This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 8.
BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.
The following sections summarize changes made in all Java SE 8u381 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8306899 (not public) | install | install | JRE 8u371 MSI unable to install side-by-side JREs |
JDK-8311244 (not public) | hotspot | gc | frequent crashes at g1CollectedHeap.cpp:5923 after updating to JDK8u371 |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8284542 | jfx | accessibility | Missing attribute for toggle state of CheckBox in CheckBoxTreeItem |
JDK-8309557 (not public) | install | Update the JRE 8 Description in RPM packages |
The following sections summarize changes made in Java SE 8u381 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8314063 | core-libs | javax.naming | The socket is not closed in Connection::createSocket when the handshake failed for LDAP connection |
JDK-8313657 | core-libs | javax.naming | com.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors |
JDK-8314929 (not public) | hotspot | jfr | Fix 8286707 JFR: Don't commit JFR internal jdk.JavaMonitorWait events |
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.
This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.
In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0
. The usage of such flags is not recommended.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8280007 | hotspot | compiler | Enable Neoverse N1 optimizations for Arm Neoverse V1 & N2 |
2 | JDK-8299179 | hotspot | compiler | ArrayFill with store on backedge needs to reduce length by 1 |
3 | JDK-8302595 | hotspot | compiler | use-after-free related to GraphKit::clone_map |
4 | JDK-8299959 | hotspot | compiler | C2: CmpU::Value must filter overflow computation against local sub computation |
5 | JDK-8303564 | hotspot | compiler | C2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi |
6 | JDK-8303508 | hotspot | compiler | Vector.lane() gets wrong value on x86 |
7 | JDK-8299570 | hotspot | compiler | [JVMCI] Insufficient error handling when CodeBuffer is exhausted |
8 | JDK-8300079 | hotspot | compiler | SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument |
9 | JDK-8299259 | hotspot | compiler | C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE |
10 | JDK-8296318 | hotspot | compiler | use-def assert: special case undetected loops nested in infinite loops |
11 | JDK-8296412 | hotspot | compiler | Special case infinite loops with unmerged backedges in IdealLoopTree::check_safepts |
12 | JDK-8297730 | hotspot | compiler | C2: Arraycopy intrinsic throws incorrect exception |
13 | JDK-8301491 | hotspot | compiler | C2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument |
14 | JDK-8303588 | hotspot | compiler | [JVMCI] make JVMCI source directories conform with standard layout |
15 | JDK-8201516 | hotspot | compiler | DebugNonSafepoints generates incorrect information |
16 | JDK-8302508 | hotspot | compiler | Add timestamp to the output TraceCompilerThreads |
17 | JDK-8289748 | hotspot | compiler | C2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM |
18 | JDK-8308884 | hotspot | compiler | [17u/11u] Backout JDK-8297951 |
19 | JDK-8303511 | hotspot | compiler | C2: assert(get_ctrl(n) == cle_out) during unrolling |
20 | JDK-8291456 | hotspot | jvmti | com/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4 |
21 | JDK-8280784 | hotspot | runtime | VM_Cleanup unnecessarily processes all thread oops |
22 | JDK-8294677 | hotspot | runtime | chunklevel::MAX_CHUNK_WORD_SIZE too small for some applications |
23 | JDK-8277946 | hotspot | runtime | NMT: Remove VM.native_memory shutdown jcmd command option |
24 | JDK-8301123 | hotspot | runtime | Enable Symbol refcounting underflow checks in PRODUCT |
25 | JDK-8295974 | hotspot | runtime | jni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames |
26 | JDK-8287007 | hotspot | runtime | [cgroups] Consistently use stringStream throughout parsing code |
27 | JDK-8278965 | hotspot | runtime | crash in SymbolTable::do_lookup |
28 | JDK-8301749 | hotspot | runtime | Tracking malloc pooled memory size |
July 18, 2023
The full version string for this update release is 8u381-b09 (where "b" means "build"). The version number is 8u381.
JDK 8u381 contains IANA time zone data 2023c which contains the following changes since the previous update.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u381 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u381-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u381) be used after the next critical patch update scheduled for October 17, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u381) on 2023-11-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 35 code points (U+9FCD
- U+9FEF
) from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 1
requirements.
The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset
implementation for this new standard has now replaced the prior 2000
standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030
, is introduced. By setting its value to 2000
, the previous JDK releases' mappings for the GB18030 Charset
are used, which are based on the 2000
standard.
The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 108 code points from CJK Unified Ideographs Extension E
block from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 2
requirements.
RSA private and public keys in PKCS#1 format can now be accepted by JDK providers, such as the RSA KeyFactory.impl
from the SunRsaSign provider. The RSA private or public key object should have the PKCS#1 format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA private key and public key.
Installing into the same, shared jdk-(family)
directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse
issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.
Internal Error (g1CollectedHeap.cpp:5923)
after Upgrading to JDK 8u371 or JDK 8u381
(JDK-8311244 (not public))
There is the possibility of an application crash with the following error:
# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx # guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be
This affects JDK 8u371 and JDK 8u381 runtimes using G1 GC on all supported platforms.
The failure is now corrected in the JDK 8u381 b32 Bundle Patch Release available via My Oracle Support.
Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe
command to not be found. For example:
java.exe
will now not work from all places. It will only work directly from the bin
directory.
java.exe
will not work unless you specify the full path to the bin directory of your JRE.
There are 2 workarounds:
java.exe
in the \bin
directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe
JDK 8u381 includes several enhancements and fixes to improve the cgroup v1 and v2 support for containers. The improvements include accurately detecting the resource limits of containers, correctly reporting the collected container metrics, printing additional container information, and improving application stability in containerized environments.
Some of the notable stability enhancements are:
JDK-8292083: Java applications may experience out-of-memory errors and run the risk of being killed by the OOM killer when running in a containerized environment where the container is configured with a higher memory limit than the available physical memory on the host system. JDK 8u381 addresses this stability issue. In the previous release, this situation can be avoided by using either -XX:-UseContainerSupport
, or -XX:MaxRAM=<physical memory>
, or by setting a memory limit for your container that is lower than the physical memory.
JDK-8286030: This release addresses an issue where Java applications may encounter a fatal error when the same /tmp
directory is shared across multiple containers. In earlier releases, this crash can be avoided by mounting /tmp
to different locations for different containers. Alternatively, the '-XX:-UsePerfData' JVM option can be used to prevent JVMs running within different containers from writing performance data to the shared /tmp
folder and thus avoid this issue.
Added an "Obsoletes" tag to JDK 8 RPM packages to allow automatic upgrades from older JDK 8 RPM packages.
jdk-1.8
package obsoletes jdk1.8
package.jre-1.8
package obsoletes jre1.8
package.jdk-1.8-headful
package obsoletes jdk1.8
package.jre-1.8-headful
package obsoletes jre1.8
package.No "Obsoletes" tag was added to the jdk-1.8-headless
package to prevent upgrading from the full to headless JDK.
The changes allow automatic upgrades for JDK 8 RPM packages starting from the 8u151 update when jdk1.8
and jre1.8
package names were first introduced. Older JDK 8 updates will not be eligible for automatic upgrades to 8u381 and newer updates.
Due to the limitations of "Obsoletes" tag downgrades from 8u381 to older versions are not supported.
/usr/java/default
Symlink on Linux Restored
(JDK-8306690)
A regression where the /usr/java/default
symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default
symlink if it doesn't exist, targeting the /usr/java/latest
symlink.
The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.
An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.
An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.
All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.
The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.
The following root certificate has been added to the cacerts truststore:
+ TWCA
+ twcaglobalrootca
DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW
The following root certificates have been added to the cacerts truststore:
+ Google Trust Services LLC
+ gtsrootcar1
DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootcar2
DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootecccar3
DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US
+ Google Trust Services LLC
+ gtsrootecccar4
DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US
The following root certificates have been added to the cacerts truststore:
+ Microsoft Corporation
+ microsoftecc2017
DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US
+ Microsoft Corporation
+ microsoftrsa2017
DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US
java.specification.maintenance.version
Set to 5
(JDK-8303028)
This JDK implements Maintenance Release 5 of the Java SE 8 specification (JSR 337). This is indicated by the system property java.specification.maintenance.version
having the value of "5"
.
Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.
This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.
In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0
. The usage of such flags is not recommended.
A behavioral change has been made when the default conf/security/java.security
security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError
.
Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.
A new system property, jdk.jar.maxSignatureFileSize
, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u381 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8304636 | client-libs/java.awt | java/awt/Mouse/EnterExitEvents/DragWindowTest.java fails with Compilation Error on JDK 8u |
2 | JDK-8189604 | client-libs/java.awt | possible hang in sun.awt.shell.Win32ShellFolder2$KnownFolderDefinition::<clinit> |
3 | JDK-8159956 | client-libs/java.awt | EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins |
4 | JDK-8302151 | client-libs/javax.imageio | BMPImageReader throws an exception reading BMP images |
5 | JDK-8003399 | client-libs/javax.swing | JFileChooser gives wrong path to selected file when saving to Libraries folder on Windows 7 |
6 | JDK-8017487 | client-libs/javax.swing | filechooser in Windows-Libraries folder: columns are mixed up |
7 | JDK-8284756 | core-libs | [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem |
8 | JDK-8212528 | core-libs | Wrong cgroup subsystem being used for some CPU Container Metrics |
9 | JDK-8275735 | core-libs | [linux] Remove deprecated Metrics api (kernel memory limit) |
10 | JDK-8305681 | core-libs/java.lang | Allow additional characters for GB18030-2022 (Level 2) support |
11 | JDK-8241786 | core-libs/java.net | Improve heuristic to determine default network interface on macOS |
12 | JDK-8211382 | core-libs/java.nio.charsets | ISO2022JP and GB18030 NIO converter issues |
13 | JDK-8301119 | core-libs/java.nio.charsets | Support for GB18030-2022 |
14 | JDK-8172347 | core-libs/java.rmi | Refactoring src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java to improve testability of rmiregistry |
15 | JDK-8212970 | core-libs/java.time | TZ database in "vanguard" format support |
16 | JDK-8305400 | core-libs/java.util:i18n | ISO 4217 Amendment 175 Update |
17 | JDK-8254001 | core-svc | [Metrics] Enhance parsing of cgroup interface files for version detection |
18 | JDK-8293540 | core-svc | [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts |
19 | JDK-8292541 | core-svc/java.lang.management | [Metrics] Reported memory limit may exceed physical machine memory |
20 | JDK-8301282 | docs/guides | JMX simple and delegation security samples don't work because of missing access control entries |
21 | JDK-8293821 | docs/guides | JDK LTS backports for Doc Tasks for JEP C206/C208: Modernize Oracle JDK Linux RPMs and installers on Windows and macOS |
22 | JDK-8233023 | hotspot/compiler | assert(Opcode() == mem->Opcode() || phase->C->get_alias_index(adr_type()) == Compile::AliasIdxRaw) failed: no mismatched stores, except on raw memory |
23 | JDK-8210389 | hotspot/compiler | C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc |
24 | JDK-8217230 | hotspot/compiler | assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() |
25 | JDK-8062258 | hotspot/compiler | compiler/debug/TraceIterativeGVN.java segfaults in trace_PhaseIterGVN |
26 | JDK-8281297 | hotspot/gc | TestStressG1Humongous fails with guarantee(is_range_uncommitted) |
27 | JDK-8167196 | hotspot/gc | WhiteBox methods should throw an exception if used with inappropriate collector. |
28 | JDK-8264593 | hotspot/runtime | debug.cpp utilities should be available in product builds. |
29 | JDK-8281274 | hotspot/runtime | deal with ActiveProcessorCount in os::Linux::print_container_info |
30 | JDK-8266490 | hotspot/runtime | Extend the OSContainer API to support the pids controller of cgroups |
31 | JDK-8273526 | hotspot/runtime | Extend the OSContainer API pids controller with pids.current |
32 | JDK-8231610 | hotspot/runtime | Relocate the CDS archive if it cannot be mapped to the requested address |
33 | JDK-8287741 | hotspot/runtime | Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete |
34 | JDK-8287107 | hotspot/runtime | CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller |
35 | JDK-8286030 | hotspot/runtime | Avoid JVM crash when containers share the same /tmp dir |
36 | JDK-8287011 | hotspot/runtime | Improve container information |
37 | JDK-8293472 | hotspot/runtime | Incorrect container resource limit detection if manual cgroup fs mounts present |
38 | JDK-8292083 | hotspot/runtime | Detected container memory limit may exceed physical machine memory |
39 | JDK-8272124 | hotspot/runtime | Cgroup v1 initialization causes NullPointerException when cgroup path contains colon |
40 | JDK-8281517 | install/install | Improve the error message shown when a user tries to install the aarch64 bundle on an intel mac |
41 | JDK-8284662 | javafx/accessibility | [Win][Accessibility][ListCell] Screen reader fails to read ListView/ComboBox item count if > 100 |
42 | JDK-8251862 | javafx/graphics | Wrong position of Popup windows at the intersection of 2 screens |
43 | JDK-8301009 | javafx/web | Update libxml2 to 2.10.3 |
44 | JDK-8306115 | javafx/web | Update libxml2 to 2.10.4 |
45 | JDK-8304441 | javafx/window-toolkit | [macos] Crash when putting invalid unicode char on clipboard |
46 | JDK-8296654 | javafx/window-toolkit | [macos] Crash when launching JavaFX app with JDK that targets SDK 13 |
47 | JDK-8292297 | security-libs/java.security | Fix up loading of override java.security properties file |
48 | JDK-8173181 | security-libs/java.security | Empty string alias in KeyStore throws StringIndexOutOfBoundsException for getEntry() |
49 | JDK-8293858 | security-libs/java.security | Change PKCS7 code to use default SecureRandom impl instead of SHA1PRNG |
50 | JDK-8294906 | security-libs/javax.crypto:pkcs11 | Memory leak in PKCS11 NSS TLS server |
51 | JDK-8274205 | security-libs/org.ietf.jgss:krb5 | Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC |
52 | JDK-8301269 | xml/jaxp | Update Commons BCEL to Version 6.7.0 |
The following sections summarize changes made in all Java SE 8u371 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8307400 (not public) | install | install | The new Java 8u371 RPMs break the standard RHEL OS update mechanism |
JDK-8307777 (not public) | install | install | JDK rpm packages have wrong license |
JDK-8307831 (not public) | install | install | Move dependency on libfreetype.so.6 from JDK8 headless to headful jdk |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8159956 | client-libs | java.awt | EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins |
JDK-8305113 | core-libs | java.time | (tz) Update Timezone Data to 2023c |
JDK-8212970 | core-libs | java.time | TZ database in "vanguard" format support |
JDK-8306690 | install | install | Restore missing /usr/java/default symlink on Linux |
JDK-8305976 | install | install | Installation of OL-specific x64 jdk rpms pulls in i686 dependencies |
JDK-8305177 (not public) | infrastructure | build | Perf and milestone suffix missing in rpm bundle names |
JDK-8302112 (not public) | hotspot | test | remove windows 2012 from task definitions |
Fixes from the prior BPR are included in this version.
The following sections summarize changes made in Java SE 8u371 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8309862 | hotspot | jfr | Unsafe list operations in JfrStringPool |
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8159956 | client-libs | java.awt | EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins |
JDK-8305113 | core-libs | java.time | (tz) Update Timezone Data to 2023c |
JDK-8212970 | core-libs | java.time | TZ database in "vanguard" format support |
JDK-8306690 | install | install | Restore missing /usr/java/default symlink on Linux |
JDK-8305976 | install | install | Installation of OL-specific x64 jdk rpms pulls in i686 dependencies |
JDK-8305177 (not public) | infrastructure | build | Perf and milestone suffix missing in rpm bundle names |
JDK-8302112 (not public) | hotspot | test | remove windows 2012 from task definitions |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8303452 (not public) | hotspot | jfr | [JFR] Larger strings arent added to string pool |
# | BugId | Component/Subcomponent | Summary |
---|---|---|---|
1 | JDK-8297656 | performance/hotspot | AArch64: Enable AES/GCM Intrinsics |
2 | JDK-8268276 | hotspot/compiler | Base64 Decoding optimization for x86 using AVX-512 |
3 | JDK-8269404 | hotspot/compiler | Base64 Encoding optimization enhancements for x86 using AVX-512 |
4 | JDK-8273108 | hotspot/compiler | RunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276 |
5 | JDK-8273459 | hotspot/compiler | Update code segment alignment to 64 bytes |
6 | JDK-8296958 | hotspot/compiler | [JVMCI] add API for retrieving ConstantValue attributes |
7 | JDK-8296961 | hotspot/compiler | [JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField |
8 | JDK-8296960 | hotspot/compiler | [JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool |
9 | JDK-8296967 | hotspot/compiler | [JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod |
10 | JDK-8282528 | hotspot/compiler | AArch64: Incorrect replicate2L_zero rule |
11 | JDK-8277137 | hotspot/compiler | Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 |
12 | JDK-8294902 | hotspot/compiler | Undefined Behavior in C2 regalloc with null references |
13 | JDK-8290322 | hotspot/compiler | Optimize Vector.rearrange over byte vectors for AVX512BW targets. |
14 | JDK-8295066 | hotspot/compiler | Folding of loads is broken in C2 after JDK-8242115 |
15 | JDK-8296912 | hotspot/compiler | C2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1 |
16 | JDK-8294538 | hotspot/compiler | missing is_unloading() check in SharedRuntime::fixup_callers_callsite() |
17 | JDK-8292602 | hotspot/compiler | ZGC: C2 late barrier analysis uses invalid dominator information |
18 | JDK-8292660 | hotspot/compiler | C2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly |
19 | JDK-8292285 | hotspot/compiler | C2: remove unreachable block after NeverBranch-to-Goto conversion |
20 | JDK-8290964 | hotspot/compiler | C2 compilation fails with assert "non-reduction loop contains reduction nodes" |
21 | JDK-8281122 | hotspot/compiler | [IR Framework] Cleanup IR matching code in preparation for JDK-8280378 |
22 | JDK-8276064 | hotspot/compiler | CheckCastPP with raw oop input floats below a safepoint |
23 | JDK-8296924 | hotspot/compiler | C2: assert(is_valid_AArch64_address(dest.target())) failed: bad address |
24 | JDK-8290850 | hotspot/compiler | C2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph |
25 | JDK-8297431 | hotspot/compiler | [JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception |
26 | JDK-8296136 | hotspot/compiler | Use correct register in aarch64_enc_fast_unlock() |
27 | JDK-8285835 | hotspot/compiler | SIGSEGV in PhaseIdealLoop::build_loop_late_post_work |
28 | JDK-8295788 | hotspot/compiler | C2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node" |
29 | JDK-8297951 | hotspot/compiler | C2: Create skeleton predicates for all If nodes in loop predication |
30 | JDK-8297264 | hotspot/compiler | C2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top |
31 | JDK-8295116 | hotspot/compiler | C2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead |
32 | JDK-8296389 | hotspot/compiler | C2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors |
33 | JDK-8242115 | hotspot/compiler | C2 SATB barriers are not safepoint-safe |
34 | JDK-8292301 | hotspot/compiler | [REDO v2] C2 crash when allocating array of size too large |
35 | JDK-8272985 | hotspot/gc | Reference discovery is confused about atomicity and degree of parallelism |
36 | JDK-8296733 | hotspot/jfr | JFR: File Read event for RandomAccessFile::write(byte[]) is incorrect |
37 | JDK-8283199 | hotspot/runtime | Linux os::cpu_microcode_revision() stalls cold startup |
38 | JDK-8287011 | hotspot/runtime | Improve container information |
39 | JDK-8271506 | hotspot/runtime | Add ResourceHashtable support for deleting selected entries |
40 | JDK-8294160 | hotspot/runtime | misc crash dump improvements |
41 | JDK-8286030 | hotspot/runtime | Avoid JVM crash when containers share the same /tmp dir |
42 | JDK-8048190 | hotspot/runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
43 | JDK-8293472 | hotspot/runtime | Incorrect container resource limit detection if manual cgroup fs mounts present |
44 | JDK-8262386 | hotspot/svc-agent | resourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out |
April 18, 2023
The full version string for this update release is 8u371-b11 (where "b" means "build"). The version number is 8u371.
JDK 8u371 contains IANA time zone data 2022g which contains the following changes since the previous update.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u371 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u371-b11 |
Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u371) after the next critical patch update release, scheduled for July 18, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u371) on 2023-08-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
A native GSS-API library named sspi_bridge.dll
has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It will be loaded when the sun.security.jgss.native
system property is set to "true". A user can still load a third-party native GSS-API library by setting the sun.security.jgss.lib
system property to its path.
Native GSS automatically uses cached credentials from operating systems, thus the javax.security.auth.useSubjectCredsOnly
system property should be set to false.
com.sun.security.auth.module.Krb5LoginModule
does not call native JGSS. Avoid using com.sun.security.auth.module.Krb5LoginModule
from JAAS config.
The AppleScript engine implementing the javax.script engine API has been removed without replacement. The AppleScript engine has worked inconsistently. The services configuration (META-INF/services)
file was missing and only worked by accident when installing JDK 7 or JDK 8 on systems that had Apple's version of AppleScriptEngine.jar already on the system.
The com.apple.concurrent.Dispatch
API was a Mac-only API. It was carried into JDK 7u4 with the port of Apple's JDK 6 code. Developers are encouraged to use the standard java.util.concurrent.Executor
and java.util.concurrent.ExecutorService
APIs instead.
This issue prevents yum
from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum
but with the x86_64 architecture.
After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:
rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo
It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install
command to ensure the installation of the required packages.
Fixed a regression where the /usr/java/default
symlink is not created by RPM installers on Linux platforms. Now, installers will create the /usr/java/default
symlink if it doesn't exist, targeting the /usr/java/latest
symlink.
After upgrading to JDK 8u371 or later, there is the possibility of an application crash. The error log has a stack trace that starts with the following:
# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx # guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be
The above error may impact applications using G1 GC on all supported platforms.
Those who encounter the above error are encouraged to create a Service Request through My Oracle Support so that we can provide an interim solution to resolve the error.
Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object>
tag which allows for subclasses of java.awt.Component
to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true
.
The installation directory name of the Oracle JRE in an RPM package has changed from /usr/java/jre-1.8.0_${UPDATE}-${ARCH}
to /usr/lib/jvm/jre-1.8-oracle-${ARCH}
. The installation directory name of the Oracle JDK in an RPM package has changed from /usr/java/jdk-1.8.0_${UPDATE}-${ARCH}
to /usr/lib/jvm/jdk-1.8-oracle-${ARCH}
. Thus the 8u371 and 8u381 releases of JDK for x64 will both be installed in the /usr/lib/jvm/jdk-1.8-oracle-x64
directory and the JRE for x64 will both be installed in the /usr/lib/jvm/jre-1.8-oracle-x64
directory. Both JDK and JRE RPM packages will create /usr/java/jdk-1.8.0-${ARCH}
and /usr/java/jre-1.8.0-${ARCH}
links respectively pointing to the installation directories for backward compatibility.
For the x86_64
platform, the value of the ${ARCH}
suffix has changed from amd64
to x64
. For the x86_32
platform, the value of the ${ARCH}
has changed from i586
to x86
.
The JRE RPM package name has changed from jre1.8
to jre-1.8
to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JRE and then install the new JRE. For example, sudo rpm -e jre1.8; sudo rpm -i jre-8u371-linux-x64.rpm
. The JDK RPM package name has changed from jdk1.8
to jdk-1.8
to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JDK and then install the new JDK. For example, sudo rpm -e jdk1.8; sudo rpm -i jdk-8u371-linux-x64.rpm
.
Communication with the alternatives framework for the JDK RPM package has changed. JDK RPM packages of prior versions registered a single java
group of commands with the alternatives framework. The JDK 1.8 RPM package registers java
and javac
groups with the alternatives framework. The java
group is for commands used to run applications: java
, javaws
, jcontrol
, jjs
, keytool
, orbd
, pack200
, policytool
, rmic
, rmid
, rmiregistry
, servertool
, tnameserv
, unpack200
. The javac
group is used for all other commands. The set of commands registered by the package has not changed.
Three new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-1.8-headless
, jdk-1.8-headful
, and jre-1.8-headful
. These packages are available in OL7, OL8, and OL9 repositories. They are not available for download from oracle.com.
jdk-1.8-headless
is a Headless Java Runtime for running non-GUI applications.jdk-1.8-headful
is a Headful Java Runtime with Development Tools for developing and running applications of all types.jre-1.8-headful
is a Headful Java Runtime for running applications of all types.The combination of the OL-specific jdk-1.8-headless
and jdk-1.8-headful
packages provides the same JDK image and the same capabilities as the jdk-1.8
oracle.com package. The jre-1.8-headful
package provides the same JRE image and the same capabilities as the jre-1.8
oracle.com package. OL-specific JDK and JRE RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist}
suffix. The value of the Release property of all RPM packages contains the value of the build number instead of the milestone.
Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE%
instead of %Program Files%\Java\jdk-%VNUM%
. That is, all updates of the same release must share one installation directory. It will not be possible to install older versions of a family if there is a newer JRE of that family already installed.
Thus the JDK 8u371 and JDK 8u381 releases will both install into %Program Files%\Java\jdk-1.8
by default, and they both cannot be installed at the same time.
Note: The Java 8u371 feature JDK-8293762 will now only allow one JRE of each family to be installed at one time. The REMOVEOLDERJRES=1
feature will no longer be supported with the standalone MSI. This is by design, as we only allow one JRE of each family of Java. The newer JREs will auto-upgrade older JREs of the same family.
The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk1.8.0_${UPDATE}.jdk
to /Library/Java/JavaVirtualMachines/jdk-1.8.jdk
. Thus the 8u371 and 8u381 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-1.8.jdk
installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 8 update releases shipped prior to this release, JDK 8u371, will not be uninstalled during installation of JDK 8u371 or later.
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignaca
DN: CN=Certigna, O=Dhimyotis, C=FR
SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.
After this update, if SSLv3 is removed from the jdk.tls.disabledAlgorithms
security property, the SSLSocket.getEnabledProtocols()
, SSLServerSocket.getEnabledProtocols()
, SSLEngine.getEnabledProtocols()
and SSLParameters.getProtocols()
APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.
If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the jdk.tls.client.protocols
or jdk.tls.server.protocols
system properties or with the SSLSocket.setEnabledProtocols()
, SSLServerSocket.setEnabledProtocols()
and SSLEngine.setEnabledProtocols()
APIs.
After updating to JDK 8u361, applications failed to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException
occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem
.
The JVM sometimes failed to initialize on Linux systems where /proc/self/mountinfo
does not contain any mounted filesystem or controllers for cgroup.
For background information, see also My Oracle Support see KM Doc ID 2923131.1.
As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.
If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes. More information can be found in “C++ binary compatibility between Visual Studio versions”.
Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:
Exception in thread "main" java.io.IOException: Could not decode parameters. at com.rsa.cryptoj.o.ms.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)
Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.
Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe
command to not be found. For example:
java.exe
will now not work from all places. It will only work directly from the bin
directory.
java.exe
will not work unless you specify the full path to the bin directory of your JRE.
There are 2 workarounds:
java.exe
in the \bin
directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u371 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8285399 | client-libs/2d | JNI exception pending in awt_GraphicsEnv.c:1432 |
2 | JDK-8284023 | client-libs/java.awt | java.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo |
3 | JDK-8296496 | client-libs/java.awt | Overzealous check in sizecalc.h prevents large memory allocation |
4 | JDK-8295685 | client-libs/java.awt | Update Libpng to 1.6.38 |
5 | JDK-8294378 | core-libs/java.net | URLPermission constructor exception when using tr locale |
6 | JDK-8297569 | core-libs/java.net | URLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378 |
7 | JDK-8299439 | core-libs/java.text | java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR |
8 | JDK-8295530 | core-libs/java.util.jar | Update Zlib Data Compression Library to Version 1.2.13 |
9 | JDK-8287180 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-08-08 |
10 | JDK-8267038 | core-libs/java.util:i18n | Update IANA Language Subtag Registry to Version 2022-03-02 |
11 | JDK-8296239 | core-libs/java.util:i18n | ISO 4217 Amendment 174 Update |
12 | JDK-8241900 | hotspot/compiler | Loop unswitching may cause dependence on null check to be lost |
13 | JDK-8179954 | hotspot/compiler | AArch64: C1 and C2 volatile accesses are not sequentially consistent |
14 | JDK-8210387 | hotspot/compiler | C2 compilation fails with "assert(node->_last_del == _last) failed: must have deleted the edge just produced" |
15 | JDK-8248552 | hotspot/compiler | C2 crashes with SIGFPE due to division by zero |
16 | JDK-8069191 | hotspot/compiler | moving predicate out of loops may cause array accesses to bypass null check |
17 | JDK-8250825 | hotspot/compiler | C2 crashes with assert(field != __null) failed: missing field |
18 | JDK-8255466 | hotspot/compiler | C2 crashes at ciObject::get_oop() const+0x0 |
19 | JDK-8272985 | hotspot/gc | Reference discovery is confused about atomicity and degree of parallelism |
20 | JDK-8005165 | hotspot/runtime | Remove CPU-dependent code in self-patching vtables |
21 | JDK-8271506 | hotspot/runtime | Add ResourceHashtable support for deleting selected entries |
22 | JDK-8253797 | hotspot/runtime | [cgroups v2] Account for the fact that swap accounting is disabled on some systems |
23 | JDK-8239785 | hotspot/runtime | Cgroups: Incorrect detection logic on old systems in hotspot |
24 | JDK-8239559 | hotspot/runtime | Cgroups: Incorrect detection logic on some systems |
25 | JDK-8048190 | hotspot/runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
26 | JDK-8197859 | hotspot/runtime | VS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp |
27 | JDK-8254997 | hotspot/runtime | Remove unimplemented OSContainer::read_memory_limit_in_bytes |
28 | JDK-8252359 | hotspot/runtime | HotSpot Not Identifying it is Running in a Container |
29 | JDK-8253435 | hotspot/runtime | Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist |
30 | JDK-8284633 | hotspot/runtime | CompressedClassPointers.java fails on macos-aarch64 |
31 | JDK-8220658 | hotspot/runtime | Improve the readability of container information in the error log |
32 | JDK-8291763 | hotspot/runtime | Include virtualization information in hs_err crash log on Solaris |
33 | JDK-8289424 | hotspot/runtime | Include LD_HWCAP in hs_err log output |
34 | JDK-8298349 | install/install | /usr/java/latest points to wrong JDK |
35 | JDK-8298330 | install/install | /usr/java/latest is missing after one of JDK rpms is uninstalled |
36 | JDK-8149508 | javafx/controls | Performance issue when scrolling ListView due to excess CSS processing |
37 | JDK-8294400 | javafx/media | Provide media support for libavcodec version 59 |
38 | JDK-8257895 | javafx/media | Allow building of JavaFX media libs for Apple Silicon |
39 | JDK-8298167 | javafx/web | Opacity in WebView not working anymore |
40 | JDK-8295755 | javafx/web | Update SQLite to 3.39.4 |
41 | JDK-8303217 | javafx/web | Webview loaded webpage is not showing play, volume related buttons for embeded Audio/Video elements |
42 | JDK-8301022 | javafx/web | Video distortion is observed while playing youtube video |
43 | JDK-8300954 | javafx/web | HTML default Range input control not rendered |
44 | JDK-8301712 | javafx/web | [linux] Crash on exit from WebKit 615.1 |
45 | JDK-8302684 | javafx/web | Cherry-pick WebKit 615.1 stabilization fixes (2) |
46 | JDK-8302294 | javafx/web | Cherry-pick WebKit 615.1 stabilization fixes |
47 | JDK-8299977 | javafx/web | Update WebKit to 615.1 |
48 | JDK-8242151 | security-libs/java.security | Improve OID mapping and reuse among JDK security providers for aliases registration |
49 | JDK-8242897 | security-libs/java.security | KeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException |
50 | JDK-8280890 | security-libs/java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
51 | JDK-8200468 | security-libs/org.ietf.jgss | Port the native GSS-API bridge to Windows |
52 | JDK-8253829 | security-libs/org.ietf.jgss | Wrong length compared in SSPI bridge |
53 | JDK-8225687 | security-libs/org.ietf.jgss | Newly added sspi.cpp in JDK-6722928 still contains some small errors |
54 | JDK-8175000 | tools/launcher | jexec fails to execute simple helloworld.jar |
The following sections summarize changes made in all Java SE 8u361 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8299439 | core-libs | java.text | java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR |
JDK-8017487 | client-libs | javax.swing | filechooser in Windows-Libraries folder: columns are mixed up |
JDK-8301318 (Confidential) | deploy | webstart | Few JVM arguments are not supported in JAVAWS/JNLP |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8274205 | security-libs | org.ietf.jgss:krb5 | Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC |
JDK-8284662 | javafx | accessibility | Screen reader fails to read ListView/ComboBox item count if > 100 |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8251862 | javafx | graphics | Wrong position of Popup windows at the intersection of 2 screens |
JDK-8149508 | javafx | controls | Performance issue when scrolling ListView due to excess CSS processing |
JDK-8299741 | install | autoupdate | A temporary file is left in 'locallow' temp directory after Java Update |
The JVM will fail to initialize on Linux systems where /proc/self/mountinfo
does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.
A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8089986 | javafx | controls | Menu beeps when mnemonics is used |
JDK-7131823 | client-libs | javax.imageio | bug in GIFImageReader |
JDK-6357887 | client-libs | 2d | selected printertray is ignored under linux |
JDK-8239559 | hotspot | runtime | Cgroups: Incorrect detection logic on some systems |
JDK-8239785 | hotspot | runtime | Cgroups: Incorrect detection logic on old systems in hotspot |
JDK-8048190 | hotspot | runtime | NoClassDefFoundError omits original ExceptionInInitializerError |
JDK-8271506 | hotspot | runtime | Add ResourceHashtable support for deleting selected entries |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8205959 | core-libs | java.net | Do not restart close if errno is EINTR |
JDK-8280890 | security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
JDK-8299628 (Confidential) | javafx | graphics | BMP top-down images fail to load after JDK-8289336 |
JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g |
The following sections summarize changes made in Java SE 8u361 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
This BPR contains all of the fixes included in the corresponding JDK 8 BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-6357887 | client-libs | 2d | selected printertray is ignored under linux |
JDK-7131823 | client-libs | javax.imageio | bug in GIFImageReader |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8205959 | core-libs | java.net | Do not restart close if errno is EINTR |
JDK-8280890 | security-libs | java.security | Cannot use '-Djava.system.class.loader' with class loader in signed JAR |
JDK-8297804 | core-libs | java.time | (tz) Update Timezone Data to 2022g |
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8293319 | hotspot | compiler | [C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if |
2 | JDK-8280511 | hotspot | compiler | AArch64: Combine shift and negate to a single instruction |
3 | JDK-8276108 | hotspot | compiler | Wrong instruction generation in aarch64 backend |
4 | JDK-8251216 | hotspot | compiler | Implement MD5 intrinsics on AArch64 |
5 | JDK-8186670 | hotspot | compiler | Implement _onSpinWait() intrinsic for AArch64 |
6 | JDK-8290781 | hotspot | compiler | Segfault at PhaseIdealLoop::clone_loop_handle_data_uses |
7 | JDK-8282347 | hotspot | compiler | AARCH64: Untaken branch in has_negatives stub |
8 | JDK-8282049 | hotspot | compiler | AArch64: Use ZR for integer zero immediate volatile stores |
9 | JDK-8291775 | hotspot | compiler | C2: assert(r != __null && r->is_Region()) failed: this phi must have a region |
10 | JDK-8290711 | hotspot | compiler | assert(false) failed: infinite loop in PhaseIterGVN::optimize |
11 | JDK-8287349 | hotspot | compiler | AArch64: Merge LDR instructions to improve C1 OSR performance |
12 | JDK-8277411 | hotspot | compiler | C2 fast_unlock intrinsic on AArch64 has unnecessary ownership check |
13 | JDK-8277358 | hotspot | compiler | Accelerate CRC32-C |
14 | JDK-8291599 | hotspot | compiler | Assertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127 |
15 | JDK-8290705 | hotspot | compiler | StringConcat::validate_mem_flow asserts with "unexpected user: StoreI" |
16 | JDK-8290529 | hotspot | compiler | C2: assert(BoolTest(btest).is_canonical()) failure |
17 | JDK-8288445 | hotspot | compiler | AArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding |
18 | JDK-8280872 | hotspot | compiler | Reorder code cache segments to improve code density |
19 | JDK-8272094 | hotspot | compiler | compiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline" |
20 | JDK-8293816 | hotspot | compiler | CI: ciBytecodeStream::get_klass() is not consistent |
21 | JDK-8293044 | hotspot | compiler | C1: Missing access check on non-accessible class |
22 | JDK-8292158 | hotspot | compiler | AES-CTR cipher state corruption with AVX-512 |
23 | JDK-8270947 | hotspot | compiler | AArch64: C1: use zero_words to initialize all objects |
24 | JDK-8287425 | hotspot | compiler | Remove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path |
25 | JDK-8290451 | hotspot | compiler | Incorrect result when switching to C2 OSR compilation from C1 |
26 | JDK-8268779 | hotspot | gc | ZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space" |
27 | JDK-8278389 | hotspot | gc | SuspendibleThreadSet::_suspend_all should be volatile/atomic |
28 | JDK-8288754 | hotspot | gc | GCC 12 fails to build zReferenceProcessor.cpp |
29 | JDK-8279398 | hotspot | jfr | jdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop" |
30 | JDK-8268297 | hotspot | jfr | jdk/jfr/api/consumer/streaming/TestLatestEvent.java times out |
31 | JDK-8291459 | hotspot | runtime | JVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*) |
32 | JDK-8292083 | hotspot | runtime | Detected container memory limit may exceed physical machine memory |
33 | JDK-8293156 | hotspot | svc | Dcmd VM.classloaders fails to print the full hierarchy |
January 17, 2023
The full version string for this update release is 8u361-b09 (where "b" means "build"). The version number is 8u361.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u361 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u361-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u361) be used after the next critical patch update scheduled for April 18, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u361) on 2023-05-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
An OCSP response signed with the RSASSA-PSS algorithm is now supported.
After updating to JDK 8u361, applications may fail to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException
occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem
.
The JVM will fail to initialize on Linux systems where /proc/self/mountinfo
does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.
A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).
Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an under utilization of CPU resources when the JVM is used inside a container.
Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares
command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.
The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.
It can be enabled by setting the system property: -Djavafx.allowjs=true
ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\"
, would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.
Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server
and http.keepAlive.time.proxy
respectively. More information about them can be found in Networking Properties.
This version of the JDK no longer includes a copy of Java VisualVM. VisualVM is now available as a separate download from https://visualvm.github.io.
The readObject
method of _DynAnyFactoryStub
has been amended, such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format, only. As DynAnyFactory
is a locally or ORB constrained type, it is not useful that serialized data should contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to a DynAnyFactory
IOR, as such, using a corbaname to reference an instance of DynAnyFactory
is not meaningful.
A system property is introduced, org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck
, which when set to true, will revert the _DynAnyFactoryStub::readObject
to its current behavior and bypass the additional IOR checks.
The SunJSSE close notification checks for SSLEngine
to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.
Specifically, if an application tries to close its SSLEngine
inbound side using SSLEngine.closeInbound()
without having received a close notification message from its peer, the SSLEngine
will no longer:
The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException
. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.
