a clear
connection, the property
value can be set to "all"
. If a connection is downgraded from
encrypted
to clear
, then only the mechanisms that are explicitly permitted are allowed.
The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.
Note: none
and anonymous
authentication mechanisms are exempted
from these rules and are always allowed regardless of the property value.
The following root certificates have been added to the cacerts truststore:
+ SSL Corporation
+ sslrootrsaca
DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrootevrsaca
DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrooteccca
DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
The following root certificate has been added to the cacerts truststore:
+ Entrust
+ entrustrootcag4
DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only",
OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java
and javac
. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac
group with alternatives framework. All links unique to the javac
group have been moved into the java
group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.
The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java
group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command:
/usr/sbin/alternatives --auto java
Some text in the Installer window is hidden/invisible when using Dark mode on macOS. To workaround this issue, switch to Light mode when running the installer. This issue should be resolved by JDK-8249683.
The deserialization of java.lang.reflect.Proxy
objects can be limited by setting the system property jdk.serialProxyInterfaceLimit
.
The limit is the maximum number of interfaces allowed per Proxy in the stream.
Setting the limit to zero prevents any Proxies from being deserialized including Annotations, a limit of less than 2 might interfere with RMI operations.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8198406 | client-libs | 2d | Test TestAATMorxFont is unstable |
2 | JDK-8220150 | client-libs | 2d | [macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs |
3 | JDK-8236996 | client-libs | 2d | Incorrect Roboto font rendering on Windows with subpixel antialiasing |
4 | JDK-8244818 | client-libs | 2d | [macos] Java2D Queue Flusher crash while moving application window to external monitor |
5 | JDK-6966205 | client-libs | java.awt | closed/sun/awt/font/DeriveFont.java failed with compilation error |
6 | JDK-8183286 | client-libs | java.awt | Some java/awt and javax/swing tests miss headful jtreg keyword |
7 | JDK-8198612 | client-libs | java.awt | Headful closed tests should not be run in headless mode |
8 | JDK-8030123 | client-libs | java.beans | java/beans/Introspector/Test8027648.java fails |
9 | JDK-8060027 | client-libs | java.beans | Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java |
10 | JDK-8156579 | client-libs | java.beans | Two JavaBeans tests failed |
11 | JDK-8156581 | client-libs | java.beans | Cleanup of ProblemList.txt |
12 | JDK-8249278 | client-libs | javax.accessibility | Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList |
13 | JDK-8183341 | client-libs | javax.imageio | Better cleanup for javax/imageio/AllowSearch.java |
14 | JDK-8183349 | client-libs | javax.imageio | Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java |
15 | JDK-8183351 | client-libs | javax.imageio | Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh |
16 | JDK-7109623 | client-libs | javax.sound | javax/sound/sampled/DirectAudio/bug6372428.java failed |
17 | JDK-8047222 | client-libs | javax.sound | Test closed/javax/sound/sampled/Clip/bug6251460.java fails if run with 32-bit java on Windows 64-bit host |
18 | JDK-8148983 | client-libs | javax.sound | Fix extra comma in changes for JDK-8148916 |
19 | JDK-8153725 | client-libs | javax.sound | Problem list javax/sound/sampled/DirectAudio/bug6400879.java for Linux |
20 | JDK-8156169 | client-libs | javax.sound | Some sound tests rarely hangs because of incorrect synchronization |
21 | JDK-8160217 | client-libs | javax.sound | JavaSound should clean up resources better |
22 | JDK-6962725 | client-libs | javax.swing | Regtest javax/swing/JFileChooser/6738668/bug6738668.java fails under Linux |
23 | JDK-8198004 | client-libs | javax.swing | javax/swing/JFileChooser/6868611/bug6868611.java throws error |
24 | JDK-8198321 | client-libs | javax.swing | javax/swing/JEditorPane/5076514/bug5076514.java fails |
25 | JDK-8249251 | client-libs | javax.swing | [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel |
26 | JDK-8168517 | core-libs | java.lang | java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" |
27 | JDK-8151788 | core-libs | java.net | NullPointerException from ntlm.Client.type3 |
28 | JDK-8192953 | core-svc | java.lang.management | sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied |
29 | JDK-8242884 | deploy | plugin | 8u241 32 bit SSV Helper causes long load time and page load on IE11 |
30 | JDK-8145096 | hotspot | compiler | Undefined behaviour in HotSpot |
31 | JDK-8215265 | hotspot | compiler | C2: range check elimination may allow illegal out of bound access |
32 | JDK-8023697 | hotspot | runtime | failed class resolution reports different class name in detail message for the first and subsequent times |
33 | JDK-8048933 | hotspot | runtime | -XX:+TraceExceptions output should include the message |
34 | JDK-8064319 | hotspot | runtime | Need to enable -XX:+TraceExceptions in release builds |
35 | JDK-8235243 | hotspot | runtime | handle VS2017 15.9 and VS2019 in abstract_vm_version |
36 | JDK-8240295 | hotspot | runtime | hs_err elapsed time in seconds is not accurate enough |
37 | JDK-8193800 | javafx | controls | TreeTableView selection changes on sorting |
38 | JDK-8129582 | javafx | graphics | Controls slow considerably when displaying RTL-languages text on Linux |
39 | JDK-8246204 | javafx | graphics | No 3D support for newer Intel graphics drivers on Linux |
40 | JDK-8246348 | javafx | graphics | Crash in libpango on Ubuntu 20.04 with some unicode chars |
41 | JDK-8239095 | javafx | media | Upgrade libFFI to the latest 3.3 version |
42 | JDK-8248365 | javafx | media | Debug build crashes on Windows when playing media file |
43 | JDK-8252107 | javafx | media | Media pipeline initialization can crash if audio or video bin state change fails |
44 | JDK-8191758 | javafx | web | Match WebKit's font weight rendering with JavaFX |
45 | JDK-8208169 | javafx | web | can not print selected pages of web page |
46 | JDK-8245284 | javafx | web | Update to 610.1 version of WebKit |
47 | JDK-8246357 | javafx | web | Allow static build of webkit library on linux |
48 | JDK-8247963 | javafx | web | Update SQLite to version 3.32.3 |
49 | JDK-8249839 | javafx | web | Cherry pick GTK WebKit 2.28.3 changes |
50 | JDK-8252381 | javafx | web | Cherry pick GTK WebKit 2.28.4 changes |
51 | JDK-8248490 | javafx | window-toolkit | [macOS] Undecorated stage does not minimize |
52 | JDK-8141457 | security-libs | java.security | keytool default cert fingerprint algorithm should be SHA-256 |
53 | JDK-8211049 | security-libs | java.security | Second parameter of "initialize" method is not used |
54 | JDK-8242556 | security-libs | java.security | Cannot load RSASSA-PSS public key with non-null params from byte array |
55 | JDK-8245151 | security-libs | java.security | jarsigner should not raise duplicate warnings on verification |
56 | JDK-8205111 | security-libs | javax.net.ssl | Develop new Test to verify different key types for supported TLS protocols. |
57 | JDK-8215443 | security-libs | javax.net.ssl | The use of TransportContext.fatal() leads to bad coding style |
58 | JDK-8236464 | security-libs | javax.net.ssl | SO_LINGER option is ignored by SSLSocket in JDK 11 |
59 | JDK-8226719 | security-libs | org.ietf.jgss | Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message" |
60 | JDK-8227381 | security-libs | org.ietf.jgss | GSS login fails with PREAUTH_FAILED |
61 | JDK-8227437 | security-libs | org.ietf.jgss:krb5 | S4U2proxy cannot continue because server's TGT cannot be found |
62 | JDK-8246193 | security-libs | org.ietf.jgss:krb5 | Possible NPE in ENC-PA-REP search in AS-REQ |
63 | JDK-8250582 | security-libs | org.ietf.jgss:krb5 | Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets |
64 | JDK-8249717 | tools | javac | langtools tests are failing on Windows in jdk8u-cpu |
65 | JDK-8248348 | xml | jaxp | Regression caused by the update to BCEL 6.0 |
The following sections summarize changes made in all Java SE 8u261 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8252789 | deploy | deployment_toolkit | Empty client certificate issue during TLS handshake |
8249183 | client-libs | java.awt | JVM crash in "AwtFrame::WmSize" method |
8249846 | core-libs | java.util.concurrent | Change of behavior after JDK-8237117: Better ForkJoinPool behavior |
8252861 | deploy | Disable TLSv1.3 by default on deploy configurations |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8248505 | security-libs | java.security | Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider |
8248990 (Confidential) | docs | guides | Remove link to old license page from JDK 8 troubleshooting guide |
8248523 (Confidential) | docs | guides | In TLS overview page, change JDK 11 to JDK 8 |
8235932 (Confidential) | docs | guides | Backport TLS 1.3 documentation for JDK 8u MR3 |
8245624 (Confidential) | embedded | hotspot | Arm support missing for JDK-8176100 |
8062947 | core-libs | javax.naming | Fix exception message to correctly represent LDAP connection failure |
8217606 | core-libs | javax.naming | LdapContext#reconnect always opens a new connection |
8151678 | core-libs | javax.naming | com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect |
8243138 | core-libs | javax.naming | Enhance BaseLdapServer to support starttls extended request |
8247925 (Confidential) | xml | jaxp | JDK8u251- XSL transformer fails with TransformerConfigurationException |
July 14, 2020
The full version string for this update release is 1.8.0_261-b12 (where "b" means "build"). The version number is 8u261.
JDK 8u261 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u261 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_261-b12 |
7 | 1.7.0_271-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u261) be used after the next critical patch update scheduled for October 20, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u261) on November 17, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
As part of ongoing maintenance, the Microsoft Visual Studio 2017 tool chain will be used to build JDK 7 and JDK 8 for Windows. JDK 8u261, in the July 2020 CPU, was built with Visual Studio 2017. With the release of the January 2021 CPU, JDK 7u291 will move to Visual Studio 2017.
Moving to Visual Studio 2017 for JDK 7 and JDK 8 requires changing the runtime library that the JDK/JRE depends on. Before this change, JDK/JRE implementations used and shipped the Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) that included MSVCR100.dll
[a][b]. Microsoft Visual Studio 2017 uses a different set of libraries/DLLs.
Native applications (including JNI) that have depended on and assumed the presence of MSCVR100.dll
in the JDK/JRE directory will fail to run. When this happens, users will see an error such as:
"The code execution cannot proceed because MSVCR100.dll was not found. Reinstalling the program may fix this problem."
These applications should be rebuilt and shipped with modern C++ runtime dependencies that use a later instance of Visual Studio. Applications should not depend on DLLs included with the JDK/JRE that are not documented in the product as offering support for the specification or other functionality in Java SE.
[a] http://support.microsoft.com/kb/2019667
[b] https://docs.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2020
Added support for RSASSA-PSS signature algorithms in JSSE implementation.
JDK 8u261 includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). For more details including a list of the features that are supported, refer to the Java Secure Socket Extension (JSSE) Reference Guide documentation and JEP 332.
For TLS 1.3, the following new standard algorithm names are defined:
SSLContext
algorithm name: TLSv1.3TLS 1.3 is disabled for default SSLContext("SSL" or "TLS") for client end-point.
The TLS 1.3 protocol can be enabled using several mechanisms already available in the JDK. For example, TLS 1.3 protocol can be enabled on SSL/TLS connections using SSLSocket/SSLEngine/SSLServerSocket APIs and system properties by the following:
sslSocket.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2"});
SSLContext ctx = SSLContext.getInstance("TLSv1.3");
sslParameters.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
jdk.tls.client.protocols
system property can also be used to control the protocols in use for a TLS connection. One may launch their application with this property. For example, java -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2"
enables TLSv1.3 and TLSv1.2 on client SSLSockets.https.protocols
system property can also be used to control the protocols on connection obtained through use of the HttpsURLConnection
class or URL.openStream()
operations. For example, -Dhttps.protocols=TLSv1.3,TLSv1.2
.A new system property, jdk.tls.server.protocols
, has been added to configure the default enabled protocol suite in the server side of the SunJSSE provider.
A new security property, jdk.tls.keyLimits
, has been added for TLS 1.3. When the specified amount of data of a specific algorithm has been processed, a post-handshake Key and IV Update is triggered to derive new keys.
Note that TLS 1.3 is not directly compatible with previous versions. Although TLS 1.3 can be implemented with a backward-compatibility mode, there are still several compatibility risks to take into account when upgrading to TLS 1.3:
jdk.tls.acknowledgeCloseNotify
, is added. The default value of the system property is "false". If the system property is set to "true", a corresponding close_notify
alert will be sent when receiving a close_notify
alert, and the connection will be duplex closed.signature_algorithms_cert
extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application can use unsupported signature algorithms.com.sun.net.ssl.dhKeyExchangeFix
system property has been removed from the new TLS implementation.Improved JSSE debug logging format has been introduced to record the logger name, the logger level, the thread ID, the thread name, the time and the caller for each log item. Use the javax.net.debug=all
system property to get full debug logs.
Since January 2018 (8u161, 7u171) unlimited Java Cryptography Extension (JCE) Jurisdiction Policy files have been bundled with the JDK and enabled by default (see JDK Cryptographic Roadmap).
The certificate for the old stand alone jar has expired, and if used the following exception will be seen:
Caused By: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.) at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:336) at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378) at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323) at javax.crypto.JceSecurity.access$000(JceSecurity.java:50) at javax.crypto.JceSecurity$1.run(JceSecurity.java:85) at java.security.AccessController.doPrivileged(Native Method) at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)
If still required for older releases the re-signed files can be found at https://www.oracle.com/java/technologies/oracle-java-archive-downloads.html
Two new system properties have been added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes
has been added for the TLS client side, and jdk.tls.server.SignatureSchemes
has been added for the server side.
Each system property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections.
The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.
The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups
TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups
, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHE
to false
.
Build Environment Update for macOS Moved to Xcode 10.1 On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.
security-libs/java.security
➜ Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts
keystore:
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
See JDK-8225068
Media playback does not work on Ubuntu 20.04. This affects all media formats (such as, mp4, mp3, wav, etc.). In some cases, an error will be thrown. In other cases, the media player will switch to the ready state, but playback will not start. There is no workaround for this issue. This issue should be resolved by JDK-8239095.
