JDK 8u191 Release Notes

Java™ SE Development Kit 8, Update 191 (JDK 8u191)

October 16, 2018

The full version string for this update release is 1.8.0_191-b12 (where "b" means "build"). The version number is 8u191.

IANA Data 2018e

JDK 8u191 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u191 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u191) will expire with the release of the next critical patch update scheduled for January 15, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u191) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features


Build Environment Update Linux x86/x64 Moved to gcc 7.3

On x86/x64 Linux, the toolchain used to build the JDK has been upgraded from GCC 4.3 to GCC 7.3.

JDK-8206409 (not public)



Changed Central File System Location for File

The file system location in Windows for the file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf

There is no change in the file path for Linux, Solaris, or macOS.

JDK-8204901 (not public)


Disabled all DES TLS Cipher Suites

DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.

See JDK-8208350


Removal of Several Symantec Root CAs

The following Symantec root certificates are no longer in use and have been removed:

  • Symantec
    • equifaxsecureca

      DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

    • equifaxsecureglobalebusinessca1

      DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

    • equifaxsecureebusinessca1

      DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US

    • verisignclass1g3ca

      DN: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    • verisignclass2g3ca

      DN: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    • verisignclass1g2ca

      DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

    • verisignclass1ca

      DN: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

See JDK-8191031


Removal of Baltimore Cybertrust Code Signing CA

The following Baltimore CyberTrust Code Signing root certificate is no longer in use and has been removed:

  • baltimorecodesigningca

    DN: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE

See JDK-8189949


Removal of SECOM Root Certificate

The following SECOM root certificate is no longer in use and has been removed:

  • secomevrootca1

    DN: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP

See JDK-8191844


Java Improvements for Docker Containers

The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:

  • JDK-8146115 Improve docker container detection and resource configuration usage

The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:


In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:


This count overrides any other automatic CPU detection logic in the JVM.

  • JDK-8186248 Allow more flexibility in selecting Heap % of available RAM

Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:

  • -XX:InitialRAMPercentage
  • -XX:MaxRAMPercentage
  • -XX:MinRAMPercentage

These options replace the deprecated Fraction forms (-XX:InitialRAMFraction, -XX:MaxRAMFraction, and -XX:MinRAMFraction).

  • JDK-8179498 attach in linux should be relative to /proc/pid/root and namespace aware

This bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.

See JDK-8146115


Improved Cipher Inputs

The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.

JDK-8201756 (not public)

Bug Fixes

The following are some of the notable bug fixes included in this release:


LDAPS Communication Failure

Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ) may encounter an exception when establishing the connection.

The top most frames from Exception stack traces of applications encountering such issues might resemble the following:

javax.naming.ServiceUnavailableException: <server:port>; socket closed
at   com.sun.jndi.ldap.Connection.readReply(Unknown Source) 
at   com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)

See JDK-8211107


Better HTTP Redirection Support

In this release, the behavior of methods which application code uses to set request properties in has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.

JDK-8196902 (not public)


Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8152974 client-libs java.awt AWT hang occurrs when sequenced events arrive out of sequence
2 JDK-8208353 client-libs java.awt Upgrade JDK to libpng 1.6.35
3 JDK-8168628 core-libs java.nio (fc) SIGBUS when extending file size to map it
4 JDK-8171452 core-libs java.nio (ch) linux io_util_md: Operation not supported exception after 8168628
5 JDK-8211107 core-libs javax.naming LDAPS communication failure with jdk 1.8.0_181
6 JDK-8175871 docs guides file example is incorrect
7 JDK-8198835 docs guides Typo in URL for XML section in developer guides
8 JDK-8173224 docs guides Document jdk.tls.legacyAlgorithms security property
9 JDK-8164480 hotspot compiler Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
10 JDK-8146115 hotspot runtime Improve docker container detection and resource configuration usage
11 JDK-8206875 install install [L10N]Truncation issue happens on the final dialog for pt on Mac
12 JDK-8209191 javafx graphics [macOS] Distorted complex text rendering
13 JDK-8199527 javafx media Upgrade GStreamer to 1.14
14 JDK-8209049 javafx web Cherry pick GTK WebKit 2.20.4 changes
15 JDK-8208622 javafx web [WebView] IllegalStateException when invoking print API with html form controls
16 JDK-8204856 javafx web WebEngine document becomes null after PAGE_REPLACED event
17 JDK-8208114 javafx web Drag and drop of text contents and URL links functionalities are broken in Webview
18 JDK-8203698 javafx web JavaFX WebView crashes when visiting certain web sites
19 JDK-8199474 javafx web Update to 606.1 version of WebKit
20 JDK-8200629 javafx web Update SQLite to version 3.23.0
21 JDK-8197987 javafx web Update libxslt to version 1.1.32
22 JDK-8193368 javafx web [OS X] Remove redundant files
23 JDK-8142927 other-libs other Feed some text to STDIN in ProcessTools.executeProcess()
24 JDK-8180289 security-libs jarsigner treats timestamped signed jar invalid after the signer cert expires
25 JDK-8130132 security-libs jarsigner should emit warning if weak algorithms or keysizes are used
26 JDK-8191031 security-libs Remove several Symantec Root CAs
27 JDK-8191844 security-libs Remove SECOM root (secomevrootca1)
28 JDK-8189949 security-libs Remove Baltimore Cybertrust Code Signing CA
29 JDK-8074462 security-libs Handshake messages can be strictly ordered
30 JDK-8172529 security-libs Use PKIXValidator in jarsigner
31 JDK-8197518 security-libs org.ietf.jgss Kerberos krb5 authentication: AuthList's put method leads to performance issue