In addition, the internal transport context for the SSLEngine
will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus
value on the SSLEngine
. Any outstanding outbound data must still be obtained (SSLEngine.wrap()
) and sent in order to gracefully close the connection.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u361 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8240756 | client-libs/2d | [macos] SwingSet2:TableDemo:Printed Japanese characters were garbled |
2 | JDK-8212677 | client-libs/java.awt | X11 default visual support for IM status window on VNC |
3 | JDK-8231445 | client-libs/java.awt | check ZALLOC return values in awt coding |
4 | JDK-8284033 | client-libs/java.awt | Leak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c |
5 | JDK-8277497 | client-libs/javax.accessibility | Last column cell in the JTable row is read as empty cell |
6 | JDK-8280950 | core-libs/java.util | RandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix |
7 | JDK-8281183 | core-libs/java.util | RandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950 |
8 | JDK-8294307 | core-libs/java.util:i18n | ISO 4217 Amendment 173 Update |
9 | JDK-8215571 | core-svc/debugger | jdb does not include jdk.* in the default class filter |
10 | JDK-8197387 | core-svc/tools | jcmd started by "root" must be allowed to access all VM processes |
11 | JDK-8294294 | docs/guides | Document jdk.xml.xpathExprGrpLimit, jdk.xml.xpathExprOpLimit, and jdk.xml.xpathTotalOpLimit in the JAXP Security Guide |
12 | JDK-8145458 | docs/hotspot | JDK 8 man page incorrectly states -XX:ThreadStackSize=size sets the thread stack size (in bytes). |
13 | JDK-8217359 | hotspot/compiler | C2 compiler triggers SIGSEGV after transformation in ConvI2LNode::Ideal |
14 | JDK-8255058 | hotspot/compiler | C1: assert(is_virtual()) failed: type check |
15 | JDK-8253816 | hotspot/compiler | Support macOS W^X |
16 | JDK-8253795 | hotspot/compiler | Implementation of JEP 391: macOS/AArch64 Port |
17 | JDK-8168712 | hotspot/compiler | [AOT] assert(false) failed: DEBUG MESSAGE: InterpreterMacroAssembler::call_VM_base: last_sp != NULL |
18 | JDK-8261336 | hotspot/compiler | IGV: enhance default filters |
19 | JDK-8253817 | hotspot/runtime | Support macOS Aarch64 ABI in Interpreter |
20 | JDK-8200109 | hotspot/runtime | NMT: diff_malloc_site assert(early->flags() == current->flags(), "Must be the same memory type") |
21 | JDK-8238676 | hotspot/runtime | jni crashes on accessing it from process exit hook |
22 | JDK-8230305 | hotspot/runtime | Cgroups v2: Container awareness |
23 | JDK-8027429 | hotspot/runtime | Add diagnostic command VM.info to get hs_err print-out |
24 | JDK-8253714 | hotspot/runtime | [cgroups v2] Soft memory limit incorrectly using memory.high |
25 | JDK-8253727 | hotspot/runtime | [cgroups v2] Memory and swap limits reported incorrectly |
26 | JDK-8255716 | hotspot/runtime | AArch64: Regression: JVM crashes if manually offline a core |
27 | JDK-8191846 | hotspot/svc | jstat prints debug message when debugging is disabled |
28 | JDK-8038392 | hotspot/svc | Generating prelink cache breaks JAVA 'jinfo' utility normal behaviour |
29 | JDK-8087557 | javafx/accessibility | [Win] [Accessibility, Dialogs] Alert Dialog content is not fully read by Screen Reader |
30 | JDK-8284281 | javafx/accessibility | [Accessibility] [Win] [Narrator] Exceptions with TextArea & TextField when deleted last char |
31 | JDK-8291087 | javafx/accessibility | Wrong position of focus of screen reader on Windows with screen scale > 1 |
32 | JDK-8293795 | javafx/accessibility | [Accessibility] [Win] [Narrator] Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField |
33 | JDK-8289542 | javafx/graphics | Update JPEG Image Decoding Software to 9e |
34 | JDK-8293971 | javafx/media | Loading new Media from resources can sometimes fail when loading from FXML |
35 | JDK-8289541 | javafx/web | Update ICU4C to 71.1 |
36 | JDK-8257722 | security-libs/java.security | Improve "keytool -printcert -jarfile" output |
37 | JDK-8273553 | security-libs/javax.net.ssl | sun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368 |
The following sections summarize changes made in all Java SE 8u351 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8294307 | core-libs | java.util:i18n | ISO 4217 Amendment 173 Update |
JDK-8296239 | core-libs | java.util:i18n | ISO 4217 Amendment 174 Update |
JDK-8295173 | core-libs | java.time | (tz) Update Timezone Data to 2022e |
JDK-8296108 | core-libs | java.time | (tz) Update Timezone Data to 2022f |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8278027 | security-libs | javax.crypto | X509Key.decode exception while using JSafeJCE FIPS provider |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8224671 | hotspot | compiler | AArch64: mauve System.arraycopy test failure |
JDK-8292695 | hotspot | runtime | SIGQUIT and jcmd attaching mechanism does not work with signal chaining library |
JDK-8202014 | hotspot | runtime | Possible to receive signal before signal semaphore created |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8291973 | install | install | Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash |
JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d |
JDK-8293795 | javafx | accessibility | Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField |
The following sections summarize changes made in Java SE 8u351 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.
JBS | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8294307 | core-libs | java.util:i18n | ISO 4217 Amendment 173 Update |
JDK-8296239 | core-libs | java.util:i18n | ISO 4217 Amendment 174 Update |
JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d |
JDK-8295173 | core-libs | java.time | (tz) Update Timezone Data to 2022e |
JDK-8296108 | core-libs | java.time | (tz) Update Timezone Data to 2022f |
JBS | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8278027 | security-libs | javax.crypto | X509Key.decode exception while using JSafeJCE FIPS provider |
Enterprise Performance Pack supports JDK Flight Recorder (JFR).
JFR is a low-overhead data collection framework for troubleshooting Java applications and the HotSpot JVM in production. Recorded data can be opened in JDK Mission Control (JMC). To start recordings from within JMC, a new version of JMC is required. Currently, it is not released as part of the JDK but is available as a downloadable patch from Supported Java SE Downloads on MOS or from JDK Mission Control 8 Downloads. JFR comes with a supported API to produce and consume data programmatically.
Relevant Changes for JFR include JEP 328: Flight Recorder, JEP 349: JFR Event Streaming
# | JBS | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8282467 | hotspot | compiler | add extra diagnostics for JDK-8268184 |
2 | JDK-8284883 | hotspot | compiler | JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512 |
3 | JDK-8285923 | hotspot | compiler | [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities |
4 | JDK-8282555 | hotspot | compiler | Missing memory edge when spilling MoveF2I, MoveD2L etc |
5 | JDK-8286638 | hotspot | compiler | C2: CmpU needs to do more precise over/underflow analysis |
6 | JDK-8288303 | hotspot | compiler | C1: Miscompilation due to broken Class.getModifiers intrinsic |
7 | JDK-8270090 | hotspot | compiler | C2: LCM may prioritize CheckCastPP nodes over projections |
8 | JDK-8280696 | hotspot | compiler | C2 compilation hits assert(is_dominator(c, n_ctrl)) failed |
9 | JDK-8285820 | hotspot | compiler | C2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090 |
10 | JDK-8287091 | hotspot | compiler | aarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn |
11 | JDK-8287396 | hotspot | compiler | LIR_Opr::vreg_number() and data() can return negative number |
12 | JDK-8286625 | hotspot | compiler | C2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect |
13 | JDK-8288467 | hotspot | compiler | remove memory_operand assert for spilled instructions |
14 | JDK-8276546 | hotspot | compiler | [IR Framework] Whitelist and ignore CompileThreshold |
15 | JDK-8279622 | hotspot | compiler | C2: miscompilation of map pattern as a vector reduction |
16 | JDK-8286177 | hotspot | compiler | C2: "failed: non-reduction loop contains reduction nodes" assert failure |
17 | JDK-8284944 | hotspot | compiler | assert(cnt++ < 40) failed: infinite cycle in loop optimization |
18 | JDK-8287223 | hotspot | compiler | C1: Inlining attempt through MH::invokeBasic() with null receiver |
19 | JDK-8272736 | hotspot | compiler | [JVMCI] Add API for reading and writing JVMCI thread locals |
20 | JDK-8284358 | hotspot | compiler | Unreachable loop is not removed from C2 IR, leading to a broken graph |
21 | JDK-8288360 | hotspot | compiler | CI: ciInstanceKlass::implementor() is not consistent for well-known classes |
22 | JDK-8286314 | hotspot | compiler | Trampoline not created for far runtime targets outside small CodeCache |
23 | JDK-8288781 | hotspot | compiler | C1: LIR_OpVisitState::maxNumberOfOperands too small |
24 | JDK-8289127 | hotspot | compiler | Apache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible |
25 | JDK-8283441 | hotspot | compiler | C2: segmentation fault in ciMethodBlocks::make_block_at(int) |
26 | JDK-8287432 | hotspot | compiler | C2: assert(tn->in(0) != __null) failed: must have live top node |
27 | JDK-8281297 | hotspot | gc | TestStressG1Humongous fails with guarantee(is_range_uncommitted) |
28 | JDK-8283597 | hotspot | jvmti | [REDO] Invalid generic signature for redefined classes |
29 | JDK-8278753 | hotspot | runtime | Runtime crashes with access violation during JNI_CreateJavaVM call |
30 | JDK-8283469 | hotspot | runtime | Don't use memset to initialize members in FileMapInfo and fix memory leak |
31 | JDK-8268773 | hotspot | runtime | Improvements related to: Failed to start thread - pthread_create failed (EAGAIN) |
32 | JDK-8289477 | hotspot | runtime | Memory corruption with CPU_ALLOC, CPU_FREE on muslc |
33 | JDK-8289799 | hotspot | runtime | Build warning in methodData.cpp memset zero-length parameter |
34 | JDK-8290417 | hotspot | runtime | CDS cannot archive lamda proxy with useImplMethodHandle |
35 | JDK-8287107 | hotspot | runtime | CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller |
36 | JDK-8287741 | hotspot | runtime | Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete |
October 18, 2022
The full version string for this update release is 8u351-b10 (where "b" means "build"). The version number is 8u351.
JDK 8u351 contains IANA time zone data 2022b, 2022c.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u351 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u351-b10 |
7 | 7u361-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u351) be used after the next critical patch update scheduled for January 17, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u351) on 2023-02-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12
in the java.security
file for detailed information.
The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.
For compatibility, use the keystore.pkcs12.legacy
system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
On platforms that support the concept of a thread name on their native threads, the java.lang.Thread.setName()
method will also set that native thread name. However, this will only occur when called by the current thread, and only for threads started through the java.lang.Thread
class (not for native threads that have attached via JNI). The presence of a native thread name can be useful for debugging and monitoring purposes. Some platforms may limit the native thread name to a length much shorter than that used by the java.lang.Thread
, which may result in some threads having the same native name.
The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK11. This registration was part of the public JRE installation.
However, Java Access Bridge can still be enabled and disabled by following these steps:
%JAVAHOME%\bin\windowsaccessbridge-64.dll
to %WINDOWSHOME%\SYSTEM32
. A reboot might be required after this step.%JAVAHOME%\bin\jabswitch /enable
and %JAVAHOME%\bin\jabswitch /disable
.Note: %WINDOWSHOME%
is the directory where Microsoft Windows is installed (for example, C:\WINDOWS
) %JAVAHOME%
is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11
)
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.
To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:
This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.
For example:
- Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or override it by using the java.security.properties
system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
The des3-hmac-sha1
and rc4-hmac
Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true
in the krb5.conf
configuration file to re-enable them (along with other weak etypes including des-cbc-crc
and des-cbc-md5
) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes
, default_tgs_enctypes
, or permitted_enctypes
settings.
This enhancement changes phantom references to be automatically cleared by the garbage collector as soft and weak references.
An object becomes phantom reachable after it has been finalized. This change may cause the phantom reachable objects to be GC'ed earlier - previously the referent is kept alive until PhantomReference objects are GC'ed or cleared by the application. This potential behavioral change might only impact existing code that would depend on PhantomReference being enqueued rather than when the referent be freed from the heap.
java.lang.ref.Reference.enqueue
method clears the reference object before it is added to the registered queue. When the enqueue
method is called, the reference object is cleared and get()
method will return null in JDK 9.
Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear
method to avoid memory leak because its referent is no longer referenced. In other words the get
method is expected not to be called in common cases once the enqueue
method is called. In the case when the get
method from an enqueued reference object and existing code attempts to access members of the referent, NullPointerException
may be thrown. Such code will need to be updated.
java.lang.ref.Reference::clone
method always throws CloneNotSupportedException
. Reference
objects cannot be meaningfully cloned. To create a new Reference object, call the constructor to create a Reference
object with the same referent and reference queue instead.
This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.
As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.
For more details, refer to the announcement of 2022b.
This JDK implements Maintenance Release 4 of the Java SE 8 specification (JSR 337). Implementing this maintenance release is indicated by the new system property java.specification.maintenance.version
having the value of "4"
.
A new system property named jdk.httpserver.maxConnections
has been introduced to allow users to configure the com.sun.net.httpserver.HttpServer
to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u351 release:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8260616 | client-libs | Removing remaining JNF dependencies in the java.desktop module | |
2 | JDK-8270216 | client-libs | java.awt | [macOS] Update named used for Java run loop mode |
3 | JDK-8272602 | client-libs | java.awt | [macOS] not all KEY_PRESSED events sent when control modifier is used |
4 | JDK-8261352 | client-libs | javax.accessibility | Create implementation for component peer for all the components who should be ignored in a11y interactions |
5 | JDK-8263420 | client-libs | javax.accessibility | Incorrect function name in NSAccessibilityStaticText native peer implementation |
6 | JDK-8261198 | client-libs | javax.accessibility | [macOS] Incorrect JNI parameters in number conversion in A11Y code |
7 | JDK-8262981 | client-libs | javax.accessibility | Create implementation for NSAccessibilitySlider protocol |
8 | JDK-8287740 | client-libs | javax.accessibility | NSAccessibilityShowMenuAction not working for text editors |
9 | JDK-8275071 | client-libs | javax.accessibility | [macos] A11y cursor gets stuck when combobox is closed |
10 | JDK-8274383 | client-libs | javax.accessibility | JNI call of getAccessibleSelection on a wrong thread |
11 | JDK-8267387 | client-libs | javax.accessibility | Create implementation for NSAccessibilityOutline protocol |
12 | JDK-8267388 | client-libs | javax.accessibility | Create implementation for NSAccessibilityTable protocol |
13 | JDK-8262031 | client-libs | javax.accessibility | Create implementation for NSAccessibilityNavigableStaticText protocol |
14 | JDK-8275809 | client-libs | javax.accessibility | crash in [CommonComponentAccessibility getCAccessible:withEnv:] |
15 | JDK-8273678 | client-libs | javax.accessibility | TableAccessibility and TableRowAccessibility miss autorelease |
16 | JDK-8271071 | client-libs | javax.accessibility | accessibility of a table on macOS lacks cell navigation |
17 | JDK-8267066 | client-libs | javax.accessibility | New NSAccessibility peers should return they roles and subroles directly |
18 | JDK-8275720 | client-libs | javax.accessibility | CommonComponentAccessibility.createWithParent isWrapped causes mem leak |
19 | JDK-8267385 | client-libs | javax.accessibility | Create NSAccessibilityElement implementation for JavaComponentAccessibility |
20 | JDK-8275819 | client-libs | javax.accessibility | [TableRowAccessibility accessibilityChildren] method is ineffective |
21 | JDK-8284690 | client-libs | javax.accessibility | [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox |
22 | JDK-8286266 | client-libs | javax.accessibility | [macos] Voice over moving JTable column to be the first column JVM crashes |
23 | JDK-8284014 | client-libs | javax.accessibility | Menu items with submenus in JPopupMenu are not spoken on macOS |
24 | JDK-8283383 | client-libs | javax.accessibility | [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name |
25 | JDK-8278609 | client-libs | javax.accessibility | [macos] accessibility frame is misplaced on a secondary monitor on macOS |
26 | JDK-8274735 | client-libs | javax.imageio | javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image |
27 | JDK-8256109 | client-libs | javax.swing | Create implementation for NSAccessibilityButton protocol |
28 | JDK-8256108 | client-libs | javax.swing | Create implementation for NSAccessibilityElement protocol peer |
29 | JDK-8256126 | client-libs | javax.swing | Create implementation for NSAccessibilityImage protocol peer |
30 | JDK-8256110 | client-libs | javax.swing | Create implementation for NSAccessibilityStepper protocol |
31 | JDK-8256111 | client-libs | javax.swing | Create implementation for NSAccessibilityStaticText protocol |
32 | JDK-8261350 | client-libs | javax.swing | Create implementation for NSAccessibilityCheckBox protocol peer |
33 | JDK-8261351 | client-libs | javax.swing | Create implementation for NSAccessibilityRadioButton protocol |
34 | JDK-8264299 | client-libs | javax.swing | Create implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles |
35 | JDK-8264300 | client-libs | javax.swing | Create implementation for NSAccessibilityScrollBar protocol peer |
36 | JDK-8264290 | client-libs | javax.swing | Create implementation for NSAccessibilityComponentGroup protocol peer |
37 | JDK-8264304 | client-libs | javax.swing | Create implementation for NSAccessibilityToolbar protocol peer |
38 | JDK-8264302 | client-libs | javax.swing | Create implementation for Accessibility native peer for Splitpane java role |
39 | JDK-8264305 | client-libs | javax.swing | Create implementation for native accessibility peer for Statusbar java role |
40 | JDK-8264287 | client-libs | javax.swing | Create implementation for NSAccessibilityComboBox protocol peer |
41 | JDK-8264303 | client-libs | javax.swing | Create implementation for NSAccessibilityTabGroup protocol peer |
42 | JDK-8264297 | client-libs | javax.swing | Create implementation for NSAccessibilityProgressIndicator protocol peer |
43 | JDK-8264294 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuBar protocol peer |
44 | JDK-8264298 | client-libs | javax.swing | Create implementation for NSAccessibilityRow protocol peer |
45 | JDK-8264286 | client-libs | javax.swing | Create implementation for NSAccessibilityColumn protocol peer |
46 | JDK-8264291 | client-libs | javax.swing | Create implementation for NSAccessibilityCell protocol peer |
47 | JDK-8264292 | client-libs | javax.swing | Create implementation for NSAccessibilityList protocol peer |
48 | JDK-8264293 | client-libs | javax.swing | Create implementation for NSAccessibilityMenu protocol peer |
49 | JDK-8264295 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuItem protocol peer |
50 | JDK-8264296 | client-libs | javax.swing | Create implementation for NSAccessibilityPopUpButton protocol peer |
51 | JDK-8257620 | core-libs | Do not use objc_msgSend_stret to get macOS version | |
52 | JDK-8071507 | core-libs | java.lang | (ref) Clear phantom reference as soft and weak references do |
53 | JDK-8287132 | core-libs | java.lang | Retire Runtime.runFinalizersOnExit so that it always throws UOE |
54 | JDK-8178832 | core-libs | java.lang | (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored |
55 | JDK-8175797 | core-libs | java.lang | (ref) Reference::enqueue method should clear the reference object before enqueuing |
56 | JDK-8193780 | core-libs | java.lang | (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property |
57 | JDK-8285497 | core-libs | java.lang | Add system property for Java SE specification maintenance version |
58 | JDK-8201793 | core-libs | java.lang | (ref) Reference object should not support cloning |
59 | JDK-8287917 | core-libs | java.lang:class_loading | System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier |
60 | JDK-8288769 | core-libs | java.util.jar | Revert unintentional change to deflate.c |
61 | JDK-8283277 | core-libs | java.util:i18n | ISO 4217 Amendment 171 Update |
62 | JDK-8289549 | core-libs | java.util:i18n | ISO 4217 Amendment 172 Update |
63 | JDK-8277368 | core-libs | javax.script | Metaspace OOM thrown due to the leak of Nashorn ScriptEngine |
64 | JDK-6447817 | docs | Add additional Service Attributes to Standard Algorithm Names guide | |
65 | JDK-8291414 | docs | guides | Fix the incorrect wording about delayed provider selection in the PKCS11 documentation |
66 | JDK-8261071 | hotspot | compiler | AArch64: Refactor interpreter native wrappers |
67 | JDK-8234930 | hotspot | compiler | Use MAP_JIT when allocating pages for code cache on macOS |
68 | JDK-8253015 | hotspot | compiler | Aarch64: Move linux code out from generic CPU feature detection |
69 | JDK-8188066 | hotspot | gc | (ref) Examine the reachability of JNI WeakGlobalRef and interaction with phantom refs |
70 | JDK-8143847 | hotspot | gc | Remove REF_CLEANER reference category |
71 | JDK-8285621 | hotspot | jfr | Xcheck:jni warnings during JFR initialization |
72 | JDK-6885993 | hotspot | runtime | Named Thread: introduce print() and print_on(outputStream* st) methods |
73 | JDK-7102541 | hotspot | runtime | RFE: os::set_native_thread_name() cleanups |
74 | JDK-8261075 | hotspot | runtime | Create stubRoutines.inline.hpp with SafeFetch implementation |
75 | JDK-8151322 | hotspot | runtime | Implement os::set_native_thread_name() on Solaris |
76 | JDK-8061999 | hotspot | runtime | Enhance VM option parsing to allow options to be specified in a file |
77 | JDK-8078521 | hotspot | svc | AARCH64: Add AArch64 SA support |
78 | JDK-8289587 | javafx | web | IllegalArgumentException: Color.rgb's red parameter (-16776961) expects color values 0-255 |
79 | JDK-8088420 | javafx | web | JavaFX WebView memory leak via EventListener |
80 | JDK-8285881 | javafx | web | Update WebKit to 614.1 |
81 | JDK-8292609 | javafx | web | Cherry-pick WebKit 614.1 stabilization fixes |
82 | JDK-8268427 | security-libs | java.security | Improve AlgorithmConstraints:checkAlgorithm performance |
83 | JDK-8186143 | security-libs | java.security | keytool -ext option doesn't accept wildcards for DNS subject alternative names |
84 | JDK-8267880 | security-libs | java.security | Upgrade the default PKCS12 MAC algorithm |
85 | JDK-8263404 | security-libs | java.security | RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec |
86 | JDK-8269039 | security-libs | java.security | Disable SHA-1 Signed JARs |
87 | JDK-8275887 | security-libs | java.security | jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled |
88 | JDK-8270317 | security-libs | javax.net.ssl | Large Allocation in CipherSuite |
89 | JDK-8284694 | security-libs | javax.net.ssl | Avoid evaluating SSLAlgorithmConstraints twice |
90 | JDK-8286211 | security-libs | javax.smartcardio | Update PCSC-Lite for Suse Linux to 1.9.5 |
91 | JDK-8285398 | security-libs | jdk.security | Cache the results of constraint checks |
92 | JDK-8074835 | security-libs | org.ietf.jgss | Resolve disabled warnings for libj2gss |
93 | JDK-8074836 | security-libs | org.ietf.jgss:krb5 | Resolve disabled warnings for libosxkrb5 |
94 | JDK-8139348 | security-libs | org.ietf.jgss:krb5 | Deprecate 3DES and RC4 in Kerberos |
95 | JDK-8289486 | xml | jaxp | Improve XSLT XPath operators count efficiency |
The following sections summarize changes made in all Enterprise Performance Pack BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Category | Subcategory | Description |
---|---|---|---|
JDK-8292260 | hotspot | compiler | C2 Compilation Errors Unpredictably Crashes |
The Java SE Subscription Enterprise Performance Pack (EPP) is a commercial feature release of the Java SE platform. It contains new features and enhancements in many functional areas. It is currently available only through My Oracle Support. It is available as part of an Oracle Java SE Subscription and Oracle Cloud Infrastructure (OCI) Subscription. The Release Notes below describe the features, important changes, enhancements, and other information about the Enterprise Performance Pack.
Enterprise Performance Pack runtime brings improved performance, new features, and enhancements from the Java Virtual Machine from JDK 17 to JDK 8. It reduces the memory footprint for Java SE 8 workloads. It is ideal if you want or need to use Java SE 8 and you are running those workloads at scale. If you need to develop applications, Oracle recommends that you use the full JDK.
Enterprise Performance Pack is for server-side, headless systems (systems that operate without a graphical user interface or peripheral devices like a keyboard or a mouse) running 64-bit Linux on Intel or ARM.
Links to other sources of information about the Enterprise Performance Pack are also provided below:
The full version string for this update release is 1.8.0_345-perf-97-b06 (where "b" means "build"). The version number is 8u345.
IANA Data 2022a
The Enterprise Performance Pack contains IANA time zone data version 2022a. For more information, refer to Timezone Data Versions in the JRE Software.
This section describes Enterprise Performance Pack features and important information. In some cases, the descriptions provide links to additional detailed information about an issue or a change.
New Garbage Collector
Enterprise Performance Pack supports the latest garbage collector, ZGC.
The Z Garbage Collector, also known as ZGC, is a scalable low latency garbage collector (JEP 333). At its core, ZGC is a concurrent garbage collector, meaning that all heavy lifting work (marking, compaction, reference processing, string table cleaning, etc) is done while Java threads continue to execute. This greatly limits the negative impact that garbage collection has on application response times.
Applications moving from Parallel GC, CMS GC, or G1 GC to ZGC might observe higher CPU utilization and might require an increase in Java heap space. The tuning options for ZGC in the presence of observing allocation stalls are: increasing the max Java heap size (-Xmx), or setting -XX:SoftMaxHeapSize to a value less than -Xmx, or increasing the number of concurrent GC threads and disabling dynamic GC threads (-XX:ConcGCThreads=n -XX:-UseDynamicGCThreads), or some combination of those three.
See Enterprise Performance Pack documentation for more information about JVM options and Enterprise Performance Pack configuration.
Unified Logging
Enterprise Performance Pack supports a common logging system for all components of the JVM. This provides line-at-a-time, human readable log messages enabled at the command line through the -Xlog
flag. See Printing JVM Information in the Enterprise Performance Pack User's Guide for more details.
Relevant Changes for Unified Logging: ➜ Use Unified Logging for GC logging (JDK-8145092) ➜ print_tracing_info Uses Unified Logging (JDK-8184286) ➜ Deprecated Tracing Flags Are Obsolete and Must Be Replaced With Unified Logging Equivalents (JDK-8256718)
Compact Strings
This is a space-efficient internal representation of strings, which reduces memory footprint and garbage collection activity. See Compact Strings in the Java Virtual Machine Guide of JDK 17 for more details.
Relevant Changes for Compact Strings: ➜ JEP 254: Compact Strings (JDK-8054307)
A new Class Hierarchy Analysis implementation is introduced in the HotSpot JVM. It features enhanced handling of abstract and default methods which improves inlining decisions made by the JIT-compilers. The new implementation supersedes the original one and is turned on by default.
To help diagnose possible issues related to the new implementation, the original implementation can be turned on by specifying the -XX:+UnlockDiagnosticVMOptions -XX:-UseVtableBasedCHA
command-line flags.
The original implementation may be removed in a future release.
This section describes Enterprise Performance Pack enhancements. In some cases, the descriptions provide links to additional detailed information about an issue or a change.
Garbage Collectors
Enterprise Performance Pack's Garbage First (G1) collector should not require additional tuning or re-tuning; it's the default garbage collector. Moving from CMS GC to G1 should follow the guidance suggested in the Enterprise Performance Pack User's Guide. Only G1 supports String Deduplication. This feature continuously checks for duplicate String objects during garbage collection thus reducing overall heap size.
Since Enterprise Performance Pack has the Compact Strings feature which reduces the amount of Java heap space occupied by Java Strings, improved performance with Parallel GC may be realized by re-tuning Java heap sizes.
Relevant Changes for Garbage Collectors: ➜ Parallel GC Enables Adaptive Parallel Reference Processing by Default (JDK-8204686) ➜ G1 Enables Adaptive Parallel Reference Processing by Default (JDK-8205043) ➜ JEP 345: NUMA-Aware Memory Allocation for G1 (JDK-8210473) ➜ Parallel GC Improvements (JDK-8224666) ➜ Improvements in Serial GC Young pause time report (JDK-8215221) ➜ JEP 307: Parallel Full GC for G1 (JDK-8172890) ➜ Concurrently Uncommit Memory in G1 (JDK-8236926) ➜ Improved Ergonomics for G1 Heap Region Size (JDK-8241670) ➜ Improve Ergonomics for Sparse PRT Entry Size (JDK-8223162) ➜ New PerfCounters for STW Phases on Concurrent GC Are Available (JDK-8153333) ➜ G1 May Uncommit Memory During Marking Cycle (JDK-6490394) ➜ Garbage Collectors Adaptively Scale the Number of Threads by Default (JDK-8198510) ➜ JEP 363: Remove the Concurrent Mark and Sweep (CMS) Garbage Collector (JDK-8229049) ➜ Various GC combinations have now been removed (JDK-8044022) ➜ JEP 366: Deprecate the ParallelScavenge + SerialOld GC Combination (JDK-8233301) ➜ UseAutoGCSelectPolicy has been deprecated (JDK-8166461)
The java
Command
Enterprise Performance Pack includes several runtime options from JDK 17. However, some options from JDK 8 are not available in Enterprise Performance Pack. For example, Enterprise Performance Pack uses Unified JVM Logging, which replaces options that print details about the JVM with -Xlog:gc options. See the Enterprise Performance Pack documentation for more information about the changes made to the JVM options.
Runtime Options
A number of runtime options have been added or removed from the Enterprise Performance Pack. See the Changes to JVM Runtime Options section of the Enterprise Performance Pack User's Guide.
Relevant Changes for Runtime Options: ➜ Flags Controlling C1 Inlining Have New Names (JDK-8235673) ➜ Improved CompileCommand Flag (JDK-8256508) ➜ Improve the Behavior of MaxRAM Settings and UseCompressedOops (JDK-8222252) ➜ VM Options AdaptiveSizePausePolicy and ParallelGCRetainPLAB are obsolete (JDK-8073861) ➜ Added -XX:+AdjustStackSizeForTLS Flag (JDK-8225035) ➜ Obsolete -XX:UseAdaptiveGCBoundary (JDK-8228991) ➜ Removal of Obsolete -X Options (JDK-8179018) ➜ Obsolete Support for Commercial Features (JDK-8202331) ➜ Obsoleted -XX:+/-MonitorInUseLists (JDK-8211384) ➜ Deprecated Java Options -Xverify:none and -noverify (JDK-8214719) ➜ Command-Line Flag -XX:+ExtensiveErrorReports (JDK-8211845)
Class Data Sharing
This feature helps reduce the startup time and memory footprint between multiple Java Virtual Machines. See the Class Data Sharing section of the Java Virtual Machine Guide of JDK 17 for more information.
Relevant Changes for Class Data Sharing: ➜ CDS Behavior Change With Non-existent Files During Archive Creation (JDK-8227370)
This enhancement causes phantom references to be automatically cleared by the garbage collector just as soft and weak references are.
An object becomes phantom reachable after it has been finalized. This change may cause phantom reachable objects to be garbage collected earlier. Previously, the referent was kept alive until the associated PhantomReference
objects were collected or cleared by the application. This behavioral change should only impact existing code that depends on a PhantomReference
being enqueued rather than when the referent is freed from the heap.
The java.lang.ref.Reference.enqueue
method clears the reference object before it is added to the registered queue. When the enqueue
method is called, the reference object is cleared and the get()
method will return null in Enterprise Performance Pack and later releases.
Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear
method to avoid a memory leak because its referent is no longer referenced. In other words, the get
method is not expected to be called in common cases once the enqueue
method has been called. In the case when the get
method from an enqueued reference object and existing code attempts to access members of the referent, a NullPointerException
may be thrown. Such code will need to be updated.
The java.lang.ref.Reference::clone
method always throws a CloneNotSupportedException
. Therefore, Reference
objects cannot be meaningfully cloned. To copy a Reference
object, call the constructor to create a new Reference
object with the same referent and reference queue instead.
In Java SE Subscription Enterprise Performance Pack, constant pool patching of classes created by calling the unsupported sun.misc.Unsafe.defineAnonymousClass
method is not enabled and could cause your application to crash. The cpPatches
argument to defineAnonymousClass
should be null.
In Java SE Subscription Enterprise Performance Pack, the methods monitorEnter
, monitorExit
, and tryMonitorEnter
have been removed from the unsupported sun.misc.Unsafe
class. These methods are not used within the JDK itself and are very rarely used outside of the JDK.
The Java SE 8 Enterprise Performance Pack follows the versioning format defined by JEP 322, and reports the actual VM version of 17.x, when, for example, java -version
is invoked. However, for compatibility purposes, the sun.misc.Version
methods jvmMajorVersion()
and jvmMinorVersion()
instead report the same VM version as Java SE 8 i.e. 25.x. This ensures that application code checking for a Java 8 runtime by looking for a major version greater than, or equal to, 25, will work correctly even though the actual VM version is 17.
The following notes describe additional changes and information about this release. In some cases, the following descriptions provide links to additional detailed information about an issue or a change.
Monitoring Tools
See Running Tools and Using Libraries on Enterprise Performance Pack for more information.
Application Class Data Sharing (AppCDS)
Application Class Data Sharing (AppCDS) extends class data sharing (CDS) to enable application classes to be placed in a shared archive. See the Application Class Data Sharing section of the java
command page.
Relevant Changes for AppCDS: ➜ JEP 310: Application Class-Data Sharing (JEP 310)
Some linux kernel versions (including, but not limited to 3.13.0-121-generic and 4.4.0-81-generic) are known to contain an incorrect fix for a linux kernel stack overflow issue (See CVE-2017-1000364). The incorrect fix can trigger crashes in the Java Virtual Machine. Upgrading the kernel to a version that includes the corrected fix addresses the problem.
This change enforces the unqualified name format checks for NameAndType
strings as outlined in the JVM specification sections 4.4.6 and 4.2.2, meaning that some illegal names and descriptors that users may be utilizing in their classfiles will now be caught with a Class Format Error. This includes format checking for all strings under non-referenced NameAndType
's. Users will see a change if they (A) are using Java classfile version 6 or below and have an illegal NameAndType descriptor with no Methodref or Fieldref reference to it; or (B) are using any Java classfile version and have an illegal NameAndType name with no Methodref or Fieldref reference to it.
In both (A) and (B) the users will now receive a ClassFormatError for those illegal strings, which is an enforcement of unqualified name formats as delineated in JVMS 4.2.2.
When dumping the heap in binary format, HPROF format 1.0.2 is always used now. Previously, format 1.0.1 was used for heaps smaller than 2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the serviceability agent.
When running with compressed references on x86_64, one of the CPU registers holds the heap base pointer to be used for references encoding/decoding. This register is not available for register allocation.
Simple implementations before this release made this register unavailable (and thus unused) even if compressed references were disabled. In this release, the implementation was revised to put this unused register back into the available registers pool. Configurations with large heaps and/or -XX:-UseCompressedOops
benefit from this improvement.
In the previous release, a NotifyFramePop request was only cleared when the JVMTI_EVENT_FRAME_POP
was enabled. Now it is always cleared when the corresponding frame is popped, regardless of whether the JVMTI_EVENT_FRAME_POP
is enabled or not.
For improved performance, JVM/TI ObjectFree events are no longer posted within GC pauses. The events are still posted as requested, and will be posted before ObjectFree events are enabled or disabled with SetNotificationMode. SetNotificationMode can be used to explicitly flush ObjectFree events, if needed.
The default value for BiasedLockingStartupDelay
has been changed to 0. The flag BiasedLockingStartupDelay
previously had the default value 4000 which delayed the use of biased locking with 4 s (4000 ms). The reason for this delay was performance but recent performance runs show no difference between the 4000 ms delay and no delay. Since having the delay will cause other parts of the VM to do extra work, having the default set to 0 makes more sense.
The JNI function DetachCurrentThread
has been added to the list of JNI functions that can safely be called with an exception pending. The HotSpot Virtual Machine has always supported this as it reports that the exception occurred in a similar manner to the default handling of uncaught exceptions at the Java level. Other implementations are not obligated to do anything with the pending exception.
The -XX:-JNIDetachReleasesMonitors
flag requested that the VM run in a pre-JDK 6 compatibility mode with regard to not releasing monitors when a JNI attached thread detaches. This option is obsolete in JDK 9, and is ignored, as the VM always conforms to the JNI Specification and releases monitors. Use of this option will result in a warning being issued in JDK 9 and it may be removed completely in a future release.
When synchronization is performed on an object, an association is established between the object and the object monitor that implements the synchronization. In the past, the reference from a monitor to its associated object was a strong reference. These strong references would be observable through JVM TI functions that walk the heap (reported as JVMTI_HEAP_ROOT_MONITOR
or JVMTI_HEAP_REFERENCE_MONITOR
) and in heap dumps (reported as HPROF_GC_ROOT_MONITOR_USED
). As of this release, a weak reference is used. These are not observable to JVM TI or heap dumps. Consequently, JVMTI_HEAP_ROOT_MONITOR
, JVMTI_HEAP_REFERENCE_MONITOR
and HPROF_GC_ROOT_MONITOR_USED
are longer reported.
The FlatProfiler, deprecated in JDK 9, has been made obsolete by removing the implementation code. The FlatProfiler was enabled by setting the -Xprof
VM argument. The -Xprof
flag remains recognized in this release; however, setting it will print out a warning message.
The signal-chaining facility was introduced in JDK 1.4 and supported three different Linux signal-handling API's: sigset
, signal
and sigaction
. Only sigaction
is a cross-platform, supported, API for multi-threaded processes. Both signal
and sigset
are considered obsolete on those platforms that still define them. Consequently, the use of signal
and sigset
with the signal-chaining facility are now deprecated, and support for their use will be removed in a future release.
The following sections summarize changes made in all Java SE 8u341 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8291973 | install | install | JavaSE 8 RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8197387 | core-svc | tools | jcmd Started by "root" Must Be Allowed to Access All VM Processes |
JDK-8072439 | hotspot | runtime | Further refinement of the fix JDK-8047720 - Xprof hangs on Solaris |
JDK-8087557 | javafx | accessibility | Alert Dialog Content Is Not Fully Read by Screen Reader |
JDK-8291087 | javafx | accessibility | Wrong Position of Focus of Screen Reader on Windows with Screen Scale > 1 |
JDK-8197387 | javafx | accessibility | Exceptions with TextArea & TextField when Deleted Last Char |
Fixes from the prior BPR are included in this version.
July 19, 2022
The full version string for this update release is 8u341-b10 (where "b" means "build"). The version number is 8u341.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u341 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u341-b10 |
7 | 7u351-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u341) be used after the next critical patch update scheduled for October 18, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u341) on 2022-11-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The TLSv1.3 implementation is available in JDK 8u from 8u261 and enabled by default for server roles but disabled by default for client roles. From this release onwards, TLSv1.3 is now also enabled by default for client roles. You can find more details in the Additional Information section of the Oracle JRE and JDK Cryptographic Roadmap.
Note that TLS 1.3 is not directly compatible with previous versions. Enabling it on the client may introduce compatibility issues on either the server or the client side. Here are some more details on potential compatibility issues that you should be aware of:
signature_algorithms_cert
extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application may use non-supported signature algorithms.TLS_AES_128_GCM_SHA256
(1.3 and later) versus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
(1.2 and earlier).
Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.
Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.
The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:
jdk.https.negotiate.cbt
(default: "never")
This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:
The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.
The java.net.InetAddress
class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress
class methods are updated to throw an java.net.UnknownHostException
for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".
On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:
java.util.Vector
is updated to correctly report ClassNotFoundException
that occurs during deserialization using java.io.ObjectInputStream.GetField.get(name, object)
when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException
is thrown that does not provide information about the missing class.
DeflaterOutputStream.close()
and GZIPOutputStream.finish()
methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry()
method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.
For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad
now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u341 release:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8259869 | client-libs | [macOS] Remove desktop module dependencies on JNF Reference APIs | |
2 | JDK-8274751 | client-libs | java.awt | Drag And Drop hangs on Windows |
3 | JDK-8272806 | client-libs | java.awt | [macOS] "Apple AWT Internal Exception" when input method is changed |
4 | JDK-8133713 | client-libs | javax.accessibility | [macosx] Accessible JTables always reported as empty |
5 | JDK-8277922 | client-libs | javax.accessibility | Unable to click JCheckBox in JTable through Java Access Bridge |
6 | JDK-7124301 | client-libs | javax.accessibility | [macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements. |
7 | JDK-7124298 | client-libs | javax.accessibility | [macosx] Nothing heard from VoiceOver when tabbing between a nested tab group and a parent tab group |
8 | JDK-7124293 | client-libs | javax.accessibility | [macosx] VoiceOver reads percentages rather than the actual values for sliders. |
9 | JDK-8277093 | core-libs | java.io:serialization | Vector should throw ClassNotFoundException for a missing class of an element |
10 | JDK-8279842 | core-libs | java.net | HTTPS Channel Binding support for Java GSS/Kerberos |
11 | JDK-8282293 | core-libs | java.net | Domain value for system property jdk.https.negotiate.cbt should be case-insensitive |
12 | JDK-8288033 | core-libs | java.nio | (dc) DatagramChannel.disconnect uses disconnectx which is not supported on macOS 10.8.3 |
13 | JDK-8285515 | core-libs | java.nio | (dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4 |
14 | JDK-8258795 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2021-05-11 |
15 | JDK-8247469 | core-svc | javax.management | getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available |
16 | JDK-8273747 | deploy | webstart | Grant JWS JavaFX apps access to Windows trust store |
17 | JDK-8283886 | docs | guides | Fix broken links in the security guide of JDK 8u docs |
18 | JDK-6584403 | docs | guides | Request to add a CA/CSR certificate cookbook to JSSE Reference Guide |
19 | JDK-8173625 | install | install | JRE 8u121 fails to install with blank dialog box (username with character #) |
20 | JDK-8090477 | javafx | controls | Customizable visibility timing for Tooltip |
21 | JDK-8205915 | javafx | controls | [macOS] Accelerator assigned to button in dialog fires menuItem in owning stage |
22 | JDK-8222211 | javafx | graphics | Creating animated gif image from non FX App thread causes exception |
23 | JDK-8280840 | javafx | media | Update libFFI to 3.4.2 |
24 | JDK-8283403 | javafx | media | Update Glib to 2.72.0 |
25 | JDK-8283218 | javafx | media | Update GStreamer to 1.20.1 |
26 | JDK-8282054 | javafx | media | Mediaplayer not working with HTTP Live Stream link with query parameter appended with file extension m3u8 |
27 | JDK-8286256 | javafx | web | Update libxml2 to 2.9.14 |
28 | JDK-8283328 | javafx | web | Update libxml2 to 2.9.13 |
29 | JDK-8286257 | javafx | web | Update libxslt to 1.1.35 |
30 | JDK-8282134 | javafx | web | Certain regex can cause a JS trap in WebView |
31 | JDK-8281459 | javafx | web | WebKit 613.1 build broken on M1 |
32 | JDK-8280841 | javafx | web | Update SQLite to 3.37.2 |
33 | JDK-8284184 | javafx | web | Crash in GraphicsContextJava::drawLinesForText on https://us.yahoo.com/ |
34 | JDK-8278759 | javafx | web | PointerEvent: buttons property set to 0 when mouse down |
35 | JDK-8277734 | javafx | web | WebView: Update Public Suffix List to 3c213aa |
36 | JDK-8278851 | security-libs | java.security | Correct signer logic for jars signed with multiple digest algorithms |
37 | JDK-8245263 | security-libs | javax.net.ssl | Enable TLSv1.3 by default on JDK 8u for Client roles |
38 | JDK-8274524 | security-libs | javax.net.ssl | SSLSocket.close() hangs if it is called during the ssl handshake |
39 | JDK-8275082 | security-libs | javax.xml.crypto | Update XML Security for Java to 2.3.0 |
40 | JDK-8279520 | security-libs | org.ietf.jgss | SPNEGO has not passed channel binding info into the underlying mechanism |
41 | JDK-8157391 | tools | jdeps left JarFile open | |
42 | JDK-8284132 | tools | FXLauncherTest.java fails on headless macos |
The following sections summarize changes made in all Java SE 8u333 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8288212 | core-libs | java.net | WLS12.2.1.3/JDK8u281 high throughput servlet performance |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8279842 | core-libs | java.net | HTTPS Channel Binding support for Java GSS/Kerberos |
JDK-8088420 | javafx | web | JavaFX WebView memory leak via EventListener |
May 2, 2022
The full version string for this update release is 8u333-b02 (where "b" means "build"). The version number is 8u333.