The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection)
. In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be (aware of/monitor) the significant resources required involved in making the copy.
Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias
method in multiple iterations while performing client authentication. One key type per call. https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-
If application code implements javax.net.ssl.X509KeyManager
, ensure that the code logic in that implementation does not assume that all keytypes are passed in the keyType
String array in the first call to chooseClientAlias: String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
This version of the JDK no longer includes Java Mission Control (JMC). The jmc
launcher has been removed from the JDK bin
directory, and the missioncontrol
directory has been removed from the JDK lib
directory. The .jfr
file association is not registered by JDK installers. JMC is now available as a separate download. Please visit https://www.oracle.com/javase/jmc for more information.
JDK 8u261 release includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). The following are descriptions of "Known Issues" which an application might encounter during a SSL handshake, post upgrade to Oracle JDK/JRE 8u261:
javax.net.ssl|SEVERE|C8|....|TransportContext.java:319|Fatal (HANDSHAKE_FAILURE): Received fatal
alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:187)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1198)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1107)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:372)
Cause: One possible cause is old server intolerance to FFDHE arguments. As per TLS RFC 7919 on server behavior If a compatible TLS server receives a Supported Groups extension from a client that includes any FFDHE group (i.e., any codepoint between 256 and 511, inclusive, even if unknown to the server), and if none of the client-proposed FFDHE groups are known and acceptable to the server, then the server MUST NOT select an FFDHE cipher suite. In this case, the server SHOULD select an acceptable non-FFDHE cipher suite from the client's offered list. If the extension is present with FFDHE groups, none of the client's offered groups are acceptable by the server, and none of the client's proposed non-FFDHE cipher suites are acceptable to the server, the server MUST end the connection with a fatal TLS alert of type insufficient_security(71).
Solution: In Oracle JDK 8u261, Finite Field Diffie-Hellman Ephemeral (FFDHE) is enabled by default. User can disable FFDHE via security property "-Djsse.enableFFDHE=false on the server (See JDK-8252716)
javax.net.ssl.SSLProtocolException: Received close_notify during handshake
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
at sun.security.ssl.TransportContext.dispatch(Unknown Source)
at sun.security.ssl.SSLTransport.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown
Cause: In case of an SSL abbreviated handshake (session resumption) SSL client is adding extra extensions than the agreed protocol's supported extensions. While it is TLS RFC complaint, some old non-compliant server implementations may reject this ClientHello.
Solution: As a work around specify System property -Djdk.tls.client.protocols=
Following method reference count would increase in memory profilers
HashMap$Node[] java.util.HashMap.resize()
void sun.security.ssl.SSLSessionContextImpl.put(SSLSessionImpl)
void sun.security.util.MemoryCache.put(Object, Object)
Object java.util.HashMap.put(Object, Object)
Object java.util.HashMap.putVal(int, Object, Object, boolean, boolean)
HashMap$Node[] java.util.HashMap.resize()
Cause: In 8u261, System Property SSLSessionContext.getSessionCacheSize default value was changed from 0 to 20480 ( see JDK-8210985 ) The change was made since with larger heaps, applications are running into situations where the cache ends up with several million entries at the 24 hour mark, at which time many of them are invalidated at almost the same time, which can result in multi-minute pauses, which are effectively service failures.
Solution: Revert back to JDK 8u251 behaviour by setting System Property "-Djavax.net.ssl.sessionCacheSize=0" (set number of entries in the SSL session cache to infinite)
Cause: The internal implementation of the SSLEngine and associated classes has been reworked with the introduction of TLS v1.3 support. Buffer usage has been improved in the SSLEngine area.
Solution: If an SSLEngine application encounters issues after upgrading to JDK 8u261 or later, refer to the Java 8 API to ensure application code is correct. In particular, applications using SSLEngine should not just depend on SSLEngineResult.Status.BUFFER_UNDERFLOW or SSLEngineResult.Status.BUFFER_OVERFLOW results in order to flush pending data. Buffers should always be flushed after an SSLEngine wrap operation if such a call produces data (where SSLEngineResult.Status.OK may be returned).
Cause: If deployment.security.clientauth.keystore.auto=false in the deployment.properties file Java Plugin and Java Web Start show “Request Authentication” dialog regardless the number of available certificates. However due to some modifications introduced by TLS 1.3 framework sometimes the list of available certificates might be empty.
Solution: There are two possible ways to resolve the issue:
Set deployment System Property deployment.security.clientauth.keystore.auto=true
Upgrade to new version 8u281 of Oracle JDK contained the fix for the issue
(see JDK-8253502 )
javax.net.ssl|WARNING|03|Finalizer|2020-08-31 09:42:20.203 EDT|null:-1|SSLSocket duplex close failed (
"throwable" : {
java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.duplexCloseOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.close(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.finalize(Unknown Source)
at java.lang.System$2.invokeFinalize(Unknown Source)
at java.lang.ref.Finalizer.runFinalizer(Unknown Source)
at java.lang.ref.Finalizer.access$100(Unknown Source)
at java.lang.ref.Finalizer$FinalizerThread.run(Unknown Source)}
Cause: JDK 8u261 introduced a new format for TLS logging. Additional data is now captured per event and logged. Exceptions handled by the JDK TLS library code may print verbose information about the cause of such exceptions when logging is enabled.
Solution: User can safely ignore these Warning messages
Symptoms: New/Unexpected issues from 3rd party library software being used in conjunction with the JDK.
Cause: The new TLS implementation introduces significant changes to the internal, underlying, design of the JDK TLS security libraries. The new design has exposed some bugs in 3rd party software libraries. For the most part, these issues have already been patched in such 3rd party libraries.
Examples include: Apache http-core Bouncy Castle Jetty
Solution: It's good practice to ensure that 3rd party library products being used in conjunction with the JDK TLS API are patched and up to date.
On Windows 7, the Internet Explorer 11 (IE 11) JavaScript engine does not interact properly with Java Applets because, beginning with 8u261, the JDK/JRE is compiled with VisualStudio 2017. For example, an application that uses the JavaScript methods setTimeout()
and setInterval()
may cause IE 11 to hang when a modal dialog is shown by a Java Applet.
Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java
and javac
. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac
group with alternatives framework. All links unique to the javac
group have been moved into the java
group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.
The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java
group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command: /usr/sbin/alternatives --auto java
When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean
methods in this release return container specific information, if available. Otherwise, they return host specific data:
getFreePhysicalMemorySize()
getTotalPhysicalMemorySize()
getFreeSwapSpaceSize()
getTotalSwapSpaceSize()
getSystemCpuLoad()
The default SSL session cache size has been updated to 20480 in this JDK release
BoringSSL is an SSL library deployed on some popular websites such as those run by Google/YouTube. An interoperability issue with the BoringSSL library can lead to a connection failure if TLSv1.3 is presented as the only enabled protocol in the ClientHello message and the certificate status_request extension is disabled. Enabling the certificate status_request extension by setting the jdk.tls.client.enableStatusRequestExtension
system property to true
will provide mitigation in such scenarios.
When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter
the method must be called before reading any objects from the stream. If the methods readObject
or readUnshared
are called, the setObjectInputFilter
method throws IllegalStateException
.
In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider.
In the SunJSSE provider, the following ciphersuites are now the most preferred by default:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases.
client-libs/javax.swing
➜ Deprecated NSWindowStyleMaskTexturedBackground
After an upgrade of the macOS SDK used to build the JDK, the behavior of the apple.awt.brushMetalLook
and textured
Swing properties has changed. When these properties are set, the title of the frame is still visible. It is recommended that the apple.awt.transparentTitleBar
property be set to true
to make the title of the frame invisible again. The apple.awt.fullWindowContent
property can also be used.
Please note that Textured window
support was implemented by using the NSTexturedBackgroundWindowMask
value of NSWindowStyleMask
. However, this was deprecated in macOS 10.12 along with NSWindowStyleMaskTexturedBackground
, which was deprecated in macOS 10.14.
For additional information, refer to the following documentation:
See JDK-8240995
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8130737 | client-libs | 2d | [macosx] AffineTransformOp can't handle child raster with non-zero x-offset |
2 | JDK-8211301 | client-libs | java.awt | [macos] support full window content options |
3 | JDK-8214046 | client-libs | java.awt | [macosx] Undecorated Frame does not Iconify when set to |
4 | JDK-8231438 | client-libs | java.awt | [macOS] Dark mode for the desktop is not supported |
5 | JDK-8242498 | client-libs | java.awt | Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash |
6 | JDK-8226253 | client-libs | javax.accessibility | JAWS reports wrong number of radio buttons when buttons are hidden |
7 | JDK-8238842 | client-libs | javax.imageio | AIOOBE in GIFImageReader.initializeStringTable |
8 | JDK-8194298 | core-libs | java.net | Add support for per Socket configuration of TCP keepalive |
9 | JDK-8232854 | core-libs | java.net | URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails |
10 | JDK-8044365 | core-libs | java.nio | (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) |
11 | JDK-8229888 | core-libs | java.nio | (zipfs) Updating an existing zip file does not preserve original permissions |
12 | JDK-8146356 | core-libs | java.time | java.time.format.TextStyle.FULL_STANDALONE does not work well while formatting months. |
13 | JDK-8165936 | core-libs | java.util:i18n | Potential Heap buffer overflow when seaching timezone info files |
14 | JDK-8228477 | core-libs | java.util:i18n | Have calendar revert to default names if no standalone resources exist |
15 | JDK-8214440 | core-libs | javax.naming | ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate" |
16 | JDK-8193137 | core-libs | jdk.nashorn | Nashorn crashes when given an empty script file. |
17 | JDK-8226575 | core-svc | java.lang.management | OperatingSystemMXBean should be made container aware |
18 | JDK-8239332 | deploy | plugin | LiveConnect netscape.javascript.JSException: No such property "outerWidthX" on JavaScript object |
19 | JDK-8170074 | docs | guides | Typos on "How Classes are Found" web page on Oracle site |
20 | JDK-8240337 | docs | guides | JDK 8 Developer Guides index.html page has incorrect links |
21 | JDK-8241531 | docs | guides | Update copyright page for JDK 8 docs |
22 | JDK-8243337 | docs | guides | Java Print Service API User's Guide contains typos and formatting errors |
23 | JDK-8243584 | docs | guides | Malformed HTML in the Serialization section of the JDK 8 developer guides |
24 | JDK-8181872 | hotspot | compiler | C1: possible overflow when strength reducing integer multiply by constant |
25 | JDK-8062808 | hotspot | gc | Turn on the -Wreturn-type warning |
26 | JDK-8064786 | hotspot | gc | Fix debug build after 8062808: Turn on the -Wreturn-type warning |
27 | JDK-8141056 | hotspot | gc | Erroneous assignment in HeapRegionSet.cpp |
28 | JDK-8176100 | hotspot | gc | [REDO][REDO] G1 Needs pre barrier on dereference of weak JNI handles |
29 | JDK-8191393 | hotspot | gc | Random crashes during cfree+0x1c |
30 | JDK-8225716 | hotspot | gc | G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding |
31 | JDK-8231779 | hotspot | gc | crash HeapWord*ParallelScavengeHeap::failed_mem_allocate |
32 | JDK-8041626 | hotspot | jfr | Shutdown tracing event |
33 | JDK-8213617 | hotspot | jfr | JFR should record the PID of the recorded process |
34 | JDK-8035493 | hotspot | jvmti | JVMTI PopFrame capability must instruct compilers not to prune locals |
35 | JDK-8060721 | hotspot | runtime | Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler |
36 | JDK-8076475 | hotspot | runtime | Misuses of strncpy/strncat |
37 | JDK-8187667 | hotspot | runtime | Disable deprecation warning for readdir_r |
38 | JDK-8223671 | infrastructure | The latest Java 8 is not ready to use in applications on future macOS versions | |
39 | JDK-8237820 | infrastructure | build | remove clang version check for optimization bug workaround from 8u |
40 | JDK-8240780 | infrastructure | build | [8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds |
41 | JDK-8232811 | javafx | controls | Dialog's preferred size no longer accommodates multi-line strings |
42 | JDK-8189092 | javafx | graphics | ArrayIndexOutOfBoundsException on Linux in getCachedGlyph |
43 | JDK-8212034 | javafx | graphics | Potential memory leaks in jpegLoader.c in error case |
44 | JDK-8234916 | javafx | graphics | [macos 10.15] Garbled text running with native-image |
45 | JDK-8237782 | javafx | graphics | Only read advances up to the minimum of the numHorMetrics or the available font data. |
46 | JDK-8237833 | javafx | graphics | Check glyph size before adding to glyph texture cache. |
47 | JDK-8239107 | javafx | graphics | Update libjpeg to version 9d |
48 | JDK-8241370 | javafx | graphics | Crash in JPEGImageLoader after fix for JDK-8212034 |
49 | JDK-8202393 | javafx | media | App Transport Security blocks http media on macOS with JDK build using new compilers |
50 | JDK-8236832 | javafx | media | [macos 10.15] JavaFX Application hangs on video play on Catalina |
51 | JDK-8240694 | javafx | media | [macos 10.15] JavaFX Media hangs on some video files on Catalina |
52 | JDK-8241629 | javafx | media | [macos10.15] Long startup delay playing media over https on Catalina |
53 | JDK-8242530 | javafx | media | [macos] Some audio files miss spectrum data when another audio file plays first |
54 | JDK-8238434 | javafx | samples | Ensemble: Update version of Lucene to 7.7.2 |
55 | JDK-8132880 | javafx | scenegraph | Unpredictable behaviour when trying to set negative scene width or height |
56 | JDK-8223298 | javafx | web | SVG patterns are drawn wrong |
57 | JDK-8237889 | javafx | web | Update libxml2 to version 2.9.10 |
58 | JDK-8237944 | javafx | web | webview native cl "-m32" unknown option for windows 32-bit build |
