java

JDK 8u201 Release Notes

Java™ SE Development Kit 8, Update 201 (JDK 8u201)

January 15, 2019

The full version string for this update release is 1.8.0_201-b09 (where "b" means "build"). The version number is 8u201.

IANA Data 2018g

JDK 8u201 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u201 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_201-b09
7 1.7.0_211-b07
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u201) will expire with the release of the next critical patch update scheduled for April 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u201) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Issues Fixed

core-libs/java.net
Restriction on Windows NTLM Transparent Authentication

This change limits the use of transparent HTTP authentication on Microsoft Windows for the NTLM scheme. In that scheme, the security credentials based on the currently logged in user's name and password are obtained directly from the operating system, without prompting the user.

A new networking system property, jdk.http.ntlm.transparentAuth, has been added with the following possible values:

  • "disabled" means transparent authentication is not used and the user application is always prompted for NTLM credentials. This is the default and preferred setting. NTLM authentication is still usable in this mode through the java.net.Authenticator class.
  • "trustedHosts" means transparent authentication is only used for hosts identified as trusted in the Windows networking configuration.
  • "allHosts" means transparent authentication is always used.

Any other value, or no value, is treated the same as "disabled". Care should be taken before enabling this mechanism.

See JDK-8209094

Changes

security-libs/javax.net.ssl

TLS anon and NULL Cipher Suites are Disabled

The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.

See JDK-8211883

security-libs/java.security

jarsigner Prints When a timestamp Will Expire

The jarsigner tool now shows more information about the lifetime of a timestamped JAR. New warning and error messages are displayed when a timestamp has expired or is expiring within one year.

See JDK-8191438

hotspot/runtime

Linux Native Code Checks 

Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.

JDK-8196902 (not public)

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8201818 client-libs 2d [macosx] Printing attributes break page size set via "java.awt.print.Book" object
2 JDK-8141491 core-libs java.nio Unaligned memory access in Bits.c
3 JDK-8171049 core-libs java.time Era.getDisplayName doesn't work with non-IsoChronology
4 JDK-8205330 core-libs javax.naming InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
5 JDK-8157913 deploy packager Launcher can not find path to libpackager.so
6 JDK-8213011 deploy plugin Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError
7 JDK-8212457 deploy webstart JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled
8 JDK-8212793 deploy webstart Fix for JDK-8189783 fails
9 JDK-8147555 docs   Document that % and " characters are not supported in keys and values of a property for Java Web Start
10 JDK-8161741 docs guides Typo within section "22.2.3 File Names"
11 JDK-8189182 install install JDK8 RPM postinstall scriptlet assumes /usr/share/man/man1 exists
12 JDK-8203884 javafx graphics Update libjpeg to version 9c
13 JDK-8214035 javafx graphics Unable to render cmyk jpeg image
14 JDK-8212158 javafx other FX: Update copyright year in docs, readme files to 2019
15 JDK-8209652 javafx samples Ensemble: Update version of Lucene to 7.4.0
16 JDK-8213837 javafx samples FX samples cannot load media from download.java.net over http
17 JDK-8211304 javafx window-toolkit [macOS] Crash on focus loss from dialog on macOS 10.14 Mojave
18 JDK-8027781 security-libs java.security New jarsigner timestamp warning is grammatically incorrect
19 JDK-8209129 security-libs javax.crypto Further improvements to cipher buffer management
20 JDK-8208583 security-libs javax.crypto Better management of internal KeyStore buffers
21 JDK-8207775 security-libs javax.crypto Better management of CipherCore buffers
22 JDK-8209862 security-libs javax.crypto CipherCore performance improvement
23 JDK-8211883 security-libs javax.net.ssl Disable anon and NULL cipher suites