The security baselines are unchanged from the release of JDK 8u331.
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u333) be used after the next critical patch update scheduled for July 19, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u333) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The Windows implementation of java.io.File
allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS
has been added to control this behavior. To disable ADS support in java.io.File
, the system property jdk.io.File.enableADS
should be set to false
(case ignored). Stricter path checking however prevents the use of special devices such as NUL:
This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8284920 | xml | javax.xml.path | Incorrect Token type causes XPath expression to return incorrect results |
JDK-8284548 | xml | jaxp | Invalid XPath expression causes StringIndexOutOfBoundsException |
The following sections summarize changes made in all Java SE 8u331 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8277922 | client-libs | javax.accessibility | Unable to click JCheckBox in JTable through Java Access Bridge |
JDK-8282583 | xml | jaxp | Update BCEL md to include the copyright notice |
JDK-8283350 | core-libs | java.time | (tz) Update Timezone Data to 2022a |
April 19, 2022
The full version string for this update release is 8u331-b09 (where "b" means "build"). The version number is 8u331.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u331 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u331-b09 |
7 | 7u341-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u331) be used after the next critical patch update scheduled for July 19, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u331) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Three processing limits have been added. These are:
jdk.xml.xpathExprGrpLimit
Description: Limits the number of groups an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10.
jdk.xml.xpathExprOpLimit
Description: Limits the number of operators an XPath expression can contain.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 100.
jdk.xml.xpathTotalOpLimit
Description: Limits the total number of XPath operators in an XSL Stylesheet.
Type: integer
Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException
is thrown. Default 10000.
Supported processors
jdk.xml.xpathExprGrpLimit
and jdk.xml.xpathExprOpLimit
are supported by the XPath processor.
All three limits are supported by the XSLT processor.
Setting properties
For the XSLT processor, the properties can be changed through the TransformerFactory
. For example,
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");
For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties
configuration file located in the conf
directory of the Java installation. For example,
System.setProperty("jdk.xml.xpathExprGrpLimit", "20");
or in the jaxp.properties
file,
jdk.xml.xpathExprGrpLimit=20
There are two known issues:
On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry
method or the keytool -importcert
command on a KeychainStore keystore now fails with a KeyStoreException
. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.
The gencert
command of the keytool
utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.
The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:
-Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict" (to control "ldap:" URLs)
-Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict" (to control "dns:" URLs)
-Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict" (to control "rmi:" URLs)
-Dcom.sun.jndi.corbaURLParsing="legacy" | "compat" | "strict" (to control "iiop:" and "iiopname:" URLs)
The default value is "compat" for all of the three providers.
In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI
constructors or its factory method to build URLs rather than handcrafting URL strings.
If an illegal URL string is found, a java.lang.IllegalArgumentException
or a javax.naming.NamingException
(or a subclass of it) is raised.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8259343 | client-libs | [macOS] Update JNI error handling in Cocoa code. | |
2 | JDK-8251840 | client-libs | java.awt | Java_sun_awt_X11_XToolkit_getDefaultScreenData should not be in make/mapfiles/libawt_xawt/mapfile-vers |
3 | JDK-8259237 | client-libs | javax.swing | Demo selection changes with left/right arrow key. No need to press space for selection. |
4 | JDK-8074883 | client-libs | javax.swing | Tab key should move to focused button in a button group |
5 | JDK-8258554 | client-libs | javax.swing | javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F |
6 | JDK-8272105 | client-libs | javax.swing | TestButtonGroupFocusTraversal.java fails in 8u |
7 | JDK-8275703 | core-libs | java.lang | System.loadLibrary fails on Big Sur for libraries hidden from filesystem |
8 | JDK-8274779 | core-libs | java.net | HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST |
9 | JDK-8209178 | core-libs | java.net | Proxied HttpsURLConnection doesn't send BODY when retrying POST request |
10 | JDK-8272473 | core-libs | java.time | Parsing epoch seconds at a DST transition with a non-UTC parser is wrong |
11 | JDK-8279618 | core-libs | java.util | Deserializing HashMap throws access denied suppressAccessChecks |
12 | JDK-8274658 | core-libs | java.util:i18n | ISO 4217 Amendment 170 Update |
13 | JDK-8277795 | core-libs | javax.naming | ldap connection timeout not honoured under contention |
14 | JDK-8266187 | core-svc | java.lang.instrument | Memory leak in appendBootClassPath() |
15 | JDK-8273575 | core-svc | java.lang.instrument | memory leak in appendBootClassPath(), paths must be deallocated |
16 | JDK-8276957 | docs | guides | Fix broken JDK8 documentation links |
17 | JDK-8166140 | hotspot | compiler | C1: Possible integer overflow in LIRGenerator::generate_address on several platforms |
18 | JDK-8183543 | hotspot | compiler | Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check" |
19 | JDK-8132306 | hotspot | gc | java/lang/ref/ReferenceEnqueue.java fails with "RuntimeException: Error: poll() returned null; expected ref object" |
20 | JDK-8273341 | hotspot | runtime | Update Siphash to version 1.0 |
21 | JDK-8189641 | javafx | accessibility | [Accessibility, windows] NPE when navigating to ComboBox with empty string |
22 | JDK-8151974 | javafx | accessibility | Invisible controls are still accessible by screen readers. |
23 | JDK-8089884 | javafx | controls | TextInputControls capturing function key events |
24 | JDK-8274022 | javafx | controls | Additional Memory Leak in ControlAcceleratorSupport |
25 | JDK-8244075 | javafx | controls | Accelerator of ContextMenu's MenuItem is not removed when ContextMenu is removed from Scene |
26 | JDK-8276847 | javafx | web | JSException: ReferenceError: Can't find variable: IntersectionObserver |
27 | JDK-8278980 | javafx | web | Update WebKit to 613.1 |
28 | JDK-8281711 | javafx | web | Cherry-pick WebKit 613.1 stabilization fixes |
29 | JDK-8282099 | javafx | web | Cherry-pick WebKit 613.1 stabilization fixes (2) |
30 | JDK-8242544 | javafx | window-toolkit | CMD+ENTER key event crashes the application when invoked on dialog |
31 | JDK-8257497 | security-libs | java.security | Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280 |
32 | JDK-8274736 | security-libs | java.security | Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily |
33 | JDK-8241248 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) |
34 | JDK-8275811 | security-libs | javax.net.ssl | Incorrect instance to dispose |
35 | JDK-8141508 | tools | javac | java.lang.invoke.LambdaConversionException: Invalid receiver type ... |
36 | JDK-8255035 | xml | jaxp | Update BCEL to Version 6.5.0 |
37 | JDK-8276141 | xml | jaxp | XPathFactory set/getProperty method |
The following sections summarize changes made in all Java SE 8u321 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8278472 | client-libs | java.awt:i18n | Invalid value set to CANDIDATEFORM structure |
JDK-8278186 | security-libs | javax.xml.crypto | org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method |
JDK-8255199 | security-libs | javax.xml.crypto | Catching a few NumberFormatExceptions in xmldsig |
JDK-8275082 | security-libs | javax.xml.crypto | Update XML Security for Java to 2.3.0 |
JDK-8090477 | javafx | controls | Customizable visibility timing for Tooltip |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8247469 | core-svc | javax.management | getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available |
JDK-8265836 | core-svc | java.lang.management | OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container |
JDK-8268103 | core-svc | java.lang.management | JNI functions incorrectly return a double after JDK-8265836 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8141508 | tools | javac | java.lang.invoke.LambdaConversionException: Invalid receiver type |
JDK-8209178 | core-libs | java.net | Proxied HttpsURLConnection doesn't send BODY when retrying POST request |
JDK-8279618 | core-libs | java.util | Deserializing HashMap throws access denied suppressAccessChecks |
JDK-8273747 | deploy | webstart | Grant JWS JavaFX apps access to Windows trust store |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8279118 | core-libs | java.net | ServerSocket.close bind exception with ResourceManagement |
JDK-8151974 | javafx | accessibility | Invisible controls are still accessible by screen readers. |
January 18, 2022
The full version string for this update release is 8u321-b07 (where "b" means "build"). The version number is 8u321.
This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u321 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u321-b07 |
7 | 7u331-b06 |
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u321) be used after the next critical patch update scheduled for April 19, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u321) on 2022-05-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.
The 3 new attributes for SunPKCS11 provider configuration file are:
destroyTokenAfterLogout
(boolean, defaults to false) If set to true, when java.security.AuthProvider.logout()
is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout()
calls. Note that a PKCS11 provider with this attribute set to true
should not be added to the system provider list since the provider object is not usable after a logout()
method call.
cleaner.shortInterval
(integer, defaults to 2000, in milliseconds) This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).
cleaner.longInterval
(integer, defaults to 60000, in milliseconds) This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.
Two new system properties have been added. The system property, jdk.tls.client.disableExtensions
, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions
, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.
The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.
Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.
The following root certificate from Google has been removed from the cacerts
keystore:
+ alias name "globalsignr2ca [jdk]"
Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b
This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8263846 | client-libs | Bad JNI lookup getFocusOwner in accessibility code on Mac OS X | |
2 | JDK-8155742 | client-libs | [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows | |
3 | JDK-8249548 | client-libs | backward focus traversal gets stuck in button group | |
4 | JDK-8259232 | client-libs | 2d | Bad JNI lookup during printing |
5 | JDK-6801613 | client-libs | 2d | Cross-platform pageDialog and printDialog top margin entry broken |
6 | JDK-8042713 | client-libs | 2d | [macosx] Print dialog does not update attribute set with page range |
7 | JDK-8257853 | client-libs | java.awt | Remove dependencies on JNF's JNI utility functions in AWT and 2D code |
8 | JDK-8259585 | client-libs | java.awt | [macOS] Bad JNI lookup error : Accessible actions do not work on macOS |
9 | JDK-8038631 | client-libs | java.awt | Create wrapper for awt.Robot with additional functionality |
10 | JDK-6722236 | client-libs | java.awt | 3 Choice regression testcases are failing from 6u10_b26 build onwards |
11 | JDK-8041928 | client-libs | java.awt | MouseEvent.getModifiersEx gives wrong result |
12 | JDK-8275131 | client-libs | java.awt | Exceptions after a touchpad gesture on macOS |
13 | JDK-8263490 | client-libs | java.awt:i18n | [macos] Crash occurs on JPasswordField with activated InputMethod |
14 | JDK-8274326 | client-libs | javax.accessibility | [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m |
15 | JDK-8274056 | client-libs | javax.accessibility | JavaAccessibilityUtilities leaks JNI objects |
16 | JDK-8274381 | client-libs | javax.accessibility | missing CAccessibility definitions in JNI code |
17 | JDK-8259729 | client-libs | javax.accessibility | Missed JNFInstanceOf -> IsInstanceOf conversion |
18 | JDK-8208640 | client-libs | javax.accessibility | [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard. |
19 | JDK-8208747 | client-libs | javax.accessibility | [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on |
20 | JDK-8194873 | client-libs | javax.swing | right ALT key hotkeys no longer work in Swing components |
21 | JDK-8182577 | client-libs | javax.swing | Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel |
22 | JDK-8269850 | core-libs | Most JDK releases report macOS version 12 as 10.16 instead of 12.0 | |
23 | JDK-8190482 | core-libs | InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride | |
24 | JDK-8143317 | core-libs | jdk/lambda/vm/InterfaceAccessFlagsTest.java fails with IncompatibleClassChangeError | |
25 | JDK-8253702 | core-libs | java.lang | BigSur version number reported as 10.16, should be 11.nn |
26 | JDK-8202788 | core-libs | java.nio | Explicitly reclaim cached thread-local direct buffers at thread exit |
27 | JDK-8276536 | core-libs | java.time | Update TimeZoneNames files to follow the changes made by JDK-8275766 |
28 | JDK-8273924 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add() |
29 | JDK-8187649 | core-libs | java.util:i18n | ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar |
30 | JDK-8273819 | docs | guides | Update JSSE Reference Guide with new properties to disable TLS extensions |
31 | JDK-8139247 | hotspot | compiler | Improper locking of MethodData::_extra_data_lock |
32 | JDK-8057038 | hotspot | compiler | Speculative traps not robust when compilation and class unloading are concurrent |
33 | JDK-8253353 | hotspot | compiler | Crash in C2: guarantee(n != NULL) failed: No Node |
34 | JDK-8069034 | hotspot | gc | gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure |
35 | JDK-8071530 | hotspot | runtime | Update OS detection code to reflect Windows 10 version change |
36 | JDK-8273229 | hotspot | runtime | Update OS detection code to recognize Windows Server 2022 |
37 | JDK-8274840 | hotspot | runtime | Update OS detection code to recognize Windows 11 |
38 | JDK-8273342 | hotspot | runtime | Null pointer dereference in classFileParser.cpp:2817 |
39 | JDK-8266404 | hotspot | runtime | Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report |
40 | JDK-8219562 | hotspot | runtime | Line of code in osContainer_linux.cpp#L102 appears unreachable |
41 | JDK-8186902 | hotspot | svc | jcmd GC.run should not be blocked by DisableExplicitGC |
42 | JDK-8263807 | javafx | controls | Button types of a DialogPane are set twice, returns a wrong button |
43 | JDK-8261460 | javafx | controls | Incorrect CSS applied to ContextMenu on DialogPane |
44 | JDK-8178297 | javafx | controls | TableView scrolls slightly when adding new elements |
45 | JDK-8269538 | javafx | controls | StackOverflowError when pressing F10 within SpinnerSkin |
46 | JDK-8208088 | javafx | controls | Memory Leak in ControlAcceleratorSupport |
47 | JDK-8275138 | javafx | web | WebView: UserAgent string is empty for first request |
48 | JDK-8274929 | javafx | window-toolkit | Crash while reading specific clipboard content |
49 | JDK-8275723 | javafx | window-toolkit | Crash on macOS 12 in GlassRunnable::dealloc |
50 | JDK-8192988 | security-libs | java.security | keytool should support -storepasswd for pkcs12 keystores |
51 | JDK-8225083 | security-libs | java.security | Remove Google certificate that is expiring in December 2021 |
52 | JDK-8273826 | security-libs | java.security | Correct Manifest file name and NPE checks |
53 | JDK-8277224 | security-libs | java.security | sun.security.pkcs.PKCS9Attributes.toString() throws NPE |
54 | JDK-8269034 | security-libs | javax.crypto:pkcs11 | AccessControlException for SunPKCS11 daemon threads |
55 | JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
56 | JDK-8098580 | security-libs | javax.crypto:pkcs11 | drainRefQueueBounds() puts pressure on pool.size() |
57 | JDK-8270344 | security-libs | javax.net.ssl | Session resumption errors |
58 | JDK-8217633 | security-libs | javax.net.ssl | Configurable extensions with system properties |
59 | JDK-8268965 | security-libs | javax.net.ssl | TCP Connection Reset when connecting simple socket to SSL server |
60 | JDK-8259662 | security-libs | javax.net.ssl | Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl |
61 | JDK-8169416 | security-libs | javax.net.ssl | SSLSessionImpl finalize overhead |
62 | JDK-8147051 | xml | javax.xml.stream | StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator |
The following sections summarize changes made in all Java SE 8u311 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8182577 | client-libs | javax.swing | Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel |
JDK-8241248 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8274929 | javafx | window-toolkit | Crash while reading specific clipboard content |
JDK-8089884 | javafx | controls | TextInputControls capturing function key events |
JDK-8253353 | hotspot | compiler | Crash in C2: guarantee(n != NULL) failed: No Node |
JDK-8275766 | core-libs | java.time | (tz) Update Timezone Data to 2021e |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8275138 | javafx | web | WebView: UserAgent string is empty for first request |
JDK-8274779 | core-libs | java.net | HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST |
JDK-8273229 | hotspot | runtime | Update OS detection code to recognize Windows Server 2022 |
JDK-8274840 | hotspot | runtime | Update OS detection code to recognize Windows 11 |
JDK-8041928 | client-libs | java.awt | MouseEvent.getModifiersEx gives wrong result |
JDK-8275723 | javafx | window-toolkit | Crash on macOS 12 in GlassRunnable::dealloc |
JDK-8274407 | core-libs | java.time | (tz) Update Timezone Data to 2021c |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8269538 | javafx | controls | StackOverflowError when pressing F10 within SpinnerSkin |
JDK-8240256 | security-libs | javax.crypto:pkcs11 | Better resource cleaning for SunPKCS11 Provider |
JDK-8098580 | security-libs | javax.crypto:pkcs11 | drainRefQueueBounds() puts pressure on pool.size() |
JDK-8190482 | core-libs | InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride | |
JDK-8169416 | security-libs | javax.net.ssl | SSLSessionImpl finalize overhead |
October 19, 2021
The full version string for this update release is 8u311-b11 (where "b" means "build"). The version number is 8u311.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u311 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u311-b11 |
7 | 7u321-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u311) be used after the next critical patch update scheduled for January 18, 2022.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u311) on 2022-02-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Starting from version 8u311, the Marlin graphics rasterizer and its artifacts will be built and distributed as a part of the JDK/JRE bundles. It is not the default rendering engine, however there is an option to enable it by setting the following system property:
sun.java2d.renderer=sun.java2d.marlin.MarlinRenderingEngine
Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.
The behavior is opt-in based on the presence of the jdk.serialFilterFactory
system property on the command line or the jdk.serialFilterFactory
security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.
The JVM-wide filter factory is a java.util.function.BinaryOperator<sun.misc.ObjectInputFilter>
function invoked when each ObjectInputStream
is constructed and when the stream-specific filter is set using sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter)
. The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream
constructors, the first parameter is null
and the second parameter is the static JVM-wide filter
. When invoked from sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter)
, the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter requested.
A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.
Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.
The following root certificate from IdenTrust has been removed from the cacerts
keystore:
+ alias name "identrustdstx3 [jdk]"
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
This release doesn't correctly identify Windows 11. The property os.name
is set to Windows 10
on Windows 11. In HotSpot error logs, the OS is identified as Windows 10
; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.
The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.
For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.
For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:
The behavior of HttpURLConnection
when using ProxySelector
has been modified in this JDK release. HttpURLConnection
used to fall back to a direct connection attempt if the configured proxy(s) failed to make a connection. Beginning with this release, the default behavior has been changed to no longer use a direct connection when the first proxy connection attempt fails.
A new system property, sun.net.http.fallbackToDirect
, can be set to a value of "true" should an application need to fall back to the old behavior (fall back to a direct connection when the first proxy connection attempt fails).
The scope of the com.sun.jndi.ldap.object.trustSerialData
system property has been extended to control the deserialization of java objects from the javaReferenceAddress
LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData
and javaReferenceAddress
LDAP attributes.
To prevent deserialization of java objects from these attributes, the system property can be set to false
. By default, the deserialization of java objects from javaSerializedData
and javaReferenceAddress
attributes is allowed.
This release doesn't correctly identify Windows Server. The property os.name
is set to Windows 2019
on Windows Server 2022. In HotSpot error logs, the OS is identified as Windows 10.0
for Windows Server releases 2016, 2019, and 2022; however, the HotSpot error log does show the Build number. Windows Server 2016 has Build 14393 or above, Windows Server 2019 has Build 17763 or above, and Windows Server 2022 has Build 20348 or above.
The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".
This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8148886 | client-libs | SEGV in sun.java2d.marlin.Renderer._endRendering | |
2 | JDK-8149338 | client-libs | 2d | JVM Crash caused by Marlin renderer not handling NaN coordinates |
3 | JDK-8144938 | client-libs | 2d | Handle properly coordinate overflow in Marlin Renderer |
4 | JDK-8180055 | client-libs | 2d | Upgrade the Marlin renderer in Java2D |
5 | JDK-8202580 | client-libs | 2d | Dashed BasicStroke randomly painted incorrectly, may freeze application |
6 | JDK-8210335 | client-libs | 2d | Clipping problems with complex affine transforms: negative scaling factors or small scaling factors |
7 | JDK-8228711 | client-libs | 2d | Path rendered incorrectly when it goes outside the clipping region |
8 | JDK-8230728 | client-libs | 2d | Thin stroked shapes are not rendered if affine transform has flip bit |
9 | JDK-8145055 | client-libs | 2d | Marlin renderer causes unaligned write accesses |
10 | JDK-8244088 | client-libs | 2d | [Regression] Switch of Gnome theme ends up in deadlocked UI |
11 | JDK-8262392 | client-libs | 2d | Update Mesa 3-D Headers to version 21.0.3 |
12 | JDK-8262731 | client-libs | 2d | [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print" |
13 | JDK-8198885 | client-libs | 2d | Upgrade Marlin (java2d) to 0.9.1 |
14 | JDK-8273358 | client-libs | 2d | macOS Monterey does not have the font Times needed by Serif |
15 | JDK-8269984 | client-libs | java.awt | [macos] JTabbedPane title looks like disabled |
16 | JDK-8129940 | client-libs | javax.swing | JRadioButton does not honor non-standard FocusTraversalKeys |
17 | JDK-8251377 | client-libs | javax.swing | [macos11] JTabbedPane selected tab text is barely legible |
18 | JDK-8269931 | client-libs | javax.swing | ButtonGroupLayoutTraversalTest.java fails on macOS |
19 | JDK-8268518 | client-libs | javax.swing | Add headful keyword to LayoutFocusTraversalPolicy.java |
20 | JDK-8154043 | client-libs | javax.swing | Fields not reachable anymore by tab-key, because of new tabbing behaviour of radio button groups. |
21 | JDK-8035424 | core-libs | java.lang:reflect | Performance problem in sun.reflect.generics.parser.SignatureParser |
22 | JDK-8161016 | core-libs | java.net | Strange behavior of URLConnection with proxy |
23 | JDK-8183369 | core-libs | java.net | RFC unconformity of HttpURLConnection with proxy |
24 | JDK-8067744 | hotspot | compiler | XMM/SSE float register values corrupted by JNI_CreateVM call in JRE 8 (Windows) |
25 | JDK-8268366 | hotspot | compiler | Incorrect calculation of has_fpu_registers in C1 linear scan |
26 | JDK-8268347 | hotspot | compiler | C2: nested locks optimization may create unbalanced monitor enter/exit code |
27 | JDK-8269304 | hotspot | compiler | Regression ~5% in spec2005 in b27 |
28 | JDK-8065895 | hotspot | runtime | Synchronous signals during error reporting may terminate or hang VM process |
29 | JDK-8261397 | hotspot | runtime | try catch Method failing to work when dividing an integer by 0 |
30 | JDK-8262396 | javafx | graphics | Update Mesa 3-D Headers to version 21.0.3 |
31 | JDK-8266860 | javafx | media | [macos] Incorrect duration reported for HLS live streams |
32 | JDK-8264737 | javafx | media | JavaFX media stream stops playing after reconnecting via Remote Desktop |
33 | JDK-8267819 | javafx | media | CoInitialize/CoUninitialize should be called on same thread |
34 | JDK-8268219 | javafx | media | hlsprogressbuffer should provide PTS after GStreamer update |
35 | JDK-8269147 | javafx | media | Update GStreamer to version 1.18.4 |
36 | JDK-8268718 | javafx | media | [macos] Video stops, but audio continues to play when stopTime is reached |
37 | JDK-8269131 | javafx | web | Update libxml2 to version 2.9.12 |
38 | JDK-8270479 | javafx | web | WebKit 612.1 build fails with Visual Studio 2017 |
39 | JDK-8272329 | javafx | web | Cherry pick GTK WebKit 2.32.3 changes |
40 | JDK-8268849 | javafx | web | Update to 612.1 version of WebKit |
41 | JDK-8274107 | javafx | web | Cherry pick GTK WebKit 2.32.4 changes |
42 | JDK-8231558 | javafx | window-toolkit | [macos] Platform.exit causes assertion error on macOS 10.15 or later |
43 | JDK-8268158 | security-libs | Partial backport of JDK-8214074 | |
44 | JDK-8156584 | security-libs | java.security | Initialization race in sun.security.x509.AlgorithmId.get |
45 | JDK-8268128 | security-libs | java.security | ProviderConfig deadlock in JDK 8u291 |
46 | JDK-8225082 | security-libs | java.security | Remove IdenTrust certificate that is expiring in September 2021 |
47 | JDK-8238555 | security-libs | javax.crypto:pkcs11 | Allow initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB |
48 | JDK-8163326 | security-libs | javax.net.ssl | Update the default enabled cipher suites preference |
49 | JDK-8259886 | security-libs | javax.net.ssl | Improve SSL session cache performance and scalability |
50 | JDK-8255255 | security-libs | javax.xml.crypto | Update Apache Santuario (XML Signature) to version 2.2.1 |
51 | JDK-8260690 | tools | jconsole | JConsole User Guide Link from the Help menu is not accessible by keyboard |
52 | JDK-8268213 | xml | jax-ws | Racecondition at ContextClassloaderLocal.java:45 |
The following sections summarize changes made in all Java SE 8u301 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-6801613 | client-libs | 2d | Cross-platform pageDialog and printDialog top margin entry broken |
JDK-8268965 | security-libs | javax.net.ssl | TCP Connection Reset when connecting simple socket to SSL server |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8261287 (Confidential) | client-libs | 2d | Ductus renderer does not work properly on aarch64, all graphics primitives appear broken |
JDK-8271206 (Confidential) | deploy | webstart | Passing system property jnlp.sis.session requires multi-clicks |
JDK-8271087 (Confidential) | install | install | [macos] postinstall script should provide verbose output |
JDK-8271854 | core-libs | java.nio | Explicitly reclaim cached thread-local direct buffers at thread exit |
JDK-8205540 | core-svc | debugger | test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8268213 | xml | jax-ws | Racecondition at ContextClassloaderLocal.java:45 |
July 20, 2021
The full version string for this update release is 8u301-b09 (where "b" means "build"). The version number is 8u301.
JDK 8u301 contains IANA time zone data 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u301 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u301-b09 |
7 | 7u311-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u301) be used after the next critical patch update scheduled for October 19, 2021.
Java SE Subscription customers managing JRE updates/installs for large numbers of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u301) on 2021-11-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security
file.
Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256
The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts
keystore:
+ alias name "thawtepremiumserverca [jdk]"
Distinguished Name: EMAILADDRESS=premium-server@thawte.com,
CN=Thawte Premium Server CA, OU=Certification Services Division,
O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA
+ alias name "verisignclass2g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network,
OU="(c) 1998 VeriSign, Inc. - For authorized use only",
OU=Class 2 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
+ alias name "verisignclass3ca [jdk]"
Distinguished Name: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
+ alias name "verisignclass3g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network,
OU="(c) 1998 VeriSign, Inc. - For authorized use only",
OU=Class 3 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
+ alias name "verisigntsaca [jdk]"
Distinguished Name: CN=Thawte Timestamping CA,
OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+ alias name "gtecybertrustglobalca [jdk]"
Distinguished Name:CN=GTE CyberTrust Global Root,
OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
+ soneraclass2ca
DN: CN=Sonera Class2 CA, O=Sonera, C=FI
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api
, jaxp_parser_impl
, and java-fonts
. This clean-up of the list resolves existing and potential conflicts with modular RPMs.
There are other rpms providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP
passive mode.
jdk.net.ftp.trustPasvAddress
.In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV
command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress
system property can be set to true
. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV
command
On the macOS platform, custom URL protocol handlers such as Java WebStart (jnlp and jnlps URI schemes) are deregistered after an OS upgrade. If the Java WebStart application uses jnlp or jnlps URI scheme(s), it is recommended that you check their registration status after the OS upgrade. The registration status of the custom URL protocol handlers can be obtained via the 'lsregister'
command.
For example:
lsregister -dump URLSchemeBinding | sort | grep 'jnlp|java|jar'
The Java WebStart protocol handler is registered and no-further action is required if the output of the above command contains the following lines:
jnlp: Java Network Launch Protocol (0x4680) (0x4682)
jnlps: Secure Java Network Launch Protocol (0x4684) (0x4686)
Otherwise, it is necessary to upgrade or reinstall the JRE in order to register the Java WebStart protocol.
The default encryption algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12
in the java.security
file for detailed information.
For compatibility, a new system property named keystore.pkcs12.legacy
is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:
cacerts
keystore will not be restricted.These exceptions may be removed in a future JDK release.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or overriding it using the java.security.properties
system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.
SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset
to "UTF-8" revert the behavior.
See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP
passive mode.
jdk.net.ftp.trustPasvAddress
.In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV
command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress
system property can be set to true
. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV
command
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8249142 | client-libs | java/awt/FontClass/CreateFont/DeleteFont.sh is unstable | |
2 | JDK-8166673 | client-libs | The new implementation of Robot.waitForIdle() may hang | |
3 | JDK-8263311 | client-libs | 2d | Watch registry changes for remote printers update instead of polling |
4 | JDK-8262829 | client-libs | 2d | Native crash in Win32PrintServiceLookup.getAllPrinterNames() |
5 | JDK-8260380 | client-libs | 2d | Upgrade to LittleCMS 2.12 |
6 | JDK-6847157 | client-libs | 2d | java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit |
7 | JDK-8225105 | client-libs | java.awt | java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10 |
8 | JDK-8198335 | client-libs | java.awt | java/awt/FullScreen/UninitializedDisplayModeChangeTest/UninitializedDisplayModeChangeTest.java fails in headless mode |
9 | JDK-6544871 | client-libs | java.awt | java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows. |
10 | JDK-8196019 | client-libs | java.awt | java/awt/Window/Grab/GrabTest.java fails on Windows |
11 | JDK-8224821 | client-libs | java.awt | java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64 |
12 | JDK-8215105 | client-libs | java.awt | java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color |
13 | JDK-8261231 | client-libs | java.awt | Windows IME was disabled after DnD operation |
14 | JDK-7185258 | client-libs | java.awt | [macOS] Deadlock in SunToolKit.realSync() |
15 | JDK-8240518 | client-libs | java.awt | Incorrect JNU_ReleaseStringPlatformChars in Windows Print |
16 | JDK-8004148 | client-libs | java.awt | NPE in sun.awt.SunToolkit.getWindowDeactivationTime |
17 | JDK-8262446 | client-libs | java.awt | DragAndDrop hangs on Windows |
18 | JDK-8159898 | client-libs | java.beans | Negative array size in java/beans/Introspector/Test8027905.java |
19 | JDK-8178403 | client-libs | javax.sound | DirectAudio in JavaSound may hang and leak |
20 | JDK-8159135 | client-libs | javax.swing | [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail |
21 | JDK-8264328 | client-libs | javax.swing | Broken license in javax/swing/JComboBox/8072767/bug8072767.java |
22 | JDK-8240690 | client-libs | javax.swing | Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() |
23 | JDK-8239312 | client-libs | javax.swing | [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java |
24 | JDK-8196100 | client-libs | javax.swing | javax/swing/text/JTextComponent/5074573/bug5074573.java fails |
25 | JDK-8177809 | core-libs | java.io | File.lastModified() is losing milliseconds (always ends in 000) |
26 | JDK-8178161 | core-libs | java.net | Default multicast interface on Mac |
27 | JDK-8263917 | core-libs | java.rmi | Backout of 8049202 in 8u |
28 | JDK-8252883 | core-libs | java.util.logging | AccessDeniedException caused by delayed file deletion on Windows |
29 | JDK-8262110 | core-libs | java.util:i18n | DST starts from incorrect time in 2038 |
30 | JDK-8255086 | core-libs | java.util:i18n | Update the root locale display names |
31 | JDK-8247432 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-09-29 |
32 | JDK-8241082 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry data to 03-16-2020 version |
33 | JDK-8242010 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-04-01 |
34 | JDK-8073446 | core-libs | java.util:i18n | TimeZone getOffset API does not return a DST offset between years 2038-2137 |
35 | JDK-8258753 | core-libs | javax.naming | StartTlsResponse.close() hangs due to synchronization issues |
36 | JDK-8247707 | deploy | plugin | UAC prompt of unknown publisher after upgrading java 8u241 |
37 | JDK-7123987 | docs | Request Documentation on JNLP/JNI with in 32-bit and 64-bit windows | |
38 | JDK-8216154 | hotspot | compiler | C4819 warnings at HotSpot sources on Windows |
39 | JDK-8211233 | hotspot | compiler | MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better |
40 | JDK-8209420 | hotspot | compiler | Track membars for volatile accesses so they can be properly optimized |
41 | JDK-8132148 | hotspot | gc | G1 hs_err region dump legend out of sync with region values |
42 | JDK-8166607 | hotspot | gc | G1 needs klass_or_null_acquire |
43 | JDK-8166862 | hotspot | gc | CMS needs klass_or_null_acquire |
44 | JDK-8166229 | hotspot | gc | Eliminate ParNew's use of klass_or_null() |
45 | JDK-8166663 | hotspot | gc | Simplify oops_on_card_seq_iterate_careful |
46 | JDK-8166583 | hotspot | gc | Add oopDesc::klass_or_null_acquire() |
47 | JDK-8165808 | hotspot | gc | Add release barriers when allocating objects with concurrent collection |
48 | JDK-8260704 | hotspot | gc | ParallelGC: oldgen expansion needs release-store for _end |
49 | JDK-8259271 | hotspot | gc | gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" |
50 | JDK-8257746 | hotspot | runtime | Regression introduced with JDK-8250984 - memory might be null in some machines |
51 | JDK-8203345 | javafx | accessibility | Memory leak in VirtualFlow when screen reader is enabled |
52 | JDK-8160554 | javafx | controls | Wrong unit measure in CornerRadiiConverter |
53 | JDK-8185854 | javafx | controls | NPE on non-editable ComboBox in TabPane with custom Skin |
54 | JDK-8266966 | javafx | controls | Wrong CSS properties are applied to other nodes after fix for JDK-8204568 |
55 | JDK-8204568 | javafx | controls | Relative CSS-Attributes don't work all time |
56 | JDK-8239589 | javafx | graphics | JavaFX UI will not repaint after reconnecting via Remote Desktop |
57 | JDK-8259046 | javafx | graphics | ViewPainter.ROOT_PATHS holds reference to Scene causing memory leak |
58 | JDK-8258986 | javafx | graphics | getColor throws IOOBE when PixelReader reads the same pixel twice |
59 | JDK-8259356 | javafx | media | MediaPlayer's seek freezes video |
60 | JDK-8262365 | javafx | media | Update GStreamer to version 1.18.3 |
61 | JDK-8262366 | javafx | media | Update glib to version 2.66.7 |
62 | JDK-8268152 | javafx | media | gstmpegaudioparse does not provides timestamps for HLS MP3 streams |
63 | JDK-8260246 | javafx | samples | Ensemble: Update version of Lucene to 7.7.3 |
64 | JDK-8259680 | javafx | scenegraph | Need API to query states of CAPS LOCK and NUM LOCK keys |
65 | JDK-8264990 | javafx | web | WebEngine crashes with segfault when not loaded through system classloader |
66 | JDK-8259555 | javafx | web | Webkit crashes on Apple Silicon |
67 | JDK-8263788 | javafx | web | JavaFX application freezes completely after some time when using the WebView |
68 | JDK-8261927 | javafx | web | WebKit build fails with Visual Studio 2017 |
69 | JDK-8260245 | javafx | web | Update ICU4C to version 68.2 |
70 | JDK-8251555 | javafx | window-toolkit | Remove unused focusedWindow field in glass Window to avoid leak |
71 | JDK-8263169 | javafx | window-toolkit | [macOS] JavaFX windows open as tabs when system preference for documents is set |
72 | JDK-8266293 | security-libs | Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" | |
73 | JDK-8263817 | security-libs | java.security | java.util.MissingResourceException if add cert with GOST key in cacerts |
74 | JDK-8218553 | security-libs | java.security | Enhance keystore load debug output |
75 | JDK-8243559 | security-libs | java.security | Remove root certificates with 1024-bit keys |
76 | JDK-8225081 | security-libs | java.security | Remove Telia Company CA certificate expiring in April 2021 |
77 | JDK-8153005 | security-libs | java.security | Upgrade the default PKCS12 encryption/MAC algorithms |
78 | JDK-8267599 | security-libs | java.security | Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u |
79 | JDK-8214513 | security-libs | java.security | A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11 |
80 | JDK-8202837 | security-libs | java.security | PBES2 AlgorithmId encoding error in PKCS12 KeyStore |
81 | JDK-8267100 | security-libs | java.security | [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs |
82 | JDK-8196415 | security-libs | java.security | Disable SHA-1 Signed JARs |
83 | JDK-8076190 | security-libs | java.security | Customizing the generation of a PKCS12 keystore |
84 | JDK-8260300 | security-libs | javax.net.ssl | Restrict TLS signature schemes in 8u |
85 | JDK-8254631 | security-libs | javax.net.ssl | Better support ALPN byte wire values in SunJSSE |
86 | JDK-8005819 | security-libs | org.ietf.jgss:krb5 | Support cross-realm MSSFU |
87 | JDK-8180478 | tools | tools/launcher/MultipleJRE.sh fails on Windows because of extra-'' | |
88 | JDK-8260568 | xml | Xerces version string output does not match actual version in JDK | |
89 | JDK-8235368 | xml | jaxp | Update BCEL to Version 6.4.1 |
90 | JDK-8213734 | xml | org.xml.sax | SAXParser.parse(File, ..) does not close resources when Exception occurs. |
The following sections summarize changes made in all Java SE 8u291 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8268128 | security-libs | java.security | ProviderConfig deadlock in JDK 8u291 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259886 | security-libs | javax.net.ssl | Improve SSL session cache performance and scalability |
JDK-8266943 (Confidential) | install | install | Request to reinstate MacOS JRE pkg.dmg binary bundle |
JDK-8267429 (Confidential) | infrastructure | release_eng | MacOS JRE pkg.dmg binary bundle reinstated |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8258753 | core-libs | javax.naming | StartTlsResponse.close() hangs due to synchronization issues |
JDK-8263788 | javafx | web | JavaFX application freezes completely after some time when using the WebView |
JDK-8185854 | javafx | controls | NPE on non-editable ComboBox in TabPane with custom Skin |
JDK-8260300 | security-libs | javax.net.ssl | Restrict TLS signature schemes in 8u |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8239589 | javafx | graphics | JavaFX UI will not repaint after reconnecting via Remote Desktop |
April 20, 2021
The full version string for this update release is 1.8.0_291-b10 (where "b" means "build"). The version number is 8u291.
JDK 8u291 contains IANA time zone data 2020e, 2020f, 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u291 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_291-b10 |
7 | 1.7.0_301-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u291) be used after the next critical patch update scheduled for July 20, 2021.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u291) on 2021-08-20. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
jdk.jndi.object.factoriesFilter
: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.
com.sun.jndi.ldap.object.trustSerialData
: This system property allows control of the deserialization of java objects from the javaSerializedData
LDAP attribute. To prevent deserialization of java objects from the attribute, the system property can be set to false
value. By default, deserialization of java objects from the javaSerializedData
attribute is allowed.
The following root certificates have been added to the cacerts truststore:
+ HARICA
+ haricarootca2015
DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+ haricaeccrootca2015
DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
Oracle JRE installers will update the PATH environment variable with their directory behind any already put in place by other Oracle JDK installers.
TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).
These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms
security property in the java.security
configuration file.
TLS 1.0 and 1.1 have been disabled. These protocols are NOT used by Java Plugin applets and Java Web Start applications by default. In case of any issues there is an option to re-enable the protocols via Java Control Panel.
In the java.lang.ProcessBuilder
implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false
ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess
. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands
property can be set to true
: jdk.lang.Process.allowAmbiguousCommands=true
or false
. If left unset, it is the same as setting it to true
.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8244621 | client-libs | 2d | [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11 |
2 | JDK-8258805 | client-libs | java.awt | Japanese characters not entered by mouse click on Windows 10 |
3 | JDK-8212678 | client-libs | java.awt | Windows IME related patch |
4 | JDK-8239137 | client-libs | javax.accessibility | JAWS does not always announce the value of JSliders in JColorChooser |
5 | JDK-8249588 | client-libs | javax.accessibility | libwindowsaccessbridge issues on 64bit Windows |
6 | JDK-8255880 | client-libs | javax.swing | UI of Swing components is not redrawn after their internal state changed |
7 | JDK-8250627 | core-libs | Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics | |
8 | JDK-8251397 | core-libs | java.lang | NPE on ClassValue.ClassValueMap.cacheArray |
9 | JDK-7146776 | core-libs | java.net | Deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection |
10 | JDK-8247766 | hotspot | compiler | AArch64: guarantee(val < (1U << nbits)) failed: Field too big for insn | 11 | JDK-8252482 | hotspot | compiler | disable cbcond instructions on SPARC64 |
12 | JDK-8243290 | hotspot | runtime | Improve diagnostic messages for class verification and redefinition failures |
13 | JDK-8257168 | hotspot | runtime | Use SkippedException instead of RuntimeException for docker not able to pull the repository |
14 | JDK-8260159 | install | install | Typo in Javapath.cpp |
15 | JDK-8260190 | install | install | Incomplete JDK-8259215 fix |
16 | JDK-8259215 | install | install | Default Java version is not updated for double click jar execution |
17 | JDK-8242565 | security-libs | java.security | Policy initialization issues when the denyAfter constraint is enabled |
18 | JDK-8244154 | security-libs | javax.crypto:pkcs11 | Update SunPKCS11 provider with PKCS11 v3.0 header files |
19 | JDK-8240871 | security-libs | javax.net.ssl | SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3 |
20 | JDK-8257997 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 |
21 | JDK-8253368 | security-libs | javax.net.ssl | TLS connection always receives close_notify exception |
22 | JDK-8202343 | security-libs | javax.net.ssl | Disable TLS 1.0 and 1.1 |
23 | JDK-8256818 | security-libs | javax.net.ssl | SSLSocket that is never bound or connected leaks socket resources |
24 | JDK-8257670 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks |
25 | JDK-8255559 | security-libs | javax.xml.crypto | Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() |
26 | JDK-8261970 | xml | reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271 | |
27 | JDK-8256685 | xml | jaxp | Behavior change in XML since JDK 8u271 |
28 | JDK-8249867 | xml | jaxp | XML declaration is not followed by a newline |
The following sections summarize changes made in all Java SE 8u281 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8204568 | javafx | controls | Relative CSS-Attributes don't work all time |
JDK-8262829 | client-libs | 2d | Native crash in Win32PrintServiceLookup.getAllPrinterNames() |
JDK-8262940 (Confidential) | install | [macOS] Java Webstart protocol schemes not registered by JRE installer on macOS | |
JDK-8247707 | deploy | plugin | UAC prompt of unknown publisher after upgrading java 8u241 |
JDK-8263575 (Confidential) | install | install | Conflict between JDK rpms and OL8 Modularity prevents dnf install/updates |
JDK-8263842 (Confidential) | install | install | Clean up "Provides" tag of OracleJDK/JRE rpms |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8261970 | xml | reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259680 | javafx | scenegraph | Need API to query states of CAPS LOCK and NUM LOCK keys |
JDK-8258803 | xml | WLS/Tuxedo error in encoding post JDK upgrade | |
JDK-8261209 | xml | jaxp | isStandalone property: remove dependency on pretty-print |
JDK-8249867 | xml | jaxp | xml declaration is not followed by a newline |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8259048 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020f |
JDK-8259215 | install | install | default java version is not updated for double click jar execution |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8256925 (Confidential) | security-libs | java.security | Regression with JDK-8236464 in Oracle 8u271 |
JDK-8256818 | security-libs | javax.net.ssl | SSLSocket that is never bound or connected leaks socket resources |
JDK-8257670 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks |
JDK-8257884 | security-libs | javax.net.ssl | Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test |
JDK-8257997 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 |
JDK-8256004 (Confidential) | deploy | plugin | DRS: Can not run applet in DRS with java 6 after 8u261 upgrade |
JDK-8258373 | client-libs | javax.swing | Update the text handling in the JPasswordField |
JDK-8253368 | security-libs | javax.net.ssl | TLS connection always receives close_notify exception |
January 19, 2021
The full version string for this update release is 1.8.0_281-b09 (where "b" means "build"). The version number is 8u281.
JDK 8u281 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u281 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_281-b09 |
7 | 1.7.0_291-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u281) be used after the next critical patch update scheduled for April 20, 2021.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u281) on May 15, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
A new -groupname
option has been added to keytool -genkeypair
so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1
will generate an EC key pair by using the secp384r1
curve. Because there might be multiple curves with the same size, using the -groupname
option is preferred over the -keysize
option.
The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size
has been introduced.
This new system property sets the pool size of the internal DocumentBuilder
cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size
system property used in Apache Santuario and has the same default value of 20.
The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.
With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.
Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension
system property to true
. The default value of the property is false
.
Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension
is set to true
and the client trusts more CAs than the server implementation limit.
Starting from macOS Catalina 10.15, applications do not have access to the Desktop, Documents and Downloads folders. So, if you use JavaControlPanel app to access files at the locations specified above, (such as load certificates from the Downloads folder) you must either move the files to another location or grant the required permissions to the JavaControlPanel app.
The steps to required to grant the permissions to JavaControlPanel are provided below:
1. On your Mac, open the Apple menu, click System Preferences, click Security & Privacy, then click Privacy.
2. Select Full Disk Access and click +.
3. In Applications, navigate to the System Preferences app (Applications > System Preferences), and click Open.
Note: You must grant permissions to the System Preferences app because the JavaControlPanel app is a part of that application on macOS.
The JDK update incorporates tzdata2020d. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.
The JDK update incorporates tzdata2020c. The main change is
Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.
Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew
and systemv
have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew
data file is no longer available for use.
Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8209113 | client-libs | 2d | Use WeakReference for lastFontStrike for created Fonts |
2 | JDK-8245400 | client-libs | 2d | Upgrade to LittleCMS 2.11 |
3 | JDK-8198334 | client-libs | java.awt | java/awt/FileDialog/8003399/bug8003399.java fails in headless mode |
4 | JDK-8232114 | client-libs | java.awt | JVM crashed at imjpapi.dll in native code |
5 | JDK-8252470 | client-libs | java.awt | java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows |
6 | JDK-8240633 | client-libs | javax.swing | Memory leaks in the implementations of FileChooserUI |
7 | JDK-8253072 | core-libs | XERCES version is displayed incorrect | |
8 | JDK-8069211 | core-libs | java.nio | (zipfs) ZipFileSystem creates corrupted zip if entry output stream gets closed more than once |
9 | JDK-8242480 | core-svc | java.lang.management | Negative value may be returned by getFreeSwapSpaceSize() in the docker |
10 | JDK-8252789 | deploy | deployment_toolkit | Empty client certificate issue during TLS handshake |
11 | JDK-8253695 | docs | guides | JDK 8 Install Guide - 8u RPM Installer Failed to Install on SUSE When Updating Alternatives |
12 | JDK-8255558 | docs | guides | InstallGuide: Update documentation of JDK RPM installation steps |
13 | JDK-8250665 | globalization | locale-data | Wrong translation for the month of May in ar_JO, ar_LB and ar_SY |
14 | JDK-8146612 | hotspot | compiler | C2: Precedence edges specification violated |
15 | JDK-8160006 | hotspot | compiler | Fix AArch64 after changes made by 8151661 |
16 | JDK-8214862 | hotspot | compiler | assert(proj != __null) at compile.cpp:3251 |
17 | JDK-8248214 | hotspot | gc | Add paddings for TaskQueueSuper to reduce false-sharing cache contention |
18 | JDK-8185348 | hotspot | jvmti | Major performance regression in GetMethodDeclaringClass and other JVMTI Method functions |
19 | JDK-8140091 | hotspot | runtime | remove VMStructs cast_uint64_t workaround for GCC 4.1.1 bug |
20 | JDK-8148854 | hotspot | runtime | Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent |
21 | JDK-8217338 | hotspot | runtime | [Containers] Improve systemd slice memory limit support |
22 | JDK-8217766 | hotspot | runtime | Container Support doesn't work for some Join Controllers combinations |
23 | JDK-8221408 | hotspot | runtime | Windows 32bit build build errors/warnings in hotspot |
24 | JDK-8221725 | hotspot | runtime | AArch64 build failures after JDK-8221408 (Windows 32bit build build errors/warnings in hotspot) |
25 | JDK-8227006 | hotspot | runtime | [linux] Runtime.availableProcessors execution time increased by factor of 100 |
26 | JDK-8246648 | hotspot | runtime | issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480 |
27 | JDK-8247839 | javafx | graphics | Wrong position of GUI elements using multiple HiDPI displays in JavaFX 8 |
28 | JDK-8252060 | javafx | media | gstreamer fails to build with gcc 10 |
29 | JDK-8254100 | javafx | other | FX: Update copyright year in docs, readme files to 2021 |
30 | JDK-8181775 | javafx | web | JavaFX WebView does not calculate border-radius properly |
31 | JDK-8234471 | javafx | web | Canvas in webview displayed with wrong scale on Windows |
32 | JDK-8251241 | javafx | window-toolkit | macOS: iconify property doesn't change after minimize when resizable is false |
33 | JDK-8244151 | security-libs | javax.smartcardio | Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 |
The following sections summarize changes made in all Java SE 8u271 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8256818 | security-libs | javax.net.ssl | SSLSocket that is never bound or connected leaks socket resources |
JDK-8257670 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks |
JDK-8257997 | security-libs | javax.net.ssl | sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 |
JDK-8255908 | core-libs | ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem | |
JDK-8250627 | core-libs | Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics | |
JDK-8256685 | xml | jaxp | Behavior change in XML since jdk1.8.0_271 |
JDK-8238579 | core-libs | java.net | HttpsURLConnection drops the timeout and hangs forever in read |
JDK-8254982 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020c |
JDK-8255226 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020d |
JDK-8250984 | hotspot | runtime | Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8255559 | security-libs | javax.xml.crypto | Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8253502 (Confidential) | hotspot | svc | No certificates in "Request Authentication" dialog after upgrading to 8u261 |
JDK-8252455 (Confidential) | core-libs | java.net | Performance issue caused by 8232854 |
JDK-8206925 | security-libs | javax.net.ssl | Support the certificate_authorities extension |
JDK-8250676 (Confidential) | hotspot | svc | JFR recording MonitorEnter events - Stack trace caching |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
JDK-8254177 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2020b. |
October 20, 2020
The full version string for this update release is 1.8.0_271-b09 (where "b" means "build"). The version number is 8u271.
JDK 8u271 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u271 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_271-b09 |
7 | 1.7.0_281-b06 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u271) be used after the next critical patch update scheduled for January 19, 2021.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u271) on February 20, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Weak named curves are disabled by default by adding them to the following disabledAlgorithms
security properties: jdk.tls.disabledAlgorithms
, jdk.certpath.disabledAlgorithms
, and jdk.jar.disabledAlgorithms
. The named curves are listed below.
With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms
property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves
, is implemented that can list the named curves common to all of the disabledAlgorithms
properties. To use the new property in the disabledAlgorithms
properties, precede the full property name with the keyword include
. Users can still add individual named curves to disabledAlgorithms
properties separate from this new property. No other properties can be included in the disabledAlgorithms
properties.
To restore the named curves, remove the include jdk.disabled.namedCurves
either from specific or from all disabledAlgorithms
security properties.
To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves
property.
Curves that are disabled through jdk.disabled.namedCurves
include the following:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448
The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.
As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).
Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals
security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals
security or system property to any positive value.
See further information in JDK-8223172.
A new system property, jdk.tls.maxHandshakeMessageSize
, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).
A new system property, jdk.tls.maxCertificateChainLength
, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.
The keytool
and jarsigner
tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms
security property in the java.security
configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.
The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.
The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).
NPAPI is considered to be a vulnerable plugin and has been disabled in many browsers. No browsers currently support Java Plugin, which is NPAPI-based, on Linux, Solaris, and MacOS platforms.
Starting from 8u271, the part of Java Plugin responsible for integration and interaction with a browser (in particular libnpjp2
library) and an associated artifact will not be built and is not part of the JRE distribution on Linux, Solaris, and MacOS platforms.
A new environment property,
jdk.jndi.ldap.mechsAllowedToSendCredentials
, has been added to
control which LDAP authentication mechanisms are allowed to send
credentials over clear
LDAP connections - a connection not secured
with TLS. An encrypted
LDAP connection is a connection opened
by using ldaps
scheme, or a connection opened by using ldap
scheme
and then upgraded to TLS with a STARTTLS extended operation.
The value of the property, which is by default not set, is a comma
separated list of the mechanism names that are permitted to authenticate
over a clear
connection. If a value is not specified for the property, then all mechanisms
are allowed. If the specified value is an empty list, then no mechanisms are
allowed (except for none
and anonymous
). The default value for this property is 'null'
( i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials")
returns 'null'). To explicitly permit all mechanisms to authenticate over a clear
connection, the property
value can be set to "all"
. If a connection is downgraded from
encrypted
to clear
, then only the mechanisms that are explicitly permitted are allowed.
The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.
Note: none
and anonymous
authentication mechanisms are exempted
from these rules and are always allowed regardless of the property value.
The following root certificates have been added to the cacerts truststore:
+ SSL Corporation
+ sslrootrsaca
DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrootevrsaca
DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+ sslrooteccca
DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
The following root certificate has been added to the cacerts truststore:
+ Entrust
+ entrustrootcag4
DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only",
OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java
and javac
. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac
group with alternatives framework. All links unique to the javac
group have been moved into the java
group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.
The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java
group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command:
/usr/sbin/alternatives --auto java
Some text in the Installer window is hidden/invisible when using Dark mode on macOS. To workaround this issue, switch to Light mode when running the installer. This issue should be resolved by JDK-8249683.
The deserialization of java.lang.reflect.Proxy
objects can be limited by setting the system property jdk.serialProxyInterfaceLimit
.
The limit is the maximum number of interfaces allowed per Proxy in the stream.
Setting the limit to zero prevents any Proxies from being deserialized including Annotations, a limit of less than 2 might interfere with RMI operations.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8198406 | client-libs | 2d | Test TestAATMorxFont is unstable |
2 | JDK-8220150 | client-libs | 2d | [macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs |
3 | JDK-8236996 | client-libs | 2d | Incorrect Roboto font rendering on Windows with subpixel antialiasing |
4 | JDK-8244818 | client-libs | 2d | [macos] Java2D Queue Flusher crash while moving application window to external monitor |
5 | JDK-6966205 | client-libs | java.awt | closed/sun/awt/font/DeriveFont.java failed with compilation error |
6 | JDK-8183286 | client-libs | java.awt | Some java/awt and javax/swing tests miss headful jtreg keyword |
7 | JDK-8198612 | client-libs | java.awt | Headful closed tests should not be run in headless mode |
8 | JDK-8030123 | client-libs | java.beans | java/beans/Introspector/Test8027648.java fails |
9 | JDK-8060027 | client-libs | java.beans | Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java |
10 | JDK-8156579 | client-libs | java.beans | Two JavaBeans tests failed |
11 | JDK-8156581 | client-libs | java.beans | Cleanup of ProblemList.txt |
12 | JDK-8249278 | client-libs | javax.accessibility | Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList |
13 | JDK-8183341 | client-libs | javax.imageio | Better cleanup for javax/imageio/AllowSearch.java |
14 | JDK-8183349 | client-libs | javax.imageio | Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java |
15 | JDK-8183351 | client-libs | javax.imageio | Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh |
16 | JDK-7109623 | client-libs | javax.sound | javax/sound/sampled/DirectAudio/bug6372428.java failed |
17 | JDK-8047222 | client-libs | javax.sound | Test closed/javax/sound/sampled/Clip/bug6251460.java fails if run with 32-bit java on Windows 64-bit host |
18 | JDK-8148983 | client-libs | javax.sound | Fix extra comma in changes for JDK-8148916 |
19 | JDK-8153725 | client-libs | javax.sound | Problem list javax/sound/sampled/DirectAudio/bug6400879.java for Linux |
20 | JDK-8156169 | client-libs | javax.sound | Some sound tests rarely hangs because of incorrect synchronization |
21 | JDK-8160217 | client-libs | javax.sound | JavaSound should clean up resources better |
22 | JDK-6962725 | client-libs | javax.swing | Regtest javax/swing/JFileChooser/6738668/bug6738668.java fails under Linux |
23 | JDK-8198004 | client-libs | javax.swing | javax/swing/JFileChooser/6868611/bug6868611.java throws error |
24 | JDK-8198321 | client-libs | javax.swing | javax/swing/JEditorPane/5076514/bug5076514.java fails |
25 | JDK-8249251 | client-libs | javax.swing | [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel |
26 | JDK-8168517 | core-libs | java.lang | java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed" |
27 | JDK-8151788 | core-libs | java.net | NullPointerException from ntlm.Client.type3 |
28 | JDK-8192953 | core-svc | java.lang.management | sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied |
29 | JDK-8242884 | deploy | plugin | 8u241 32 bit SSV Helper causes long load time and page load on IE11 |
30 | JDK-8145096 | hotspot | compiler | Undefined behaviour in HotSpot |
31 | JDK-8215265 | hotspot | compiler | C2: range check elimination may allow illegal out of bound access |
32 | JDK-8023697 | hotspot | runtime | failed class resolution reports different class name in detail message for the first and subsequent times |
33 | JDK-8048933 | hotspot | runtime | -XX:+TraceExceptions output should include the message |
34 | JDK-8064319 | hotspot | runtime | Need to enable -XX:+TraceExceptions in release builds |
35 | JDK-8235243 | hotspot | runtime | handle VS2017 15.9 and VS2019 in abstract_vm_version |
36 | JDK-8240295 | hotspot | runtime | hs_err elapsed time in seconds is not accurate enough |
37 | JDK-8193800 | javafx | controls | TreeTableView selection changes on sorting |
38 | JDK-8129582 | javafx | graphics | Controls slow considerably when displaying RTL-languages text on Linux |
39 | JDK-8246204 | javafx | graphics | No 3D support for newer Intel graphics drivers on Linux |
40 | JDK-8246348 | javafx | graphics | Crash in libpango on Ubuntu 20.04 with some unicode chars |
41 | JDK-8239095 | javafx | media | Upgrade libFFI to the latest 3.3 version |
42 | JDK-8248365 | javafx | media | Debug build crashes on Windows when playing media file |
43 | JDK-8252107 | javafx | media | Media pipeline initialization can crash if audio or video bin state change fails |
44 | JDK-8191758 | javafx | web | Match WebKit's font weight rendering with JavaFX |
45 | JDK-8208169 | javafx | web | can not print selected pages of web page |
46 | JDK-8245284 | javafx | web | Update to 610.1 version of WebKit |
47 | JDK-8246357 | javafx | web | Allow static build of webkit library on linux |
48 | JDK-8247963 | javafx | web | Update SQLite to version 3.32.3 |
49 | JDK-8249839 | javafx | web | Cherry pick GTK WebKit 2.28.3 changes |
50 | JDK-8252381 | javafx | web | Cherry pick GTK WebKit 2.28.4 changes |
51 | JDK-8248490 | javafx | window-toolkit | [macOS] Undecorated stage does not minimize |
52 | JDK-8141457 | security-libs | java.security | keytool default cert fingerprint algorithm should be SHA-256 |
53 | JDK-8211049 | security-libs | java.security | Second parameter of "initialize" method is not used |
54 | JDK-8242556 | security-libs | java.security | Cannot load RSASSA-PSS public key with non-null params from byte array |
55 | JDK-8245151 | security-libs | java.security | jarsigner should not raise duplicate warnings on verification |
56 | JDK-8205111 | security-libs | javax.net.ssl | Develop new Test to verify different key types for supported TLS protocols. |
57 | JDK-8215443 | security-libs | javax.net.ssl | The use of TransportContext.fatal() leads to bad coding style |
58 | JDK-8236464 | security-libs | javax.net.ssl | SO_LINGER option is ignored by SSLSocket in JDK 11 |
59 | JDK-8226719 | security-libs | org.ietf.jgss | Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message" |
60 | JDK-8227381 | security-libs | org.ietf.jgss | GSS login fails with PREAUTH_FAILED |
61 | JDK-8227437 | security-libs | org.ietf.jgss:krb5 | S4U2proxy cannot continue because server's TGT cannot be found |
62 | JDK-8246193 | security-libs | org.ietf.jgss:krb5 | Possible NPE in ENC-PA-REP search in AS-REQ |
63 | JDK-8250582 | security-libs | org.ietf.jgss:krb5 | Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets |
64 | JDK-8249717 | tools | javac | langtools tests are failing on Windows in jdk8u-cpu |
65 | JDK-8248348 | xml | jaxp | Regression caused by the update to BCEL 6.0 |
The following sections summarize changes made in all Java SE 8u261 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8252789 | deploy | deployment_toolkit | Empty client certificate issue during TLS handshake |
8249183 | client-libs | java.awt | JVM crash in "AwtFrame::WmSize" method |
8249846 | core-libs | java.util.concurrent | Change of behavior after JDK-8237117: Better ForkJoinPool behavior |
8252861 | deploy | Disable TLSv1.3 by default on deploy configurations |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8248505 | security-libs | java.security | Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider |
8248990 (Confidential) | docs | guides | Remove link to old license page from JDK 8 troubleshooting guide |
8248523 (Confidential) | docs | guides | In TLS overview page, change JDK 11 to JDK 8 |
8235932 (Confidential) | docs | guides | Backport TLS 1.3 documentation for JDK 8u MR3 |
8245624 (Confidential) | embedded | hotspot | Arm support missing for JDK-8176100 |
8062947 | core-libs | javax.naming | Fix exception message to correctly represent LDAP connection failure |
8217606 | core-libs | javax.naming | LdapContext#reconnect always opens a new connection |
8151678 | core-libs | javax.naming | com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect |
8243138 | core-libs | javax.naming | Enhance BaseLdapServer to support starttls extended request |
8247925 (Confidential) | xml | jaxp | JDK8u251- XSL transformer fails with TransformerConfigurationException |
July 14, 2020
The full version string for this update release is 1.8.0_261-b12 (where "b" means "build"). The version number is 8u261.
JDK 8u261 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u261 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_261-b12 |
7 | 1.7.0_271-b10 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u261) be used after the next critical patch update scheduled for October 20, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u261) on November 17, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
As part of ongoing maintenance, the Microsoft Visual Studio 2017 tool chain will be used to build JDK 7 and JDK 8 for Windows. JDK 8u261, in the July 2020 CPU, was built with Visual Studio 2017. With the release of the January 2021 CPU, JDK 7u291 will move to Visual Studio 2017.
Moving to Visual Studio 2017 for JDK 7 and JDK 8 requires changing the runtime library that the JDK/JRE depends on. Before this change, JDK/JRE implementations used and shipped the Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) that included MSVCR100.dll
[a][b]. Microsoft Visual Studio 2017 uses a different set of libraries/DLLs.
Native applications (including JNI) that have depended on and assumed the presence of MSCVR100.dll
in the JDK/JRE directory will fail to run. When this happens, users will see an error such as:
"The code execution cannot proceed because MSVCR100.dll was not found. Reinstalling the program may fix this problem."
These applications should be rebuilt and shipped with modern C++ runtime dependencies that use a later instance of Visual Studio. Applications should not depend on DLLs included with the JDK/JRE that are not documented in the product as offering support for the specification or other functionality in Java SE.
[a] http://support.microsoft.com/kb/2019667
[b] https://docs.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2020
Added support for RSASSA-PSS signature algorithms in JSSE implementation.
JDK 8u261 includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). For more details including a list of the features that are supported, refer to the Java Secure Socket Extension (JSSE) Reference Guide documentation and JEP 332.
For TLS 1.3, the following new standard algorithm names are defined:
SSLContext
algorithm name: TLSv1.3TLS 1.3 is disabled for default SSLContext("SSL" or "TLS") for client end-point.
The TLS 1.3 protocol can be enabled using several mechanisms already available in the JDK. For example, TLS 1.3 protocol can be enabled on SSL/TLS connections using SSLSocket/SSLEngine/SSLServerSocket APIs and system properties by the following:
sslSocket.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2"});
SSLContext ctx = SSLContext.getInstance("TLSv1.3");
sslParameters.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
jdk.tls.client.protocols
system property can also be used to control the protocols in use for a TLS connection. One may launch their application with this property. For example, java -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2"
enables TLSv1.3 and TLSv1.2 on client SSLSockets.https.protocols
system property can also be used to control the protocols on connection obtained through use of the HttpsURLConnection
class or URL.openStream()
operations. For example, -Dhttps.protocols=TLSv1.3,TLSv1.2
.A new system property, jdk.tls.server.protocols
, has been added to configure the default enabled protocol suite in the server side of the SunJSSE provider.
A new security property, jdk.tls.keyLimits
, has been added for TLS 1.3. When the specified amount of data of a specific algorithm has been processed, a post-handshake Key and IV Update is triggered to derive new keys.
Note that TLS 1.3 is not directly compatible with previous versions. Although TLS 1.3 can be implemented with a backward-compatibility mode, there are still several compatibility risks to take into account when upgrading to TLS 1.3:
jdk.tls.acknowledgeCloseNotify
, is added. The default value of the system property is "false". If the system property is set to "true", a corresponding close_notify
alert will be sent when receiving a close_notify
alert, and the connection will be duplex closed.signature_algorithms_cert
extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application can use unsupported signature algorithms.com.sun.net.ssl.dhKeyExchangeFix
system property has been removed from the new TLS implementation.Improved JSSE debug logging format has been introduced to record the logger name, the logger level, the thread ID, the thread name, the time and the caller for each log item. Use the javax.net.debug=all
system property to get full debug logs.
Since January 2018 (8u161, 7u171) unlimited Java Cryptography Extension (JCE) Jurisdiction Policy files have been bundled with the JDK and enabled by default (see JDK Cryptographic Roadmap).
The certificate for the old stand alone jar has expired, and if used the following exception will be seen:
Caused By: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.) at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:336) at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378) at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323) at javax.crypto.JceSecurity.access$000(JceSecurity.java:50) at javax.crypto.JceSecurity$1.run(JceSecurity.java:85) at java.security.AccessController.doPrivileged(Native Method) at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)
If still required for older releases the re-signed files can be found at https://www.oracle.com/java/technologies/oracle-java-archive-downloads.html
Two new system properties have been added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes
has been added for the TLS client side, and jdk.tls.server.SignatureSchemes
has been added for the server side.
Each system property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections.
The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.
The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups
TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups
, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHE
to false
.
Build Environment Update for macOS Moved to Xcode 10.1 On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.
security-libs/java.security
➜ Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts
keystore:
Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
See JDK-8225068
Media playback does not work on Ubuntu 20.04. This affects all media formats (such as, mp4, mp3, wav, etc.). In some cases, an error will be thrown. In other cases, the media player will switch to the ready state, but playback will not start. There is no workaround for this issue. This issue should be resolved by JDK-8239095.
The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection)
. In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be (aware of/monitor) the significant resources required involved in making the copy.
Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias
method in multiple iterations while performing client authentication. One key type per call. https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-
If application code implements javax.net.ssl.X509KeyManager
, ensure that the code logic in that implementation does not assume that all keytypes are passed in the keyType
String array in the first call to chooseClientAlias: String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
This version of the JDK no longer includes Java Mission Control (JMC). The jmc
launcher has been removed from the JDK bin
directory, and the missioncontrol
directory has been removed from the JDK lib
directory. The .jfr
file association is not registered by JDK installers. JMC is now available as a separate download. Please visit https://www.oracle.com/javase/jmc for more information.
JDK 8u261 release includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). The following are descriptions of "Known Issues" which an application might encounter during a SSL handshake, post upgrade to Oracle JDK/JRE 8u261:
javax.net.ssl|SEVERE|C8|....|TransportContext.java:319|Fatal (HANDSHAKE_FAILURE): Received fatal
alert: handshake_failure (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.Alert.createSSLException(Alert.java:117)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:187)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1198)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1107)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:372)
Cause: One possible cause is old server intolerance to FFDHE arguments. As per TLS RFC 7919 on server behavior If a compatible TLS server receives a Supported Groups extension from a client that includes any FFDHE group (i.e., any codepoint between 256 and 511, inclusive, even if unknown to the server), and if none of the client-proposed FFDHE groups are known and acceptable to the server, then the server MUST NOT select an FFDHE cipher suite. In this case, the server SHOULD select an acceptable non-FFDHE cipher suite from the client's offered list. If the extension is present with FFDHE groups, none of the client's offered groups are acceptable by the server, and none of the client's proposed non-FFDHE cipher suites are acceptable to the server, the server MUST end the connection with a fatal TLS alert of type insufficient_security(71).
Solution: In Oracle JDK 8u261, Finite Field Diffie-Hellman Ephemeral (FFDHE) is enabled by default. User can disable FFDHE via security property "-Djsse.enableFFDHE=false on the server (See JDK-8252716)
javax.net.ssl.SSLProtocolException: Received close_notify during handshake
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.Alert.createSSLException(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.TransportContext.fatal(Unknown Source)
at sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
at sun.security.ssl.TransportContext.dispatch(Unknown Source)
at sun.security.ssl.SSLTransport.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown
Cause: In case of an SSL abbreviated handshake (session resumption) SSL client is adding extra extensions than the agreed protocol's supported extensions. While it is TLS RFC complaint, some old non-compliant server implementations may reject this ClientHello.
Solution: As a work around specify System property -Djdk.tls.client.protocols=
Following method reference count would increase in memory profilers
HashMap$Node[] java.util.HashMap.resize()
void sun.security.ssl.SSLSessionContextImpl.put(SSLSessionImpl)
void sun.security.util.MemoryCache.put(Object, Object)
Object java.util.HashMap.put(Object, Object)
Object java.util.HashMap.putVal(int, Object, Object, boolean, boolean)
HashMap$Node[] java.util.HashMap.resize()
Cause: In 8u261, System Property SSLSessionContext.getSessionCacheSize default value was changed from 0 to 20480 ( see JDK-8210985 ) The change was made since with larger heaps, applications are running into situations where the cache ends up with several million entries at the 24 hour mark, at which time many of them are invalidated at almost the same time, which can result in multi-minute pauses, which are effectively service failures.
Solution: Revert back to JDK 8u251 behaviour by setting System Property "-Djavax.net.ssl.sessionCacheSize=0" (set number of entries in the SSL session cache to infinite)
Cause: The internal implementation of the SSLEngine and associated classes has been reworked with the introduction of TLS v1.3 support. Buffer usage has been improved in the SSLEngine area.
Solution: If an SSLEngine application encounters issues after upgrading to JDK 8u261 or later, refer to the Java 8 API to ensure application code is correct. In particular, applications using SSLEngine should not just depend on SSLEngineResult.Status.BUFFER_UNDERFLOW or SSLEngineResult.Status.BUFFER_OVERFLOW results in order to flush pending data. Buffers should always be flushed after an SSLEngine wrap operation if such a call produces data (where SSLEngineResult.Status.OK may be returned).
Cause: If deployment.security.clientauth.keystore.auto=false in the deployment.properties file Java Plugin and Java Web Start show “Request Authentication” dialog regardless the number of available certificates. However due to some modifications introduced by TLS 1.3 framework sometimes the list of available certificates might be empty.
Solution: There are two possible ways to resolve the issue:
Set deployment System Property deployment.security.clientauth.keystore.auto=true
Upgrade to new version 8u281 of Oracle JDK contained the fix for the issue
(see JDK-8253502 )
javax.net.ssl|WARNING|03|Finalizer|2020-08-31 09:42:20.203 EDT|null:-1|SSLSocket duplex close failed (
"throwable" : {
java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.duplexCloseOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.close(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.finalize(Unknown Source)
at java.lang.System$2.invokeFinalize(Unknown Source)
at java.lang.ref.Finalizer.runFinalizer(Unknown Source)
at java.lang.ref.Finalizer.access$100(Unknown Source)
at java.lang.ref.Finalizer$FinalizerThread.run(Unknown Source)}
Cause: JDK 8u261 introduced a new format for TLS logging. Additional data is now captured per event and logged. Exceptions handled by the JDK TLS library code may print verbose information about the cause of such exceptions when logging is enabled.
Solution: User can safely ignore these Warning messages
Symptoms: New/Unexpected issues from 3rd party library software being used in conjunction with the JDK.
Cause: The new TLS implementation introduces significant changes to the internal, underlying, design of the JDK TLS security libraries. The new design has exposed some bugs in 3rd party software libraries. For the most part, these issues have already been patched in such 3rd party libraries.
Examples include: Apache http-core Bouncy Castle Jetty
Solution: It's good practice to ensure that 3rd party library products being used in conjunction with the JDK TLS API are patched and up to date.
On Windows 7, the Internet Explorer 11 (IE 11) JavaScript engine does not interact properly with Java Applets because, beginning with 8u261, the JDK/JRE is compiled with VisualStudio 2017. For example, an application that uses the JavaScript methods setTimeout()
and setInterval()
may cause IE 11 to hang when a modal dialog is shown by a Java Applet.
Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java
and javac
. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac
group with alternatives framework. All links unique to the javac
group have been moved into the java
group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.
The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java
group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command: /usr/sbin/alternatives --auto java
When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean
methods in this release return container specific information, if available. Otherwise, they return host specific data:
getFreePhysicalMemorySize()
getTotalPhysicalMemorySize()
getFreeSwapSpaceSize()
getTotalSwapSpaceSize()
getSystemCpuLoad()
The default SSL session cache size has been updated to 20480 in this JDK release
BoringSSL is an SSL library deployed on some popular websites such as those run by Google/YouTube. An interoperability issue with the BoringSSL library can lead to a connection failure if TLSv1.3 is presented as the only enabled protocol in the ClientHello message and the certificate status_request extension is disabled. Enabling the certificate status_request extension by setting the jdk.tls.client.enableStatusRequestExtension
system property to true
will provide mitigation in such scenarios.
When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter
the method must be called before reading any objects from the stream. If the methods readObject
or readUnshared
are called, the setObjectInputFilter
method throws IllegalStateException
.
In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider.
In the SunJSSE provider, the following ciphersuites are now the most preferred by default:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases.
client-libs/javax.swing
➜ Deprecated NSWindowStyleMaskTexturedBackground
After an upgrade of the macOS SDK used to build the JDK, the behavior of the apple.awt.brushMetalLook
and textured
Swing properties has changed. When these properties are set, the title of the frame is still visible. It is recommended that the apple.awt.transparentTitleBar
property be set to true
to make the title of the frame invisible again. The apple.awt.fullWindowContent
property can also be used.
Please note that Textured window
support was implemented by using the NSTexturedBackgroundWindowMask
value of NSWindowStyleMask
. However, this was deprecated in macOS 10.12 along with NSWindowStyleMaskTexturedBackground
, which was deprecated in macOS 10.14.