59 | JDK-8242209 | javafx | web | Increase web native thread stack size for x86 mode |
60 | JDK-8244579 | javafx | web | Windows "User Objects" leakage with WebView |
61 | JDK-8181476 | javafx | window-toolkit | [macos] Stages with StageStyle.UTILITY are always on-top when initialized without an owner |
62 | JDK-8234474 | javafx | window-toolkit | [macos 10.15] Crash in file dialog in sandbox mode |
63 | JDK-8236685 | javafx | window-toolkit | [macOs] Remove obsolete file dialog subclasses |
64 | JDK-8236971 | javafx | window-toolkit | [macos] Gestures handled incorrectly due to missing events |
65 | JDK-7092821 | security-libs | java.security | java.security.Provider.getService() is synchronized and became scalability bottleneck |
66 | JDK-8028431 | security-libs | java.security | NullPointerException in DerValue.equals(DerValue) |
67 | JDK-8028591 | security-libs | java.security | NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString() |
68 | JDK-8181841 | security-libs | java.security | A TSA server returns timestamp with precision higher than milliseconds |
69 | JDK-8228613 | security-libs | java.security | java.security.Provider#getServices order is no longer deterministic |
70 | JDK-8231387 | security-libs | java.security | java.security.Provider.getService returns random result due to race condition with mutating methods in the same class |
71 | JDK-8238452 | security-libs | java.security | Keytool generates wrong expiration date if validity is set to 2050/01/01 |
72 | JDK-8177784 | security-libs | javax.crypto | Use CounterMode intrinsic for AES/GCM |
73 | JDK-8179098 | security-libs | javax.crypto | Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73) |
74 | JDK-8201633 | security-libs | javax.crypto | Problems with AES-GCM native acceleration |
75 | JDK-8220165 | security-libs | javax.crypto | Encryption using GCM results in RuntimeException: input length out of bound |
76 | JDK-8233954 | security-libs | javax.crypto | UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll |
77 | JDK-8165275 | security-libs | javax.crypto:pkcs11 | Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey |
78 | JDK-4919790 | security-libs | javax.net.ssl | Errors in alert ssl message does not reflect the actual certificate status |
79 | JDK-7013776 | security-libs | javax.net.ssl | Multithreaded JSSE application debug information is hard to read |
80 | JDK-8028518 | security-libs | javax.net.ssl | Increase the priorities of GCM cipher suites |
81 | JDK-8145854 | security-libs | javax.net.ssl | SSLContextImpl.statusResponseManager should be generated if required |
82 | JDK-8166595 | security-libs | javax.net.ssl | TLS Support for RSASSA-PSS Signature Algorithms |
83 | JDK-8185576 | security-libs | javax.net.ssl | New handshake implementation |
84 | JDK-8206355 | security-libs | javax.net.ssl | SSLSessionImpl.getLocalPrincipal() throws NPE |
85 | JDK-8206929 | security-libs | javax.net.ssl | Check session context for TLS 1.3 session resumption |
86 | JDK-8207009 | security-libs | javax.net.ssl | TLS 1.3 half-close and synchronization issues |
87 | JDK-8207029 | security-libs | javax.net.ssl | Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21 |
88 | JDK-8207058 | security-libs | javax.net.ssl | Backport System Property jdk.tls.server.protocols |
89 | JDK-8207223 | security-libs | javax.net.ssl | SSL Handshake failures are reported with more generic SSLException |
90 | JDK-8207317 | security-libs | javax.net.ssl | SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy |
91 | JDK-8208166 | security-libs | javax.net.ssl | Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029 |
92 | JDK-8209333 | security-libs | javax.net.ssl | Socket reset issue for TLS 1.3 socket close |
93 | JDK-8209916 | security-libs | javax.net.ssl | NPE in SupportedGroupsExtension |
94 | JDK-8209965 | security-libs | javax.net.ssl | The "supported_groups" extension in ServerHellos |
95 | JDK-8210334 | security-libs | javax.net.ssl | TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes |
96 | JDK-8210846 | security-libs | javax.net.ssl | TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth |
97 | JDK-8210974 | security-libs | javax.net.ssl | No extensions debug log for ClientHello |
98 | JDK-8210985 | security-libs | javax.net.ssl | Update the default SSL session cache size to 20480 |
99 | JDK-8210989 | security-libs | javax.net.ssl | RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2 |
100 | JDK-8211339 | security-libs | javax.net.ssl | NPE during SSL handshake caused by HostnameChecker |
101 | JDK-8211806 | security-libs | javax.net.ssl | TLS 1.3 handshake server name indication is missing on a session resume |
102 | JDK-8211866 | security-libs | javax.net.ssl | TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms |
103 | JDK-8212738 | security-libs | javax.net.ssl | Incorrectly named signature scheme ecdsa_secp512r1_sha512 |
104 | JDK-8212885 | security-libs | javax.net.ssl | TLS 1.3 resumed session does not retain peer certificate chain |
105 | JDK-8213202 | security-libs | javax.net.ssl | Possible race condition in TLS 1.3 session resumption |
106 | JDK-8213782 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers |
107 | JDK-8214098 | security-libs | javax.net.ssl | sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards. |
108 | JDK-8214129 | security-libs | javax.net.ssl | SSL session resumption/SNI with TLS1.2 causes StackOverflowError |
109 | JDK-8214339 | security-libs | javax.net.ssl | SSLSocketImpl erroneously wraps SocketException |
110 | JDK-8214688 | security-libs | javax.net.ssl | TLS 1.3 session resumption with hello retry request failed with "illegal_parameter" |
111 | JDK-8215524 | security-libs | javax.net.ssl | Finished message validation failure should be decrypt_error alert |
112 | JDK-8215711 | security-libs | javax.net.ssl | Missing key_share extension for (EC)DHE key exchange should alert missing_extension |
113 | JDK-8215790 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws java.nio.BufferUnderflowException |
114 | JDK-8216045 | security-libs | javax.net.ssl | The size of key_exchange may be wrong on FFDHE |
115 | JDK-8216326 | security-libs | javax.net.ssl | SSLSocket stream close() does not close the associated socket |
116 | JDK-8217610 | security-libs | javax.net.ssl | TLSv1.3 fail with ClassException when EC keys are stored in PKCS11 |
117 | JDK-8219389 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws BufferUnderflowException |
118 | JDK-8221253 | security-libs | javax.net.ssl | TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes |
119 | JDK-8223482 | security-libs | javax.net.ssl | Unsupported ciphersuites may be offered by a TLS client |
120 | JDK-8223940 | security-libs | javax.net.ssl | Private key not supported by chosen signature algorithm |
121 | JDK-8225766 | security-libs | javax.net.ssl | Curve in certificate should not affect signature scheme when using TLSv1.3 |
122 | JDK-8228757 | security-libs | javax.net.ssl | Fail fast if the handshake type is unknown |
123 | JDK-8235263 | security-libs | javax.net.ssl | Revert TLS 1.3 change that wrapped IOExceptions |
124 | JDK-8235311 | security-libs | javax.net.ssl | Tag mismatch may alert bad_record_mac |
125 | JDK-8235874 | security-libs | javax.net.ssl | The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property. |
126 | JDK-8236039 | security-libs | javax.net.ssl | JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 |
127 | JDK-8237474 | security-libs | javax.net.ssl | Default SSLEngine should create in server role |
128 | JDK-8239798 | security-libs | javax.net.ssl | SSLSocket closes socket both socket endpoints on a SocketTimeoutException |
129 | JDK-8242141 | security-libs | javax.net.ssl | New System Properties to configure the TLS signature schemes |
130 | JDK-8242294 | security-libs | javax.net.ssl | JSSE Client does not throw SSLException when an alert occurs during handshaking |
131 | JDK-8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
132 | JDK-8224157 | xml | jaxp | BCEL: update to version 6.3.1 |
133 | JDK-8238164 | xml | jaxp | Update Apache Xerces to version 2.12.0 in JDK 8u |
The following sections summarize changes made in all Java SE 8u251 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8244579 | javafx | web | Windows "User Objects" leakage with WebView |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8241966 (Confidential) | install | Add Oracle copyright to modified Sparkle 1.23.0 files | |
8241965 (Confidential) | install | Update THIRD_PARTY_README for Sparkle 1.23.0 | |
8241814 (Confidential) | install | auto_update | [macos] 8u251b60 AU missing "Remind Me" button |
8241410 (Confidential) | infrastructure | 8u251 b60 Mac notarized build is missing the ant-javafx.jar | |
8241399 (Confidential) | client-libs | java.awt | jdk8 build broken on macOS 10.7 and sdk 10.8 |
8240780 | infrastructure | build[8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds | |
8239919 | hotspot | [8u] enable parentheses-equality warnings in HotSpot | |
8239808 (Confidential) | install | auto_update | Change URL In <cntry-lookup> Tag In mac-XXX-XX.xml |
8239400 | hotspot | [8u] clean up delete-non-virtual-dtor warnings in HotSpot | |
8239223 | hotspot | [8u] enable Wparentheses warnings in HotSpot | |
8239112 | hotspot | [8u] clean up empty-body warnings in HotSpot | |
8239053 | hotspot | runtime | [8u] clean up undefined-var-template warnings |
8238852 (Confidential) | install | install | [macos] AU to NEXTVER failed when AU from 8u251 to future |
8238700 (Confidential) | infrastructure | build | Signing reliability change not fully working on 8u |
8238225 | infrastructure | build | Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary |
8237820 | infrastructure | build | remove clang version check for optimization bug workaround from 8u |
8236971 | javafx | window-toolkit | [macos] Gestures handled incorrectly due to missing events |
8236956 (Confidential) | security-libs | javax.net.ssl | Backport test lib files from JDK-8228967 |
8235687 | infrastructure | build | Contents/MacOS/libjli.dylib cannot be a symlink |
8232580 (Confidential) | infrastructure | build | Sign Macosx binaries with hardened runtime enabled |
8232087 (Confidential) | security-libs | org.ietf.jgss | Migrate KDC from sca00jvo/burge0401/sca00kte/sca00lol/adc1140258/sca00joh to new OCI hosts |
8231438 | client-libs | java.awt | [macOS] Dark mode for the desktop is not supported |
8231092 (Confidential) | infrastructure | build | Implement Apple notarization support in the build |
8230555 (Confidential) | security-libs | javax.net.ssl | OCI migration on IIS |
8226306 (Confidential) | infrastructure | build | Improve signing reliability |
8214046 | client-libs | java.awt | [macosx] Undecorated Frame does not Iconify when set to |
8213838 (Confidential) | install | Upgrade sparkle to 1.23.0 | |
8202393 | javafx | media | App Transport Security blocks http media on macOS with JDK build using new compilers |
8200550 | hotspot | gc | Xcode 9.3 produce warning -Wexpansion-to-defined |
8196724 | infrastructure | build | Change macosx deployment target to 10.9 |
8196538 (Confidential) | infrastructure | build | Fix compilation errors when using Xcode 9.2/Macosx 10.13 in deploy and install |
8181872 | hotspot | compiler | C1: possible overflow when strength reducing integer multiply by constant |
8152856 | hotspot | runtime | Xcode 7.3 -Wshift-negative-value compile failure on Mac OS X |
8141056 | hotspot | gc | Erroneous assignment in HeapRegionSet.cpp |
8060721 | hotspot | runtime | Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler |
8043646 | client-libs | java.awt | libosxapp.dylib fails to build on Mac OS 10.9 with clang |
8030680 | hotspot | compiler | 292 cleanup from default method code assessment |
7188942 (Confidential) | client-libs | 2d | Remove support of pbuffers in OGL Java2d pipeline |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8239444 (Confidential) | security-libs | java.security | High contention java.security.Provider.getService()-JDK-7092821 |
7092821 | security-libs | java.security | java.security.Provider.getService() is synchronized and became scalability bottleneck |
8231387 | security-libs | java.security | java.security.Provider.getService returns random result due to race condition with mutating methods in the same class |
8228613 | security-libs | java.security | java.security.Provider#getServices order is no longer deterministic |
8239946 (Confidential) | security-libs | javax.crypto | Update JarVerifier class with new signing cert details |
8240439 (Confidential) | core-libs | java.net | java.net.PlainDatagramSocketImpl.receive0 seems to fail for UDP traffic spontaneously |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8231779 | hotspot | gc | crash HeapWord*ParallelScavengeHeap::failed_mem_allocate |
April 14, 2020
The full version string for this update release is 1.8.0_251-b08 (where "b" means "build"). The version number is 8u251. This JDK 8 Update release implements JSR 337 Maintenance Release 3 (approved Feb 2020).
JDK 8u251 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u251 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_251-b08 |
7 | 1.7.0_261-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u251) be used after the next critical patch update scheduled for July 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u251) on August 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.net.ssl
➜ TLS Application-Layer Protocol Negotiation Extension
JEP 244 has enhanced the Java Secure Socket Extension (JSSE) to provide support for the TLS Application-Layer Protocol Negotiation (ALPN) Extension (RFC 7301). New methods have been added to the javax.net.ssl
classes SSLEngine
, SSLSocket
, and SSLParameters
to allow clients and servers to negotiate an application layer value as part of the TLS handshake.
This API change was required by JSR 337 MR 3.
See JDK-8051498
security-libs/javax.crypto
➜ RSASSA-PSS Signature Support Added to SunMSCAPI
The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider.
See JDK-8205445
security-libs/java.security
➜ Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature
The SunRsaSign and SunJCE providers have been enhanced with support for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS signature and OAEP using FIPS 180-4 digest algorithms. New constructors and methods have been added to relevant JCA/JCE classes under the java.security.spec
and javax.crypto.spec
packages for supporting additional RSASSA-PSS parameters.
This API change was required by JSR 337 MR 3.
See JDK-8146293
javafx/web
➜ WebEngine Limits JavaScript Method Calls for Certain Classes
JavaScript programs that are run in the context of a web page loaded by WebEngine can communicate with Java objects passed from the application to the JavaScript program. JavaScript programs that reference java.lang.Class
objects are now limited to the following methods:
getCanonicalName
getEnumConstants
getFields
getMethods
getName
getPackageName
getSimpleName
getSuperclass
getTypeName
getTypeParameters
isAssignableFrom
isArray
isEnum
isInstance
isInterface
isLocalClass
isMemberClass
isPrimitive
isSynthetic
toGenericString
toString
No methods can be called on the following classes:
java.lang.ClassLoader
java.lang.Module
java.lang.Runtime
java.lang.System
java.lang.invoke.*
java.lang.module.*
java.lang.reflect.*
java.security.*
sun.misc.*
JDK-8236798 (not public)
security-libs/javax.xml.crypto
➜ New Oracle Specific JDK 8 Updates System Property to Fallback to Legacy Base64 Encoding Format
Oracle JDK 8u231 upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue where XML signature using Base64 encoding resulted in appending 
or 
to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without 
or 
.
Therefore, a new Oracle JDK 8 Updates only system property, - com.sun.org.apache.xml.internal.security.lineFeedOnly,
is made available to fall back to legacy Base64 encoded format.
Users can set this flag in one of two ways:
-Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")
This new system property is disabled by default. It has no effect on default behavior nor when com.sun.org.apache.xml.internal.security.ignoreLineBreaks
property is set.
Later JDK family versions might only support the recommended property: com.sun.org.apache.xml.internal.security.ignoreLineBreaks
See JDK-8236645
security-libs/javax.crypto
➜ Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA
, SHA256withECDSA
, etc.) are also supported.
See JDK-8026953
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8232154 | client-libs | 2d | Update Mesa 3-D Headers to version 19.2.1 |
2 | JDK-8214578 | client-libs | java.awt | [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings |
3 | JDK-8230597 | client-libs | java.awt | Update GIFlib library to the 5.2.1 |
4 | JDK-8230926 | client-libs | java.awt | [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout |
5 | JDK-4949105 | client-libs | javax.accessibility | Access Bridge lacks html tags parsing |
6 | JDK-8223158 | client-libs | javax.swing | Docked MacBook cannot start any Java Swing applications |
7 | JDK-8224475 | client-libs | javax.swing | JTextPane does not show images in HTML rendering |
8 | JDK-8226892 | client-libs | javax.swing | ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys |
9 | JDK-8230235 | client-libs | javax.swing | Rendering HTML with empty img attribute and documentBaseKey cause Exception |
10 | JDK-8235744 | client-libs | javax.swing | PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 |
11 | JDK-8229022 | core-libs | java.io | BufferedReader performance can be improved by using StringBuilder |
12 | JDK-6996807 | core-libs | java.io:serialization | FieldReflectorKey hash code computation can be improved |
13 | JDK-8067796 | core-libs | java.lang | (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null |
14 | JDK-8208715 | core-libs | java.lang | Conversion of milliseconds to nanoseconds in UNIXProcess contains bug. |
15 | JDK-8051853 | core-libs | java.net | new URI("x/").resolve("..").getSchemeSpecificPart() returns null! |
16 | JDK-8230856 | core-libs | java.net | Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return |
17 | JDK-8233022 | core-libs | java.net | [test] backout accidental change to SetLoopbackMode.java |
18 | JDK-8232003 | core-libs | java.nio | (fs) Files.write can leak file descriptor in the exception case |
19 | JDK-8237368 | core-libs | java.rmi | Problem with NullPointerException in RMI TCPEndpoint.read |
20 | JDK-8227127 | core-libs | java.text | Era designator not displayed correctly using the COMPAT provider |
21 | JDK-8234466 | core-libs | java.util.jar | Class loading deadlock involving X509Factory#commitEvent() |
22 | JDK-8066652 | core-libs | java.util:i18n | Default TimeZone is GMT not local if user.timezone is invalid on Mac OS |
23 | JDK-8225435 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry to the latest for JDK14 |
24 | JDK-8033215 | hotspot | compiler | clang: node.cpp:284 IDX_INIT macro use uninitialized field _out |
25 | JDK-8146792 | hotspot | compiler | Predicate moved after partial peel may lead to broken graph |
26 | JDK-8231988 | hotspot | compiler | Unexpected test result caused by C2 IdealLoopTree::do_remove_empty_loop |
27 | JDK-8222122 | hotspot | jfr | Provision to disable XML validation in .jfc file in JFR |
28 | JDK-8215355 | hotspot | runtime | Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1) |
29 | JDK-8229345 | hotspot | runtime | Memory leak due to vtable stubs not being shared on SPARC |
30 | JDK-8146293 | security-libs | java.security | Add support for RSASSA-PSS Signature algorithm |
31 | JDK-8175029 | security-libs | java.security | StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider) |
32 | JDK-8206171 | security-libs | java.security | Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized |
33 | JDK-8214096 | security-libs | java.security | sun.security.util.SignatureUtil passes null parameter, so JCE validation fails |
34 | JDK-8215694 | security-libs | java.security | keytool cannot generate RSASSA-PSS certificates |
35 | JDK-8225180 | security-libs | java.security | SignedObject with invalid Key not throwing the InvalidKeyException in Windows |
36 | JDK-8225745 | security-libs | java.security | NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support |
37 | JDK-8236470 | security-libs | java.security | Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId |
38 | JDK-8193262 | security-libs | javax.crypto | JNI array not released in libsunmscapi convertToLittleEndian |
39 | JDK-8205445 | security-libs | javax.crypto | Add RSASSA-PSS Signature support to SunMSCAPI |
40 | JDK-8221407 | security-libs | javax.crypto | Windows 32bit build error in libsunmscapi/security.cpp |
41 | JDK-8223003 | security-libs | javax.crypto | SunMSCAPI keys are not cleaned up |
42 | JDK-8145849 | security-libs | javax.net.ssl | ALPN: getHandshakeApplicationProtocol() always return null |
43 | JDK-8158978 | security-libs | javax.net.ssl | ALPN not working when values are set directly on a SSLServerSocket |
44 | JDK-8170282 | security-libs | javax.net.ssl | Enable ALPN parameters to be supplied during the TLS handshake |
45 | JDK-8171443 | security-libs | javax.net.ssl | (spec) An ALPN callback function may also ignore ALPN |
46 | JDK-8216039 | security-libs | javax.net.ssl | TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange |
47 | JDK-8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
48 | JDK-8207760 | xml | javax.xml.transform | SAXException: Invalid UTF-16 surrogate detected: d83c ? |
49 | JDK-8046274 | xml | jaxp | Removing dependency on jakarta-regexp |
50 | JDK-8163121 | xml | jaxp | BCEL: update to the latest 6.0 release |
51 | JDK-8233548 | xml | jaxp | Update CUP to v0.11b |
Java SE 8u241 BPRs, are based on the current Java SE 8u241 release and are available for Java SE Subscription customers.
For more information on installation and licensing of Java SE Products, visit Java SE Products Overview.
Find information about Java SE Subscriptions at Oracle Java SE Subscriptions.
The following sections summarize changes made in all Java SE 8u241 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8163251 | security-libs | javax.smartcardio | Hard coded loop limit prevents reading of smart card data greater than 8k |
8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
8239033 (Confidential) | security-libs | javax.xml.crypto | Oracle JDK 8u Base64XmlEncode.java test fails for windows platform |
8236832 | javafx | media | [macos 10.15] JavaFX Application hangs on video play on Catalina |
8239803 (Confidential) | javafx | build | [macOS 10.15] Wrong SDK recorded in dylib files prevents notarization |
8160768 | core-libs | javax.naming | Add capability to custom resolve host/domain names within the default JNDI LDAP provider |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8234468 | security-libs | java.security | Application startup failed on JRE 8u231 |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8193445 | javafx | controls | JavaFX CSS is applied redundantly leading to significant performance degradation |
January 14, 2020
The full version string for this update release is 1.8.0_241-b07 (where "b" means "build"). The version number is 8u241.
JDK 8u241 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u241 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_241-b07 |
7 | 1.7.0_251-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u241) be used after the next critical patch update scheduled for April 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u241) on May 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.security
➜ Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms
has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms
argument of Sasl.createSaslClient
or the mechanism
argument of Sasl.createSaslServer
. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.
See JDK-8200400
security-libs/javax.crypto:pkcs11
➜ SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
See JDK-8080462
security-libs/java.security
➜ New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named jdk.security.allowNonCaAnchor
has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
JDK-8230318 (not public)
security-libs/java.security
➜ Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
JDK-8227758 (not public)
security-libs/java.security
➜ Added LuxTrust Global Root 2 Certificate
The following root certificate has been added to the cacerts truststore:
+ LuxTrust
+ luxtrustglobalroot2ca
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
See JDK-8232019
security-libs/java.security
➜ Added 4 Amazon Root CA Certificates
The following root certificates have been added to the cacerts truststore:
+ Amazon
+ amazonrootca1
DN: CN=Amazon Root CA 1, O=Amazon, C=US
+ amazonrootca2
DN: CN=Amazon Root CA 2, O=Amazon, C=US
+ amazonrootca3
DN: CN=Amazon Root CA 3, O=Amazon, C=US
+ amazonrootca4
DN: CN=Amazon Root CA 4, O=Amazon, C=US
See JDK-8233223
core-libs/java.rmi
➜ Improve Registry Support
The java.rmi.Remote
marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:
java.rmi.Remote
can be invoked remotelyRemote
directly or indirectly cannot be invoked remotelyThis affects remote objects in the java.rmi.registry.Registry
and any other remote object.
JDK-8230967 (not public)
The following are some of the notable bug fixes included in this release:
client-libs/2d
➜ Support for OpenType CFF Fonts
Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf
fonts) into the standard logical fonts (such as "Dialog" and "SansSerif"). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.
Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.
Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.
See JDK-8209672
core-libs/java.io:serialization
➜ Better Serial Filter Handling
The jdk.serialFilter
system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with java.io.ObjectInputFilter.Config.setSerialFilter
. Setting the jdk.serialFilter with java.lang.System.setProperty
has no effect.
JDK-8231422 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8080465 | client-libs | The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel". | |
2 | JDK-8185538 | client-libs | 2d | JDK 9 is really slow initialising some OTF/CFF fonts. |
3 | JDK-8146238 | client-libs | 2d | [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts |
4 | JDK-8209672 | client-libs | 2d | Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init |
5 | JDK-8225101 | client-libs | java.awt | Crash at sun.awt.X11.XlibWrapper.XkbGetUpdatedMap when change keybord map |
6 | JDK-8230782 | client-libs | java.awt | Robot.createScreenCapture() fails if ???awt.robot.gtk??? is set to false |
7 | JDK-8221246 | client-libs | java.awt | NullPointerException within Win32ShellFolder2 |
8 | JDK-8213119 | client-libs | java.awt | [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails |
9 | JDK-8225505 | client-libs | javax.swing | ctrl-F1 does not show the tooltip of a menu item (JMenuItems) |
10 | JDK-8134424 | core-libs | java.io:serialization | BlockDataInputStream.readUTFBody: size local StringBuffer with the given length |
11 | JDK-8185898 | core-libs | java.net | setRequestProperty(key, null) results in HTTP header without colon in request |
12 | JDK-8230085 | core-libs | java.nio | (fs) FileStore::isReadOnly is always true on macOS Catalina |
13 | JDK-8223490 | core-libs | java.util | Optimize search algorithm for determining default time zone |
14 | JDK-8227018 | core-libs | java.util.concurrent | CompletableFuture should not call Runtime.availableProcessors on fast path |
15 | JDK-8204290 | core-libs | jdk.nashorn | Add check to limit number of capture groups |
16 | JDK-8232984 | core-libs | jdk.nashorn | Upgrading Joni License version to 2.1.16 |
17 | JDK-8204288 | core-libs | jdk.nashorn | Matching the end of a string followed by an empty greedy regex and a word boundary fails |
18 | JDK-8230303 | core-svc | debugger | JDB hangs when running monitor command |
19 | JDK-8179348 | deploy | webstart | User friendly warning when Java WebStart Temporary Internet Files is disabled. |
20 | JDK-8133949 | deploy | webstart | deploy-test build broken by fix to JDK-6921877 |
21 | JDK-6921877 | deploy | webstart | JCP JNLP Shortcut settings for JDK 9 |
22 | JDK-7024585 | deploy | webstart | enhance the list of secure jnlp vm-args for plugin and web start |
23 | JDK-8223925 | docs | No document covering default property files and system properties of the Preferences API | |
24 | JDK-8060000 | docs | guides | Endpoint identification algorithm is not only in TLS 1.2 |
25 | JDK-8207028 | docs | guides | JSSE TrustManagerFactory ignores custom value of deployment.system.security.cacerts property |
26 | JDK-8227326 | docs | guides | Broken link to JNLP specifications in Java Web Start documentation |
27 | JDK-8077316 | docs | guides | JRE Installer Options Page should include JDK |
28 | JDK-8171356 | docs | tools | providerpath option should be added to all keytool commands which specify provider information's |
29 | JDK-8143925 | hotspot | compiler | enhancing CounterMode.crypt() for AESCrypt.implEncryptBlock() |
30 | JDK-8146581 | hotspot | compiler | Minor corrections to the patch submitted for earlier bug id - 8143925 |
31 | JDK-8171974 | hotspot | compiler | Fix for R10 Register clobbering with usage of ExternalAddress |
32 | JDK-8131778 | hotspot | compiler | java disables UseAES flag when using VIS=2 on sparc |
33 | JDK-8225141 | hotspot | compiler | Better handling of classes in error state by fast class initialization checks |
34 | JDK-8229420 | hotspot | gc | [Redo] jstat reports incorrect values for OU for CMS GC |
35 | JDK-8048556 | hotspot | gc | Unnecessary GCLocker-initiated young GCs |
36 | JDK-8226798 | hotspot | runtime | JVM crash in klassItable::initialize_itable_for_interface(int, InstanceKlass*, bool, Thread*) |
37 | JDK-8041620 | hotspot | runtime | Solaris Studio 12.4 C++ 5.13 change in behavior for placing friend declarations within surrounding scope |
38 | JDK-8231854 | javafx | other | Change Mercurial to git in various README files |
39 | JDK-8231590 | javafx | other | Update location of jfx repo to GitHub in third-party legal files |
40 | JDK-8232522 | javafx | other | FX: Update copyright year in docs, readme files to 2020 |
41 | JDK-8231126 | javafx | web | libxslt.md has incorrect version string |
42 | JDK-8224636 | javafx | web | CSS "pointer-events" property "stroke" is not respected for SVG renderings |
43 | JDK-8218640 | javafx | web | Update ICU4C to version 64.2 |
44 | JDK-8173956 | security-libs | java.security | KeyStore regression due to default keystore being changed to PKCS12 |
45 | JDK-8195667 | security-libs | javax.crypto:pkcs11 | ProblemList PKCS11 tests Secmod/AddTrustedCert.java and tls/TestKeyMaterial.java due to JDK-8180837 |
46 | JDK-8080462 | security-libs | javax.crypto:pkcs11 | Update SunPKCS11 provider with PKCS11 v2.40 support |
47 | JDK-8228835 | security-libs | javax.crypto:pkcs11 | Memory leak in PKCS11 provider when using AES GCM |
48 | JDK-8229243 | security-libs | javax.crypto:pkcs11 | SunPKCS11-Solaris provider tests failing on Solaris 11.4 |
49 | JDK-8225695 | security-libs | javax.crypto:pkcs11 | 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) |
50 | JDK-8133489 | security-libs | javax.net.ssl | Better messaging for PKIX path validation matching |
51 | JDK-8229767 | security-libs | javax.security | Typo in java.security: Sasl.createClient and Sasl.createServer |
52 | JDK-8200400 | security-libs | javax.security | Allow Sasl mechanisms to be restricted |
53 | JDK-8226607 | security-libs | javax.smartcardio | Inconsistent info between pcsclite.md and MUSCLE headers |
54 | JDK-8201627 | security-libs | org.ietf.jgss:krb5 | Kerberos sequence number issues |
The following sections summarize changes made in all Java SE 8u231 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8223158 | client-libs | javax.swing | Docked MacBook cannot start any Java Swing applications |
8134424 | core-libs | java.io:serialization | BlockDataInputStream.readUTFBody: size local StringBuffer with the given length |
8077707 (Confidential) |
client-libs | javax.accessibility | jdk9 b58 cannot run any graphical application on Win 8 with JAWS running |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8185538 | client-libs | 2d | JDK 9 is really slow initialising some OTF/CFF fonts. |
8223490 | core-libs | java.util | Optimize search algorithm for determining default time zone |
8209672 (Confidential) |
client-libs | 2d | Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init |
8080465 (Confidential) |
client-libs | The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel". |
Bug Fixes
October 15, 2019
The full version string for this update release is 1.8.0_231-b11 (where "b" means "build"). The version number is 8u231.