For additional information, refer to the following documentation:
See JDK-8240995
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8130737 | client-libs | 2d | [macosx] AffineTransformOp can't handle child raster with non-zero x-offset |
2 | JDK-8211301 | client-libs | java.awt | [macos] support full window content options |
3 | JDK-8214046 | client-libs | java.awt | [macosx] Undecorated Frame does not Iconify when set to |
4 | JDK-8231438 | client-libs | java.awt | [macOS] Dark mode for the desktop is not supported |
5 | JDK-8242498 | client-libs | java.awt | Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash |
6 | JDK-8226253 | client-libs | javax.accessibility | JAWS reports wrong number of radio buttons when buttons are hidden |
7 | JDK-8238842 | client-libs | javax.imageio | AIOOBE in GIFImageReader.initializeStringTable |
8 | JDK-8194298 | core-libs | java.net | Add support for per Socket configuration of TCP keepalive |
9 | JDK-8232854 | core-libs | java.net | URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails |
10 | JDK-8044365 | core-libs | java.nio | (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) |
11 | JDK-8229888 | core-libs | java.nio | (zipfs) Updating an existing zip file does not preserve original permissions |
12 | JDK-8146356 | core-libs | java.time | java.time.format.TextStyle.FULL_STANDALONE does not work well while formatting months. |
13 | JDK-8165936 | core-libs | java.util:i18n | Potential Heap buffer overflow when seaching timezone info files |
14 | JDK-8228477 | core-libs | java.util:i18n | Have calendar revert to default names if no standalone resources exist |
15 | JDK-8214440 | core-libs | javax.naming | ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate" |
16 | JDK-8193137 | core-libs | jdk.nashorn | Nashorn crashes when given an empty script file. |
17 | JDK-8226575 | core-svc | java.lang.management | OperatingSystemMXBean should be made container aware |
18 | JDK-8239332 | deploy | plugin | LiveConnect netscape.javascript.JSException: No such property "outerWidthX" on JavaScript object |
19 | JDK-8170074 | docs | guides | Typos on "How Classes are Found" web page on Oracle site |
20 | JDK-8240337 | docs | guides | JDK 8 Developer Guides index.html page has incorrect links |
21 | JDK-8241531 | docs | guides | Update copyright page for JDK 8 docs |
22 | JDK-8243337 | docs | guides | Java Print Service API User's Guide contains typos and formatting errors |
23 | JDK-8243584 | docs | guides | Malformed HTML in the Serialization section of the JDK 8 developer guides |
24 | JDK-8181872 | hotspot | compiler | C1: possible overflow when strength reducing integer multiply by constant |
25 | JDK-8062808 | hotspot | gc | Turn on the -Wreturn-type warning |
26 | JDK-8064786 | hotspot | gc | Fix debug build after 8062808: Turn on the -Wreturn-type warning |
27 | JDK-8141056 | hotspot | gc | Erroneous assignment in HeapRegionSet.cpp |
28 | JDK-8176100 | hotspot | gc | [REDO][REDO] G1 Needs pre barrier on dereference of weak JNI handles |
29 | JDK-8191393 | hotspot | gc | Random crashes during cfree+0x1c |
30 | JDK-8225716 | hotspot | gc | G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding |
31 | JDK-8231779 | hotspot | gc | crash HeapWord*ParallelScavengeHeap::failed_mem_allocate |
32 | JDK-8041626 | hotspot | jfr | Shutdown tracing event |
33 | JDK-8213617 | hotspot | jfr | JFR should record the PID of the recorded process |
34 | JDK-8035493 | hotspot | jvmti | JVMTI PopFrame capability must instruct compilers not to prune locals |
35 | JDK-8060721 | hotspot | runtime | Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler |
36 | JDK-8076475 | hotspot | runtime | Misuses of strncpy/strncat |
37 | JDK-8187667 | hotspot | runtime | Disable deprecation warning for readdir_r |
38 | JDK-8223671 | infrastructure | The latest Java 8 is not ready to use in applications on future macOS versions | |
39 | JDK-8237820 | infrastructure | build | remove clang version check for optimization bug workaround from 8u |
40 | JDK-8240780 | infrastructure | build | [8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds |
41 | JDK-8232811 | javafx | controls | Dialog's preferred size no longer accommodates multi-line strings |
42 | JDK-8189092 | javafx | graphics | ArrayIndexOutOfBoundsException on Linux in getCachedGlyph |
43 | JDK-8212034 | javafx | graphics | Potential memory leaks in jpegLoader.c in error case |
44 | JDK-8234916 | javafx | graphics | [macos 10.15] Garbled text running with native-image |
45 | JDK-8237782 | javafx | graphics | Only read advances up to the minimum of the numHorMetrics or the available font data. |
46 | JDK-8237833 | javafx | graphics | Check glyph size before adding to glyph texture cache. |
47 | JDK-8239107 | javafx | graphics | Update libjpeg to version 9d |
48 | JDK-8241370 | javafx | graphics | Crash in JPEGImageLoader after fix for JDK-8212034 |
49 | JDK-8202393 | javafx | media | App Transport Security blocks http media on macOS with JDK build using new compilers |
50 | JDK-8236832 | javafx | media | [macos 10.15] JavaFX Application hangs on video play on Catalina |
51 | JDK-8240694 | javafx | media | [macos 10.15] JavaFX Media hangs on some video files on Catalina |
52 | JDK-8241629 | javafx | media | [macos10.15] Long startup delay playing media over https on Catalina |
53 | JDK-8242530 | javafx | media | [macos] Some audio files miss spectrum data when another audio file plays first |
54 | JDK-8238434 | javafx | samples | Ensemble: Update version of Lucene to 7.7.2 |
55 | JDK-8132880 | javafx | scenegraph | Unpredictable behaviour when trying to set negative scene width or height |
56 | JDK-8223298 | javafx | web | SVG patterns are drawn wrong |
57 | JDK-8237889 | javafx | web | Update libxml2 to version 2.9.10 |
58 | JDK-8237944 | javafx | web | webview native cl "-m32" unknown option for windows 32-bit build |
59 | JDK-8242209 | javafx | web | Increase web native thread stack size for x86 mode |
60 | JDK-8244579 | javafx | web | Windows "User Objects" leakage with WebView |
61 | JDK-8181476 | javafx | window-toolkit | [macos] Stages with StageStyle.UTILITY are always on-top when initialized without an owner |
62 | JDK-8234474 | javafx | window-toolkit | [macos 10.15] Crash in file dialog in sandbox mode |
63 | JDK-8236685 | javafx | window-toolkit | [macOs] Remove obsolete file dialog subclasses |
64 | JDK-8236971 | javafx | window-toolkit | [macos] Gestures handled incorrectly due to missing events |
65 | JDK-7092821 | security-libs | java.security | java.security.Provider.getService() is synchronized and became scalability bottleneck |
66 | JDK-8028431 | security-libs | java.security | NullPointerException in DerValue.equals(DerValue) |
67 | JDK-8028591 | security-libs | java.security | NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString() |
68 | JDK-8181841 | security-libs | java.security | A TSA server returns timestamp with precision higher than milliseconds |
69 | JDK-8228613 | security-libs | java.security | java.security.Provider#getServices order is no longer deterministic |
70 | JDK-8231387 | security-libs | java.security | java.security.Provider.getService returns random result due to race condition with mutating methods in the same class |
71 | JDK-8238452 | security-libs | java.security | Keytool generates wrong expiration date if validity is set to 2050/01/01 |
72 | JDK-8177784 | security-libs | javax.crypto | Use CounterMode intrinsic for AES/GCM |
73 | JDK-8179098 | security-libs | javax.crypto | Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73) |
74 | JDK-8201633 | security-libs | javax.crypto | Problems with AES-GCM native acceleration |
75 | JDK-8220165 | security-libs | javax.crypto | Encryption using GCM results in RuntimeException: input length out of bound |
76 | JDK-8233954 | security-libs | javax.crypto | UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll |
77 | JDK-8165275 | security-libs | javax.crypto:pkcs11 | Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey |
78 | JDK-4919790 | security-libs | javax.net.ssl | Errors in alert ssl message does not reflect the actual certificate status |
79 | JDK-7013776 | security-libs | javax.net.ssl | Multithreaded JSSE application debug information is hard to read |
80 | JDK-8028518 | security-libs | javax.net.ssl | Increase the priorities of GCM cipher suites |
81 | JDK-8145854 | security-libs | javax.net.ssl | SSLContextImpl.statusResponseManager should be generated if required |
82 | JDK-8166595 | security-libs | javax.net.ssl | TLS Support for RSASSA-PSS Signature Algorithms |
83 | JDK-8185576 | security-libs | javax.net.ssl | New handshake implementation |
84 | JDK-8206355 | security-libs | javax.net.ssl | SSLSessionImpl.getLocalPrincipal() throws NPE |
85 | JDK-8206929 | security-libs | javax.net.ssl | Check session context for TLS 1.3 session resumption |
86 | JDK-8207009 | security-libs | javax.net.ssl | TLS 1.3 half-close and synchronization issues |
87 | JDK-8207029 | security-libs | javax.net.ssl | Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21 |
88 | JDK-8207058 | security-libs | javax.net.ssl | Backport System Property jdk.tls.server.protocols |
89 | JDK-8207223 | security-libs | javax.net.ssl | SSL Handshake failures are reported with more generic SSLException |
90 | JDK-8207317 | security-libs | javax.net.ssl | SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy |
91 | JDK-8208166 | security-libs | javax.net.ssl | Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029 |
92 | JDK-8209333 | security-libs | javax.net.ssl | Socket reset issue for TLS 1.3 socket close |
93 | JDK-8209916 | security-libs | javax.net.ssl | NPE in SupportedGroupsExtension |
94 | JDK-8209965 | security-libs | javax.net.ssl | The "supported_groups" extension in ServerHellos |
95 | JDK-8210334 | security-libs | javax.net.ssl | TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes |
96 | JDK-8210846 | security-libs | javax.net.ssl | TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth |
97 | JDK-8210974 | security-libs | javax.net.ssl | No extensions debug log for ClientHello |
98 | JDK-8210985 | security-libs | javax.net.ssl | Update the default SSL session cache size to 20480 |
99 | JDK-8210989 | security-libs | javax.net.ssl | RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2 |
100 | JDK-8211339 | security-libs | javax.net.ssl | NPE during SSL handshake caused by HostnameChecker |
101 | JDK-8211806 | security-libs | javax.net.ssl | TLS 1.3 handshake server name indication is missing on a session resume |
102 | JDK-8211866 | security-libs | javax.net.ssl | TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms |
103 | JDK-8212738 | security-libs | javax.net.ssl | Incorrectly named signature scheme ecdsa_secp512r1_sha512 |
104 | JDK-8212885 | security-libs | javax.net.ssl | TLS 1.3 resumed session does not retain peer certificate chain |
105 | JDK-8213202 | security-libs | javax.net.ssl | Possible race condition in TLS 1.3 session resumption |
106 | JDK-8213782 | security-libs | javax.net.ssl | NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers |
107 | JDK-8214098 | security-libs | javax.net.ssl | sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards. |
108 | JDK-8214129 | security-libs | javax.net.ssl | SSL session resumption/SNI with TLS1.2 causes StackOverflowError |
109 | JDK-8214339 | security-libs | javax.net.ssl | SSLSocketImpl erroneously wraps SocketException |
110 | JDK-8214688 | security-libs | javax.net.ssl | TLS 1.3 session resumption with hello retry request failed with "illegal_parameter" |
111 | JDK-8215524 | security-libs | javax.net.ssl | Finished message validation failure should be decrypt_error alert |
112 | JDK-8215711 | security-libs | javax.net.ssl | Missing key_share extension for (EC)DHE key exchange should alert missing_extension |
113 | JDK-8215790 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws java.nio.BufferUnderflowException |
114 | JDK-8216045 | security-libs | javax.net.ssl | The size of key_exchange may be wrong on FFDHE |
115 | JDK-8216326 | security-libs | javax.net.ssl | SSLSocket stream close() does not close the associated socket |
116 | JDK-8217610 | security-libs | javax.net.ssl | TLSv1.3 fail with ClassException when EC keys are stored in PKCS11 |
117 | JDK-8219389 | security-libs | javax.net.ssl | Delegated task created by SSLEngine throws BufferUnderflowException |
118 | JDK-8221253 | security-libs | javax.net.ssl | TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes |
119 | JDK-8223482 | security-libs | javax.net.ssl | Unsupported ciphersuites may be offered by a TLS client |
120 | JDK-8223940 | security-libs | javax.net.ssl | Private key not supported by chosen signature algorithm |
121 | JDK-8225766 | security-libs | javax.net.ssl | Curve in certificate should not affect signature scheme when using TLSv1.3 |
122 | JDK-8228757 | security-libs | javax.net.ssl | Fail fast if the handshake type is unknown |
123 | JDK-8235263 | security-libs | javax.net.ssl | Revert TLS 1.3 change that wrapped IOExceptions |
124 | JDK-8235311 | security-libs | javax.net.ssl | Tag mismatch may alert bad_record_mac |
125 | JDK-8235874 | security-libs | javax.net.ssl | The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property. |
126 | JDK-8236039 | security-libs | javax.net.ssl | JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 |
127 | JDK-8237474 | security-libs | javax.net.ssl | Default SSLEngine should create in server role |
128 | JDK-8239798 | security-libs | javax.net.ssl | SSLSocket closes socket both socket endpoints on a SocketTimeoutException |
129 | JDK-8242141 | security-libs | javax.net.ssl | New System Properties to configure the TLS signature schemes |
130 | JDK-8242294 | security-libs | javax.net.ssl | JSSE Client does not throw SSLException when an alert occurs during handshaking |
131 | JDK-8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
132 | JDK-8224157 | xml | jaxp | BCEL: update to version 6.3.1 |
133 | JDK-8238164 | xml | jaxp | Update Apache Xerces to version 2.12.0 in JDK 8u |
The following sections summarize changes made in all Java SE 8u251 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8244579 | javafx | web | Windows "User Objects" leakage with WebView |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8241966 (Confidential) | install | Add Oracle copyright to modified Sparkle 1.23.0 files | |
8241965 (Confidential) | install | Update THIRD_PARTY_README for Sparkle 1.23.0 | |
8241814 (Confidential) | install | auto_update | [macos] 8u251b60 AU missing "Remind Me" button |
8241410 (Confidential) | infrastructure | 8u251 b60 Mac notarized build is missing the ant-javafx.jar | |
8241399 (Confidential) | client-libs | java.awt | jdk8 build broken on macOS 10.7 and sdk 10.8 |
8240780 | infrastructure | build[8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds | |
8239919 | hotspot | [8u] enable parentheses-equality warnings in HotSpot | |
8239808 (Confidential) | install | auto_update | Change URL In <cntry-lookup> Tag In mac-XXX-XX.xml |
8239400 | hotspot | [8u] clean up delete-non-virtual-dtor warnings in HotSpot | |
8239223 | hotspot | [8u] enable Wparentheses warnings in HotSpot | |
8239112 | hotspot | [8u] clean up empty-body warnings in HotSpot | |
8239053 | hotspot | runtime | [8u] clean up undefined-var-template warnings |
8238852 (Confidential) | install | install | [macos] AU to NEXTVER failed when AU from 8u251 to future |
8238700 (Confidential) | infrastructure | build | Signing reliability change not fully working on 8u |
8238225 | infrastructure | build | Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary |
8237820 | infrastructure | build | remove clang version check for optimization bug workaround from 8u |
8236971 | javafx | window-toolkit | [macos] Gestures handled incorrectly due to missing events |
8236956 (Confidential) | security-libs | javax.net.ssl | Backport test lib files from JDK-8228967 |
8235687 | infrastructure | build | Contents/MacOS/libjli.dylib cannot be a symlink |
8232580 (Confidential) | infrastructure | build | Sign Macosx binaries with hardened runtime enabled |
8232087 (Confidential) | security-libs | org.ietf.jgss | Migrate KDC from sca00jvo/burge0401/sca00kte/sca00lol/adc1140258/sca00joh to new OCI hosts |
8231438 | client-libs | java.awt | [macOS] Dark mode for the desktop is not supported |
8231092 (Confidential) | infrastructure | build | Implement Apple notarization support in the build |
8230555 (Confidential) | security-libs | javax.net.ssl | OCI migration on IIS |
8226306 (Confidential) | infrastructure | build | Improve signing reliability |
8214046 | client-libs | java.awt | [macosx] Undecorated Frame does not Iconify when set to |
8213838 (Confidential) | install | Upgrade sparkle to 1.23.0 | |
8202393 | javafx | media | App Transport Security blocks http media on macOS with JDK build using new compilers |
8200550 | hotspot | gc | Xcode 9.3 produce warning -Wexpansion-to-defined |
8196724 | infrastructure | build | Change macosx deployment target to 10.9 |
8196538 (Confidential) | infrastructure | build | Fix compilation errors when using Xcode 9.2/Macosx 10.13 in deploy and install |
8181872 | hotspot | compiler | C1: possible overflow when strength reducing integer multiply by constant |
8152856 | hotspot | runtime | Xcode 7.3 -Wshift-negative-value compile failure on Mac OS X |
8141056 | hotspot | gc | Erroneous assignment in HeapRegionSet.cpp |
8060721 | hotspot | runtime | Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler |
8043646 | client-libs | java.awt | libosxapp.dylib fails to build on Mac OS 10.9 with clang |
8030680 | hotspot | compiler | 292 cleanup from default method code assessment |
7188942 (Confidential) | client-libs | 2d | Remove support of pbuffers in OGL Java2d pipeline |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8239444 (Confidential) | security-libs | java.security | High contention java.security.Provider.getService()-JDK-7092821 |
7092821 | security-libs | java.security | java.security.Provider.getService() is synchronized and became scalability bottleneck |
8231387 | security-libs | java.security | java.security.Provider.getService returns random result due to race condition with mutating methods in the same class |
8228613 | security-libs | java.security | java.security.Provider#getServices order is no longer deterministic |
8239946 (Confidential) | security-libs | javax.crypto | Update JarVerifier class with new signing cert details |
8240439 (Confidential) | core-libs | java.net | java.net.PlainDatagramSocketImpl.receive0 seems to fail for UDP traffic spontaneously |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8231779 | hotspot | gc | crash HeapWord*ParallelScavengeHeap::failed_mem_allocate |
April 14, 2020
The full version string for this update release is 1.8.0_251-b08 (where "b" means "build"). The version number is 8u251. This JDK 8 Update release implements JSR 337 Maintenance Release 3 (approved Feb 2020).
JDK 8u251 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u251 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_251-b08 |
7 | 1.7.0_261-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u251) be used after the next critical patch update scheduled for July 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u251) on August 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.net.ssl
➜ TLS Application-Layer Protocol Negotiation Extension
JEP 244 has enhanced the Java Secure Socket Extension (JSSE) to provide support for the TLS Application-Layer Protocol Negotiation (ALPN) Extension (RFC 7301). New methods have been added to the javax.net.ssl
classes SSLEngine
, SSLSocket
, and SSLParameters
to allow clients and servers to negotiate an application layer value as part of the TLS handshake.
This API change was required by JSR 337 MR 3.
See JDK-8051498
security-libs/javax.crypto
➜ RSASSA-PSS Signature Support Added to SunMSCAPI
The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider.
See JDK-8205445
security-libs/java.security
➜ Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature
The SunRsaSign and SunJCE providers have been enhanced with support for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS signature and OAEP using FIPS 180-4 digest algorithms. New constructors and methods have been added to relevant JCA/JCE classes under the java.security.spec
and javax.crypto.spec
packages for supporting additional RSASSA-PSS parameters.
This API change was required by JSR 337 MR 3.
See JDK-8146293
javafx/web
➜ WebEngine Limits JavaScript Method Calls for Certain Classes
JavaScript programs that are run in the context of a web page loaded by WebEngine can communicate with Java objects passed from the application to the JavaScript program. JavaScript programs that reference java.lang.Class
objects are now limited to the following methods:
getCanonicalName
getEnumConstants
getFields
getMethods
getName
getPackageName
getSimpleName
getSuperclass
getTypeName
getTypeParameters
isAssignableFrom
isArray
isEnum
isInstance
isInterface
isLocalClass
isMemberClass
isPrimitive
isSynthetic
toGenericString
toString
No methods can be called on the following classes:
java.lang.ClassLoader
java.lang.Module
java.lang.Runtime
java.lang.System
java.lang.invoke.*
java.lang.module.*
java.lang.reflect.*
java.security.*
sun.misc.*
JDK-8236798 (not public)
security-libs/javax.xml.crypto
➜ New Oracle Specific JDK 8 Updates System Property to Fallback to Legacy Base64 Encoding Format
Oracle JDK 8u231 upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue where XML signature using Base64 encoding resulted in appending 
or 
to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without 
or 
.
Therefore, a new Oracle JDK 8 Updates only system property, - com.sun.org.apache.xml.internal.security.lineFeedOnly,
is made available to fall back to legacy Base64 encoded format.
Users can set this flag in one of two ways:
-Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")
This new system property is disabled by default. It has no effect on default behavior nor when com.sun.org.apache.xml.internal.security.ignoreLineBreaks
property is set.
Later JDK family versions might only support the recommended property: com.sun.org.apache.xml.internal.security.ignoreLineBreaks
See JDK-8236645
security-libs/javax.crypto
➜ Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA
, SHA256withECDSA
, etc.) are also supported.
See JDK-8026953
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8232154 | client-libs | 2d | Update Mesa 3-D Headers to version 19.2.1 |
2 | JDK-8214578 | client-libs | java.awt | [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings |
3 | JDK-8230597 | client-libs | java.awt | Update GIFlib library to the 5.2.1 |
4 | JDK-8230926 | client-libs | java.awt | [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout |
5 | JDK-4949105 | client-libs | javax.accessibility | Access Bridge lacks html tags parsing |
6 | JDK-8223158 | client-libs | javax.swing | Docked MacBook cannot start any Java Swing applications |
7 | JDK-8224475 | client-libs | javax.swing | JTextPane does not show images in HTML rendering |
8 | JDK-8226892 | client-libs | javax.swing | ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys |
9 | JDK-8230235 | client-libs | javax.swing | Rendering HTML with empty img attribute and documentBaseKey cause Exception |
10 | JDK-8235744 | client-libs | javax.swing | PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 |
11 | JDK-8229022 | core-libs | java.io | BufferedReader performance can be improved by using StringBuilder |
12 | JDK-6996807 | core-libs | java.io:serialization | FieldReflectorKey hash code computation can be improved |
13 | JDK-8067796 | core-libs | java.lang | (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null |
14 | JDK-8208715 | core-libs | java.lang | Conversion of milliseconds to nanoseconds in UNIXProcess contains bug. |
15 | JDK-8051853 | core-libs | java.net | new URI("x/").resolve("..").getSchemeSpecificPart() returns null! |
16 | JDK-8230856 | core-libs | java.net | Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return |
17 | JDK-8233022 | core-libs | java.net | [test] backout accidental change to SetLoopbackMode.java |
18 | JDK-8232003 | core-libs | java.nio | (fs) Files.write can leak file descriptor in the exception case |
19 | JDK-8237368 | core-libs | java.rmi | Problem with NullPointerException in RMI TCPEndpoint.read |
20 | JDK-8227127 | core-libs | java.text | Era designator not displayed correctly using the COMPAT provider |
21 | JDK-8234466 | core-libs | java.util.jar | Class loading deadlock involving X509Factory#commitEvent() |
22 | JDK-8066652 | core-libs | java.util:i18n | Default TimeZone is GMT not local if user.timezone is invalid on Mac OS |
23 | JDK-8225435 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry to the latest for JDK14 |
24 | JDK-8033215 | hotspot | compiler | clang: node.cpp:284 IDX_INIT macro use uninitialized field _out |
25 | JDK-8146792 | hotspot | compiler | Predicate moved after partial peel may lead to broken graph |
26 | JDK-8231988 | hotspot | compiler | Unexpected test result caused by C2 IdealLoopTree::do_remove_empty_loop |
27 | JDK-8222122 | hotspot | jfr | Provision to disable XML validation in .jfc file in JFR |
28 | JDK-8215355 | hotspot | runtime | Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1) |
29 | JDK-8229345 | hotspot | runtime | Memory leak due to vtable stubs not being shared on SPARC |
30 | JDK-8146293 | security-libs | java.security | Add support for RSASSA-PSS Signature algorithm |
31 | JDK-8175029 | security-libs | java.security | StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider) |
32 | JDK-8206171 | security-libs | java.security | Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized |
33 | JDK-8214096 | security-libs | java.security | sun.security.util.SignatureUtil passes null parameter, so JCE validation fails |
34 | JDK-8215694 | security-libs | java.security | keytool cannot generate RSASSA-PSS certificates |
35 | JDK-8225180 | security-libs | java.security | SignedObject with invalid Key not throwing the InvalidKeyException in Windows |
36 | JDK-8225745 | security-libs | java.security | NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support |
37 | JDK-8236470 | security-libs | java.security | Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId |
38 | JDK-8193262 | security-libs | javax.crypto | JNI array not released in libsunmscapi convertToLittleEndian |
39 | JDK-8205445 | security-libs | javax.crypto | Add RSASSA-PSS Signature support to SunMSCAPI |
40 | JDK-8221407 | security-libs | javax.crypto | Windows 32bit build error in libsunmscapi/security.cpp |
41 | JDK-8223003 | security-libs | javax.crypto | SunMSCAPI keys are not cleaned up |
42 | JDK-8145849 | security-libs | javax.net.ssl | ALPN: getHandshakeApplicationProtocol() always return null |
43 | JDK-8158978 | security-libs | javax.net.ssl | ALPN not working when values are set directly on a SSLServerSocket |
44 | JDK-8170282 | security-libs | javax.net.ssl | Enable ALPN parameters to be supplied during the TLS handshake |
45 | JDK-8171443 | security-libs | javax.net.ssl | (spec) An ALPN callback function may also ignore ALPN |
46 | JDK-8216039 | security-libs | javax.net.ssl | TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange |
47 | JDK-8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
48 | JDK-8207760 | xml | javax.xml.transform | SAXException: Invalid UTF-16 surrogate detected: d83c ? |
49 | JDK-8046274 | xml | jaxp | Removing dependency on jakarta-regexp |
50 | JDK-8163121 | xml | jaxp | BCEL: update to the latest 6.0 release |
51 | JDK-8233548 | xml | jaxp | Update CUP to v0.11b |
Java SE 8u241 BPRs, are based on the current Java SE 8u241 release and are available for Java SE Subscription customers.
For more information on installation and licensing of Java SE Products, visit Java SE Products Overview.
Find information about Java SE Subscriptions at Oracle Java SE Subscriptions.
The following sections summarize changes made in all Java SE 8u241 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8163251 | security-libs | javax.smartcardio | Hard coded loop limit prevents reading of smart card data greater than 8k |
8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
8239033 (Confidential) | security-libs | javax.xml.crypto | Oracle JDK 8u Base64XmlEncode.java test fails for windows platform |
8236832 | javafx | media | [macos 10.15] JavaFX Application hangs on video play on Catalina |
8239803 (Confidential) | javafx | build | [macOS 10.15] Wrong SDK recorded in dylib files prevents notarization |
8160768 | core-libs | javax.naming | Add capability to custom resolve host/domain names within the default JNDI LDAP provider |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8234468 | security-libs | java.security | Application startup failed on JRE 8u231 |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8193445 | javafx | controls | JavaFX CSS is applied redundantly leading to significant performance degradation |
January 14, 2020
The full version string for this update release is 1.8.0_241-b07 (where "b" means "build"). The version number is 8u241.
JDK 8u241 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u241 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_241-b07 |
7 | 1.7.0_251-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u241) be used after the next critical patch update scheduled for April 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u241) on May 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.security
➜ Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms
has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms
argument of Sasl.createSaslClient
or the mechanism
argument of Sasl.createSaslServer
. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.
See JDK-8200400
security-libs/javax.crypto:pkcs11
➜ SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
See JDK-8080462
security-libs/java.security
➜ New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named jdk.security.allowNonCaAnchor
has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
JDK-8230318 (not public)
security-libs/java.security
➜ Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
JDK-8227758 (not public)
security-libs/java.security
➜ Added LuxTrust Global Root 2 Certificate
The following root certificate has been added to the cacerts truststore:
+ LuxTrust
+ luxtrustglobalroot2ca
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
See JDK-8232019
security-libs/java.security
➜ Added 4 Amazon Root CA Certificates
The following root certificates have been added to the cacerts truststore:
+ Amazon
+ amazonrootca1
DN: CN=Amazon Root CA 1, O=Amazon, C=US
+ amazonrootca2
DN: CN=Amazon Root CA 2, O=Amazon, C=US
+ amazonrootca3
DN: CN=Amazon Root CA 3, O=Amazon, C=US
+ amazonrootca4
DN: CN=Amazon Root CA 4, O=Amazon, C=US
See JDK-8233223
core-libs/java.rmi
➜ Improve Registry Support
The java.rmi.Remote
marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:
java.rmi.Remote
can be invoked remotelyRemote
directly or indirectly cannot be invoked remotelyThis affects remote objects in the java.rmi.registry.Registry
and any other remote object.
JDK-8230967 (not public)
The following are some of the notable bug fixes included in this release:
client-libs/2d
➜ Support for OpenType CFF Fonts
Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf
fonts) into the standard logical fonts (such as "Dialog" and "SansSerif"). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.
Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.
Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.
See JDK-8209672
core-libs/java.io:serialization
➜ Better Serial Filter Handling
The jdk.serialFilter
system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with java.io.ObjectInputFilter.Config.setSerialFilter
. Setting the jdk.serialFilter with java.lang.System.setProperty
has no effect.
JDK-8231422 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8080465 | client-libs | The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel". | |
2 | JDK-8185538 | client-libs | 2d | JDK 9 is really slow initialising some OTF/CFF fonts. |
3 | JDK-8146238 | client-libs | 2d | [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts |
4 | JDK-8209672 | client-libs | 2d | Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init |
5 | JDK-8225101 | client-libs | java.awt | Crash at sun.awt.X11.XlibWrapper.XkbGetUpdatedMap when change keybord map |
6 | JDK-8230782 | client-libs | java.awt | Robot.createScreenCapture() fails if ???awt.robot.gtk??? is set to false |
7 | JDK-8221246 | client-libs | java.awt | NullPointerException within Win32ShellFolder2 |
8 | JDK-8213119 | client-libs | java.awt | [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails |
9 | JDK-8225505 | client-libs | javax.swing | ctrl-F1 does not show the tooltip of a menu item (JMenuItems) |
10 | JDK-8134424 | core-libs | java.io:serialization | BlockDataInputStream.readUTFBody: size local StringBuffer with the given length |
11 | JDK-8185898 | core-libs | java.net | setRequestProperty(key, null) results in HTTP header without colon in request |
12 | JDK-8230085 | core-libs | java.nio | (fs) FileStore::isReadOnly is always true on macOS Catalina |
13 | JDK-8223490 | core-libs | java.util | Optimize search algorithm for determining default time zone |
14 | JDK-8227018 | core-libs | java.util.concurrent | CompletableFuture should not call Runtime.availableProcessors on fast path |
15 | JDK-8204290 | core-libs | jdk.nashorn | Add check to limit number of capture groups |
16 | JDK-8232984 | core-libs | jdk.nashorn | Upgrading Joni License version to 2.1.16 |
17 | JDK-8204288 | core-libs | jdk.nashorn | Matching the end of a string followed by an empty greedy regex and a word boundary fails |
18 | JDK-8230303 | core-svc | debugger | JDB hangs when running monitor command |
19 | JDK-8179348 | deploy | webstart | User friendly warning when Java WebStart Temporary Internet Files is disabled. |
20 | JDK-8133949 | deploy | webstart | deploy-test build broken by fix to JDK-6921877 |
21 | JDK-6921877 | deploy | webstart | JCP JNLP Shortcut settings for JDK 9 |
22 | JDK-7024585 | deploy | webstart | enhance the list of secure jnlp vm-args for plugin and web start |
23 | JDK-8223925 | docs | No document covering default property files and system properties of the Preferences API | |
24 | JDK-8060000 | docs | guides | Endpoint identification algorithm is not only in TLS 1.2 |
25 | JDK-8207028 | docs | guides | JSSE TrustManagerFactory ignores custom value of deployment.system.security.cacerts property |
26 | JDK-8227326 | docs | guides | Broken link to JNLP specifications in Java Web Start documentation |
27 | JDK-8077316 | docs | guides | JRE Installer Options Page should include JDK |
28 | JDK-8171356 | docs | tools | providerpath option should be added to all keytool commands which specify provider information's |
29 | JDK-8143925 | hotspot | compiler | enhancing CounterMode.crypt() for AESCrypt.implEncryptBlock() |
30 | JDK-8146581 | hotspot | compiler | Minor corrections to the patch submitted for earlier bug id - 8143925 |
31 | JDK-8171974 | hotspot | compiler | Fix for R10 Register clobbering with usage of ExternalAddress |
32 | JDK-8131778 | hotspot | compiler | java disables UseAES flag when using VIS=2 on sparc |
33 | JDK-8225141 | hotspot | compiler | Better handling of classes in error state by fast class initialization checks |
34 | JDK-8229420 | hotspot | gc | [Redo] jstat reports incorrect values for OU for CMS GC |
35 | JDK-8048556 | hotspot | gc | Unnecessary GCLocker-initiated young GCs |
36 | JDK-8226798 | hotspot | runtime | JVM crash in klassItable::initialize_itable_for_interface(int, InstanceKlass*, bool, Thread*) |
37 | JDK-8041620 | hotspot | runtime | Solaris Studio 12.4 C++ 5.13 change in behavior for placing friend declarations within surrounding scope |
38 | JDK-8231854 | javafx | other | Change Mercurial to git in various README files |
39 | JDK-8231590 | javafx | other | Update location of jfx repo to GitHub in third-party legal files |
40 | JDK-8232522 | javafx | other | FX: Update copyright year in docs, readme files to 2020 |
41 | JDK-8231126 | javafx | web | libxslt.md has incorrect version string |
42 | JDK-8224636 | javafx | web | CSS "pointer-events" property "stroke" is not respected for SVG renderings |
43 | JDK-8218640 | javafx | web | Update ICU4C to version 64.2 |
44 | JDK-8173956 | security-libs | java.security | KeyStore regression due to default keystore being changed to PKCS12 |
45 | JDK-8195667 | security-libs | javax.crypto:pkcs11 | ProblemList PKCS11 tests Secmod/AddTrustedCert.java and tls/TestKeyMaterial.java due to JDK-8180837 |
46 | JDK-8080462 | security-libs | javax.crypto:pkcs11 | Update SunPKCS11 provider with PKCS11 v2.40 support |
47 | JDK-8228835 | security-libs | javax.crypto:pkcs11 | Memory leak in PKCS11 provider when using AES GCM |
48 | JDK-8229243 | security-libs | javax.crypto:pkcs11 | SunPKCS11-Solaris provider tests failing on Solaris 11.4 |
49 | JDK-8225695 | security-libs | javax.crypto:pkcs11 | 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) |
50 | JDK-8133489 | security-libs | javax.net.ssl | Better messaging for PKIX path validation matching |
51 | JDK-8229767 | security-libs | javax.security | Typo in java.security: Sasl.createClient and Sasl.createServer |
52 | JDK-8200400 | security-libs | javax.security | Allow Sasl mechanisms to be restricted |
53 | JDK-8226607 | security-libs | javax.smartcardio | Inconsistent info between pcsclite.md and MUSCLE headers |
54 | JDK-8201627 | security-libs | org.ietf.jgss:krb5 | Kerberos sequence number issues |
The following sections summarize changes made in all Java SE 8u231 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8223158 | client-libs | javax.swing | Docked MacBook cannot start any Java Swing applications |
8134424 | core-libs | java.io:serialization | BlockDataInputStream.readUTFBody: size local StringBuffer with the given length |
8077707 (Confidential) |
client-libs | javax.accessibility | jdk9 b58 cannot run any graphical application on Win 8 with JAWS running |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8185538 | client-libs | 2d | JDK 9 is really slow initialising some OTF/CFF fonts. |
8223490 | core-libs | java.util | Optimize search algorithm for determining default time zone |
8209672 (Confidential) |
client-libs | 2d | Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init |
8080465 (Confidential) |
client-libs | The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel". |
Bug Fixes
October 15, 2019
The full version string for this update release is 1.8.0_231-b11 (where "b" means "build"). The version number is 8u231.
JDK 8u231 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u231 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_231-b11 |
7 | 1.7.0_241-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u231) be used after the next critical patch update scheduled for January 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u231) on February 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.crypto
New jdk.jceks.iterationCount System Property
A new system property has been introduced to control the iteration count value used for the jceks
keystore. The default value remains at 200000 but values between 10000 and 5000000 may be specified. The new system property name is jdk.jceks.iterationCount
and the value supplied should be an integer in the accepted range. The default value will be used if a parsing error is encountered.
JDK-8223269 (not public)
security-libs/java.security
➜ New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
java/security_property
Security.setProperty(String key, String value)
method callsjava/tls_handshake
java/x509_validation
java/x509_certificate
See JDK-8148188
javafx/graphics
➜ Removal of T2K Rasterizer and ICU Layout Engine From JavaFX
The T2K rasterizer and ICU layout engine have been removed from JavaFX.
See JDK-8187147
client-libs
➜ [client-libs and javaFX] GTK3 Is Now the Default on Linux/Unix
Newer versions of Linux, Solaris, and other Unix flavor desktop environments use GTK3, while still supporting GTK2.
Previously, the JDK would default to loading the older GTK2 libraries. However, in this release, it defaults to loading GTK3 libraries. Loading is typically triggered by using the Swing GTK Look And Feel.
The old behavior can be restored by using the system property: -Djdk.gtk.version=2.2
See JDK-8222496
docs
➜ Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see http:/java/technologies/javase/jdk-jre-macos-catalina.html.
JDK-8230057 (not public)
security-libs/javax.net.ssl
➜ Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.
To re-enable these curves, use the jdk.tls.namedGroups
system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1,
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ...
JDK-8228825 (not public)
security-libs/javax.xml.crypto
➜Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto
module has been updated to version 2.1.3 of Apache Santuario. New features include:
See JDK-8219013
security-libs/javax.xml.crypto
➜ Updated xmldsig Implementation to Apache Santuario 2.1.1
The XMLDSig provider implementation in the java.xml.crypto
module has been updated to version 2.1.1 of Apache Santuario. New features include:
See JDK-8177334
security-libs/javax.crypto
➜ System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC
, which was introduced in the update releases 7u231 and 8u221, is turned off by default.
This option allows control of which implementation of ECC is in use.
When the system property, jdk.security.useLegacyECC
, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC
If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.
JDK-8224499 (not public)
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in 
or 
being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
An application may continue working with the encoded output data containing the carriage return character (
or 
) if the application coding logic allows such output.
The com.sun.org.apache.xml.internal.security.ignoreLineBreaks
system property may be set to a value of true
if an application is unable to handle encoded output data including the carriage return character (
or 
).
Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.
core-libs/java.lang
➜ Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec
and ProcessBuilder
have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.
In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands
to false
.
In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands
to true
.
Applications using Runtime.exec
or ProcessBuilder
with a security manager to invoke .bat
or .cmd
and command names that do not end in ".exe
" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.
For .exe
programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands
property is "false
" or there is no security manager and property is not "false
".
JDK-8221858 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8222496 | client-libs | [8u] Switch on GTK3 as a default GTK L&F in client-libs | |
2 | JDK-8217676 | client-libs | Upgrade libpng to 1.6.37 | |
3 | JDK-8219914 | client-libs | Change the environment variable for Java Access Bridge logging to have a directory | |
4 | JDK-8222108 | client-libs | 2d | Reduce minRefreshTime for updating remote printer list on Windows |
5 | JDK-8196681 | client-libs | javax.accessibility | Java Access Bridge logging and debug flags dynamically controlled |
6 | JDK-8226964 | client-libs | javax.swing | [Yaru] GTK L&F: There is no difference between menu selected and de-selected |
7 | JDK-8225423 | client-libs | javax.swing | GTK L&F: JSplitPane: There is no divider shown |
8 | JDK-8214702 | client-libs | javax.swing | Wrong text position for whitespaced string in printing Swing text |
9 | JDK-8216401 | core-libs | Allow "file:" URLs in Class-Path of local JARs | |
10 | JDK-8151486 | core-libs | java.lang | Class.forName causes memory leak |
11 | JDK-8197930 | core-libs | java.lang | JNI exception pending in initializeEncoding of jni_util.c |
12 | JDK-8225425 | core-libs | java.net | java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries |
13 | JDK-8214687 | core-libs | java.util:collections | Optimize Collections.nCopies().hashCode() and equals() |
14 | JDK-8222980 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry to Version 2019-04-03 |
15 | JDK-8219890 | core-libs | java.util:i18n | Calendar.getDisplayName() returns empty string for new Japanese Era on some locales |
16 | JDK-8203324 | core-libs | java.util:i18n | Use out of scope in getMacOSXLocale of java_props_macosx.c:120 |
17 | JDK-8139965 | core-libs | javax.naming | Hang seen when using com.sun.jndi.ldap.search.replyQueueSize |
18 | JDK-8217581 | docs | tools | JDK 8 javadoc man page does not list correct values for -source |
19 | JDK-8206879 | globalization | locale-data | Currency decimal marker incorrect for Peru |
20 | JDK-8202414 | hotspot | compiler | Unsafe write after primitive array creation may result in array length change |
21 | JDK-8219807 | hotspot | compiler | C2 crash in IfNode::up_one_dom(Node*, bool) |
22 | JDK-8218721 | hotspot | compiler | C1's CEE optimization produces safepoint poll with invalid debug information |
23 | JDK-8130341 | hotspot | compiler | GHASH 32bit intrinsics has AEADBadTagException |
24 | JDK-8080157 | hotspot | compiler | assert(allocates2(pc)) failed: not in CodeBuffer memory |
25 | JDK-8187147 | javafx | graphics | Remove T2K from JavaFX in JDK 10 |
26 | JDK-8201539 | javafx | graphics | Crash in DirectWrite CreateBitmap code when running TestFX test suite |
27 | JDK-8213510 | javafx | media | [Windows] MediaPlayer does not play some mp3 with artwork stream in mjpeg |
28 | JDK-8222780 | javafx | media | Visual Studio does not open media vs_projects files |
29 | JDK-8223046 | javafx | samples | AudioClip sample does not work in Ensemble when run via web-start |
30 | JDK-8230361 | javafx | web | [web] Cookies are not enabled in WebKit v608.1 |
31 | JDK-8229328 | javafx | web | [windows] PlatformFileHandle type should be JGObject rather than void * |
32 | JDK-8227431 | javafx | web | [Windows] Fix assertion failure on X86 32-bit when enabling CLOOP based JavaScript interpreter |
33 | JDK-8227079 | javafx | web | Cherry pick GTK WebKit 2.24.3 changes |
34 | JDK-8222912 | javafx | web | Websocket client doesn't work in WebView |
35 | JDK-8219362 | javafx | web | Update to 608.1 version of WebKit |
36 | JDK-8225203 | javafx | web | Update SQLite to version 3.28.0 |
37 | JDK-8222788 | javafx | web | javafx.web build fails on XCode 10.2 |
38 | JDK-8222497 | javafx | window-toolkit | [8u] Switch on GTK3 as a default GTK L&F in javafx |
39 | JDK-8226537 | javafx | window-toolkit | Multi-level Stage::initOwner can crash gnome-shell or X.org server |
40 | JDK-8211302 | javafx | window-toolkit | DragAndDrop no longer works with GTK3 |
41 | JDK-8212060 | javafx | window-toolkit | [GTK3] Stage sometimes shown at top-left before moving to correct position |
42 | JDK-8147502 | security-libs | java.security | Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size |
43 | JDK-8148188 | security-libs | java.security | Enhance the security libraries to record events of interest |
44 | JDK-8226543 | security-libs | javax.crypto | Reduce GC pressure during message digest calculations in password-based encryption |
45 | JDK-8073108 | security-libs | javax.crypto | Use x86 and SPARC CPU instructions for GHASH acceleration |
46 | JDK-8218780 | security-libs | javax.smartcardio | Update MUSCLE PCSC-Lite header files |
47 | JDK-8229868 | security-libs | javax.xml.crypto | Update Apache Santuario TPRM version |
48 | JDK-8218629 | security-libs | javax.xml.crypto | XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10 |
49 | JDK-8217878 | security-libs | javax.xml.crypto | ENVELOPING XML signature no longer works in JDK 11 |
50 | JDK-8219013 | security-libs | javax.xml.crypto | Update Apache Santuario (XML Signature) to version 2.1.3 |
51 | JDK-8177334 | security-libs | javax.xml.crypto | Update xmldsig implementation to Apache Santuario 2.1.1 |
The following sections summarize changes made in all Java SE 8u221 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8221246 | client-libs | java.awt | NullPointerException within Win32ShellFolder2 |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8080157 | hotspot | compiler | assert(allocates2(pc)) failed: not in CodeBuffer memory |
8130341 | hotspot | compiler | GHASH 32bit intrinsics has AEADBadTagException |
8073108 | security-libs | javax.crypto | Use x86 and SPARC CPU instructions for GHASH acceleration |
8048556 | hotspot | gc | Unnecessary GCLocker-initiated young GCs |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8226895 (Confidential) |
xml | jaxp | Problems when validating XML with STax |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8226543 | security-libs | javax.crypto | Reduce GC pressure during message digest calculations in password-based encryption |
8139965 | core-libs | javax.naming | Hang seen when using com.sun.jndi.ldap.search.replyQueueSize |
8225615 (Confidential) |
deploy | packager | Need javapackager to work with Inno Setup 6.x |
8223727 (Confidential) |
core-libs | javax.naming | com/sun/jndi/ldap/privconn/RunTest.java failed due to hang in LdapRequest.getReplyBer |
Please note that fixes from prior BPR are included in this version.
July 16, 2019
The full version string for this update release is 1.8.0_221-b11 (where "b" means "build"). The version number is 8u221.
JDK 8u221 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u221 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_221-b11 |
7 | 1.7.0_231-b08 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u221) will expire with the release of the next critical patch update scheduled for October 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u221) on November 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
hotspot/runtime
HotSpot Windows OS Detection Correctly Identifies Windows Server 2019
Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name
system property and the hs_err_pid
file.