JDK 8u231 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u231 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_231-b11 |
7 | 1.7.0_241-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u231) be used after the next critical patch update scheduled for January 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u231) on February 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.crypto
New jdk.jceks.iterationCount System Property
A new system property has been introduced to control the iteration count value used for the jceks
keystore. The default value remains at 200000 but values between 10000 and 5000000 may be specified. The new system property name is jdk.jceks.iterationCount
and the value supplied should be an integer in the accepted range. The default value will be used if a parsing error is encountered.
JDK-8223269 (not public)
security-libs/java.security
➜ New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
java/security_property
Security.setProperty(String key, String value)
method callsjava/tls_handshake
java/x509_validation
java/x509_certificate
See JDK-8148188
javafx/graphics
➜ Removal of T2K Rasterizer and ICU Layout Engine From JavaFX
The T2K rasterizer and ICU layout engine have been removed from JavaFX.
See JDK-8187147
client-libs
➜ [client-libs and javaFX] GTK3 Is Now the Default on Linux/Unix
Newer versions of Linux, Solaris, and other Unix flavor desktop environments use GTK3, while still supporting GTK2.
Previously, the JDK would default to loading the older GTK2 libraries. However, in this release, it defaults to loading GTK3 libraries. Loading is typically triggered by using the Swing GTK Look And Feel.
The old behavior can be restored by using the system property: -Djdk.gtk.version=2.2
See JDK-8222496
docs
➜ Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see http:/java/technologies/javase/jdk-jre-macos-catalina.html.
JDK-8230057 (not public)
security-libs/javax.net.ssl
➜ Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.
To re-enable these curves, use the jdk.tls.namedGroups
system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1,
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ...
JDK-8228825 (not public)
security-libs/javax.xml.crypto
➜Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto
module has been updated to version 2.1.3 of Apache Santuario. New features include:
See JDK-8219013
security-libs/javax.xml.crypto
➜ Updated xmldsig Implementation to Apache Santuario 2.1.1
The XMLDSig provider implementation in the java.xml.crypto
module has been updated to version 2.1.1 of Apache Santuario. New features include:
See JDK-8177334
security-libs/javax.crypto
➜ System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC
, which was introduced in the update releases 7u231 and 8u221, is turned off by default.
This option allows control of which implementation of ECC is in use.
When the system property, jdk.security.useLegacyECC
, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC
If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.
JDK-8224499 (not public)
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in 
or 
being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
An application may continue working with the encoded output data containing the carriage return character (
or 
) if the application coding logic allows such output.
The com.sun.org.apache.xml.internal.security.ignoreLineBreaks
system property may be set to a value of true
if an application is unable to handle encoded output data including the carriage return character (
or 
).
Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.
core-libs/java.lang
➜ Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec
and ProcessBuilder
have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.
In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands
to false
.
In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands
to true
.
Applications using Runtime.exec
or ProcessBuilder
with a security manager to invoke .bat
or .cmd
and command names that do not end in ".exe
" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.
For .exe
programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands
property is "false
" or there is no security manager and property is not "false
".
JDK-8221858 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8222496 | client-libs | [8u] Switch on GTK3 as a default GTK L&F in client-libs | |
2 | JDK-8217676 | client-libs | Upgrade libpng to 1.6.37 | |
3 | JDK-8219914 | client-libs | Change the environment variable for Java Access Bridge logging to have a directory | |
4 | JDK-8222108 | client-libs | 2d | Reduce minRefreshTime for updating remote printer list on Windows |
5 | JDK-8196681 | client-libs | javax.accessibility | Java Access Bridge logging and debug flags dynamically controlled |
6 | JDK-8226964 | client-libs | javax.swing | [Yaru] GTK L&F: There is no difference between menu selected and de-selected |
7 | JDK-8225423 | client-libs | javax.swing | GTK L&F: JSplitPane: There is no divider shown |
8 | JDK-8214702 | client-libs | javax.swing | Wrong text position for whitespaced string in printing Swing text |
9 | JDK-8216401 | core-libs | Allow "file:" URLs in Class-Path of local JARs | |
10 | JDK-8151486 | core-libs | java.lang | Class.forName causes memory leak |
11 | JDK-8197930 | core-libs | java.lang | JNI exception pending in initializeEncoding of jni_util.c |
12 | JDK-8225425 | core-libs | java.net | java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries |
13 | JDK-8214687 | core-libs | java.util:collections | Optimize Collections.nCopies().hashCode() and equals() |
14 | JDK-8222980 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry to Version 2019-04-03 |
15 | JDK-8219890 | core-libs | java.util:i18n | Calendar.getDisplayName() returns empty string for new Japanese Era on some locales |
16 | JDK-8203324 | core-libs | java.util:i18n | Use out of scope in getMacOSXLocale of java_props_macosx.c:120 |
17 | JDK-8139965 | core-libs | javax.naming | Hang seen when using com.sun.jndi.ldap.search.replyQueueSize |
18 | JDK-8217581 | docs | tools | JDK 8 javadoc man page does not list correct values for -source |
19 | JDK-8206879 | globalization | locale-data | Currency decimal marker incorrect for Peru |
20 | JDK-8202414 | hotspot | compiler | Unsafe write after primitive array creation may result in array length change |
21 | JDK-8219807 | hotspot | compiler | C2 crash in IfNode::up_one_dom(Node*, bool) |
22 | JDK-8218721 | hotspot | compiler | C1's CEE optimization produces safepoint poll with invalid debug information |
23 | JDK-8130341 | hotspot | compiler | GHASH 32bit intrinsics has AEADBadTagException |
24 | JDK-8080157 | hotspot | compiler | assert(allocates2(pc)) failed: not in CodeBuffer memory |
25 | JDK-8187147 | javafx | graphics | Remove T2K from JavaFX in JDK 10 |
26 | JDK-8201539 | javafx | graphics | Crash in DirectWrite CreateBitmap code when running TestFX test suite |
27 | JDK-8213510 | javafx | media | [Windows] MediaPlayer does not play some mp3 with artwork stream in mjpeg |
28 | JDK-8222780 | javafx | media | Visual Studio does not open media vs_projects files |
29 | JDK-8223046 | javafx | samples | AudioClip sample does not work in Ensemble when run via web-start |
30 | JDK-8230361 | javafx | web | [web] Cookies are not enabled in WebKit v608.1 |
31 | JDK-8229328 | javafx | web | [windows] PlatformFileHandle type should be JGObject rather than void * |
32 | JDK-8227431 | javafx | web | [Windows] Fix assertion failure on X86 32-bit when enabling CLOOP based JavaScript interpreter |
33 | JDK-8227079 | javafx | web | Cherry pick GTK WebKit 2.24.3 changes |
34 | JDK-8222912 | javafx | web | Websocket client doesn't work in WebView |
35 | JDK-8219362 | javafx | web | Update to 608.1 version of WebKit |
36 | JDK-8225203 | javafx | web | Update SQLite to version 3.28.0 |
37 | JDK-8222788 | javafx | web | javafx.web build fails on XCode 10.2 |
38 | JDK-8222497 | javafx | window-toolkit | [8u] Switch on GTK3 as a default GTK L&F in javafx |
39 | JDK-8226537 | javafx | window-toolkit | Multi-level Stage::initOwner can crash gnome-shell or X.org server |
40 | JDK-8211302 | javafx | window-toolkit | DragAndDrop no longer works with GTK3 |
41 | JDK-8212060 | javafx | window-toolkit | [GTK3] Stage sometimes shown at top-left before moving to correct position |
42 | JDK-8147502 | security-libs | java.security | Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size |
43 | JDK-8148188 | security-libs | java.security | Enhance the security libraries to record events of interest |
44 | JDK-8226543 | security-libs | javax.crypto | Reduce GC pressure during message digest calculations in password-based encryption |
45 | JDK-8073108 | security-libs | javax.crypto | Use x86 and SPARC CPU instructions for GHASH acceleration |
46 | JDK-8218780 | security-libs | javax.smartcardio | Update MUSCLE PCSC-Lite header files |
47 | JDK-8229868 | security-libs | javax.xml.crypto | Update Apache Santuario TPRM version |
48 | JDK-8218629 | security-libs | javax.xml.crypto | XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 |
49 | JDK-8217878 | security-libs | javax.xml.crypto | ENVELOPING XML signature no longer works in JDK 11 |
50 | JDK-8219013 | security-libs | javax.xml.crypto | Update Apache Santuario (XML Signature) to version 2.1.3 |
51 | JDK-8177334 | security-libs | javax.xml.crypto | Update xmldsig implementation to Apache Santuario 2.1.1 |
The following sections summarize changes made in all Java SE 8u221 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8221246 | client-libs | java.awt | NullPointerException within Win32ShellFolder2 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8080157 | hotspot | compiler | assert(allocates2(pc)) failed: not in CodeBuffer memory |
8130341 | hotspot | compiler | GHASH 32bit intrinsics has AEADBadTagException |
8073108 | security-libs | javax.crypto | Use x86 and SPARC CPU instructions for GHASH acceleration |
8048556 | hotspot | gc | Unnecessary GCLocker-initiated young GCs |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8226895 (Confidential) |
xml | jaxp | Problems when validating XML with STax |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8226543 | security-libs | javax.crypto | Reduce GC pressure during message digest calculations in password-based encryption |
8139965 | core-libs | javax.naming | Hang seen when using com.sun.jndi.ldap.search.replyQueueSize |
8225615 (Confidential) |
deploy | packager | Need javapackager to work with Inno Setup 6.x |
8223727 (Confidential) |
core-libs | javax.naming | com/sun/jndi/ldap/privconn/RunTest.java failed due to hang in LdapRequest.getReplyBer |
Please note that fixes from prior BPR are included in this version.
July 16, 2019
The full version string for this update release is 1.8.0_221-b11 (where "b" means "build"). The version number is 8u221.
JDK 8u221 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u221 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_221-b11 |
7 | 1.7.0_231-b08 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u221) will expire with the release of the next critical patch update scheduled for October 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u221) on November 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
hotspot/runtime
HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name
system property and the hs_err_pid
file.
See JDK-8211106
security-libs/java.security
Removal of Two DocuSign Root CA Certificates
Two DocuSign root CA certificates are expired and have been removed from the cacerts
keystore:
Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR
Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR
See JDK-8223499
security-libs/java.security
Removal of Two Comodo Root CA Certificates
Two Comodo root CA certificates are expired and have been removed from the cacerts
keystore:
Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
See JDK-8222136
security-libs/java.security
Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts
keystore:
Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
See JDK-8222137
install
Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll
in either the system directory (C:\Windows\System32
) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64
) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
security-libs/javax.crypto
System Property to Switch Between Implementations of ECC
A new boolean system property, jdk.security.useLegacyECC
, has been introduced that enables switching between implementations of ECC.
When the system property, jdk.security.useLegacyECC
, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC
in the command line.
If the option is explicitly set to "false", the provider decides which implementation of ECC is used.
The default value of the option is "true". Note that the default value might change in a future update release of the JDK.
JDK-8217763 (not public)
client-libs/2d
Missing Glyphs in AWT/Swing Components Due to Lack of CJK TrueType Fonts in RHEL 8
Red Hat Enterprise Linux 8 no longer includes packages which provided TrueType fonts used by JDK for CJK (Chinese, Japanese, and Korean) languages.
Text display for those languages will therefore result in missing glyphs.
See JDK-8209672 for a resolution to this issue.
See JDK-8230150
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8214252 | client-libs | Expanded & Collapsed nodes of a JTree look the same on GTK3 | |
2 | JDK-8153732 | client-libs | 2d | Windows remote printer changes do not reflect in lookupPrintServices() |
3 | JDK-8212202 | client-libs | 2d | [Windows] Exception if no printers are installed. |
4 | JDK-8218020 | client-libs | 2d | Fix version number in mesa.md 3rd party legal file |
5 | JDK-8215210 | client-libs | 2d | [macos] Hangul text does not shape to the precomposed form on JDK8u |
6 | JDK-8218605 | client-libs | 2d | Startup Splash Screen of SwingSet2 flashes in smaller coordinates before appearing in the final size |
7 | JDK-8214765 | client-libs | java.awt | All TrayIcon MessageType icons does not show up with gtk3 option set |
8 | JDK-8204142 | client-libs | java.awt | AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts. |
9 | JDK-8210886 | client-libs | java.awt | Remove references in xwindows.md to non-existent files. |
10 | JDK-8214109 | client-libs | java.awt | XToolkit is not correctly displayed color on 16-bit high color setting |
11 | JDK-8213183 | client-libs | java.awt:i18n | InputMethod cannot be used after its restarting |
12 | JDK-8214253 | client-libs | javax.swing | Tooltip is transparent rather than having a black background |
13 | JDK-8214112 | client-libs | javax.swing | The whole text in target JPasswordField image are not selected. |
14 | JDK-8214111 | client-libs | javax.swing | There is no icon in all JOptionPane target image |
15 | JDK-8220349 | client-libs | javax.swing | The fix done for JDK-8214253 have caused issues in JTree behaviour |
16 | JDK-8218674 | client-libs | javax.swing | HTML Tooltip with "img src=" on component doesn't show |
17 | JDK-8196775 | core-libs | java.net | java/net/Socket/asyncClose/Race.java failed intermittently on Windows with ConnectException: Connection refused |
18 | JDK-8044047 | core-libs | java.util.stream | Missing null pointer checks for streams |
19 | JDK-8213294 | core-libs | java.util:i18n | Upgrade IANA LSR data |
20 | JDK-8040211 | core-libs | java.util:i18n | Update LSR datafile for BCP 47 |
21 | JDK-8191404 | core-libs | java.util:i18n | Upgrading JDK with latest available LSR data from IANA. |
22 | JDK-8203872 | core-libs | java.util:i18n | Upgrading JDK with latest available LSR data from IANA. |
23 | JDK-8214935 | core-libs | java.util:i18n | Upgrade IANA LSR data |
24 | JDK-8218781 | core-libs | java.util:i18n | Localized names for Japanese Era Reiwa in COMPAT provider |
25 | JDK-8209775 | core-libs | java.util:i18n | ISO 4217 Amendment #169 Update |
26 | JDK-8210153 | core-libs | java.util:i18n | localized currency symbol of VES |
27 | JDK-8209951 | hotspot | compiler | Problematic sparc intrinsic: com.sun.crypto.provider.CipherBlockChaining |
28 | JDK-8211106 | hotspot | runtime | [windows] Update OS detection code to recognize Windows Server 2019 |
29 | JDK-8134030 | hotspot | svc | test/serviceability/dcmd/gc/HeapDumpTest fails to verify the dump |
30 | JDK-8202884 | hotspot | svc-agent | SA: Attach/detach might fail on Linux if debugee application create/destroy threads during attaching |
31 | JDK-8222812 | install | install | java usage unit tests are failing |
32 | JDK-8212742 | install | uninstall | More information link at Java Uninstall tool for MAC point to Windows page instructions |
33 | JDK-8215686 | javafx | build | FX build fails using gradle 5 |
34 | JDK-8217942 | javafx | build | Upgrade to libxslt 1.1.33 |
35 | JDK-8219008 | javafx | graphics | Update OpenGL Headers to version 4.6 |
36 | JDK-8204060 | javafx | graphics | [Canvas] Add API in GraphicsContext to control image smoothing |
37 | JDK-8215894 | javafx | media | Provide media support for libav version 58 |
38 | JDK-8133841 | javafx | media | Full HD video can not be played on standard 1080p screen in portrait mode |
39 | JDK-8222217 | javafx | media | FX build fails on 32-bit Windows after fix for JDK-8133841 |
40 | JDK-8218174 | javafx | other | Add missing license file for Mesa header files |
41 | JDK-8222883 | javafx | samples | Ensemble: Update version of Lucene to 7.7.1 |
42 | JDK-8219734 | javafx | web | [WebView] Get rid of macOS SDK private API usage |
43 | JDK-8215775 | javafx | web | Scrollbars from web pages appear to be absolute, overlapping everything |
44 | JDK-8220147 | javafx | web | Cherry pick GTK WebKit 2.22.7 changes |
45 | JDK-8219917 | javafx | web | [WebView] Sub-resource integrity check fails on Windows and Linux |
46 | JDK-8151225 | security-libs | java.security | Mark SpecTest.java as intermittently failing |
47 | JDK-8222137 | security-libs | java.security | Remove T-Systems root CA certificate |
48 | JDK-8223499 | security-libs | java.security | Remove two DocuSign root certificates that are expiring |
49 | JDK-8222136 | security-libs | java.security | Remove two Comodo root CA certificates that are expiring |
50 | JDK-8181594 | security-libs | javax.crypto | Efficient and constant-time modular arithmetic |
51 | JDK-8203228 | security-libs | javax.crypto | Branch-free output conversion for X25519 and X448 |
52 | JDK-8201317 | security-libs | javax.crypto | X25519/X448 code improvements |
53 | JDK-8208648 | security-libs | javax.crypto | ECC Field Arithmetic Enhancements |
54 | JDK-8204909 | security-libs | javax.crypto | Improved ECC Implementation |
55 | JDK-8193830 | xml | jaxp | Xalan Update: Xalan Java 2.7.2 |
The following sections summarize changes made in all Java SE 8u212 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Please note that fixes in 8u212 b34 are included in 8u221-b32.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8208666 | client-libs | 2d | Missing glyphs from custom made font when rendering on Graphics2D |
8178870 | hotspot | jvmti | instrumentation.retransformClasses cause coredump |
8155951 | hotspot | jvmti | VM crash in nsk/jvmti/RedefineClasses/StressRedefine: assert failed: Corrupted constant pool |
8151066 | hotspot | jvmti | assert(0 <= i && i < length()) failed: index out of bounds |
8221986 (Confidential) |
javafx | build | Intermittent FX Hudson build failure on Windows: cannot execute gperf |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8218674 | client-libs | javax.swing | HTML Tooltip with "img src=" on component doesn't show |
8223233 (Confidential) |
install | install | 8u 211 32 bit MSI uninstalls Java 8u211 64 bit, which is above the security baseline |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8204060 | javafx | graphics | [Canvas] Add API in GraphicsContext to control image smoothing |
8221263 | client-libs | 2d | [TEST_BUG] RemotePrinterStatusRefresh test is hard to use |
8153732 | client-libs | 2d | Windows remote printer changes do not reflect in lookupPrintServices() |
8221412 | client-libs | 2d | lookupPrintServices() does not always update the list of Windows remote printers |
8212202 | client-libs | 2d | [Windows] Exception if no printers are installed. |
8194653 | core-libs | java.lang | Deadlock involving FileSystems.getDefault and System.loadLibrary call |
8219410 (Confidential) |
javafx | graphics | [GraphicsContext] Backport doc changes |
Please note that fixes from prior BPR (8u202 b34) are included in this version.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8221355 | hotspot | compiler | Performance regression after JDK-8155635 backport into 8u |
April 16, 2019
The full version string for this update release is 1.8.0_212-b10 (where "b" means "build"). The version number is 8u212.
JDK 8u212 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u212 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_211-b12 |
7 | 1.7.0_221-b08 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u212) will expire with the release of the next critical patch update scheduled for July 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u212) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8215364 | client-libs | JavaFX crashes on Ubuntu 18.04 with Wayland while using Swing-FX interop | |
2 | JDK-8207070 | client-libs | java.awt | Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor |
3 | JDK-8189926 | javafx | other | [Mac] Pulse timer should pause when idle |
4 | JDK-8210411 | javafx | window-toolkit | JavaFX crashes on Ubuntu 18.04 with Wayland |
5 | JDK-8211280 | javafx | window-toolkit | JavaFX build fails on Linux with gcc8 |
6 | JDK-8213952 | security-libs | java.security | Relax DNSName restriction as per RFC 1123 |
April 16, 2019
The full version string for this update release is 1.8.0_211-b12 (where "b" means "build"). The version number is 8u211.
JDK 8u211 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u211 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_211-b12 |
7 | 1.7.0_221-b08 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u211) will expire with the release of the next critical patch update scheduled for July 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u211) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
core-libs/java.time
An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3)
or JapaneseEra.valueOf("Reiwa")
. JDK 13 and later will have a new public field to represent this era.
The placeholder name, "NewEra
", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")
) will no longer work.
See JDK-8205432
core-libs/java.util:i18n
Square Character Support for Japanese New Era
The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character
class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.
See JDK-8211398
client-libs/2d
High DPI Auto-Scaling on Windows
If the Windows desktop DPI of the default screen is configured via Display Settings to be 150% or greater (that is 144 dpi or greater), JDK will now ask Windows to auto-scale the entire UI of a Java application to be consistent with the rest of the Windows desktop UI.
Below that value Java applications will appear at the same size as they did in previous releases.
This threshold is chosen as a trade-off between compatibility and legibility of the UI. At higher DPI settings, without this auto-scaling, the Java UI may be just too small to be read comfortably.
There may be some negative consequences such as
In the event that the negative consequences outweigh the benefits, an application can request the old behaviour by specifying:
-Dsun.java2d.dpiaware=true
Conversely, if the application would prefer to be auto-scaled even at lower DPI settings, then specify:
-Dsun.java2d.dpiaware=false
In the absence of either explicit setting, the default behaviour described above will apply.
JDK-8204512 (not public)
core-libs/java.lang
New Currency Code Points Added
The Java SE 8 Platform spec for java.lang.Character
now supports Unicode 6.2 plus an extension to allow new currency code points from Unicode 10.0.
The following currency code points have been added:
0BB NORDIC MARK SIGN
20BC MANAT SIGN
20BD RUBLE SIGN
20BE LARI SIGN
20BF BITCOIN SIGN
See JDK-8217710
install
Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll
in either the system directory (C:\Windows\System32
) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64
) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
hotspot/compiler
Possible Performance Regression in JDK 8 Updates 202, 211, and 212
Due to a known issue with the fix for JDK-8155635, introduced in JDK 8 update 202, some applications may experience a performance regression (lower throughput and/or higher CPU consumption) when migrating from earlier releases. Examples of code that might trigger this regression include heavy use of sun.misc.Unsafe
and the Reflection API. This performance regression is addressed in JDK-8221355.
See JDK-8221355
security-libs/java.security
Added GlobalSign R6 Root Certificate
The following root certificate has been added to the cacerts truststore:
globalsignrootcar6
DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
JDK-8216577 (not public)
security-libs/javax.net.ssl
Distrust TLS Server Certificates Anchored by Symantec Root CAs
The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.
TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).
An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.
The restrictions are enforced in the JDK implementation (the SunJSSE
Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.
An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:
"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"
If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies
security property in the java.security
configuration file.
The restrictions are imposed on the following Symantec Root certificates included in the JDK:
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US | FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA: DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A |
CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US | 37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8: 2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C |
CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US | 5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F: 7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66 |
CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US | B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E: E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4 |
CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US | A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93: 42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12 |
CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | 8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A: 97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F |
CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US | A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB: 43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57 |
CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | 4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C: 06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C |
EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA | 3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47: 9C:36:93:65:08:80:50:56:98:10:5D:BC:E9 |
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US | 3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F: D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1 |
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US | A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09: CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05 |
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US | 83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E: DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B |
CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1: B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44 |
CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60: 32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79 |
CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99: 89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF |
CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5: C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C |
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A: 9C:DB:EC:77:29:6A:42:4B |
CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US | A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A: C1:49:08:82:D4:88:ED |
If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.
You can also use the keytool
utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours.
See JDK-8207258
core-libs/java.time
Support New Japanese Era in java.time.chrono.JapaneseEraThe JapaneseEra class and its of(int)
, valueOf(String)
, and values()
methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.