See JDK-8211106
security-libs/java.security
Removal of Two DocuSign Root CA Certificates
Two DocuSign root CA certificates are expired and have been removed from the cacerts
keystore:
Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR
Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR
See JDK-8223499
security-libs/java.security
Removal of Two Comodo Root CA Certificates
Two Comodo root CA certificates are expired and have been removed from the cacerts
keystore:
Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
See JDK-8222136
security-libs/java.security
Removal of T-Systems Deutsche Telekom Root CA 2 Certificate
The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts
keystore:
Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE
See JDK-8222137
install
Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll
in either the system directory (C:\Windows\System32
) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64
) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
security-libs/javax.crypto
System Property to Switch Between Implementations of ECC
A new boolean system property, jdk.security.useLegacyECC
, has been introduced that enables switching between implementations of ECC.
When the system property, jdk.security.useLegacyECC
, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC
in the command line.
If the option is explicitly set to "false", the provider decides which implementation of ECC is used.
The default value of the option is "true". Note that the default value might change in a future update release of the JDK.
JDK-8217763 (not public)
client-libs/2d
Missing Glyphs in AWT/Swing Components Due to Lack of CJK TrueType Fonts in RHEL 8
Red Hat Enterprise Linux 8 no longer includes packages which provided TrueType fonts used by JDK for CJK (Chinese, Japanese, and Korean) languages.
Text display for those languages will therefore result in missing glyphs.
See JDK-8209672 for a resolution to this issue.
See JDK-8230150
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8214252 | client-libs | Expanded & Collapsed nodes of a JTree look the same on GTK3 | |
2 | JDK-8153732 | client-libs | 2d | Windows remote printer changes do not reflect in lookupPrintServices() |
3 | JDK-8212202 | client-libs | 2d | [Windows] Exception if no printers are installed. |
4 | JDK-8218020 | client-libs | 2d | Fix version number in mesa.md 3rd party legal file |
5 | JDK-8215210 | client-libs | 2d | [macos] Hangul text does not shape to the precomposed form on JDK8u |
6 | JDK-8218605 | client-libs | 2d | Startup Splash Screen of SwingSet2 flashes in smaller coordinates before appearing in the final size |
7 | JDK-8214765 | client-libs | java.awt | All TrayIcon MessageType icons does not show up with gtk3 option set |
8 | JDK-8204142 | client-libs | java.awt | AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts. |
9 | JDK-8210886 | client-libs | java.awt | Remove references in xwindows.md to non-existent files. |
10 | JDK-8214109 | client-libs | java.awt | XToolkit is not correctly displayed color on 16-bit high color setting |
11 | JDK-8213183 | client-libs | java.awt:i18n | InputMethod cannot be used after its restarting |
12 | JDK-8214253 | client-libs | javax.swing | Tooltip is transparent rather than having a black background |
13 | JDK-8214112 | client-libs | javax.swing | The whole text in target JPasswordField image are not selected. |
14 | JDK-8214111 | client-libs | javax.swing | There is no icon in all JOptionPane target image |
15 | JDK-8220349 | client-libs | javax.swing | The fix done for JDK-8214253 have caused issues in JTree behaviour |
16 | JDK-8218674 | client-libs | javax.swing | HTML Tooltip with "img src=" on component doesn't show |
17 | JDK-8196775 | core-libs | java.net | java/net/Socket/asyncClose/Race.java failed intermittently on Windows with ConnectException: Connection refused |
18 | JDK-8044047 | core-libs | java.util.stream | Missing null pointer checks for streams |
19 | JDK-8213294 | core-libs | java.util:i18n | Upgrade IANA LSR data |
20 | JDK-8040211 | core-libs | java.util:i18n | Update LSR datafile for BCP 47 |
21 | JDK-8191404 | core-libs | java.util:i18n | Upgrading JDK with latest available LSR data from IANA. |
22 | JDK-8203872 | core-libs | java.util:i18n | Upgrading JDK with latest available LSR data from IANA. |
23 | JDK-8214935 | core-libs | java.util:i18n | Upgrade IANA LSR data |
24 | JDK-8218781 | core-libs | java.util:i18n | Localized names for Japanese Era Reiwa in COMPAT provider |
25 | JDK-8209775 | core-libs | java.util:i18n | ISO 4217 Amendment #169 Update |
26 | JDK-8210153 | core-libs | java.util:i18n | localized currency symbol of VES |
27 | JDK-8209951 | hotspot | compiler | Problematic sparc intrinsic: com.sun.crypto.provider.CipherBlockChaining |
28 | JDK-8211106 | hotspot | runtime | [windows] Update OS detection code to recognize Windows Server 2019 |
29 | JDK-8134030 | hotspot | svc | test/serviceability/dcmd/gc/HeapDumpTest fails to verify the dump |
30 | JDK-8202884 | hotspot | svc-agent | SA: Attach/detach might fail on Linux if debugee application create/destroy threads during attaching |
31 | JDK-8222812 | install | install | java usage unit tests are failing |
32 | JDK-8212742 | install | uninstall | More information link at Java Uninstall tool for MAC point to Windows page instructions |
33 | JDK-8215686 | javafx | build | FX build fails using gradle 5 |
34 | JDK-8217942 | javafx | build | Upgrade to libxslt 1.1.33 |
35 | JDK-8219008 | javafx | graphics | Update OpenGL Headers to version 4.6 |
36 | JDK-8204060 | javafx | graphics | [Canvas] Add API in GraphicsContext to control image smoothing |
37 | JDK-8215894 | javafx | media | Provide media support for libav version 58 |
38 | JDK-8133841 | javafx | media | Full HD video can not be played on standard 1080p screen in portrait mode |
39 | JDK-8222217 | javafx | media | FX build fails on 32-bit Windows after fix for JDK-8133841 |
40 | JDK-8218174 | javafx | other | Add missing license file for Mesa header files |
41 | JDK-8222883 | javafx | samples | Ensemble: Update version of Lucene to 7.7.1 |
42 | JDK-8219734 | javafx | web | [WebView] Get rid of macOS SDK private API usage |
43 | JDK-8215775 | javafx | web | Scrollbars from web pages appear to be absolute, overlapping everything |
44 | JDK-8220147 | javafx | web | Cherry pick GTK WebKit 2.22.7 changes |
45 | JDK-8219917 | javafx | web | [WebView] Sub-resource integrity check fails on Windows and Linux |
46 | JDK-8151225 | security-libs | java.security | Mark SpecTest.java as intermittently failing |
47 | JDK-8222137 | security-libs | java.security | Remove T-Systems root CA certificate |
48 | JDK-8223499 | security-libs | java.security | Remove two DocuSign root certificates that are expiring |
49 | JDK-8222136 | security-libs | java.security | Remove two Comodo root CA certificates that are expiring |
50 | JDK-8181594 | security-libs | javax.crypto | Efficient and constant-time modular arithmetic |
51 | JDK-8203228 | security-libs | javax.crypto | Branch-free output conversion for X25519 and X448 |
52 | JDK-8201317 | security-libs | javax.crypto | X25519/X448 code improvements |
53 | JDK-8208648 | security-libs | javax.crypto | ECC Field Arithmetic Enhancements |
54 | JDK-8204909 | security-libs | javax.crypto | Improved ECC Implementation |
55 | JDK-8193830 | xml | jaxp | Xalan Update: Xalan Java 2.7.2 |
The following sections summarize changes made in all Java SE 8u212 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Please note that fixes in 8u212 b34 are included in 8u221-b32.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8208666 | client-libs | 2d | Missing glyphs from custom made font when rendering on Graphics2D |
8178870 | hotspot | jvmti | instrumentation.retransformClasses cause coredump |
8155951 | hotspot | jvmti | VM crash in nsk/jvmti/RedefineClasses/StressRedefine: assert failed: Corrupted constant pool |
8151066 | hotspot | jvmti | assert(0 <= i && i < length()) failed: index out of bounds |
8221986 (Confidential) |
javafx | build | Intermittent FX Hudson build failure on Windows: cannot execute gperf |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8218674 | client-libs | javax.swing | HTML Tooltip with "img src=" on component doesn't show |
8223233 (Confidential) |
install | install | 8u 211 32 bit MSI uninstalls Java 8u211 64 bit, which is above the security baseline |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8204060 | javafx | graphics | [Canvas] Add API in GraphicsContext to control image smoothing |
8221263 | client-libs | 2d | [TEST_BUG] RemotePrinterStatusRefresh test is hard to use |
8153732 | client-libs | 2d | Windows remote printer changes do not reflect in lookupPrintServices() |
8221412 | client-libs | 2d | lookupPrintServices() does not always update the list of Windows remote printers |
8212202 | client-libs | 2d | [Windows] Exception if no printers are installed. |
8194653 | core-libs | java.lang | Deadlock involving FileSystems.getDefault and System.loadLibrary call |
8219410 (Confidential) |
javafx | graphics | [GraphicsContext] Backport doc changes |
Please note that fixes from prior BPR (8u202 b34) are included in this version.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8221355 | hotspot | compiler | Performance regression after JDK-8155635 backport into 8u |
April 16, 2019
The full version string for this update release is 1.8.0_212-b10 (where "b" means "build"). The version number is 8u212.
JDK 8u212 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u212 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_211-b12 |
7 | 1.7.0_221-b08 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u212) will expire with the release of the next critical patch update scheduled for July 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u212) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8215364 | client-libs | JavaFX crashes on Ubuntu 18.04 with Wayland while using Swing-FX interop | |
2 | JDK-8207070 | client-libs | java.awt | Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor |
3 | JDK-8189926 | javafx | other | [Mac] Pulse timer should pause when idle |
4 | JDK-8210411 | javafx | window-toolkit | JavaFX crashes on Ubuntu 18.04 with Wayland |
5 | JDK-8211280 | javafx | window-toolkit | JavaFX build fails on Linux with gcc8 |
6 | JDK-8213952 | security-libs | java.security | Relax DNSName restriction as per RFC 1123 |
April 16, 2019
The full version string for this update release is 1.8.0_211-b12 (where "b" means "build"). The version number is 8u211.
JDK 8u211 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u211 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_211-b12 |
7 | 1.7.0_221-b08 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u211) will expire with the release of the next critical patch update scheduled for July 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u211) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
core-libs/java.time
An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3)
or JapaneseEra.valueOf("Reiwa")
. JDK 13 and later will have a new public field to represent this era.
The placeholder name, "NewEra
", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")
) will no longer work.
See JDK-8205432
core-libs/java.util:i18n
Square Character Support for Japanese New Era
The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character
class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.
See JDK-8211398
client-libs/2d
High DPI Auto-Scaling on Windows
If the Windows desktop DPI of the default screen is configured via Display Settings to be 150% or greater (that is 144 dpi or greater), JDK will now ask Windows to auto-scale the entire UI of a Java application to be consistent with the rest of the Windows desktop UI.
Below that value Java applications will appear at the same size as they did in previous releases.
This threshold is chosen as a trade-off between compatibility and legibility of the UI. At higher DPI settings, without this auto-scaling, the Java UI may be just too small to be read comfortably.
There may be some negative consequences such as
In the event that the negative consequences outweigh the benefits, an application can request the old behaviour by specifying:
-Dsun.java2d.dpiaware=true
Conversely, if the application would prefer to be auto-scaled even at lower DPI settings, then specify:
-Dsun.java2d.dpiaware=false
In the absence of either explicit setting, the default behaviour described above will apply.
JDK-8204512 (not public)
core-libs/java.lang
New Currency Code Points Added
The Java SE 8 Platform spec for java.lang.Character
now supports Unicode 6.2 plus an extension to allow new currency code points from Unicode 10.0.
The following currency code points have been added:
0BB NORDIC MARK SIGN
20BC MANAT SIGN
20BD RUBLE SIGN
20BE LARI SIGN
20BF BITCOIN SIGN
See JDK-8217710
install
Java Access Bridge Installation Workaround
There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll
in either the system directory (C:\Windows\System32
) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64
) for 32bit Java products.
To prevent breaking Java Access Bridge functionality, use one of the following workarounds:
The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.
JDK-8223293 (not public)
hotspot/compiler
Possible Performance Regression in JDK 8 Updates 202, 211, and 212
Due to a known issue with the fix for JDK-8155635, introduced in JDK 8 update 202, some applications may experience a performance regression (lower throughput and/or higher CPU consumption) when migrating from earlier releases. Examples of code that might trigger this regression include heavy use of sun.misc.Unsafe
and the Reflection API. This performance regression is addressed in JDK-8221355.
See JDK-8221355
security-libs/java.security
Added GlobalSign R6 Root Certificate
The following root certificate has been added to the cacerts truststore:
globalsignrootcar6
DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6
JDK-8216577 (not public)
security-libs/javax.net.ssl
Distrust TLS Server Certificates Anchored by Symantec Root CAs
The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.
TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).
An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.
The restrictions are enforced in the JDK implementation (the SunJSSE
Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.
An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:
"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"
If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies
security property in the java.security
configuration file.
The restrictions are imposed on the following Symantec Root certificates included in the JDK:
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US | FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA: DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A |
CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US | 37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8: 2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C |
CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US | 5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F: 7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66 |
CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US | B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E: E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4 |
CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US | A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93: 42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12 |
CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | 8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A: 97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F |
CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US | A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB: 43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57 |
CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US | 4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C: 06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C |
EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA | 3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47: 9C:36:93:65:08:80:50:56:98:10:5D:BC:E9 |
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US | 3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F: D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1 |
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US | A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09: CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05 |
OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US | 83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E: DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B |
CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1: B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44 |
CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60: 32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79 |
CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99: 89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF |
CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | 23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5: C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C |
Distinguished Name | SHA-256 Fingerprint |
---|---|
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A: 9C:DB:EC:77:29:6A:42:4B |
CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US | A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A: C1:49:08:82:D4:88:ED |
If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.
You can also use the keytool
utility from the JDK to print out details of the certificate chain, as follows:
keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>
If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours.
See JDK-8207258
core-libs/java.time
Support New Japanese Era in java.time.chrono.JapaneseEraThe JapaneseEra class and its of(int)
, valueOf(String)
, and values()
methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.
See JDK-8212941
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8213983 | client-libs | java.awt | [macosx] Keyboard shortcut ???cmd +`??? stops working properly if popup window is displayed |
2 | JDK-8213583 | client-libs | java.awt | Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files |
3 | JDK-8076164 | client-libs | javax.swing | [JTextField] When input too long Thai character, cursor's behavior is odd |
4 | JDK-8132136 | client-libs | javax.swing | [PIT] RTL orientation in JEditorPane is broken |
5 | JDK-8133108 | client-libs | javax.swing | [PIT] Container size is wrong in JEditorPane |
6 | JDK-8187364 | client-libs | javax.swing | Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component |
7 | JDK-8216396 | core-libs | java.lang | Support new Japanese era and new currency code points in java.lang.Character for Java SE 8 |
8 | JDK-8218915 | core-libs | java.lang | Change isJavaIdentifierStart and isJavaIdentifierPart to handle new code points |
9 | JDK-8217710 | core-libs | java.lang | Add 5 currency code points to Java SE 8uX |
10 | JDK-8180469 | core-libs | java.time | Wrong short form text for supplemental Japanese era |
11 | JDK-8212941 | core-libs | java.time | Support new Japanese era in java.time.chrono.JapaneseEra |
12 | JDK-8211398 | core-libs | java.util:i18n | Square character support for the Japanese new era |
13 | JDK-8202088 | core-libs | java.util:i18n | Japanese new era implementation |
14 | JDK-8207152 | core-libs | java.util:i18n | Placeholder for Japanese new era should be two characters |
15 | JDK-8217609 | core-libs | java.util:i18n | New era placeholder not recognized by java.text.SimpleDateFormat |
16 | JDK-8159886 | deploy | plugin | Window of a newly launched Oracle Forms applet loses focus |
17 | JDK-8133984 | hotspot | runtime | print_compressed_class_space() is only defined in 64-bit VM |
18 | JDK-8180904 | hotspot | test | Hotspot tests running with -agentvm failing due to classpath |
19 | JDK-8187220 | install | install | postinstall fails if there is a space in user name |
20 | JDK-8214185 | javafx | media | Upgrade GStreamer to the latest (1.14.4) version |
21 | JDK-8200665 | javafx | samples | Ensemble: Update SyntaxHighlighter to version 4.0.1 |
22 | JDK-8207772 | javafx | web | File API and FileReader should be supported in WebView |
23 | JDK-8213541 | javafx | web | WebView does not handle HTTP response without ContentType |
24 | JDK-8215702 | javafx | web | SVG gradients are not rendered |
25 | JDK-8215799 | javafx | web | Complex text is not rendered by webkit on Windows |
26 | JDK-8214119 | javafx | web | Update to 607.1 version of WebKit |
27 | JDK-8211399 | javafx | web | libxslt fails to build with glibc 2.26 |
28 | JDK-8211454 | javafx | web | Update SQLite to version 3.26.0 |
29 | JDK-8214452 | javafx | web | Update libxml2 to version 2.9.9 |
30 | JDK-8213806 | javafx | web | WebView - JVM crashes for given HTML |
31 | JDK-8218611 | javafx | web | [DRT] fast/xslt tests fails with Unsupported encoding windows-1251 |
32 | JDK-8219539 | javafx | web | Cherry pick GTK WebKit 2.22.6 changes |
33 | JDK-8133802 | security-libs | replace some <tt> tags (obsolete in html5) in security-libs docs | |
34 | JDK-8216280 | security-libs | java.security | Allow later Symantec Policy distrust date for two Apple SubCAs |
35 | JDK-8215318 | security-libs | java.security | Amend the Standard Algorithm Names specification to clarify that names can be defined in later versions |
36 | JDK-8029661 | security-libs | javax.net.ssl | Support TLS v1.2 algorithm in SunPKCS11 provider |
37 | JDK-8207258 | security-libs | javax.net.ssl | Distrust TLS server certificates anchored by Symantec Root CAs |
38 | JDK-8129988 | security-libs | javax.net.ssl | JSSE should create a single instance of the cacerts KeyStore |
39 | JDK-8217579 | security-libs | javax.net.ssl | TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883 |
40 | JDK-8203190 | security-libs | javax.net.ssl | SessionId.hashCode generates too many collisions |
41 | JDK-8164656 | security-libs | org.ietf.jgss:krb5 | krb5 does not retry if TCP connection timeouts |
The following sections summarize changes made in all Java SE 8u202 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8204142 | client-libs | java.awt | AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts. |
8217227 (Confidential) |
deploy | plugin | Java Deployment Ruleset (DRS) not working for forms Web Start (webstart) config |
8221544 (Confidential) |
deploy | webstart | StackOverflowError and JWS fails to launch for some client PCs in cluster config |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8213583 | client-libs | java.awt | Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files |
8207070 | client-libs | java.awt | Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor |
8027434 | hotspot | runtime | "-XX:OnOutOfMemoryError" uses fork instead of vfork |
Please note that fixes from the prior BPR (8u192 b35) are included in this version.
January 15, 2019
The full version string for this update release is 1.8.0_202-b08 (where "b" means "build"). The version number is 8u202.
JDK 8u202 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u202 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_201-b09 |
7 | 1.7.0_211-b07 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u202) will expire with the release of the next critical patch update scheduled for April 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u202) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
client-libs
GTK+ 3.20 and Later Unsupported by Swing
Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.
See JDK-8219072
The following are some of the notable bug fixes included in this release:
deploy/webstart
Changes in Update Process of Java Web Start Cached Objects
The update mechanism of cached Java Web Start objects has been slightly changed. Now Java Web Start issues HTTP HEAD request instead of GET to test whether the updates for cached object are available or not. The downloading of the updates did not change and keeps working in the same way as before.
JDK-8211746 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8210384 | client-libs | 2d | SunLayoutEngine.isAAT() font is expensive on MacOS |
2 | JDK-8191178 | client-libs | java.awt | [macos] Problem with input of yen symbol |
3 | JDK-8130655 | client-libs | java.awt | OS X: keyboard input in textfield is not possible if the window contained textfield is owned by EmbeddedFrame |
4 | JDK-8205479 | client-libs | java.awt | OS X: requestFocus() does not work properly for embedded frame |
5 | JDK-8170937 | client-libs | java.awt | Swing apps are slow if displaying from a remote source to many local displays |
6 | JDK-8207322 | client-libs | java.awt | [Client-Libs] Backport GTK3 support on Linux to 8u |
7 | JDK-8201801 | client-libs | java.awt | RTL language (Hebrew) is presented from left to right |
8 | JDK-8182461 | client-libs | javax.imageio | IndexOutOfBoundsException when reading indexed color BMP |
9 | JDK-8207150 | client-libs | javax.sound | Clip.isRunning() may return true after Clip.stop() was called |
10 | JDK-8202264 | client-libs | javax.sound | Race condition in AudioClip.loop() |
11 | JDK-8206392 | client-libs | javax.swing | [macosx] Cycling through windows (JFrames) does not work with keyboard shortcut |
12 | JDK-8208638 | client-libs | javax.swing | Instead of circle rendered in appl window, but ellipse is produced JEditor Pane |
13 | JDK-8207060 | core-libs | java.io | Memory leak when malloc fails within WITH_UNICODE_STRING block |
14 | JDK-8207750 | core-libs | java.io | Native handle leak in java.io.WinNTFileSystem.list() |
15 | JDK-8200719 | core-libs | java.net | Cannot connect to IPv6 host when exists any active network interface without IPv6 address |
16 | JDK-8202261 | core-libs | java.nio | (fc) FileChannel.map and RandomAccessFile.setLength should not preallocate space |
17 | JDK-8207145 | core-libs | java.nio | (fs) Native memory leak in WindowsNativeDispatcher.LookupPrivilegeValue0 |
18 | JDK-8165852 | core-libs | java.nio | (fs) Mount point not found for a file which is present in overlayfs |
19 | JDK-8139507 | core-libs | java.util | WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs |
20 | JDK-8209184 | core-libs | java.util:i18n | JCK Test Failure due to ResourceBundle |
21 | JDK-8210038 | deploy | webstart | JNLP 'arch' attribute fails with NPE in SingleInstanceServiceImpl |
22 | JDK-8208183 | hotspot | update HSDIS plugin license to UPL | |
23 | JDK-8212709 | hotspot | Backout backport of JDK-8211394 from jdk 8u-dev | |
24 | JDK-8164920 | hotspot | compiler | ppc: enhancement of CRC32 intrinsic |
25 | JDK-8209639 | hotspot | compiler | assert failure in coalesce.cpp: attempted to spill a non-spillable item |
26 | JDK-8172850 | hotspot | compiler | Anti-dependency on membar causes crash in register allocator due to invalid instruction scheduling |
27 | JDK-8155635 | hotspot | compiler | C2: Mixed unsafe oop accesses break alias analysis |
28 | JDK-8131048 | hotspot | compiler | ppc: implement CRC32 intrinsic |
29 | JDK-8211150 | hotspot | gc | G1 Full GC not purging code root memory and hence causing memory leak |
30 | JDK-8064811 | hotspot | gc | Use THREAD instead of CHECK_NULL in return statements |
31 | JDK-8211909 | hotspot | jvmti | JDWP Transport Listener: dt_socket thread crash |
32 | JDK-8211387 | hotspot | runtime | [Zero] atomic_copy64: Use ldrexd for atomic reads on ARMv7 |
33 | JDK-8211124 | hotspot | runtime | HotSpot vm_version.cpp should recognise updated VS2017 |
34 | JDK-8205965 | hotspot | runtime | SIGSEGV on write to NativeCallStack::EMPTY_STACK |
35 | JDK-8196882 | hotspot | runtime | VS2017 Hotspot Defined vsnprintf Function Causes C2084 Already Defined Compilation Error |
36 | JDK-8209863 | hotspot | runtime | Add a test to verify that -XX:+EnableTracing works |
37 | JDK-8211394 | hotspot | runtime | CHECK_ must be used in the rhs of an assignment statement within a block (round 2) |
38 | JDK-8145788 | hotspot | svc | JVM crashes with -XX:+EnableTracing |
39 | JDK-8208091 | hotspot | svc-agent | SA: jhsdb jstack --mixed throws UnmappedAddressException on i686 |
40 | JDK-8164383 | hotspot | svc-agent | jhsdb dumps core on Solaris 12 when loading dumped core |
41 | JDK-8210219 | javafx | graphics | GlassClipboard.cpp fails to compile with newer versions of VS2017 |
42 | JDK-8148129 | javafx | web | Implement Accelerated composition for WebView |
43 | JDK-8209457 | javafx | web | [WebView] Canvas.toDataURL with image/jpeg MIME type fails |
44 | JDK-8202277 | javafx | web | WebView image capture fails with standalone FX due to dependency on javafx.swing |
45 | JDK-8196968 | javafx | web | One time crash on exit in JNIEnv_::CallObjectMethod |
46 | JDK-8207159 | javafx | web | Update ICU to version 62.1 |
47 | JDK-8212147 | javafx | window-toolkit | [JavaFX] Backport GTK3 support on Linux to 8u |
48 | JDK-8156709 | security-libs | java.security | Cannot call setSeed on NativePRNG on Mac if EGD is /dev/urandom |
49 | JDK-8187218 | security-libs | org.ietf.jgss | GSSCredential.getRemainingLifetime() returns negative value for TTL > 24 days. |
50 | JDK-8131051 | security-libs | org.ietf.jgss:krb5 | KDC might issue a renewable ticket even if not requested |
51 | JDK-8160928 | tools | javac | javac incorrectly copies over interior type annotations to bridge method |
January 15, 2019
The full version string for this update release is 1.8.0_201-b09 (where "b" means "build"). The version number is 8u201.
JDK 8u201 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u201 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_201-b09 |
7 | 1.7.0_211-b07 |
6 | 1.6.0_221 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u201) will expire with the release of the next critical patch update scheduled for April 16, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u201) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.net.ssl
TLS anon and NULL Cipher Suites are Disabled
The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms
security property and are now disabled by default.
See JDK-8211883
security-libs/java.security
jarsigner Prints When a timestamp Will Expire
The jarsigner
tool now shows more information about the lifetime of a timestamped JAR. New warning and error messages are displayed when a timestamp has expired or is expiring within one year.
See JDK-8191438
hotspot/runtime
Linux Native Code Checks
Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.
JDK-8196902 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8201818 | client-libs | 2d | [macosx] Printing attributes break page size set via "java.awt.print.Book" object |
2 | JDK-8141491 | core-libs | java.nio | Unaligned memory access in Bits.c |
3 | JDK-8171049 | core-libs | java.time | Era.getDisplayName doesn't work with non-IsoChronology |
4 | JDK-8205330 | core-libs | javax.naming | InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection |
5 | JDK-8157913 | deploy | packager | Launcher can not find path to libpackager.so |
6 | JDK-8213011 | deploy | plugin | Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError |
7 | JDK-8212457 | deploy | webstart | JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled |
8 | JDK-8212793 | deploy | webstart | Fix for JDK-8189783 fails |
9 | JDK-8147555 | docs | Document that % and " characters are not supported in keys and values of a property for Java Web Start | |
10 | JDK-8161741 | docs | guides | Typo within section "22.2.3 File Names" |
11 | JDK-8189182 | install | install | JDK8 RPM postinstall scriptlet assumes /usr/share/man/man1 exists |
12 | JDK-8203884 | javafx | graphics | Update libjpeg to version 9c |
13 | JDK-8214035 | javafx | graphics | Unable to render cmyk jpeg image |
14 | JDK-8212158 | javafx | other | FX: Update copyright year in docs, readme files to 2019 |
15 | JDK-8209652 | javafx | samples | Ensemble: Update version of Lucene to 7.4.0 |
16 | JDK-8213837 | javafx | samples | FX samples cannot load media from download.java.net over http |
17 | JDK-8211304 | javafx | window-toolkit | [macOS] Crash on focus loss from dialog on macOS 10.14 Mojave |
18 | JDK-8027781 | security-libs | java.security | New jarsigner timestamp warning is grammatically incorrect |
19 | JDK-8209129 | security-libs | javax.crypto | Further improvements to cipher buffer management |
20 | JDK-8208583 | security-libs | javax.crypto | Better management of internal KeyStore buffers |
21 | JDK-8207775 | security-libs | javax.crypto | Better management of CipherCore buffers |
22 | JDK-8209862 | security-libs | javax.crypto | CipherCore performance improvement |
23 | JDK-8211883 | security-libs | javax.net.ssl | Disable anon and NULL cipher suites |
The following sections summarize changes made in all Java SE 8u192 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR. Note that bug fixes in previous BPR (8u181-b37) are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8213011 | deploy | plugin | Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError |
8187364 | client-libs | javax.swing | Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component |
8159886 | deploy | plugin | Window of a newly launched Oracle Forms applet loses focus |
8141491 | core-libs | java.nio | Unaligned memory access in Bits.c |
8029661 | security-libs | javax.net.ssl | Support TLS v1.2 algorithm in SunPKCS11 provider |
8129988 | security-libs | javax.net.ssl | JSSE should create a single instance of the cacerts KeyStore |
8203190 | security-libs | javax.net.ssl | SessionId.hashCode generates too many collisions |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8212457 | deploy | webstart | JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8139507 | core-libs | java.util | WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs |
8170937 | client-libs | java.awt | Swing apps are slow if displaying from a remote source to many local displays |
8193879 (Confidential) |
core-svc | debugger | Java debugger hangs on method invocation |
8163083 (Confidential) |
core-svc | debugger | SocketListeningConnector does not allow invocations with port 0 |
Please note that fixes from the prior BPR (8u181 b37) are included in this version.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8208638 | client-libs | javax.swing | Instead of circle rendered in appl window, but ellipse is produced JEditor Pane |
October 16, 2018
The full version string for this update release is 1.8.0_192-b12 (where "b" means "build"). The version number is 8u192.
JDK 8u192 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u192 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_191-b12 |
7 | 1.7.0_201-b11 |
6 | 1.6.0_211-b11 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u192) will expire with the release of the next critical patch update scheduled for January 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u192) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
Support for Customization of Default Enabled Cipher Suites via System Properties
The system property jdk.tls.client.cipherSuites
can be used to customize the default enabled cipher suites for the client side of SSL/TLS connections. In a similar way, the system property jdk.tls.server.cipherSuites
can be used for customization on the server side.
The system properties contain a comma-separated list of supported cipher suite names that specify the default enabled cipher suites. All other supported cipher suites are disabled for this default setting. Unrecognized or unsupported cipher suite names specified in properties are ignored. Explicit setting of enabled cipher suites will override the system properties.
Please refer to the "Java Cryptography Architecture Standard Algorithm Name Documentation" for the standard JSSE cipher suite names, and the "Java Cryptography Architecture Oracle Providers Documentation" for the cipher suite names supported by the SunJSSE provider.
Note that the actual use of enabled cipher suites is restricted by algorithm constraints.
Note also that these system properties are currently supported by the JDK Reference Implementation. They are not guaranteed to be supported by other implementations.
Warning: These system properties can be used to configure weak cipher suites, or the configured cipher suites may become more weak over time. We do not recommend using the system properties unless you understand the security implications. Use them at your own risk.
See JDK-8162362
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8201240 | client-libs | 2d | Improve releasing native resources of BufImgSurfaceData.ICMColorData |
2 | JDK-8188030 | client-libs | java.awt | AWT java apps fail to start when some minimal fonts are present |
3 | JDK-8200353 | client-libs | java.awt | Shift or Capslock not working in Textfield after accented keystrokes |
4 | JDK-8195738 | client-libs | java.awt | scroll position in ScrollPane is reset after calling validate() |
5 | JDK-8188083 | client-libs | java.awt | NullPointerExcpn-java.awt.image.FilteredImageSource.startProduction JDK-8079607 |
6 | JDK-8150954 | client-libs | java.awt | Taking screenshots on x11 composite desktop produce wrong result |
7 | JDK-8202696 | client-libs | javax.swing | Remove exclusion range for phonetic chars in windows fontconfig.properties |
8 | JDK-8195095 | client-libs | javax.swing | Images are not scaled correctly in JEditorPane |
9 | JDK-8206914 | core-libs | add jdk8u-dev test failures to ProblemList.txt | |
10 | JDK-8201369 | core-libs | java.net | Inet4AddressImpl_getLocalHostName reverse lookup on Solaris only |
11 | JDK-8194412 | core-libs | java.time | Adding 256 units of IsoFields.QUARTER_YEARS broken |
12 | JDK-8176192 | core-libs | javax.naming | Incorrect usage of Iterator in Java 8 In com.sun.jndi.ldap.EventSupport.removeNamingListener |
13 | JDK-8156824 | core-libs | javax.naming | com.sun.jndi.ldap.pool.PoolCleaner should clear its context class loader |
14 | JDK-8186646 | core-libs | jdk.nashorn | Nashorn: "duplicate code" assertion when binding a vararg function that just passes arguments along |
15 | JDK-8201651 | deploy | plugin | Better error handling during JNLP2Manager initialisation |
16 | JDK-8204508 | deploy | webstart | Robot ScreenCapture fails on HiDPI system |
17 | JDK-8205343 | deploy | webstart | bug in backport of JDK-8185002 |
18 | JDK-8168415 | deploy | webstart | ShowDocument fails with URL using jnlp or jnlps protocol |
19 | JDK-8193711 | deploy | webstart | Launching JWS applet the default download progress dialog only shows if the java console is enabled |
20 | JDK-8195609 | deploy | webstart | DRS - cert based run rule not working when running offline |
21 | JDK-8008321 | hotspot | compiler | compile.cpp verify_graph_edges uses "bool" as "int" |
22 | JDK-8162540 | hotspot | compiler | Crash in C2 escape analysis with assert: "node should be registered" |
23 | JDK-8194642 | hotspot | compiler | Improve OOM error reporting for JDK8 |
24 | JDK-8158012 | hotspot | compiler | Use SW prefetch instructions instead of BIS for allocation prefetches on SPARC Core C4 |
25 | JDK-8148175 | hotspot | compiler | C1: G1 barriers don't preserve FP registers |
26 | JDK-8165489 | hotspot | gc | Missing G1 barrier in Unsafe_GetObjectVolatile |
27 | JDK-8173013 | hotspot | gc | JVMTI tagged object access needs G1 pre-barrier |
28 | JDK-8114823 | hotspot | gc | G1 doesn't honor request to disable class unloading |
29 | JDK-8081323 | hotspot | jvmti | ConstantPool::_resolved_references is missing in heap dump |
30 | JDK-8150426 | hotspot | runtime | Wrong cast in metadata_at_put |
31 | JDK-8196884 | hotspot | runtime | VS2017 Multiple Type Cast Conversion Compilation Errors |
32 | JDK-8196880 | hotspot | runtime | VS2017 Addition of Global Delete Operator with Size Parameter Conflicts with Arena's Chunk Provided One |
33 | JDK-8197868 | hotspot | runtime | VS2017 (C2065) 'timezone': Undeclared Identifier in share/runtime/os.cpp |
34 | JDK-8144201 | hotspot | runtime | openjdk aarch64: jdk/test/com/sun/net/httpserver/Test6a.java fails with --enable-unlimited-crypto |
35 | JDK-8189170 | hotspot | runtime | Add option to disable stack overflow checking in primordial thread for use with JNI_CreateJavaJVM |
36 | JDK-8206406 | hotspot | runtime | StubCodeDesc constructor publishes partially-constructed objects on StubCodeDesc::_list |
37 | JDK-8186461 | hotspot | runtime | Zero's atomic_copy64() should use SPE instructions on linux-powerpcspe |
38 | JDK-8185723 | hotspot | runtime | Zero: segfaults on Power PC 32-bit |
39 | JDK-8026331 | hotspot | runtime | hs_err improvement: Print if we have seen any OutOfMemoryErrors or StackOverflowErrors |
40 | JDK-8202600 | hotspot | runtime | [Zero] Undefined behaviour in src/os_cpu/linux_zero/vm/os_linux_zero.cpp |
41 | JDK-6730115 | hotspot | svc | Fastdebug VM crashes with "ExceptionMark destructor expects no pending exceptions" error |
42 | JDK-8204053 | hotspot | svc-agent | libsaproc.so not linked with -z,noexecstack |
43 | JDK-8189677 | javafx | controls | RadioMenuItem fires extra NULL value in property |
44 | JDK-8192800 | javafx | controls | Table auto resize ignores column resize policy |
45 | JDK-8198354 | javafx | graphics | [macOS] Corrupt Thai characters displayed in word wrapped label |
46 | JDK-8198316 | javafx | media | MediaPlayer crashes when playing m3u8 files on macOS High Sierra 10.13.2 |
47 | JDK-8202036 | javafx | other | Update OpenJFX license files to match OpenJDK |
48 | JDK-8147476 | javafx | web | Rendering issues with MathML token elements |
49 | JDK-8203845 | performance | backport of JDK-8034788 inadvertently rolled back JDK-8187045 changes to toolchain.m4 | |
50 | JDK-8165463 | security-libs | Native implementation of sunmscapi should use operator new (nothrow) for allocations | |
51 | JDK-8185855 | security-libs | java.security | Debug exception stacks should be clearer |
52 | JDK-8193171 | security-libs | java.security | keytool -list displays "JKS" for a PKCS12 keystore. |
53 | JDK-8081792 | security-libs | javax.crypto | buffer size calculation issue in NativeGCMCipher |
54 | JDK-8203182 | security-libs | javax.crypto:pkcs11 | Release session if initialization of SunPKCS11 Signature fails |
55 | JDK-8162362 | security-libs | javax.net.ssl | Introduce system property to control enabled ciphersuites |
October 16, 2018
The full version string for this update release is 1.8.0_191-b12 (where "b" means "build"). The version number is 8u191.
JDK 8u191 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u191 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_191-b12 |
7 | 1.7.0_201-b11 |
6 | 1.6.0_211-b11 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u191) will expire with the release of the next critical patch update scheduled for January 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u191) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
infrastructure/build
Build Environment Update Linux x86/x64 Moved to gcc 7.3
On x86/x64 Linux, the toolchain used to build the JDK has been upgraded from GCC 4.3 to GCC 7.3.
JDK-8206409 (not public)
core-svc
Changed Central File System Location for usagetracker.properties File
The file system location in Windows for the usagetracker.properties
file has been moved from %ProgramData%\Oracle\Java\
to %ProgramFiles%\Java\conf
There is no change in the file path for Linux, Solaris, or macOS.
JDK-8204901 (not public)
security-libs/javax.net.ssl
Disabled all DES TLS Cipher Suites
DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms
security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms
security property in the java.security
file or by dynamically calling the Security.setProperty()
method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites()
or SSLEngine.setEnabledCipherSuites()
methods.
Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms
security property.
See JDK-8208350
security-libs/java.security
Removal of Several Symantec Root CAs
The following Symantec root certificates are no longer in use and have been removed:
DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
DN: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DN: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
DN: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
See JDK-8191031
security-libs/java.security
Removal of Baltimore Cybertrust Code Signing CA
The following Baltimore CyberTrust Code Signing root certificate is no longer in use and has been removed:
DN: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
See JDK-8189949
security-libs/java.security
Removal of SECOM Root Certificate
The following SECOM root certificate is no longer in use and has been removed:
DN: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
See JDK-8191844
hotspot/runtime
Java Improvements for Docker Containers
The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:
The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:
-XX:-UseContainerSupport
In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:
-XX:ActiveProcessorCount=count
This count overrides any other automatic CPU detection logic in the JVM.
Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:
-XX:InitialRAMPercentage
-XX:MaxRAMPercentage
-XX:MinRAMPercentage
These options replace the deprecated Fraction forms (-XX:InitialRAMFraction
, -XX:MaxRAMFraction
, and -XX:MinRAMFraction
).
This bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.
See JDK-8146115
security-libs/javax.crypto
The specification of javax.crypto.CipherInputStream
has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.
JDK-8201756 (not public)
The following are some of the notable bug fixes included in this release:
core-libs/javax.naming
Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ) may encounter an exception when establishing the connection.
The top most frames from Exception stack traces of applications encountering such issues might resemble the following:
javax.naming.ServiceUnavailableException: <server:port>; socket closed
at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
...
See JDK-8211107
core-libs/java.net
Better HTTP Redirection Support
In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection
has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false)
for the original request.
JDK-8196902 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8152974 | client-libs | java.awt | AWT hang occurrs when sequenced events arrive out of sequence |
2 | JDK-8208353 | client-libs | java.awt | Upgrade JDK to libpng 1.6.35 |
3 | JDK-8168628 | core-libs | java.nio | (fc) SIGBUS when extending file size to map it |
4 | JDK-8171452 | core-libs | java.nio | (ch) linux io_util_md: Operation not supported exception after 8168628 |
5 | JDK-8211107 | core-libs | javax.naming | LDAPS communication failure with jdk 1.8.0_181 |
6 | JDK-8175871 | docs | guides | Deployment.properties file example is incorrect |
7 | JDK-8198835 | docs | guides | Typo in URL for XML section in developer guides |
8 | JDK-8173224 | docs | guides | Document jdk.tls.legacyAlgorithms security property |
9 | JDK-8164480 | hotspot | compiler | Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same |
10 | JDK-8146115 | hotspot | runtime | Improve docker container detection and resource configuration usage |
11 | JDK-8206875 | install | install | [L10N]Truncation issue happens on the final dialog for pt on Mac |
12 | JDK-8209191 | javafx | graphics | [macOS] Distorted complex text rendering |
13 | JDK-8199527 | javafx | media | Upgrade GStreamer to 1.14 |
14 | JDK-8209049 | javafx | web | Cherry pick GTK WebKit 2.20.4 changes |
15 | JDK-8208622 | javafx | web | [WebView] IllegalStateException when invoking print API with html form controls |
16 | JDK-8204856 | javafx | web | WebEngine document becomes null after PAGE_REPLACED event |
17 | JDK-8208114 | javafx | web | Drag and drop of text contents and URL links functionalities are broken in Webview |
18 | JDK-8203698 | javafx | web | JavaFX WebView crashes when visiting certain web sites |
19 | JDK-8199474 | javafx | web | Update to 606.1 version of WebKit |
20 | JDK-8200629 | javafx | web | Update SQLite to version 3.23.0 |
21 | JDK-8197987 | javafx | web | Update libxslt to version 1.1.32 |
22 | JDK-8193368 | javafx | web | [OS X] Remove redundant files |
23 | JDK-8142927 | other-libs | other | Feed some text to STDIN in ProcessTools.executeProcess() |
24 | JDK-8180289 | security-libs | java.security | jarsigner treats timestamped signed jar invalid after the signer cert expires |
25 | JDK-8130132 | security-libs | java.security | jarsigner should emit warning if weak algorithms or keysizes are used |
26 | JDK-8191031 | security-libs | java.security | Remove several Symantec Root CAs |
27 | JDK-8191844 | security-libs | java.security | Remove SECOM root (secomevrootca1) |
28 | JDK-8189949 | security-libs | java.security | Remove Baltimore Cybertrust Code Signing CA |
29 | JDK-8074462 | security-libs | javax.net.ssl | Handshake messages can be strictly ordered |
30 | JDK-8172529 | security-libs | jdk.security | Use PKIXValidator in jarsigner |
31 | JDK-8197518 | security-libs | org.ietf.jgss | Kerberos krb5 authentication: AuthList's put method leads to performance issue |
The following sections summarize changes made in all Java SE 8u181 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8211107 | core-libs | javax.naming | LDAPS communication failure with jdk 1.8.0_181 |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8204513 (Confidential) |
deploy | deployment_toolkit | Context lost after resizing the browser window in applet with Forms |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8201818 | client-libs | 2d | [macosx] Printing attributes break page size set via "java.awt.print.Book" object |
Bug Fixes
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8202696 | client-libs | javax.swing | Remove exclusion range for phonetic chars in windows fontconfig.properties |
8206242 (Confidential) |
deploy | webstart | Java Web Start checks "user.dir" read permission when opening http connection |
Please note that fixes from the prior BPR (8u172 b37) are included in this version.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8195095 | client-libs | javax.swing | Images are not scaled correctly in JEditorPane |
July 17, 2018
The full version string for this update release is 1.8.0_181-b13 (where "b" means "build"). The version number is 8u181.
JDK 8u181 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u181 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_181-b13 |
7 | 1.7.0_191-b08 |
6 | 1.6.0_201-b07 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u181) will expire with the release of the next critical patch update scheduled for October 16, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u181) on November 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
other-libs/javadb
Java DB, also known as Apache Derby, has been removed in this release.
We recommend that you obtain the latest Apache Derby directly from the Apache project at:
JDK-8197871 (not public)
core-libs/javax.naming
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification
.
Define this system property (or set it to true
) to disable endpoint identification algorithms.
JDK-8200666 (not public)
core-libs/java.io:serialization
New access checks have been added during the object creation phase of deserialization. This should not affect ordinary uses of deserialization. However, reflective frameworks that make use of JDK-internal APIs may be impacted. The new checks can be disabled if necessary by setting the system property jdk.disableSerialConstructorChecks to the value "true". This must be done by adding the argument -Djdk.disableSerialConstructorChecks=true to the Java command line.
JDK-8197925 (not public)
The following are some of the notable bug fixes included in this release:
core-svc/debugger
Unable to use the JDWP API in JDK 8 to debug JDK >=9
The implementation of VirtualMachineImpl.canGetInstanceInfo() has been corrected, so it is now able to see JDK JVMs >= JDK 9.
This correction allows certain debugger agents to operate correctly without any action required from a user (developer).
See JDK-8197943
hotspot/gc
A klass that has been considered unreachable by the concurrent marking of G1, can be looked up in the ClassLoaderData/SystemDictionary, and its _java_mirror or _class_loader fields can be stored in a root or any other reachable object making it alive again. Whenever a klass is resurrected in this manner, the SATB part of G1 needs to be notified about this, otherwise, the concurrent marking remark phase will erroneously unload that klass.
In this particular crash, while G1 was doing concurrent marking and had prepared its list of unreachable classes, JVMTI on a Java thread could traverse classes in the CLD and store thread-local JNIHandles for the java_mirror of the loaded classes. G1 did not have knowledge of these thread-local JNIHandles, and in the remark phase, it unloaded the classes per its prior knowledge of unreachable classes. When these JNIHandles were later scanned, it lead to a crash.
This fix for JDK-8187577 informs G1's SATB that a klass has been resurrected and it should not be unloaded.
See JDK-8187577
hotspot/gc
Better stability with older NUMA libraries (-XX+UseNuma)
A fix included in JDK 8 Update 152 introduced a regression that might cause the HotSpot JVM to crash during startup when the UseNUMA flag is used on Linux systems with versions of libnuma older than 2.0.9. This issue has been resolved.
See JDK-8198794
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8201433 | client-libs | 2d | Fix potential crash in BufImg_SetupICM |
2 | JDK-8198605 | client-libs | java.awt | Touch keyboard is shown for a non-focusable text component |
3 | JDK-8198606 | client-libs | java.awt | Touch keyboard does not hide, when a text component looses focus |
4 | JDK-8199748 | client-libs | java.awt | Touch keyboard is not shown, if text component gets focus from other text component |
5 | JDK-8187635 | client-libs | java.awt | On Windows Swing changes keyboard layout on a window activation |
6 | JDK-8203368 | core-libs | java.io:serialization | ObjectInputStream filterCheck method throws NullPointerException |
7 | JDK-8202996 | core-libs | java.rmi | Remove debug print statements from RMI fix |
8 | JDK-8197943 | core-svc | debugger | Unable to use JDWP API in JDK 8 to debug JDK 9 VM |
9 | JDK-8194690 | deploy | JRE bundled in App-V package will not start Java Web Start applications | |
10 | JDK-8190689 | deploy | plugin | Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive |
11 | JDK-8201133 | deploy | webstart | Security check failure for main jar downlaod with jnlp.versionEnabled and Deployment Rule Set feature |
12 | JDK-8189783 | deploy | webstart | Java Web Start application with file extension association is removed from cache when invoked for the second time from browser |
13 | JDK-8187223 | deploy | webstart | Long JNLP file is not parsed correctly and ends with javaws path |
14 | JDK-8199304 | deploy | webstart | javaws.exe failed to launch UTF-8 encoded JNLP file |
15 | JDK-8038636 | hotspot | compiler | speculative traps break when classes are redefined |
16 | JDK-8156137 | hotspot | compiler | SIGSEGV in ReceiverTypeData::clean_weak_klass_links |
17 | JDK-8188223 | hotspot | compiler | IfNode::range_check_trap_proj() should handle dying subgraph with single if proj |
18 | JDK-8169201 | hotspot | compiler | Montgomery multiply intrinsic should use correct name |
19 | JDK-8187577 | hotspot | gc | JVM crash during gc doing concurrent marking |
20 | JDK-8199406 | hotspot | gc | Performance drop with Java JDK 1.8.0_162-b32 |
21 | JDK-8055008 | hotspot | jvmti | Clean up code that saves the previous versions of redefined classes |
22 | JDK-8057570 | hotspot | jvmti | RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid |
23 | JDK-8198794 | hotspot | runtime | Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3 |
24 | JDK-8078628 | hotspot | runtime | linux-zero does not build without precompiled header |
25 | JDK-8202065 | install | install | jre/bin/javaw.exe is missing from server-jre for windows since 8u171 |
26 | JDK-8199650 | install | install | JDK installation uninstalls public JRE |
27 | JDK-8200418 | javafx | web | webPage.executeCommand("removeFormat", null) removes the style of the body element |
28 | JDK-8196011 | javafx | web | Intermittent crash when using WebView from JFXPanel application |
29 | JDK-8076117 | security-libs | java.security | EndEntityChecker should not process custom extensions after PKIX validation |
30 | JDK-8170035 | security-libs | javax.net.ssl | When determining the ciphersuite lists there is no debug output for disabled suites. |
31 | JDK-8074373 | tools | launcher | NMT is not enabled if NMT option is specified after class path specifiers |
32 | JDK-8196491 | xml | jax-ws | Newlines in JAXB string values of SOAP-requests are escaped to " " |
The following sections summarize changes made in all Java SE 8u172 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8189161 (Confidential) | deploy | deployment_toolkit | JWS: Method required to clean up all running instances by jnlp.sis.sessionid |
8189098 (Confidential) | deploy | webstart | JWS: Request for a method to limit the number of JVMs running on the client |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8200359 | core-libs | java.time | (tz) Upgrade time-zone data to tzdata2018d |
8196491 | xml | jax-ws | Newlines in JAXB string values of SOAP-requests are escaped to " " |
8164480 | hotspot | compiler | Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same |
8194690 | deploy | webstart | JRE bundled in App-V package will not start Java Web Start applications |
8199304 | deploy | webstart | javaws.exe failed to launch UTF-8 encoded JNLP file |
8196011 | javafx | web | Intermittent crash when using WebView from JFXPanel applications |
Please note that fixes from prior BPR (8u162 b37) are included in this version.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8198794 | hotspot | runtime | Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3 |
8197518 | security-libs | org.ietf.jgss | Kerberos krb5 authentication: AuthList's put method leads to performance issue |
8199406 | hotspot | gc | Performance drop with Java JDK 1.8.0_162-b32 |
April 17, 2018
The full version string for this update release is 1.8.0_172-b11 (where "b" means "build"). The version number is 8u172.
JDK 8u172 contains IANA time zone data version 2018c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u172 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_171-b11 |
7 | 1.7.0_181-b09 |
6 | 1.6.0_191-b09 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u172) will expire with the release of the next critical patch update scheduled for July 17, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u172) on August 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
Description for Toolkit.getImage() and Toolkit.createImage()
The changes made under JDK-8033530 introduced an inconsistency between the implementation for and the documentation of the following methods:
java.awt.Toolkit.getImage(URL u)
java.awt.Toolkit.createimage(URL u)
The description in the API document should read:
This method first checks if there is a security manager installed. If so, the method calls the security managers checkPermission()
method with the corresponding permission to ensure that the access to the image or the image creation is allowed. If the connection to the specified URL requires either URLPermission or SocketPermission, then URLPermission
is used for security checks.
JDK-8154405
Touch Keyboard for Swing/AWT Text Components
This release adds support for automatically showing the touch keyboard for Swing/AWT text components on Microsoft Windows 8 or later. A user can display the touch keyboard either by using a touch screen to tap the text component area or by using a mouse to click in the area, when a keyboard is not attached to a computer.
The system property awt.touchKeyboardAutoShowIsEnabled
controls whether this functionality is enabled in the JDK. This functionality is enabled by default. However, if the functionality is not needed, the user can switch it off from the command line by setting the system property to false
:
-Dawt.touchKeyboardAutoShowIsEnabled=false
See JDK-8166772
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8130400 | client-libs | 2d | Test java/awt/image/DrawImage/IncorrectClipXorModeSurface2Surface.java fails with ClassCastException |
2 | JDK-8080444 | client-libs | demo | Update SwingSet2 to use installed L&Fs instead of hard-coded list. |
3 | JDK-8147542 | client-libs | java.awt | Linux: ClassCastException when repainting after display resolution change |
4 | JDK-8166772 | client-libs | java.awt | Touch keyboard is not shown for text components on a screen touch |
5 | JDK-8188855 | core-libs | Fix VS10 build after "8187658: Bigger buffer for GetAdaptersAddresses" | |
6 | JDK-8154017 | core-libs | java.lang | Shutdown hooks are racing against shutdown sequence, if System.exit()-calling thread is interrupted |
7 | JDK-8187658 | core-libs | java.net | Bigger buffer for GetAdaptersAddresses |
8 | JDK-8165466 | core-libs | java.text | DecimalFormat percentage format can contain unexpected % |
9 | JDK-8136356 | core-libs | java.util:i18n | Add time zone mappings on Windows |
10 | JDK-8169424 | core-libs | javax.script | src/share/sample/scripting/scriptpad/src/scripts/memory.sh missing #! |
11 | JDK-8079510 | core-svc | java.lang.management | AIX: avoid UnsatisfiedLinkError by providing empty basic implementations of getSystemCpuLoad and getProcessCpuLoad |
12 | JDK-8177721 | core-svc | javax.management | Improve diagnostics in sun.management.Agent#startAgent() |
13 | JDK-8185498 | deploy | plugin | Console log shows that cert is expired (but TSA valid) although no certs in chain is expired. |
14 | JDK-8187822 | hotspot | compiler | C2 conditonal move optimization might create broken graph |
15 | JDK-8170358 | hotspot | gc | [REDO] 8k class metaspace chunks misallocated from 4k chunk freelist |
16 | JDK-8170395 | hotspot | gc | Metaspace initialization queries the wrong chunk freelist |
17 | JDK-8187629 | hotspot | runtime | NMT: Memory miscounting in compiler (C2) |
18 | JDK-8184991 | hotspot | runtime | NMT detail diff should take memory type into account |
19 | JDK-8139673 | hotspot | runtime | NMT stack traces in output should show mt component |
20 | JDK-8187685 | hotspot | runtime | NMT: Tracking compiler memory usage of thread's resource area |
21 | JDK-8187331 | hotspot | runtime | VirtualSpaceList tracks free space on wrong node |
22 | JDK-8055755 | hotspot | svc | Information about loaded dynamic libraries is wrong on MacOSX. |
23 | JDK-8031304 | hotspot | svc | Add dcmd to print all loaded dynamic libraries. |
24 | JDK-8059036 | hotspot | svc | Implement Diagnostic Commands for heap and finalizerinfo |
25 | JDK-8044107 | hotspot | svc | Add Diagnostic Command to list all ClassLoaders |
26 | JDK-8189265 | javafx | controls | Closing stage does not free internal resources |
27 | JDK-8183100 | javafx | controls | Styles not applied reliably after Java 8u92 |
28 | JDK-8178275 | javafx | samples | Ensemble: Upgrade version of Lucene to 7.1.0 |
29 | JDK-8189280 | javafx | swing | Memory leak in SwingNode if Stage is not shown |
30 | JDK-8185634 | javafx | swing | Java Fx-Swing dialogs appearing behind main stage |
31 | JDK-8187928 | javafx | web | [WebView] Images copied from clipboard not written in source file format |
32 | JDK-8187726 | javafx | web | [WebView] Copy and Paste of Image not resulting in expected behavior |
33 | JDK-8090011 | javafx | web | 'tab' key makes control loose focus |
34 | JDK-8191035 | javafx | web | WebView Canvas Graphics2D arc renders incorrectly |
35 | JDK-8088925 | javafx | web | Non opaque background cause NumberFormatException |
36 | JDK-8187985 | security-libs | java.security | Broken certificate number in debug output |
April 17, 2018
The full version string for this update release is 1.8.0_171-b11 (where "b" means "build"). The version number is 8u171.
JDK 8u171 contains IANA time zone data version 2018c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u171 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_171-b11 |
7 | 1.7.0_181-b09 |
6 | 1.6.0_191-b09 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u171) will expire with the release of the next critical patch update scheduled for July 17, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u171) on August 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
security-libs/javax.crypto
CipherOutputStream Usage
The specification of javax.crypto.CipherOutputStream
has been clarified to indicate that this class catches BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client is not informed that integrity checks have failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (for example, GCM) if the application requires explicit notification when authentication fails. These applications can use the Cipher API directly as an alternative to using this class.
JDK-8182362 (not public)
client-libs
Enhanced KeyStore MechanismsTwo files, jre/bin/javaw.exe
and jre/bin/jabswitch.exe,
were not included in 8u171. As a workaround, users who need those files can download the non-server JRE and copy those files from it into their server JRE image.
See JDK-8203544
security-libs/javax.crypto
Enhanced KeyStore Mechanisms
A new security property named jceks.key.serialFilter
has been introduced. If this filter is configured, the JCEKS KeyStore uses it during the deserialization of the encrypted Key object stored inside a SecretKeyEntry. If it is not configured or if the filter result is UNDECIDED (for example, none of the patterns match), then the filter configured by jdk.serialFilter
is consulted.
If the system property jceks.key.serialFilter
is also supplied, it supersedes the security property value defined here.
The filter pattern uses the same format as jdk.serialFilter
. The default pattern allows java.lang.Enum
, java.security.KeyRep
, java.security.KeyRep$Type
, and javax.crypto.spec.SecretKeySpec
but rejects all the others.
Customers storing a SecretKey that does not serialize to the above types must modify the filter to make the key extractable.
JDK-8189997 (not public)
core-svc/java.lang.management
System Property to Disable JRE Last Usage Tracking
A new system property jdk.disableLastUsageTracking
has been introduced to disable JRE last usage tracking for a running VM. This property can be set in the command line by using either -Djdk.disableLastUsageTracking=true
or -Djdk.disableLastUsageTracking
. With this system property set, JRE last usage tracking will be disabled regardless of the com.oracle.usagetracker.track.last.usage
property value set in usagetracker.properties
.
JDK-8192039 (not public)
security-libs/java.security
Additional TeliaSonera Root Certificate"TeliaSonera Root CA v1" has been added to the cacerts
keystore.
JDK-8190851 (not public)
security-libs/javax.xml.crypto
XML Signatures Signed with EC Keys Less Than 224 Bits Disabled
The secure validation mode of the XML Signature implementation has been enhanced to restrict EC keys less than 224 bits by default. The secure validation mode is enabled either by setting the property org.jcp.xml.dsig.secureValidation
to true with the javax.xml.crypto.XMLCryptoContext.setProperty()
method, or by running the code with a SecurityManager.
JDK-8186032 (not public)
security-libs/javax.net.ssl
3DES Cipher Suites Disabled
To improve the strength of SSL/TLS connections, 3DES cipher suites have been disabled in SSL/TLS connections in the JDK via the jdk.tls.disabledAlgorithms
Security Property.
JDK-8175075 (not public)
core-libs/java.util.logging
System Property Controls java.util.logging.FileHandler's MAX_LOCKS Limit
A new JDK implementation specific system property jdk.internal.FileHandlerLogging.maxLocks
has been introduced to control the java.util.logging.FileHandler
MAX_LOCKS limit. The default value of the current MAX_LOCKS (100) is retained if this new system property is not set or an invalid value is provided to the property. Valid values for this property are integers ranging from 1 to Integer.MAX_VALUE-1.
See JDK-8153955
install
Change to Internal Java Package Names in RPM Installers
On the Linux platform, the names of JRE and JDK packages provided by Java RPM installers have been changed. Names of JRE and JDK packages follow `jre
jre
and jdk
previously used. For example, the new names of JRE and JDK packages are jre1.8
and jdk1.8
respectively.
On Linux platform, the names of installation directories of Java products have also been changed. The installation directories of products from the 8u171 release are as follows:
/usr/java/jre1.8.0_171-i586 for 32bit JRE
/usr/java/jdk1.8.0_171-i586 for 32bit JDK
/usr/java/jre1.8.0_171-amd64 for 64bit JRE
/usr/java/jdk1.8.0_171-amd64 for 64bit JDK
See JDK-8191608
The following are some of the notable bug fixes included in this release:
core-libs/java.rmi
Server-side HTTP-tunneled RMI Connections Disabled
This release disables server side HTTP-tunneled RMI connections by default. The previous behavior can be re-enabled after due consideration of any impact by setting the runtime property sun.rmi.server.disableIncomingHttp
to false
. Note that this should not be confused with the sun.rmi.server.disableHttp
property, which disables HTTP-tunneling on the client side and is false by default.
JDK-8193833 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8179665 | client-libs | javax.swing | [Windows] java.awt.IllegalComponentStateException: component must be showing on the screen to determine its location |
2 | JDK-8054213 | core-libs | java.lang:reflect | Class name repeated in output of Type.toString() |
3 | JDK-8189789 | core-libs | java.util.jar | tomcat gzip-compressed response bodies appear to be broken in update 151 |
4 | JDK-8153955 | core-libs | java.util.logging | increase java.util.logging.FileHandler MAX_LOCKS limit |
5 | JDK-8195748 | deploy | webstart | When in <application-desc> is present "progress-class" attribute javaws cannot start |
6 | JDK-8185036 | docs | guides | Typo in one of the content link of "Location-Independent Access to Resources" doc |
7 | JDK-8177914 | docs | guides | Links to jaxp.java.net in Java SE docs will be broken when java.net is shut down |
8 | JDK-8066866 | docs | guides | Supported Encodings page for Java SE 8 is out of date |
9 | JDK-8195813 | infrastructure | build | Change download.java.net links in java.net created pages from http to https |
10 | JDK-8198838 | infrastructure | release_eng | 8u171-b08 and 8u172-b08 Need SECURE_ID Promoted |
11 | JDK-8191608 | install | Java RPMs should allow for side-by-side installation of JDK and JRE, 32 and 64 bit, and only one update for each major version | |
12 | JDK-8193522 | install | install | meta-index in 1.8.0_152 does not include jfxrt.jar entries |
13 | JDK-8189350 | javafx | web | Crash due to ASSERT(url == m_string) fail while loading URL |
14 | JDK-8187568 | javafx | web | JavaFX crash in libjfxwebkit.so |
15 | JDK-8089124 | javafx | web | HTML5: Number input allows non-numeric input |
16 | JDK-8187671 | javafx | web | [WebView] Drag and Drop of text or html results in an image |
17 | JDK-8157686 | javafx | web | JavaFX WebView fails to track URL changes for PJAX websites |
18 | JDK-8185940 | javafx | web | Web native compiled files not removed during gradle clean |
19 | JDK-8186148 | javafx | web | Few extension to MIME type mappings are missing |
20 | JDK-8183928 | javafx | web | [Linux] Remove Warnings [-Wunused-parameter] |
21 | JDK-8196374 | javafx | web | windows x86 webview-icu isAlphaNumericString crash |
22 | JDK-8196677 | javafx | web | Cherry pick GTK WebKit 2.18.6 changes |
23 | JDK-8187483 | javafx | web | Update to 605.1 version of WebKit |
24 | JDK-8189420 | javafx | web | Crash in :web:test in debug build |
25 | JDK-8089264 | javafx | web | DRT test fast/events/before-unload-returnValue.html times out |
26 | JDK-8194265 | javafx | web | Webengine (webkit) crash when reading files using FileReader |
27 | JDK-8194935 | javafx | web | Cherry pick GTK WebKit 2.18.5 changes |
28 | JDK-8193798 | javafx | web | Cherry pick GTK WebKit 2.18.4 changes |
29 | JDK-8197463 | javafx | web | Update libxml2 to version 2.9.7 |
30 | JDK-8150530 | security-libs | javax.crypto | Improve javax.crypto.BadPaddingException messages |
31 | JDK-8196952 | security-libs | javax.crypto | Bad primeCertainty value setting in DSAParameterGenerator |
32 | JDK-8186441 | xml | jax-ws | Change of behavior in the getMessage () method of the SOAPMessageContextImpl class |
The following sections summarize changes made in all Java SE 8u162 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8187635 | client-libs | java.awt | On Windows Swing changes keyboard layout on a window activation |
8187803 | client-libs | javax.swing | JDK part of JavaFX-Swing dialogs appearing behind main stage |
8185634 | javafx | swing | Java Fx-Swing dialogs appearing behind main stage |
8189280 | javafx | swing | Memory leak in SwingNode if Stage is not shown |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8076117 | security-libs | java.security | EndEntityChecker should not process custom extensions after PKIX validation |
8176072 | client-libs | java.awt | READING attributes are not available on TSF |
8183504 | client-libs | javax.swing | 8u131 Win 10, issue with wrong position of Sogou IME popup |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8171452 | core-libs | java.nio | (ch) linux io_util_md: Operation not supported exception after 8168628 |
8168628 | core-libs | java.nio | (fc) SIGBUS when extending file size to map it |
8187577 | hotspot | gc | JVM crash during gc doing concurrent marking |
8196912 | deploy | plugin | Java Plugin - CRL lookup does external search, with internal CRL configured |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8196332 (Confidential) |
deploy | plugin | settings are written to the root drive on Windows-10 with MSI installer |
8074373 | tools | launcher | NMT is not enabled if NMT option is specified after class path specifiers |
8192987 | security-libs | java.security | keytool should remember real storetype if it is not provided |
8187045 | infrastructure | build | [linux] Not all libraries in the VM are linked with -z,noexecstack |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8057570 | hotspot | jvmti | RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid |
8156137 | hotspot | compiler | SIGSEGV in ReceiverTypeData::clean_weak_klass_links |
8055008 | hotspot | jvmti | Clean up code that saves the previous versions of redefined classes |
8038636 | hotspot | compiler | speculative traps break when classes are redefined |
Please note that fixes from the prior BPR (8u152 b35) are included in this version.
January 16, 2018
The full version string for this update release is 1.8.0_162-b12 (where "b" means "build"). The version number is 8u162.
JDK 8u162 contains IANA time zone data version 2017c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u162 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_161-b12 |
7 | 1.7.0_171-b11 |
6 | 1.6.0_181-b10 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u162) will expire with the release of the next critical patch update scheduled for April 17, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u162) on May 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
core-libs/java.rmi
RMI Registry Filter Allows Binding Arrays of Any Type
The RMI Registry built-in serial filter has been modified to check only the array size and not the component type. The maximum array size has been increased to 1,000,000. The override filter can be used to decrease the limit. Array sizes greater than the maxarray limit will be rejected. Sizes less than the maxarray limit will be allowed.
The java.security
file contains more information about the sun.rmi.registry.registryFilter
property and the conf/security/java.security
configuration file has been updated to better describe the default behavior and how to override it.
See JDK-8185346
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-7162125 | client‑libs | 2d | [macosx] A font has different behaviour for ligatures depending on its creation mode |
2 | JDK-8147002 | client‑libs | 2d | [macosx] Arabic character cannot be rendered on MacOS X |
3 | JDK-8180370 | client‑libs | 2d | Characters are skipped on input of Korean text on OS X |
4 | JDK-8181659 | client‑libs | 2d | Create an alternative fix for JDK‑8167102, whose fix was backed out |
5 | JDK-8190280 | client‑libs | 2d | [macos] Font2DTest demo started failing for Arabic range from JDK 8 u162 b01 on Mac |
6 | JDK-7124271 | client‑libs | java.awt | [macosx] RealSync test failure |
7 | JDK-8080504 | client‑libs | java.awt | [macosx] SunToolkit.realSync() may hang |
8 | JDK-8139218 | client‑libs | java.awt | Dialog that opens and closes quickly changes focus in original focusowner |
9 | JDK-8155197 | client‑libs | java.awt | Focus transition issue |
10 | JDK-8078269 | client‑libs | javax.swing | JTabbedPane UI Property TabbedPane.tabAreaBackground no longer works |
11 | JDK-4354680 | core‑libs | java.lang | Runtime.runFinalization() silently clears interrupted flag in the calling thread |
12 | JDK-8031661 | core‑libs | java.net | java/net/Authenticator/B4769350.java failed intermittently |
13 | JDK-8184328 | core‑libs | java.net | JDK 8u131 socketRead0 hang at SSL read |
14 | JDK-8185346 | core‑libs | java.rmi | Relax RMI Registry Serial Filter to allow arrays of any type |
15 | JDK-8179086 | core‑libs | java.time | java.time.temporal.ValueRange has poor hashCode() |
16 | JDK-8184893 | core‑libs | jdk.nashorn | jdk8u152 b06 : issues with nashorn when running kraken benchmarks |
17 | JDK-6618335 | core‑svc | debugger | ThreadReference.stop(null) throws NPE instead of InvalidTypeException |
18 | JDK-8181419 | core‑svc | debugger | Race in jdwp invoker handling may lead to crashes or invalid results |
19 | JDK-8162530 | core‑svc | java.lang.management | src/jdk.management/share/native/libmanagement_ext/GcInfoBuilder.c doesn't handle JNI exceptions properly |
20 | JDK-8046778 | core‑svc | javax.management | Better error messages when starting JMX agent via attach or jcmd |
21 | JDK-6656031 | core‑svc | tools | SA: jmap ‑permstat number of classes is off by 1 |
22 | JDK-6977426 | core‑svc | tools | sun/tools tests can intermittently fail to find app's Java pid |
23 | JDK-8074812 | core‑svc | tools | More specific error message when the .java_pid well‑known file is not secure |
24 | JDK-8190758 | deploy | packager | javapackager fails to consider filesystem type |
25 | JDK-8191176 | deploy | packager | JavaFX Self-Contained Application fails with error "Failed to find library: jvm.dll" |
26 | JDK-8074544 | deploy | webstart | webstart app fails with CouldNotLoadArgumentException when account in Japanese |
27 | JDK-8185661 | deploy | webstart | JNLP files won't launch from IE11 on Windows 10 Creators Update |
28 | JDK-8160365 | deploy | webstart | Desktop shortcut of Web Start application is broken after JRE update |
29 | JDK-8072428 | hotspot | compiler | Enable UseLoopCounter ergonomically if on‑stack‑replacement is enabled |
30 | JDK-8073670 | hotspot | compiler | TypeF::eq and TypeD::eq do not handle NaNs correctly |
31 | JDK-8145913 | hotspot | compiler | PPC64: add Montgomery multiply intrinsic |
32 | JDK-8148786 | hotspot | compiler | xml.transform fails on x86‑64 |
33 | JDK-8164954 | hotspot | compiler | split_if creates empty phi and region nodes |
34 | JDK-8166742 | hotspot | compiler | SIGFPE in C2 Loop IV elimination |
35 | JDK-8168318 | hotspot | compiler | PPC64: Use cmpldi instead of li/cmpld |
36 | JDK-8170328 | hotspot | compiler | PPC64: Use andis instead of lis/and |
37 | JDK-8172751 | hotspot | compiler | OSR compilation at unreachable bci causes C1 crash |
38 | JDK-8177958 | hotspot | compiler | Possible uninitialized char* in vm_version_solaris_sparc.cpp |
39 | JDK-8178047 | hotspot | compiler | Aliasing problem with raw memory accesses |
40 | JDK-8180855 | hotspot | compiler | Null pointer dereference in OopMapSet::all_do of oopMap.cpp:394 |
41 | JDK-8181810 | hotspot | compiler | PPC64: Leverage extrdi for bitfield extract |
42 | JDK-8184009 | hotspot | compiler | Missing null pointer check in InterpreterRuntime::update_mdp_for_ret() |
43 | JDK-8184271 | hotspot | compiler | Time related C1 intrinsics produce inconsistent results when floating around |
44 | JDK-8185572 | hotspot | compiler | Enable AssumeMP by default on SPARC machines |
45 | JDK-8181055 | hotspot | gc | PPC64: "mbind: Invalid argument" still seen after 8175813 |
46 | JDK-8185164 | hotspot | jvmti | GetOwnedMonitorInfo() returns incorrect owned monitor |
47 | JDK-6651256 | hotspot | runtime | jstack: DeleteGlobalRef method call doesn't lead to descreasing of global refs count shown by jstack |
48 | JDK-8087291 | hotspot | runtime | InitialBootClassLoaderMetaspaceSize and CompressedClassSpaceSize should be checked consistent from MaxMetaspaceSize |
49 | JDK-8023667 | hotspot | svc | SA: ExceptionBlob and other C2 classes not available in client VM |
50 | JDK-8130721 | javafx | graphics | [macos] problem with editing thai in TextArea |
51 | JDK-8181922 | javafx | media | Provide media support for libav version 57 |
52 | JDK-8185691 | javafx | media | MediaPlayer reports error with HTTP Live Streams instead of EOS |
53 | JDK-8187594 | javafx | media | Media crashes with libavcodec 57 on Ubuntu 17.04 32‑bit |
54 | JDK-8188029 | javafx | media | [macos] MediaView Crashes on OS X 10.13 High Sierra |
55 | JDK-8191335 | javafx | media | Linux 32‑bit build fails after fix for JDK‑8187594 |
56 | JDK-8190249 | javafx | other | Missing content from cssref.html due to missed closing comment |
57 | JDK-8181786 | javafx | swing | Extra runLater causes impossible states to be possible using javafx.embed.singleThread=true |
58 | JDK-8187781 | javafx | swing | "InvalidDnDOperationException: Drag and drop in progress" while running javafx application with option ‑Djavafx.embed.singleThread=true |
59 | JDK-8182977 | javafx | web | NullPointerException with HTMLEditor when changing the scene graph |
60 | JDK-8185970 | javafx | web | Possible crash due to use‑after‑free |
61 | JDK-8158633 | security‑libs | javax.crypto | BASE64 encoded cert not correctly parsed with UTF‑16 |
62 | JDK-8187023 | security‑libs | javax.crypto:pkcs11 | Cannot read pkcs11 config file in UTF‑16 environment |
63 | JDK-8140436 | security‑libs | javax.net.ssl | Negotiated Finite Field Diffie‑Hellman Ephemeral Parameters for TLS |
64 | JDK-8066185 | tools | launcher | VM crashed with SIGSEGV VirtualMemoryTracker::add_reserved_region |
January 16, 2018
The full version string for this update release is 1.8.0_161-b12 (where "b" means "build"). The version number is 8u161.
JDK 8u161 contains IANA time zone data version 2017c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u161 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_161-b12 |
7 | 1.7.0_171-b11 |
6 | 1.6.0_181-b10 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u161) will expire with the release of the next critical patch update scheduled for April 17, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u161) on May 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
security-libs/javax.net.ssl
Added TLS session hash and extended master secret extension support
Support has been added for the TLS session hash and extended master secret extension (RFC 7627) in JDK JSSE provider. Note that in general, server certificate change is restricted if endpoint identification is not enabled and the previous handshake is a session-resumption abbreviated initial handshake, unless the identities represented by both certificates can be regarded as the same. However, if the extension is enabled or negotiated, the server certificate changing restriction is not necessary and will be discarded accordingly. In case of compatibility issues, an application may disable negotiation of this extension by setting the System Property jdk.tls.useExtendedMasterSecret
to false
in the JDK. By setting the System Property jdk.tls.allowLegacyResumption
to false
, an application can reject abbreviated handshaking when the session hash and extended master secret extension is not negotiated. By setting the System Property jdk.tls.allowLegacyMasterSecret
to false
, an application can reject connections that do not support the session hash and extended master secret extension.
See JDK-8148421
security-libs/javax.crypto
Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits
Enhance the JDK security providers to support 3072-bit DiffieHellman and DSA parameters generation, pre-computed DiffieHellman parameters up to 8192 bits and pre-computed DSA parameters up to 3072 bits.
See JDK-8072452
other-libs/corba
Add additional IDL stub type checks to org.omg.CORBA.ORBstring_to_object method
Applications that either explicitly or implicitly call org.omg.CORBA.ORB.string_to_object
, and wish to ensure the integrity of the IDL stub type involved in the ORB::string_to_object
call flow, should specify additional IDL stub type checking. This is an "opt in" feature and is not enabled by default.
To take advantage of the additional type checking, the list of valid IDL interface class names of IDL stub classes is configured by one of the following:
com.sun.CORBA.ORBIorTypeCheckRegistryFilter
located in the file conf/security/java.security
in Java SE 9 or in jre/lib/security/java.security
in Java SE 8 and earlier.com.sun.CORBA.ORBIorTypeCheckRegistryFilter
with the list of classes. If the system property is set, its value overrides the corresponding property defined in the java.security
configuration.If the com.sun.CORBA.ORBIorTypeCheckRegistryFilter
property is not set, the type checking is only performed against a set of class names of the IDL interface types corresponding to the built-in IDL stub classes.
JDK-8160104 (not public)
security-libs/javax.crypto
In 8u161, the RSA implementation in the SunRsaSign provider will reject any RSA public key that has an exponent that is not in the valid range as defined by PKCS#1 version 2.2. This change will affect JSSE connections as well as applications built on JCE.
JDK-8174756 (not public)
security-libs/javax.net.ssl
Restrict Diffie-Hellman keys less than 1024 bits
Diffie-Hellman keys less than 1024 bits are considered too weak to use in practice and should be restricted by default in SSL/TLS/DTLS connections. Accordingly, Diffie-Hellman keys less than 1024 bits have been disabled by default by adding "DH keySize < 1024" to the "jdk.tls.disabledAlgorithms" security property in the java.security file. Although it is not recommended, administrators can update the security property ("jdk.tls.disabledAlgorithms") and permit smaller key sizes (for example, by setting "DH keySize < 768").
JDK-8148108 (not public)
security-libs/javax.crypto
Provider default key size is updated
This change updates the JDK providers to use 2048 bits as the default key size for DSA instead of 1024 bits when applications have not explicitly initialized the java.security.KeyPairGenerator
and java.security.AlgorithmParameterGenerator
objects with a key size.
If compatibility issues arise, existing applications can set the system property jdk.security.defaultKeySize
introduced in JDK-8181048 with the algorithm and its desired default key size.
JDK-8178466 (not public)
security-libs/javax.crypto
The generateSecret(String)
method has been mostly disabled in the javax.crypto.KeyAgreement
services of the SunJCE and SunPKCS11 providers. Invoking this method for these providers will result in a NoSuchAlgorithmException
for most algorithm string arguments. The previous behavior of this method can be re-enabled by setting the value of the jdk.crypto.KeyAgreement.legacyKDF
system property to true
(case insensitive). Re-enabling this method by setting this system property is not recommended.
Prior to this change, the following code could be used to produce secret keys for AES using Diffie-Hellman:
KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");
ka.init(...);
ka.doPhase(...);
SecretKey sk = ka.generateSecret("AES");
The issue with this code is that it is unspecified how the provider should derive a secret key from the output of the Diffie-Hellman operation. There are several options for how this key derivation function can work, and each of these options has different security properties. For example, the key derivation function may bind the secret key to some information about the context or the parties involved in the key agreement. Without a clear specification of the behavior of this method, there is a risk that the key derivation function will not have some security property that is expected by the client.
To address this risk, the generateSecret(String) method of KeyAgreement was mostly disabled in the DiffieHellman services, and code like the example above will now result in a java.security.NoSuchAlgorithmException. Clients still may use the no-argument generateSecret method to obtain the raw Diffie-Hellman output, which can be used with an appropriate key derivation function to produce a secret key.
Existing applications that use the generateSecret(String) method of this service will need to be modified. Here are a few options:
A) Implement the key derivation function from an appropriate standard. For example, NIST SP 800-56Ar2[1] section 5.8 describes how to derive keys from Diffie-Hellman output.
B) Implement the following simple key derivation function:
requires the standard name of the secret-key algorithm (e.g. "AES")
This is a simple key derivation function that may provide adequate security in a typical application. Developers should note that this method provides no protection against the reuse of key agreement output in different contexts, so it is not appropriate for all applications. Also, some additional effort may be required to enforce key size restrictions like the ones in Table 2 of NIST SP 800-57pt1r4[2].
C) Set the jdk.crypto.KeyAgreement.legacyKDF system property to "true". This will restore the previous behavior of this KeyAgreement service. This solution should only be used as a last resort if the application code cannot be modified, or if the application must interoperate with a system that cannot be modified. The "legacy" key derivation function and its security are unspecified.
JDK-8185292 (not public)
security-libs/javax.crypto
Unlimited cryptography enabled by default
The JDK uses the Java Cryptography Extension (JCE) Jurisdiction Policy files to configure cryptographic algorithm restrictions. Previously, the Policy files in the JDK placed limits on various algorithms. This release ships with both the limited and unlimited jurisdiction policy files, with unlimited being the default. The behavior can be controlled via the new 'crypto.policy' Security property found in the /lib/java.security file. Please refer to that file for more information on this property.
See JDK-8170157
core-libs/java.rmi
The RMI Registry filter is relaxed to allow binding arrays of any type
The RMI Registry built-in serial filter is modified to check only the array size and not the component type. The maximum array size is increased to 1,000,000. The override filter can be used to decrease the limit. Array sizes greater than the maxarray limit will be rejected and otherwise will be allowed. The java.security
file contains more information about the sun.rmi.registry.registryFilter
property and it will be updated in the conf/security/java.security
configuration file to better describe the default behavior and how to override it.
See JDK-8185346
security-libs/javax.net.ssl
Disable exportable cipher suites
To improve the strength of SSL/TLS connections, exportable cipher suites have been disabled in SSL/TLS connections in the JDK by the jdk.tls.disabledAlgorithms
Security Property.