See JDK-8212941
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8213983 | client-libs | java.awt | [macosx] Keyboard shortcut ???cmd +`??? stops working properly if popup window is displayed |
2 | JDK-8213583 | client-libs | java.awt | Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files |
3 | JDK-8076164 | client-libs | javax.swing | [JTextField] When input too long Thai character, cursor's behavior is odd |
4 | JDK-8132136 | client-libs | javax.swing | [PIT] RTL orientation in JEditorPane is broken |
5 | JDK-8133108 | client-libs | javax.swing | [PIT] Container size is wrong in JEditorPane |
6 | JDK-8187364 | client-libs | javax.swing | Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component |
7 | JDK-8216396 | core-libs | java.lang | Support new Japanese era and new currency code points in java.lang.Character for Java SE 8 |
8 | JDK-8218915 | core-libs | java.lang | Change isJavaIdentifierStart and isJavaIdentifierPart to handle new code points |
9 | JDK-8217710 | core-libs | java.lang | Add 5 currency code points to Java SE 8uX |
10 | JDK-8180469 | core-libs | java.time | Wrong short form text for supplemental Japanese era |
11 | JDK-8212941 | core-libs | java.time | Support new Japanese era in java.time.chrono.JapaneseEra |
12 | JDK-8211398 | core-libs | java.util:i18n | Square character support for the Japanese new era |
13 | JDK-8202088 | core-libs | java.util:i18n | Japanese new era implementation |
14 | JDK-8207152 | core-libs | java.util:i18n | Placeholder for Japanese new era should be two characters |
15 | JDK-8217609 | core-libs | java.util:i18n | New era placeholder not recognized by java.text.SimpleDateFormat |
16 | JDK-8159886 | deploy | plugin | Window of a newly launched Oracle Forms applet loses focus |
17 | JDK-8133984 | hotspot | runtime | print_compressed_class_space() is only defined in 64-bit VM |
18 | JDK-8180904 | hotspot | test | Hotspot tests running with -agentvm failing due to classpath |
19 | JDK-8187220 | install | install | postinstall fails if there is a space in user name |
20 | JDK-8214185 | javafx | media | Upgrade GStreamer to the latest (1.14.4) version |
21 | JDK-8200665 | javafx | samples | Ensemble: Update SyntaxHighlighter to version 4.0.1 |
22 | JDK-8207772 | javafx | web | File API and FileReader should be supported in WebView |
23 | JDK-8213541 | javafx | web | WebView does not handle HTTP response without ContentType |
24 | JDK-8215702 | javafx | web | SVG gradients are not rendered |
25 | JDK-8215799 | javafx | web | Complex text is not rendered by webkit on Windows |
26 | JDK-8214119 | javafx | web | Update to 607.1 version of WebKit |
27 | JDK-8211399 | javafx | web | libxslt fails to build with glibc 2.26 |
28 | JDK-8211454 | javafx | web | Update SQLite to version 3.26.0 |
29 | JDK-8214452 | javafx | web | Update libxml2 to version 2.9.9 |
30 | JDK-8213806 | javafx | web | WebView - JVM crashes for given HTML |
31 | JDK-8218611 | javafx | web | [DRT] fast/xslt tests fails with Unsupported encoding windows-1251 |
32 | JDK-8219539 | javafx | web | Cherry pick GTK WebKit 2.22.6 changes |
33 | JDK-8133802 | security-libs | replace some <tt> tags (obsolete in html5) in security-libs docs | |
34 | JDK-8216280 | security-libs | java.security | Allow later Symantec Policy distrust date for two Apple SubCAs |
35 | JDK-8215318 | security-libs | java.security | Amend the Standard Algorithm Names specification to clarify that names can be defined in later versions |
36 | JDK-8029661 | security-libs | javax.net.ssl | Support TLS v1.2 algorithm in SunPKCS11 provider |
37 | JDK-8207258 | security-libs | javax.net.ssl | Distrust TLS server certificates anchored by Symantec Root CAs |
38 | JDK-8129988 | security-libs | javax.net.ssl | JSSE should create a single instance of the cacerts KeyStore |
39 | JDK-8217579 | security-libs | javax.net.ssl | TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883 |
40 | JDK-8203190 | security-libs | javax.net.ssl | SessionId.hashCode generates too many collisions |
41 | JDK-8164656 | security-libs | org.ietf.jgss:krb5 | krb5 does not retry if TCP connection timeouts |
The following sections summarize changes made in all Java SE 8u202 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8204142 | client-libs | java.awt | AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts. |
8217227 (Confidential) |
deploy | plugin | Java Deployment Ruleset (DRS) not working for forms Web Start (webstart) config |
8221544 (Confidential) |
deploy | webstart | StackOverflowError and JWS fails to launch for some client PCs in cluster config |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8213583 | client-libs | java.awt | Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files |
8207070 | client-libs | java.awt | Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor |
8027434 | hotspot | runtime | "-XX:OnOutOfMemoryError" uses fork instead of vfork |
Please note that fixes from the prior BPR (8u192 b35) are included in this version.
January 15, 2019
The full version string for this update release is 1.8.0_202-b08 (where "b" means "build"). The version number is 8u202.
JDK 8u202 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u202 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_201-b09 |
7 | 1.7.0_211-b07 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u202) will expire with the release of the next critical patch update scheduled for April 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u202) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
client-libs
GTK+ 3.20 and Later Unsupported by Swing
Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.
See JDK-8219072
The following are some of the notable bug fixes included in this release:
deploy/webstart
Changes in Update Process of Java Web Start Cached Objects
The update mechanism of cached Java Web Start objects has been slightly changed. Now Java Web Start issues HTTP HEAD request instead of GET to test whether the updates for cached object are available or not. The downloading of the updates did not change and keeps working in the same way as before.
JDK-8211746 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8210384 | client-libs | 2d | SunLayoutEngine.isAAT() font is expensive on MacOS |
2 | JDK-8191178 | client-libs | java.awt | [macos] Problem with input of yen symbol |
3 | JDK-8130655 | client-libs | java.awt | OS X: keyboard input in textfield is not possible if the window contained textfield is owned by EmbeddedFrame |
4 | JDK-8205479 | client-libs | java.awt | OS X: requestFocus() does not work properly for embedded frame |
5 | JDK-8170937 | client-libs | java.awt | Swing apps are slow if displaying from a remote source to many local displays |
6 | JDK-8207322 | client-libs | java.awt | [Client-Libs] Backport GTK3 support on Linux to 8u |
7 | JDK-8201801 | client-libs | java.awt | RTL language (Hebrew) is presented from left to right |
8 | JDK-8182461 | client-libs | javax.imageio | IndexOutOfBoundsException when reading indexed color BMP |
9 | JDK-8207150 | client-libs | javax.sound | Clip.isRunning() may return true after Clip.stop() was called |
10 | JDK-8202264 | client-libs | javax.sound | Race condition in AudioClip.loop() |
11 | JDK-8206392 | client-libs | javax.swing | [macosx] Cycling through windows (JFrames) does not work with keyboard shortcut |
12 | JDK-8208638 | client-libs | javax.swing | Instead of circle rendered in appl window, but ellipse is produced JEditor Pane |
13 | JDK-8207060 | core-libs | java.io | Memory leak when malloc fails within WITH_UNICODE_STRING block |
14 | JDK-8207750 | core-libs | java.io | Native handle leak in java.io.WinNTFileSystem.list() |
15 | JDK-8200719 | core-libs | java.net | Cannot connect to IPv6 host when exists any active network interface without IPv6 address |
16 | JDK-8202261 | core-libs | java.nio | (fc) FileChannel.map and RandomAccessFile.setLength should not preallocate space |
17 | JDK-8207145 | core-libs | java.nio | (fs) Native memory leak in WindowsNativeDispatcher.LookupPrivilegeValue0 |
18 | JDK-8165852 | core-libs | java.nio | (fs) Mount point not found for a file which is present in overlayfs |
19 | JDK-8139507 | core-libs | java.util | WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs |
20 | JDK-8209184 | core-libs | java.util:i18n | JCK Test Failure due to ResourceBundle |
21 | JDK-8210038 | deploy | webstart | JNLP 'arch' attribute fails with NPE in SingleInstanceServiceImpl |
22 | JDK-8208183 | hotspot | update HSDIS plugin license to UPL | |
23 | JDK-8212709 | hotspot | Backout backport of JDK-8211394 from jdk 8u-dev | |
24 | JDK-8164920 | hotspot | compiler | ppc: enhancement of CRC32 intrinsic |
25 | JDK-8209639 | hotspot | compiler | assert failure in coalesce.cpp: attempted to spill a non-spillable item |
26 | JDK-8172850 | hotspot | compiler | Anti-dependency on membar causes crash in register allocator due to invalid instruction scheduling |
27 | JDK-8155635 | hotspot | compiler | C2: Mixed unsafe oop accesses break alias analysis |
28 | JDK-8131048 | hotspot | compiler | ppc: implement CRC32 intrinsic |
29 | JDK-8211150 | hotspot | gc | G1 Full GC not purging code root memory and hence causing memory leak |
30 | JDK-8064811 | hotspot | gc | Use THREAD instead of CHECK_NULL in return statements |
31 | JDK-8211909 | hotspot | jvmti | JDWP Transport Listener: dt_socket thread crash |
32 | JDK-8211387 | hotspot | runtime | [Zero] atomic_copy64: Use ldrexd for atomic reads on ARMv7 |
33 | JDK-8211124 | hotspot | runtime | HotSpot vm_version.cpp should recognise updated VS2017 |
34 | JDK-8205965 | hotspot | runtime | SIGSEGV on write to NativeCallStack::EMPTY_STACK |
35 | JDK-8196882 | hotspot | runtime | VS2017 Hotspot Defined vsnprintf Function Causes C2084 Already Defined Compilation Error |
36 | JDK-8209863 | hotspot | runtime | Add a test to verify that -XX:+EnableTracing works |
37 | JDK-8211394 | hotspot | runtime | CHECK_ must be used in the rhs of an assignment statement within a block (round 2) |
38 | JDK-8145788 | hotspot | svc | JVM crashes with -XX:+EnableTracing |
39 | JDK-8208091 | hotspot | svc-agent | SA: jhsdb jstack --mixed throws UnmappedAddressException on i686 |
40 | JDK-8164383 | hotspot | svc-agent | jhsdb dumps core on Solaris 12 when loading dumped core |
41 | JDK-8210219 | javafx | graphics | GlassClipboard.cpp fails to compile with newer versions of VS2017 |
42 | JDK-8148129 | javafx | web | Implement Accelerated composition for WebView |
43 | JDK-8209457 | javafx | web | [WebView] Canvas.toDataURL with image/jpeg MIME type fails |
44 | JDK-8202277 | javafx | web | WebView image capture fails with standalone FX due to dependency on javafx.swing |
45 | JDK-8196968 | javafx | web | One time crash on exit in JNIEnv_::CallObjectMethod |
46 | JDK-8207159 | javafx | web | Update ICU to version 62.1 |
47 | JDK-8212147 | javafx | window-toolkit | [JavaFX] Backport GTK3 support on Linux to 8u |
48 | JDK-8156709 | security-libs | java.security | Cannot call setSeed on NativePRNG on Mac if EGD is /dev/urandom |
49 | JDK-8187218 | security-libs | org.ietf.jgss | GSSCredential.getRemainingLifetime() returns negative value for TTL > 24 days. |
50 | JDK-8131051 | security-libs | org.ietf.jgss:krb5 | KDC might issue a renewable ticket even if not requested |
51 | JDK-8160928 | tools | javac | javac incorrectly copies over interior type annotations to bridge method |
January 15, 2019
The full version string for this update release is 1.8.0_201-b09 (where "b" means "build"). The version number is 8u201.
JDK 8u201 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u201 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_201-b09 |
7 | 1.7.0_211-b07 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u201) will expire with the release of the next critical patch update scheduled for April 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u201) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
This change limits the use of transparent HTTP authentication on Microsoft Windows for the NTLM scheme. In that scheme, the security credentials based on the currently logged in user's name and password are obtained directly from the operating system, without prompting the user.
A new networking system property, jdk.http.ntlm.transparentAuth
, has been added with the following possible values:
java.net.Authenticator
class.Any other value, or no value, is treated the same as "disabled". Care should be taken before enabling this mechanism.
See JDK-8209094
security-libs/javax.net.ssl
TLS anon and NULL Cipher Suites are Disabled
The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms
security property and are now disabled by default.
See JDK-8211883
security-libs/java.security
jarsigner Prints When a timestamp Will Expire
The jarsigner
tool now shows more information about the lifetime of a timestamped JAR. New warning and error messages are displayed when a timestamp has expired or is expiring within one year.
See JDK-8191438
hotspot/runtime
Linux Native Code Checks
Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.
JDK-8196902 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8201818 | client-libs | 2d | [macosx] Printing attributes break page size set via "java.awt.print.Book" object |
2 | JDK-8141491 | core-libs | java.nio | Unaligned memory access in Bits.c |
3 | JDK-8171049 | core-libs | java.time | Era.getDisplayName doesn't work with non-IsoChronology |
4 | JDK-8205330 | core-libs | javax.naming | InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection |
5 | JDK-8157913 | deploy | packager | Launcher can not find path to libpackager.so |
6 | JDK-8213011 | deploy | plugin | Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError |
7 | JDK-8212457 | deploy | webstart | JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled |
8 | JDK-8212793 | deploy | webstart | Fix for JDK-8189783 fails |
9 | JDK-8147555 | docs | Document that % and " characters are not supported in keys and values of a property for Java Web Start | |
10 | JDK-8161741 | docs | guides | Typo within section "22.2.3 File Names" |
11 | JDK-8189182 | install | install | JDK8 RPM postinstall scriptlet assumes /usr/share/man/man1 exists |
12 | JDK-8203884 | javafx | graphics | Update libjpeg to version 9c |
13 | JDK-8214035 | javafx | graphics | Unable to render cmyk jpeg image |
14 | JDK-8212158 | javafx | other | FX: Update copyright year in docs, readme files to 2019 |
15 | JDK-8209652 | javafx | samples | Ensemble: Update version of Lucene to 7.4.0 |
16 | JDK-8213837 | javafx | samples | FX samples cannot load media from download.java.net over http |
17 | JDK-8211304 | javafx | window-toolkit | [macOS] Crash on focus loss from dialog on macOS 10.14 Mojave |
18 | JDK-8027781 | security-libs | java.security | New jarsigner timestamp warning is grammatically incorrect |
19 | JDK-8209129 | security-libs | javax.crypto | Further improvements to cipher buffer management |
20 | JDK-8208583 | security-libs | javax.crypto | Better management of internal KeyStore buffers |
21 | JDK-8207775 | security-libs | javax.crypto | Better management of CipherCore buffers |
22 | JDK-8209862 | security-libs | javax.crypto | CipherCore performance improvement |
23 | JDK-8211883 | security-libs | javax.net.ssl | Disable anon and NULL cipher suites |
The following sections summarize changes made in all Java SE 8u192 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR. Note that bug fixes in previous BPR (8u181-b37) are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8213011 | deploy | plugin | Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError |
8187364 | client-libs | javax.swing | Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component |
8159886 | deploy | plugin | Window of a newly launched Oracle Forms applet loses focus |
8141491 | core-libs | java.nio | Unaligned memory access in Bits.c |
8029661 | security-libs | javax.net.ssl | Support TLS v1.2 algorithm in SunPKCS11 provider |
8129988 | security-libs | javax.net.ssl | JSSE should create a single instance of the cacerts KeyStore |
8203190 | security-libs | javax.net.ssl | SessionId.hashCode generates too many collisions |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8212457 | deploy | webstart | JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8139507 | core-libs | java.util | WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs |
8170937 | client-libs | java.awt | Swing apps are slow if displaying from a remote source to many local displays |
8193879 (Confidential) |
core-svc | debugger | Java debugger hangs on method invocation |
8163083 (Confidential) |
core-svc | debugger | SocketListeningConnector does not allow invocations with port 0 |
Please note that fixes from the prior BPR (8u181 b37) are included in this version.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8208638 | client-libs | javax.swing | Instead of circle rendered in appl window, but ellipse is produced JEditor Pane |
October 16, 2018
The full version string for this update release is 1.8.0_192-b12 (where "b" means "build"). The version number is 8u192.
JDK 8u192 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u192 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_191-b12 |
7 | 1.7.0_201-b11 |
6 | 1.6.0_211-b11 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u192) will expire with the release of the next critical patch update scheduled for January 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u192) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
Support for Customization of Default Enabled Cipher Suites via System Properties
The system property jdk.tls.client.cipherSuites
can be used to customize the default enabled cipher suites for the client side of SSL/TLS connections. In a similar way, the system property jdk.tls.server.cipherSuites
can be used for customization on the server side.
The system properties contain a comma-separated list of supported cipher suite names that specify the default enabled cipher suites. All other supported cipher suites are disabled for this default setting. Unrecognized or unsupported cipher suite names specified in properties are ignored. Explicit setting of enabled cipher suites will override the system properties.
Please refer to the "Java Cryptography Architecture Standard Algorithm Name Documentation" for the standard JSSE cipher suite names, and the "Java Cryptography Architecture Oracle Providers Documentation" for the cipher suite names supported by the SunJSSE provider.
Note that the actual use of enabled cipher suites is restricted by algorithm constraints.
Note also that these system properties are currently supported by the JDK Reference Implementation. They are not guaranteed to be supported by other implementations.
Warning: These system properties can be used to configure weak cipher suites, or the configured cipher suites may become more weak over time. We do not recommend using the system properties unless you understand the security implications. Use them at your own risk.
See JDK-8162362
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8201240 | client-libs | 2d | Improve releasing native resources of BufImgSurfaceData.ICMColorData |
2 | JDK-8188030 | client-libs | java.awt | AWT java apps fail to start when some minimal fonts are present |
3 | JDK-8200353 | client-libs | java.awt | Shift or Capslock not working in Textfield after accented keystrokes |
4 | JDK-8195738 | client-libs | java.awt | scroll position in ScrollPane is reset after calling validate() |
5 | JDK-8188083 | client-libs | java.awt | NullPointerExcpn-java.awt.image.FilteredImageSource.startProduction JDK-8079607 |
6 | JDK-8150954 | client-libs | java.awt | Taking screenshots on x11 composite desktop produce wrong result |
7 | JDK-8202696 | client-libs | javax.swing | Remove exclusion range for phonetic chars in windows fontconfig.properties |
8 | JDK-8195095 | client-libs | javax.swing | Images are not scaled correctly in JEditorPane |
9 | JDK-8206914 | core-libs | add jdk8u-dev test failures to ProblemList.txt | |
10 | JDK-8201369 | core-libs | java.net | Inet4AddressImpl_getLocalHostName reverse lookup on Solaris only |
11 | JDK-8194412 | core-libs | java.time | Adding 256 units of IsoFields.QUARTER_YEARS broken |
12 | JDK-8176192 | core-libs | javax.naming | Incorrect usage of Iterator in Java 8 In com.sun.jndi.ldap.EventSupport.removeNamingListener |
13 | JDK-8156824 | core-libs | javax.naming | com.sun.jndi.ldap.pool.PoolCleaner should clear its context class loader |
14 | JDK-8186646 | core-libs | jdk.nashorn | Nashorn: "duplicate code" assertion when binding a vararg function that just passes arguments along |
15 | JDK-8201651 | deploy | plugin | Better error handling during JNLP2Manager initialisation |
16 | JDK-8204508 | deploy | webstart | Robot ScreenCapture fails on HiDPI system |
17 | JDK-8205343 | deploy | webstart | bug in backport of JDK-8185002 |
18 | JDK-8168415 | deploy | webstart | ShowDocument fails with URL using jnlp or jnlps protocol |
19 | JDK-8193711 | deploy | webstart | Launching JWS applet the default download progress dialog only shows if the java console is enabled |
20 | JDK-8195609 | deploy | webstart | DRS - cert based run rule not working when running offline |
21 | JDK-8008321 | hotspot | compiler | compile.cpp verify_graph_edges uses "bool" as "int" |
22 | JDK-8162540 | hotspot | compiler | Crash in C2 escape analysis with assert: "node should be registered" |
23 | JDK-8194642 | hotspot | compiler | Improve OOM error reporting for JDK8 |
24 | JDK-8158012 | hotspot | compiler | Use SW prefetch instructions instead of BIS for allocation prefetches on SPARC Core C4 |
25 | JDK-8148175 | hotspot | compiler | C1: G1 barriers don't preserve FP registers |
26 | JDK-8165489 | hotspot | gc | Missing G1 barrier in Unsafe_GetObjectVolatile |
27 | JDK-8173013 | hotspot | gc | JVMTI tagged object access needs G1 pre-barrier |
28 | JDK-8114823 | hotspot | gc | G1 doesn't honor request to disable class unloading |
29 | JDK-8081323 | hotspot | jvmti | ConstantPool::_resolved_references is missing in heap dump |
30 | JDK-8150426 | hotspot | runtime | Wrong cast in metadata_at_put |
31 | JDK-8196884 | hotspot | runtime | VS2017 Multiple Type Cast Conversion Compilation Errors |
32 | JDK-8196880 | hotspot | runtime | VS2017 Addition of Global Delete Operator with Size Parameter Conflicts with Arena's Chunk Provided One |
33 | JDK-8197868 | hotspot | runtime | VS2017 (C2065) 'timezone': Undeclared Identifier in share/runtime/os.cpp |
34 | JDK-8144201 | hotspot | runtime | openjdk aarch64: jdk/test/com/sun/net/httpserver/Test6a.java fails with --enable-unlimited-crypto |
35 | JDK-8189170 | hotspot | runtime | Add option to disable stack overflow checking in primordial thread for use with JNI_CreateJavaJVM |
36 | JDK-8206406 | hotspot | runtime | StubCodeDesc constructor publishes partially-constructed objects on StubCodeDesc::_list |
37 | JDK-8186461 | hotspot | runtime | Zero's atomic_copy64() should use SPE instructions on linux-powerpcspe |
38 | JDK-8185723 | hotspot | runtime | Zero: segfaults on Power PC 32-bit |
39 | JDK-8026331 | hotspot | runtime | hs_err improvement: Print if we have seen any OutOfMemoryErrors or StackOverflowErrors |
40 | JDK-8202600 | hotspot | runtime | [Zero] Undefined behaviour in src/os_cpu/linux_zero/vm/os_linux_zero.cpp |
41 | JDK-6730115 | hotspot | svc | Fastdebug VM crashes with "ExceptionMark destructor expects no pending exceptions" error |
42 | JDK-8204053 | hotspot | svc-agent | libsaproc.so not linked with -z,noexecstack |
43 | JDK-8189677 | javafx | controls | RadioMenuItem fires extra NULL value in property |
44 | JDK-8192800 | javafx | controls | Table auto resize ignores column resize policy |
45 | JDK-8198354 | javafx | graphics | [macOS] Corrupt Thai characters displayed in word wrapped label |
46 | JDK-8198316 | javafx | media | MediaPlayer crashes when playing m3u8 files on macOS High Sierra 10.13.2 |
47 | JDK-8202036 | javafx | other | Update OpenJFX license files to match OpenJDK |
48 | JDK-8147476 | javafx | web | Rendering issues with MathML token elements |
49 | JDK-8203845 | performance | backport of JDK-8034788 inadvertently rolled back JDK-8187045 changes to toolchain.m4 | |
50 | JDK-8165463 | security-libs | Native implementation of sunmscapi should use operator new (nothrow) for allocations | |
51 | JDK-8185855 | security-libs | java.security | Debug exception stacks should be clearer |
52 | JDK-8193171 | security-libs | java.security | keytool -list displays "JKS" for a PKCS12 keystore. |
53 | JDK-8081792 | security-libs | javax.crypto | buffer size calculation issue in NativeGCMCipher |
54 | JDK-8203182 | security-libs | javax.crypto:pkcs11 | Release session if initialization of SunPKCS11 Signature fails |
55 | JDK-8162362 | security-libs | javax.net.ssl | Introduce system property to control enabled ciphersuites |
October 16, 2018
The full version string for this update release is 1.8.0_191-b12 (where "b" means "build"). The version number is 8u191.
JDK 8u191 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u191 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_191-b12 |
7 | 1.7.0_201-b11 |
6 | 1.6.0_211-b11 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u191) will expire with the release of the next critical patch update scheduled for January 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u191) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
infrastructure/build
Build Environment Update Linux x86/x64 Moved to gcc 7.3
On x86/x64 Linux, the toolchain used to build the JDK has been upgraded from GCC 4.3 to GCC 7.3.
JDK-8206409 (not public)
core-svc
Changed Central File System Location for usagetracker.properties File
The file system location in Windows for the usagetracker.properties
file has been moved from %ProgramData%\Oracle\Java\
to %ProgramFiles%\Java\conf
There is no change in the file path for Linux, Solaris, or macOS.
JDK-8204901 (not public)
security-libs/javax.net.ssl
Disabled all DES TLS Cipher Suites
DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms
security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms
security property in the java.security
file or by dynamically calling the Security.setProperty()
method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites()
or SSLEngine.setEnabledCipherSuites()
methods.
Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms
security property.
See JDK-8208350
security-libs/java.security
Removal of Several Symantec Root CAs
The following Symantec root certificates are no longer in use and have been removed:
DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
DN: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DN: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
DN: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
See JDK-8191031
security-libs/java.security
Removal of Baltimore Cybertrust Code Signing CA
The following Baltimore CyberTrust Code Signing root certificate is no longer in use and has been removed:
DN: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
See JDK-8189949
security-libs/java.security
Removal of SECOM Root Certificate
The following SECOM root certificate is no longer in use and has been removed:
DN: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
See JDK-8191844
hotspot/runtime
Java Improvements for Docker Containers
The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:
The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:
-XX:-UseContainerSupport
In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:
-XX:ActiveProcessorCount=count
This count overrides any other automatic CPU detection logic in the JVM.
Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:
-XX:InitialRAMPercentage
-XX:MaxRAMPercentage
-XX:MinRAMPercentage
These options replace the deprecated Fraction forms (-XX:InitialRAMFraction
, -XX:MaxRAMFraction
, and -XX:MinRAMFraction
).
This bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.
See JDK-8146115
security-libs/javax.crypto
The specification of javax.crypto.CipherInputStream
has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.
JDK-8201756 (not public)
The following are some of the notable bug fixes included in this release:
core-libs/javax.naming
Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ) may encounter an exception when establishing the connection.
The top most frames from Exception stack traces of applications encountering such issues might resemble the following:
javax.naming.ServiceUnavailableException: <server:port>; socket closed
at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
...
See JDK-8211107
core-libs/java.net
Better HTTP Redirection Support
In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection
has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false)
for the original request.
JDK-8196902 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8152974 | client-libs | java.awt | AWT hang occurrs when sequenced events arrive out of sequence |
2 | JDK-8208353 | client-libs | java.awt | Upgrade JDK to libpng 1.6.35 |
3 | JDK-8168628 | core-libs | java.nio | (fc) SIGBUS when extending file size to map it |
4 | JDK-8171452 | core-libs | java.nio | (ch) linux io_util_md: Operation not supported exception after 8168628 |
5 | JDK-8211107 | core-libs | javax.naming | LDAPS communication failure with jdk 1.8.0_181 |
6 | JDK-8175871 | docs | guides | Deployment.properties file example is incorrect |
7 | JDK-8198835 | docs | guides | Typo in URL for XML section in developer guides |
8 | JDK-8173224 | docs | guides | Document jdk.tls.legacyAlgorithms security property |
9 | JDK-8164480 | hotspot | compiler | Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same |
10 | JDK-8146115 | hotspot | runtime | Improve docker container detection and resource configuration usage |
11 | JDK-8206875 | install | install | [L10N]Truncation issue happens on the final dialog for pt on Mac |
12 | JDK-8209191 | javafx | graphics | [macOS] Distorted complex text rendering |
13 | JDK-8199527 | javafx | media | Upgrade GStreamer to 1.14 |
14 | JDK-8209049 | javafx | web | Cherry pick GTK WebKit 2.20.4 changes |
15 | JDK-8208622 | javafx | web | [WebView] IllegalStateException when invoking print API with html form controls |
16 | JDK-8204856 | javafx | web | WebEngine document becomes null after PAGE_REPLACED event |
17 | JDK-8208114 | javafx | web | Drag and drop of text contents and URL links functionalities are broken in Webview |
18 | JDK-8203698 | javafx | web | JavaFX WebView crashes when visiting certain web sites |
19 | JDK-8199474 | javafx | web | Update to 606.1 version of WebKit |
20 | JDK-8200629 | javafx | web | Update SQLite to version 3.23.0 |
21 | JDK-8197987 | javafx | web | Update libxslt to version 1.1.32 |
22 | JDK-8193368 | javafx | web | [OS X] Remove redundant files |
23 | JDK-8142927 | other-libs | other | Feed some text to STDIN in ProcessTools.executeProcess() |
24 | JDK-8180289 | security-libs | java.security | jarsigner treats timestamped signed jar invalid after the signer cert expires |
25 | JDK-8130132 | security-libs | java.security | jarsigner should emit warning if weak algorithms or keysizes are used |
26 | JDK-8191031 | security-libs | java.security | Remove several Symantec Root CAs |
27 | JDK-8191844 | security-libs | java.security | Remove SECOM root (secomevrootca1) |
28 | JDK-8189949 | security-libs | java.security | Remove Baltimore Cybertrust Code Signing CA |
29 | JDK-8074462 | security-libs | javax.net.ssl | Handshake messages can be strictly ordered |
30 | JDK-8172529 | security-libs | jdk.security | Use PKIXValidator in jarsigner |
31 | JDK-8197518 | security-libs | org.ietf.jgss | Kerberos krb5 authentication: AuthList's put method leads to performance issue |
The following sections summarize changes made in all Java SE 8u181 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8211107 | core-libs | javax.naming | LDAPS communication failure with jdk 1.8.0_181 |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8204513 (Confidential) |
deploy | deployment_toolkit | Context lost after resizing the browser window in applet with Forms |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8201818 | client-libs | 2d | [macosx] Printing attributes break page size set via "java.awt.print.Book" object |
Bug Fixes