See JDK-8163237
security-libs/java.security
Disable JARs signed with DSA keys less than 1024 bits
DSA keys less than 1024 bits have been added to the jdk.jar.disabledAlgorithms
Security property in the java.security
file. This property contains a list of disabled algorithms and key sizes for signed JAR files. If a signed JAR file uses a disabled algorithm or key size less than the minimum length, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:
Running jarsigner -verify -verbose
on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.
For example, to check a JAR file named test.jar
, use this command: jarsigner -verify -verbose test.jar
If the file in this example was signed with a weak key such as 512 bit DSA, this output would be seen:
- Signed by "CN=weak_signer"
Digest algorithm: SHA1
Signature algorithm: SHA1withDSA, 512-bit key (weak)
To address the issue, the JAR file will need to be re-signed with a stronger key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms
security property; however, this option is not recommended. Before re-signing affected JARs, the existing signature(s) should be removed from the JAR file. This can be done with the zip
utility, as follows:
zip -d test.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
Periodically check the Oracle JRE and JDK Cryptographic Roadmap at http://java.com/cryptoroadmap for planned restrictions to signed JARs and other security components.
JDK-8185909 (not public)
core-svc/javax.management
JMX Connections need deserialization filters
New public attributes, RMIConnectorServer.CREDENTIALS_FILTER_PATTERN
and RMIConnectorServer.SERIAL_FILTER_PATTERN
have been added to RMIConnectorServer.java
. With these new attributes, users can specify the deserialization filter pattern strings to be used while making a RMIServer.newClient()
remote call and while sending deserializing parameters over RMI to server respectively.
The user can also provide a filter pattern string to the default agent via management.properties. As a result, a new attribute is added to management.properties.
Existing attribute RMIConnectorServer.CREDENTIAL_TYPES
is superseded by RMIConnectorServer.CREDENTIALS_FILTER_PATTERN
and has been removed.
JDK-8159377 (not public)
xml/jaxp
JDK Transform, Validation and XPath use the system-default parser
Java SE 9 changes the JDK's Transform
, Validation
and XPath
implementations to use the JDK's system-default parser even when a third party parser is on the classpath. In order to override the JDK system-default parser, applications need to explicitly set the new System property jdk.xml.overrideDefaultParser
.
The overrideDefaultParser
property is supported by the following APIs:
The overrideDefaultParser
property can be set through the System.setProperty.
The overrideDefaultParser
property can be set in the JAXP configuration file jaxp.properties
.
The overrideDefaultParser
property follows the same rule as other JDK JAXP properties in that a setting of a narrower scope takes preference over that of a wider scope. A setting through the API overrides the System property which in turn overrides that in the jaxp.properties
file.
JDK-8186080 (not public)
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8079595 | client‑libs | java.awt | Resizing dialog which is JWindow parent makes JVM crash |
2 | JDK-8184016 | client‑libs | java.swing | Text in native popup is not always updated with Sogou IME |
3 | JDK-8035105 | core‑libs | javax.naming | DNS provider cleanups |
4 | JDK-8185661 | deploy | webstart | JNLP files won't launch from IE11 on Windows 10 Creators Update |
5 | JDK-8186344 | deploy | webstart | 64 bit java install not setting jnlp associate if lower 32bit versions exist |
6 | JDK-8157548 | hotspot | runtime | JVM crashes sometimes while starting |
7 | JDK-8191607 | install | install | undo 8189805: 64 and 32 bit RPMS must co‑exist |
8 | JDK-8178728 | security‑libs | java.security | Check the AlgorithmParameters in algorithm constraints |
9 | JDK-8184673 | security‑libs | java.security | Fix compatibility issue in AlgorithmChecker for 3rd party JCE providers |
10 | JDK-8072452 | security‑libs | javax.crypto | Support DHE sizes up to 8192‑bits and DSA sizes up to 3072‑bits |
11 | JDK-8170157 | security‑libs | javax.crypto | Enable unlimited cryptographic policy by default in Oracle JDK builds |
12 | JDK-8156502 | security‑libs | javax.net.ssl | Use short name of SupportedEllipticCurvesExtension.java |
13 | JDK-8193683 | security‑libs | javax.net.ssl | Increase the number of clones in the CloneableDigest |
14 | JDK-8159240 | xml | jaxb | XSOM parser incorrectly processes type names with whitespaces |
The following sections summarize changes made in all Java SE 8u152 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8191608 | install | install | Java RPMs should allow for side-by-side installation of JDK and JRE, 32 and 64 bit, and only one update for each major version |
8193218 | install | install | Simplify build system building rpms |
8191607 | install | install | undo 8189805: 64 and 32 bit RPMS must co-exist |
8189805 | install | install | 64 and 32 bit RPMS must co-exist |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8179665 | client-libs | javax.swing | [Windows] java.awt.IllegalComponentStateException: component must be showing on the screen to determine its location |
8186441 | xml | jax-ws | Change of behavior in the getMessage () method of the SOAPMessageContextImpl class |
8185661 | deploy | webstart | JNLP files won't launch from IE11 on Windows 10 Creators Update |
8189612 (Confidential) |
deploy | webstart | com.sun.deploy.net.JARSigningException: Found unsigned entry in resource |
8173129 (Confidential) |
deploy | plugin | [deploy] System must be left clean after the uninstall process completes |
8193168 (Confidential) |
deploy | javafx | Failed to launch the FX application after clicking link 'click to launch this app as webstart' |
Bug Fixes
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
6988950 | core-svc | debugger | JDWP exit error JVMTI_ERROR_WRONG_PHASE(112) |
8134103 (Confidential) |
core-svc | debugger | JVMTI_ERROR_WRONG_PHASE(112): on checking for an interface |
8182402 (Confidential) |
client-libs | swing | Tooltip for Desktop button is in English when non-English locale is set |
Please note that fixes from prior BPR (8u144 b34) are included in this version.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8184328 | core-libs | java.net | JDK 8u131 socketRead0 hang at SSL read |
8185346 | core-libs | java.rmi | Relax RMI Registry Serial Filter to allow arrays of any type |
8185864 (Confidential) |
install | install | JDK 8 Install wizard is hidden after JRE silent install is used |
8160365 | deploy | webstart | Desktop shortcut of Web Start application is broken after JRE update |
October 17, 2017
The full version string for this update release is 1.8.0_152-b16 (where "b" means "build"). The version number is 8u152.
JDK 8u152 contains IANA time zone data version 2017b. For more information, refer to Timezone Data Versions in the JRE Software.
See JDK-8159684
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u152 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_151-b12 |
7 | 1.7.0_161-b13 |
6 | 1.6.0_171-b13 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u152) will expire with the release of the next critical patch update scheduled for January 16, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u152) on February 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
core-libs/java.util.jar
Decode error with Tomcat version 7.x
The zlib version shipped in the 8u151 and 7u161 JDK releases was updated to zlib v1.2.11. The deflate functionality in this version causes a compatibility issue with Tomcat v7.x. Server responses can appear as corrupt or can fail to be decoded. The issue is seen if Tomcat is using compression (e.g. compression="on" in server.xml). This issue is being fixed via JDK-8189789.
Users can disable the compression mode on their Tomcat servers as a workaround. Tomcat versions 8.x and later don't appear to be affected.
See JDK-8191040
security-libs/javax.crypto
New Security property to control crypto policy
This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy
Security property. If the new Security property (crypto.policy) is set in the java.security
file, or has been set dynamically using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the java.security
file shipping with this release for more information.
Note : On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, or 8u111, then you should set the new crypto.policy Security property in the java.security
file.
Because the old JCE jurisdiction files are left in <java-home>/lib/security
, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used:
Caused by: java.lang.SecurityException: Jurisdiction policy files are not
signed by trusted signers!
at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:593)
at
javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:524)
See JDK-8157561
BigInteger performance improvements turned on by default
The performance improvements described in JDK-8130150 and JDK-8081778 have now been turned on by default. They can be turned off by using the following command options:
-XX:-UseMontgomerySquareIntrinsic
-XX:-UseMontgomeryMultiplyIntrinsic
-XX:-UseSquareToLenIntrinsic
-XX:-UseMultiplyToLenIntrinsic
See JDK-8154945
The following are some of the notable bug fixes included in this release:
Compilers accept modification of final fields outside initializer methods
According to the Java VM Specification, final fields can be modified by the putfield
byte code instruction only if the instruction appears in the instance initializer method <init>
of the field's declaring class. Similar, static final fields can be modified by a putstatic
instruction only if the instruction appears in the class initializer method <clinit>
of the field's declaring class. With the JDK 9 release, the HotSpot VM fully enforces the previously mentioned restrictions, but only for class files with version number >= 53. For class files with version numbers < 53, restrictions are only partially enforced (as it is done by releases preceding JDK 9). That is, for class files with version number < 53 final fields can be modified in any method of the class declaring the field (not only class/instance initializers).
See JDK-8157181
This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8160893 | client‑libs | [macosx] JMenuItems in JPopupMenu are not accessible | |
2 | JDK-8177315 | client‑libs | backout changes for 8176516 (backport of 8173791) | |
3 | JDK-8039412 | client‑libs | 2d | Stack overflow on Linux using DialogTypeSelection.NATIVE |
4 | JDK-8040635 | client‑libs | 2d | [macosx] Printing a shape filled with a texture doesn't work under Mac OS X |
5 | JDK-8058316 | client‑libs | 2d | lookupDefaultPrintService returns null on Solaris 11 when default printer is set using lpoptions command |
6 | JDK-8061258 | client‑libs | 2d | [macosx] PrinterJob's native Print Dialog does not reflect specified Copies or Page Ranges |
7 | JDK-8067059 | client‑libs | 2d | PrinterJob.pageDialog() with DialogSelectionType.NATIVE returns a PageFormat when cancelled. |
8 | JDK-8074562 | client‑libs | 2d | CID keyed OpenType fonts are not supported by T2K |
9 | JDK-8089573 | client‑libs | 2d | [macosx] Incorrect char to glyph mapping printing on OSX 10.10 |
10 | JDK-8158356 | client‑libs | 2d | SIGSEGV when attempting to rotate BufferedImage using AffineTransform by NaN degrees |
11 | JDK-8160664 | client‑libs | 2d | JVM crashed with font manager on Solaris 12 |
12 | JDK-8162488 | client‑libs | 2d | JDK should be updated to use LittleCMS 2.8 |
13 | JDK-8162796 | client‑libs | 2d | [macosx] LinearGradientPaint and RadialGradientPaint are not printed on OS X. |
14 | JDK-8167102 | client‑libs | 2d | [macosx] PrintRequestAttributeSet breaks page size set using PageFormat |
15 | JDK-8170552 | client‑libs | 2d | [macosx] Wrong rendering of diacritics on macOS |
16 | JDK-8170913 | client‑libs | 2d | Java "1.8.0_112" on Windows 10 displays different characters for EUDCs from ones created in eudcedit.exe. |
17 | JDK-8170950 | client‑libs | 2d | Text is displayed in bold when fonts are installed into symlinked folder |
18 | JDK-8175025 | client‑libs | 2d | The copyright section in the test/java/awt/font/TextLayout/DiacriticsDrawingTest.java should be updated |
19 | JDK-8176530 | client‑libs | 2d | JDK support for JavaFX modal print dialogs |
20 | JDK-4953367 | client‑libs | java.awt | MAWT: Java should be more careful manipulating NLSPATH, XFILESEARCHPATH env variables |
21 | JDK-6980209 | client‑libs | java.awt | Make tracking SecondaryLoop.enter/exit methods easier |
22 | JDK-8035568 | client‑libs | java.awt | [macosx] Cursor management unification |
23 | JDK-8040322 | client‑libs | java.awt | TextArea.replaceRange() and insert() are broken with setText(null) |
24 | JDK-8050478 | client‑libs | java.awt | [macosx] Cursor not updating correctly after closing a modal dialog |
25 | JDK-8075516 | client‑libs | java.awt | Deleting a file from either the open or save java.awt.FileDialog hangs. |
26 | JDK-8139189 | client‑libs | java.awt | VK_OEM_102 dead key detected as VK_UNDEFINED |
27 | JDK-8140525 | client‑libs | java.awt | AwtFrame::WmShowWindow() may steal focus |
28 | JDK-8156116 | client‑libs | java.awt | [macosx] two JNI locals to delete in AWTWindow.m, CGraphicsEnv.m |
29 | JDK-8156723 | client‑libs | java.awt | JVM crash at sun.java2d.windows.GDIBlitLoops.nativeBlit |
30 | JDK-8160570 | client‑libs | java.awt | [macosx] modal dialog can skip the activation/focus events |
31 | JDK-8160623 | client‑libs | java.awt | [PIT] Exception running java/awt/event/KeyEvent/KeyChar/KeyCharTest.java |
32 | JDK-8160696 | client‑libs | java.awt | IllegalArgumentException: adding a component to a container on a different GraphicsDevice |
33 | JDK-8160941 | client‑libs | java.awt | "text/uri‑list" dataflavor concats the first two strings |
34 | JDK-8163583 | client‑libs | java.awt | [macosx] Press "To Back" button on the Dialog,the Dialog moves behind the Frame |
35 | JDK-8165717 | client‑libs | java.awt | [macosx] Various memory leaks in jdk9 |
36 | JDK-8169355 | client‑libs | java.awt | Diacritics input works incorrectly on Windows if Spanish (Latin American) keyboard layout is used |
37 | JDK-8173853 | client‑libs | java.awt | IllegalArgumentException in java.awt.image.ReplicateScaleFilter |
38 | JDK-8173876 | client‑libs | java.awt | [macosx] Fast precise scrolling and DeltaAccumulator fix for macOS Sierra 10.12.2 |
39 | JDK-8176490 | client‑libs | java.awt | [macosx] Sometimes NSWindow.isZoomed hangs |
40 | JDK-8136570 | client‑libs | java.awt:i18n | Stop changing user environment variables related to /usr/dt |
41 | JDK-8159696 | client‑libs | java.beans | java.beans.MethodRef#get throws NullPointerException |
42 | JDK-8076249 | client‑libs | javax.accessibility | NPE in AccessBridge while editing JList model |
43 | JDK-8076554 | client‑libs | javax.accessibility | [macosx] Custom Swing text components need to allow standard accessibility |
44 | JDK-8145207 | client‑libs | javax.accessibility | [macosx] JList, VO can't access non‑visible list items |
45 | JDK-8165829 | client‑libs | javax.accessibility | Android Studio 2.x crashes with NPE at sun.lwawt.macosx.CAccessibility.getAccessibleIndexInParent |
46 | JDK-8171808 | client‑libs | javax.accessibility | Performance problems in dialogs with large tables when JAB activated |
47 | JDK-8175915 | client‑libs | javax.accessibility | NullPointerException from JComboBox and JList when Accessibility enabled |
48 | JDK-8168751 | client‑libs | javax.sound | Two "Direct Clip" threads are created to play the same "AudioClip" object, what makes clip sound corrupted |
49 | JDK-7172652 | client‑libs | javax.swing | With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin |
50 | JDK-8152981 | client‑libs | javax.swing | Double icons with JMenuItem setHorizontalTextPosition on Win 10 |
51 | JDK-8158325 | client‑libs | javax.swing | Memory leak in com.apple.laf.ScreenMenu: removed JMenuItems are still referenced |
52 | JDK-8161664 | client‑libs | javax.swing | Memory leak in com.apple.laf.AquaProgressBarUI: removed progress bar still referenced |
53 | JDK-8177450 | client‑libs | javax.swing | javax.swing.text.html.parser.Parser parseScript ignores a character after comment end |
54 | JDK-8163518 | core‑libs | java.io | Integer overflow in StringBufferInputStream.read() and CharArrayReader.read/skip() |
55 | JDK-8169556 | core‑libs | java.io | Wrap FileInputStream's native skip and available methods |
56 | JDK-8161039 | core‑libs | java.lang | System.getProperty("os.version") returns incorrect version number on Mac |
57 | JDK-8170153 | core‑libs | java.lang | PPC64/s390x/aarch64: Poor StrictMath performance due to non‑optimized compilation |
58 | JDK-8170873 | core‑libs | java.lang | PPC64/aarch64: Poor StrictMath performance due to non‑optimized compilation |
59 | JDK-8172053 | core‑libs | java.lang | (ppc64) Downport of 8170153 breaks build on linux/ppc64 (big endian) |
60 | JDK-8173654 | core‑libs | java.lang | Regression since 8u60: System.getenv doesn't return env var set in JNI code |
61 | JDK-8174729 | core‑libs | java.lang:reflect | Race Condition in java.lang.reflect.WeakCache |
62 | JDK-6947916 | core‑libs | java.net | JarURLConnection does not handle useCaches correctly |
63 | JDK-8022580 | core‑libs | java.net | sun.net.ftp.impl.FtpClient.nameList(String path) handles "null" incorrectly |
64 | JDK-8035158 | core‑libs | java.net | Remove dependency on sun.misc.RegexpPool and friends |
65 | JDK-8035653 | core‑libs | java.net | InetAddress.getLocalHost crash |
66 | JDK-8071424 | core‑libs | java.net | JCK test api/java_net/Socket/descriptions.html#Bind crashes on Windows |
67 | JDK-8075484 | core‑libs | java.net | SocketInputStream.socketRead0 can hang even with soTimeout set |
68 | JDK-8145732 | core‑libs | java.net | Duplicate entry in http.nonProxyHosts will ignore subsequent entries |
69 | JDK-8159410 | core‑libs | java.net | InetAddress.isReachable returns true for non existing IP addresses |
70 | JDK-8166747 | core‑libs | java.net | Add invalid network / computer name cases to isReachable known failure switch |
71 | JDK-8169865 | core‑libs | java.net | Downport minor fixes in java.net native code from JDK 9 to JDK 8 |
72 | JDK-8182672 | core‑libs | java.net | Java 8u121 on Linux intermittently returns null for MAC address |
73 | JDK-8145981 | core‑libs | java.nio | (fs) LinuxWatchService can reports events against wrong directory |
74 | JDK-8153925 | core‑libs | java.nio | (fs) WatchService hangs on GetOverlappedResult and locks directory (win) |
75 | JDK-8165231 | core‑libs | java.nio | java.nio.Bits.unaligned() doesn't return true on ppc |
76 | JDK-8180949 | core‑libs | java.rmi | Correctly handle exception in TCPChannel.createConnection |
77 | JDK-8054214 | core‑libs | java.time | JapaneseEra.getDisplayName doesn't return names if it's an additional era |
78 | JDK-8164366 | core‑libs | java.time | ZoneOffset.ofHoursMinutesSeconds() does not reject invalid input |
79 | JDK-8173423 | core‑libs | java.time | Wrong display name for supplemental Japanese era |
80 | JDK-8177678 | core‑libs | java.time | Overstatement of universality of Era.getDisplayName() implementation |
81 | JDK-8165243 | core‑libs | java.util | Base64.Encoder.wrap(os).write(byte[],int,int) with incorrect arguments should not produce output |
82 | JDK-8166507 | core‑libs | java.util.concurrent | ConcurrentSkipListSet.clear() can leave the Set in an invalid state |
83 | JDK-8179515 | core‑libs | java.util.concurrent | Class java.util.concurrent.ThreadLocalRandom fails to Initialize when using SecurityManager |
84 | JDK-8169056 | core‑libs | java.util.regex | StringIndexOutOfBoundsException in Pattern.compile with CANON_EQ flag |
85 | JDK-8129361 | core‑libs | java.util:i18n | ISO 4217 amendment 160 |
86 | JDK-8145952 | core‑libs | java.util:i18n | Currency update needed for ISO 4217 Amendment #161 |
87 | JDK-8164784 | core‑libs | java.util:i18n | Currency update needed for ISO 4217 Amendment #162. |
88 | JDK-8174736 | core‑libs | java.util:i18n | [JCP] [Mac]Cannot launch JCP on Mac os with language set to "Chinese, Simplified" while region is not China |
89 | JDK-8174779 | core‑libs | java.util:i18n | Locale issues with Mac 10.12 |
90 | JDK-8177776 | core‑libs | java.util:i18n | Create an equivalent test case for JDK9's SupplementalJapaneseEraTest |
91 | JDK-8149521 | core‑libs | javax.naming | automatic discovery of LDAP servers with Kerberos authentication |
92 | JDK-8163945 | core‑libs | jdk.nashorn | Honor Number type hint in toPrimitive on Numbers |
93 | JDK-8166902 | core‑libs | jdk.nashorn | Nested object literal property maps not reset in optimistic recompilation |
94 | JDK-8168373 | core‑libs | jdk.nashorn | "Bad local variable type" in ES6 Nashorn when reassigning a `let` within a `try` |
95 | JDK-8170565 | core‑libs | jdk.nashorn | JSObject call() is passed undefined for the argument 'thiz' |
96 | JDK-8170594 | core‑libs | jdk.nashorn | >>>=0 generates invalid bytecode for BaseNode LHS |
97 | JDK-8170977 | core‑libs | jdk.nashorn | SparseArrayData should not grow its underlying dense array data |
98 | JDK-8171219 | core‑libs | jdk.nashorn | Missing checks in sparse array shift() implementation |
99 | JDK-8171849 | core‑libs | jdk.nashorn | Can't unambiguously select between fixed arity signatures [(java.util.Collection), (java.util.Map)] |
100 | JDK-8176511 | core‑libs | jdk.nashorn | JSObject property access is broken for numeric keys outside the int range |
101 | JDK-8181191 | core‑libs | jdk.nashorn | getUint32 returning Long |
102 | JDK-8153711 | core‑svc | debugger | [REDO] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command |
103 | JDK-8160024 | core‑svc | debugger | jdb returns invalid argument count if first parameter to Arrays.asList is null |
104 | JDK-8164843 | core‑svc | tools | UsageTracker should limit records and avoid truncation |
105 | JDK-8169236 | core‑svc | tools | JRE 8u112 attempts to run ICACLS.EXE on startup in Windows 10 Version 1607, build 14393 |
106 | JDK-8173664 | core‑svc | tools | Typo in https://java.net/downloads/heap‑snapshot/hprof‑binary‑format.html |
107 | JDK-8174806 | deploy | packager | Packager update App Store runtime rules for libjfxwebkit.dylib |
108 | JDK-8164410 | deploy | plugin | JRE 6u121 causes applet to fail with: Reset deny session certificate store |
109 | JDK-8022291 | deploy | webstart | Mac OS: Unexpected JavaLaunchHelper message displaying |
110 | JDK-8161700 | deploy | webstart | Deadlock in Java Web Start application involving JNLPClassLoader |
111 | JDK-8161986 | deploy | webstart | Selecting 32/64 bit resources failed if user has installed both jre's |
112 | JDK-8167306 | deploy | webstart | Side effects of using url schema handler. |
113 | JDK-8038348 | hotspot | compiler | Instance field load is replaced by wrong data Phi |
114 | JDK-8043913 | hotspot | compiler | remove legacy code in SPARC's VM_Version::platform_features |
115 | JDK-8134119 | hotspot | compiler | Use new API to get cache line sizes |
116 | JDK-8134389 | hotspot | compiler | Crash in HotSpot with jvm.dll+0x42b48 ciObjectFactory::create_new_metadata |
117 | JDK-8134918 | hotspot | compiler | C2: Type speculation produces mismatched unsafe accesses |
118 | JDK-8140309 | hotspot | compiler | [REDO] failed: no mismatched stores, except on raw memory: StoreB StoreI |
119 | JDK-8143897 | hotspot | compiler | Weblogic12medrec assert(handler_address == SharedRuntime::compute_compiled_exc_handler(nm, pc, exception, force_unwind, true)) failed: Must be the same |
120 | JDK-8152172 | hotspot | compiler | PPC64: Support AES intrinsics |
121 | JDK-8153134 | hotspot | compiler | Infinite loop in handle_wrong_method in jmod |
122 | JDK-8153267 | hotspot | compiler | nmethod's exception cache not multi‑thread safe |
123 | JDK-8154945 | hotspot | compiler | Enable 8130150 and 8081778 intrinsics by default |
124 | JDK-8155781 | hotspot | compiler | C2: opaque unsafe access triggers an assert |
125 | JDK-8157181 | hotspot | compiler | Compilers accept modification of final fields outside initializer methods |
126 | JDK-8157306 | hotspot | compiler | Random infrequent null pointer exceptions in javac |
127 | JDK-8158639 | hotspot | compiler | C2 compilation fails with SIGSEGV |
128 | JDK-8162101 | hotspot | compiler | C2: Handle "wide" aliases for unsafe accesses |
129 | JDK-8162384 | hotspot | compiler | Performance regression: bimorphic inlining may be bypassed by type speculation |
130 | JDK-8162496 | hotspot | compiler | missing precedence edge for anti_dependence |
131 | JDK-8164002 | hotspot | compiler | Add a new CPU family (S_family) for SPARC S7 and above processors |
132 | JDK-8164293 | hotspot | compiler | HotSpot leaking memory in long‑running requests |
133 | JDK-8164508 | hotspot | compiler | unexpected profiling mismatch in c1 generated code |
134 | JDK-8165482 | hotspot | compiler | java in ldoms, with cpu‑arch=generic has problems |
135 | JDK-8173373 | hotspot | compiler | C1: NPE is thrown instead of LinkageError when accessing inaccessible field on NULL receiver |
136 | JDK-8175887 | hotspot | compiler | C1 value numbering handling of Unsafe.get*Volatile is incorrect |
137 | JDK-8177095 | hotspot | compiler | Range check dependent CastII/ConvI2L is prematurely eliminated |
138 | JDK-8140584 | hotspot | gc | nmethod::oops_do_marking_epilogue always runs verification code |
139 | JDK-8153176 | hotspot | gc | Long pause in ParOldGC, because ParallelTaskTerminator peeks wrong TaskQueueSet |
140 | JDK-8168914 | hotspot | gc | Crash in ClassLoaderData/JNIHandleBlock::oops_do during concurrent marking |
141 | JDK-8170409 | hotspot | gc | CMS: Crash in CardTableModRefBSForCTRS::process_chunk_boundaries |
142 | JDK-8175813 | hotspot | gc | PPC64: "mbind: Invalid argument" when ‑XX:+UseNUMA is used |
143 | JDK-8180048 | hotspot | gc | Interned string and symbol table leak memory during parallel unlinking |
144 | JDK-8034249 | hotspot | jvmti | need more workarounds for suspend equivalent condition issue |
145 | JDK-8081219 | hotspot | jvmti | hs_err improvement: Add event logging for class redefinition to the hs_err file |
146 | JDK-8162795 | hotspot | jvmti | [REDO] MemberNameTable doesn't purge stale entries |
147 | JDK-8049717 | hotspot | runtime | expose L1_data_cache_line_size for diagnostic/sanity checks |
148 | JDK-8087342 | hotspot | runtime | Crash in klassItable::initialize_itable_for_interface when running SelectionResolution InvokeInterfaceICCE.java |
149 | JDK-8162766 | hotspot | runtime | Unsafe_DefineClass0 accesses raw oops while in _thread_in_native |
150 | JDK-8163969 | hotspot | runtime | Cyclic interface initialization causes JVM crash |
151 | JDK-8165153 | hotspot | runtime | Crash in rebuild_cpu_to_node_map |
152 | JDK-8171155 | hotspot | runtime | Scanning method file for initialized final field updates can fail for non‑existent fields |
153 | JDK-8171194 | hotspot | runtime | Exception "Duplicate field name&signature in class file" should report the name and signature of the field |
154 | JDK-8177817 | hotspot | runtime | Remove assertions in 8u that were removed by 8056124 in 9. |
155 | JDK-8166208 | hotspot | svc | FlightRecorderOptions settings for defaultrecording ignored. |
156 | JDK-8173941 | hotspot | svc | SA does not work if executable is DSO |
157 | JDK-8161945 | install | install | REGRESSION: 8u91 update of 32 bit JRE removes preferences of the 64 bit JRE |
158 | JDK-8164096 | javafx | base | ListChangeListener on ReadOnlyListWrapper's getReadOnlyProperty() does not reset change |
159 | JDK-8139841 | javafx | controls | Axis class does not render ticks marks when tick labels are invisible |
160 | JDK-8139850 | javafx | controls | CategoryAxis rotates improperly as yAxis |
161 | JDK-8163486 | javafx | controls | NumberAxis: inaccurate rendering of ticks when tick unit is low |
162 | JDK-8166847 | javafx | controls | NumberAxis: sticked numbers sometimes |
163 | JDK-8168895 | javafx | controls | Tick marks position is not animated when toggling forceZeroInRange |
164 | JDK-8134600 | javafx | fxml | Can't pass ObservableList as argument using FXML |
165 | JDK-8087565 | javafx | graphics | Scaling problem on OSX Retina |
166 | JDK-8088205 | javafx | graphics | [Mac] WebView renders icons instead of letters on some sites |
167 | JDK-8088395 | javafx | graphics | Print dialogs are not blocking/modal w.r.t specified owner windows |
168 | JDK-8088857 | javafx | graphics | Menu slow to respond after resizing a window multiple times with animation running |
169 | JDK-8090176 | javafx | graphics | Pisces software renderer shows incomplete border images in particular situation |
170 | JDK-8148549 | javafx | graphics | Region is not rendered correctly when node cache is enabled |
171 | JDK-8151744 | javafx | graphics | wrong width/height in texture update |
172 | JDK-8154148 | javafx | graphics | [Mac] JavaFX crashes on startup when run on Mac in VMWare |
173 | JDK-8156078 | javafx | graphics | Stage alwaysOnTop property not reset to false if permission is denied |
174 | JDK-8163526 | javafx | graphics | protect FileChooser return from internal NPE |
175 | JDK-8169777 | javafx | graphics | MenuBar unoperable after moving Application to second monitor |
176 | JDK-8173468 | javafx | graphics | Font.loadFont returns null on some Ubuntu 32bits |
177 | JDK-8174688 | javafx | graphics | JavaFX Applet popup windows are in the wrong location on Mac |
178 | JDK-8178804 | javafx | graphics | Excessive memory consumption in TriangleMesh/MeshView |
179 | JDK-8156563 | javafx | media | JavaFX Ensemble8 media sample hang and crash |
180 | JDK-8159869 | javafx | media | HTTP Live Streaming not working anymore |
181 | JDK-8091485 | javafx | samples | Ensemble8: Review each sample description, playground, appearance, related docs and links |
182 | JDK-8134354 | javafx | samples | Ensemble Media samples sliders don't react to clicks |
183 | JDK-8136918 | javafx | samples | Ensemble uses deprecated flv (vp6) media files hosted on OTN |
184 | JDK-8136968 | javafx | samples | [Mac] Regression from JDK‑8087709 |
185 | JDK-8142439 | javafx | samples | Ensemble8 media player slider issues |
186 | JDK-8152858 | javafx | samples | Ensemble Timeline regression |
187 | JDK-8165373 | javafx | samples | Ensemble8 uses setAccessible to access methods and fields of various classes |
188 | JDK-8168095 | javafx | samples | Second image in Ensemble8/Image Creation sample does not load |
189 | JDK-8170421 | javafx | samples | Ensemble8 black flash at startup on b145+ |
190 | JDK-8130675 | javafx | scenegraph | Document that setting scene on stage changes stage size unless explicitly set |
191 | JDK-8164141 | javafx | scenegraph | [Javadoc] Replace references of Stage with Window in the Window class |
192 | JDK-8172554 | javafx | swing | [macos] deadlock on JFXPanel startup |
193 | JDK-8174154 | javafx | swing | NPE in JFXPanel$HostContainer#setEmbeddedStage |
194 | JDK-8088681 | javafx | web | Underscore not visible in HTML combo box options inside webview |
195 | JDK-8089915 | javafx | web | Input of type file doesn't honor "accept" attribute. |
196 | JDK-8090216 | javafx | web | HTMLEditor: font bold doesn't work when an indent is set |
197 | JDK-8136847 | javafx | web | DRT test fast/canvas/canvas‑fillRect‑shadow.html fails |
198 | JDK-8144263 | javafx | web | [WebView, OS X] Webkit rendering artifacts with inertia scrolling |
199 | JDK-8150982 | javafx | web | Crash when calling WebEngine.print on background thread |
200 | JDK-8158196 | javafx | web | WebView Form Post fails if connection is closed before keepAlive‑Timeout |
201 | JDK-8162922 | javafx | web | JavaFx WebView canvas doesn't support dash within strokeRec |
202 | JDK-8164314 | javafx | web | [WebView] Debug build is no longer working after JDK‑8089681 |
203 | JDK-8165098 | javafx | web | WebEngine.print will attempt to print even if the printer job is complete or has an error |
204 | JDK-8165173 | javafx | web | canvas/philip/tests/2d.path.clip.empty.html fails with 8u112 |
205 | JDK-8166231 | javafx | web | use @Native annotation in web classes |
206 | JDK-8166677 | javafx | web | HTMLEditor freezes after restoring previously maximized window |
207 | JDK-8167098 | javafx | web | Backport of JDK‑8158926 to JDK 8u mistakenly used preliminary patch |
208 | JDK-8167675 | javafx | web | Animated gifs are not working |
209 | JDK-8168887 | javafx | web | [WebView] ComboBox and DropDownList ‑ Render fragments of the scrollbar are visible |
210 | JDK-8169204 | javafx | web | Need to document JSObject Call and setSlot APIs to use weak references |
211 | JDK-8170938 | javafx | web | Memory leak in JavaFX WebView |
212 | JDK-8172361 | javafx | web | Update java‑wrappers for WebKit generated classes following WebKit update |
213 | JDK-8172495 | javafx | web | Ignore __cmake_systeminformation from web module build directory |
214 | JDK-8174919 | javafx | web | SocketException no longer handled by WebView when processing web pages |
215 | JDK-8144258 | javafx | window‑toolkit | Ensemble Advanced Media sample hangs after going full screen |
216 | JDK-8160241 | javafx | window‑toolkit | Maximizing an Window with Screen‑Size hides it |
217 | JDK-8166106 | javafx | window‑toolkit | JVM crash on resizing JavaFX application with title and icon |
218 | JDK-8172561 | javafx | window‑toolkit | Copying String with "\r\n" to Clipboard duplicates "\r" |
219 | JDK-8155211 | security‑libs | java.security | Ucrypto Library leaks native memory |
220 | JDK-8163896 | security‑libs | java.security | Finalizing one key of a KeyPair invalidates the other key |
221 | JDK-8164846 | security‑libs | java.security | CertificateException missing cause of underlying exception |
222 | JDK-8176536 | security‑libs | java.security | Improved algorithm constraints checking |
223 | JDK-8157561 | security‑libs | javax.crypto | Ship the unlimited policy files in JDK Updates |
224 | JDK-8165751 | security‑libs | javax.crypto | NPE hit with java.security.debug=provider |
225 | JDK-8173581 | security‑libs | javax.crypto | performance regression in com/sun/crypto/provider/OutputFeedback.java |
226 | JDK-8169229 | security‑libs | javax.net.ssl | RSAClientKeyExchange debug info is incorrect |
227 | JDK-8181205 | security‑libs | javax.net.ssl | JRE fails to load/register security providers when started from UNC pathname |
228 | JDK-8147772 | security‑libs | javax.security | Update KerberosTicket to describe behavior if it has been destroyed and fix NullPointerExceptions |
229 | JDK-8163104 | security‑libs | javax.security | Unexpected NPE still possible on some Kerberos ticket calls |
230 | JDK-8153438 | security‑libs | javax.smartcardio | Avoid repeated "Please insert a smart card" popup windows |
231 | JDK-8170278 | security‑libs | org.ietf.jgss:krb5 | ticket renewal won't happen with debugging turned on |
232 | JDK-8176329 | tools | jdeps to detect MR jar file and output a warning | |
233 | JDK-8180660 | tools | javac | missing LNT entry for finally block |
234 | JDK-8028363 | xml | XmlGregorianCalendarImpl.getTimeZone() bug when offset is less than 10 minutes | |
235 | JDK-8169112 | xml | javax.xml.transform | java.lang.VerifyError: (class: GregorSamsa, method: template$dot$0$outline$1 signature: (LGregorSamsa$48;)V) Register 10 contains wrong type |
236 | JDK-8146086 | xml | jax‑ws | Publishing two webservices on same port fails with "java.net.BindException: Address already in use" |
237 | JDK-8172297 | xml | jax‑ws | In java 8, the marshalling with JAX‑WS does not escape carriage return |
238 | JDK-8162598 | xml | jaxp | XSLTC transformer swallows empty namespace declaration which is needed to undeclare default namespace |
239 | JDK-8146961 | xml | org.w3c.dom | Fix PermGen memory leaks caused by static final Exceptions |
October 17, 2017
The full version string for this update release is 1.8.0_151-b12 (where "b" means "build"). The version number is 8u151.
JDK 8u151 contains IANA time zone data version 2017b. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u151 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_151-b12 |
7 | 1.7.0_161-b13 |
6 | 1.6.0_171-b13 |
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u151) will expire with the release of the next critical patch update scheduled for January 16, 2018.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u151) on February 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
core-libs/java.util.jar
Decode error with Tomcat version 7.x
The zlib
version shipped in the 8u151 and 7u161 JDK releases was updated to zlib
v1.2.11. The deflate functionality in this version causes a compatibility issue with Tomcat v7.x. Server responses can appear as corrupt or can fail to be decoded. The issue is seen if Tomcat is using compression (e.g. compression="on" in server.xml
). This issue is being fixed via JDK-8189789.
Users can disable the compression mode on their Tomcat servers as a workaround. Tomcat versions 8.x and later don't appear to be affected.
See JDK-8191040
security-libs/java.security
Due to the more rigorous procedure of reading a keystore content, some keystores (particularly, those created with old versions of the JDK or with a JDK from other vendors) might need to be regenerated.
The following procedure can be used to import the keystore:
1. Before you start, create a backup of your keystore. For example, if your keystore file is /DIR/KEYSTORE
, make a copy of it:
cp /DIR/KEYSTORE /DIR/KEYSTORE.BK
Download an older release of the JDK, prior CPU17_04, and install it in a separate location. For example: 6u161, 7u151, or 8u141. Suppose, that older JDK is installed in the directory /JDK8U141
2. Make sure that the keystore can be successfully read with the keytool from that older directory. For example, if the keystore file is located in /DIR/KEYSTORE
, the following command should successfully list its content:
/JDK8U141/bin/keytool -list /DIR/KEYSTORE
3. Import the keystore. For example:
/JDK8U141/bin/keytool -importkeystore \
-srckeystore /DIR/KEYSTORE \
-srcstoretype JCEKS \
-srcstorepass PASSWORD \
-destkeystore /DIR/KEYSTORE.NEW \
-deststoretype JCEKS \
-deststorepass PASSWORD
4. Verify that the newly created keystore is correct. At the very least, make sure that the keystore can be read with keytool from a newer JDK:
/NEW_JDK/bin/keytool -list /DIR/KEYSTORE.NEW
After successful verification, replace the old keystore with the new one:
mv /DIR/KEYSTORE.NEW /DIR/KEYSTORE
Keep the backup copy of the keystore at least until you are sure the imported keystore is correct.
JDK-8181370 (not public)
core-libs/java.net
Default timeouts have changed for FTP URL handler
Timeouts used by the FTP URL protocol handler have been changed from infinite to 5 minutes. This will result in an IOException from connect and read operations if the FTP server is unresponsive. For example, new URL("ftp://example.com").openStream().read(),
will fail with java.net.SocketTimeoutException
in case a connection or reading could not be completed within 5 minutes.
To revert this behaviour to that of previous releases, the following system properties may be used, sun.net.client.defaultReadTimeout=0
, sun.net.client.defaultConnectTimeout=0
JDK-8181612 (not public)
install
Demo references in Solaris install documentation
Demos were removed from package tar.Z
bundle(JDK-7066713). There is a separate Demos&Samples bundle beginning with 7u2 b08 and 6u32 b04, but Solaris patches still contain SUNWj7dmo/SUNWj6dmo
. The 64 bit packages are SUNWj7dmx/SUNWj6dmx
Demo packages remain in the existing Solaris patches; however, just because they are there doesn't mean that they are installed. They will be patched only if the end user has them installed on the system.
http://docs.oracle.com/javase/7/docs/webnotes/install/solaris/solaris-jdk.html
The link above is to the Solaris OS Install Directions for the JDK. The SUNWj7dmx
package is mentioned in the tar.Z
portion of the directions. This is confusing to some as, according to the cited bug, the SUNWj7dmx
package shouldn't be part of the tar.Z
bundle.
See JDK-8175866
Remove revoked Swisscom root certificate "swisscomrootevca2"
One Swisscom root certificate has been revoked by Swisscom and has been removed:
Swisscom Root EV CA 2
alias: "swisscomrootevca2 [jdk]"
DN: CN=Swisscom Root EV CA 2, OU=Digital Certificate Services, O=Swisscom, C=ch
JDK-8186330 (not public)
security-libs/javax.crypto
New Security property to control crypto policy
This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy
Security property. If the new Security property (crypto.policy
) is set in the java.security
file, or has been set dynamically by using the Security.setProperty()
call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security
directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy
to a value of 'unlimited'. See the notes in the java.security
file shipping with this release for more information.
Note: On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, 8u111, then you should set the new crypto.policy
Security property in the