October 15, 2019
The full version string for this update release is 1.8.0_231-b11 (where "b" means "build"). The version number is 8u231.
JDK 8u231 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u231 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_231-b11 |
7 | 1.7.0_241-b09 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u231) be used after the next critical patch update scheduled for January 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u231) on February 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.crypto
New jdk.jceks.iterationCount System Property
A new system property has been introduced to control the iteration count value used for the jceks
keystore. The default value remains at 200000 but values between 10000 and 5000000 may be specified. The new system property name is jdk.jceks.iterationCount
and the value supplied should be an integer in the accepted range. The default value will be used if a parsing error is encountered.
JDK-8223269 (not public)
security-libs/java.security
➜ New Java Flight Recorder (JFR) Security Events
Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
java/security_property
Security.setProperty(String key, String value)
method callsjava/tls_handshake
java/x509_validation
java/x509_certificate
See JDK-8148188
javafx/graphics
➜ Removal of T2K Rasterizer and ICU Layout Engine From JavaFX
The T2K rasterizer and ICU layout engine have been removed from JavaFX.
See JDK-8187147
client-libs
➜ [client-libs and javaFX] GTK3 Is Now the Default on Linux/Unix
Newer versions of Linux, Solaris, and other Unix flavor desktop environments use GTK3, while still supporting GTK2.
Previously, the JDK would default to loading the older GTK2 libraries. However, in this release, it defaults to loading GTK3 libraries. Loading is typically triggered by using the Swing GTK Look And Feel.
The old behavior can be restored by using the system property: -Djdk.gtk.version=2.2
See JDK-8222496
docs
➜ Using the JDK or JRE on macOS Catalina (10.15)
Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see http:/java/technologies/javase/jdk-jre-macos-catalina.html.
JDK-8230057 (not public)
security-libs/javax.net.ssl
➜ Remove Obsolete NIST EC Curves from the Default TLS Algorithms
This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.
To re-enable these curves, use the jdk.tls.namedGroups
system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:
java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1,
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ...
JDK-8228825 (not public)
security-libs/javax.xml.crypto
➜ Updated xmldsig Implementation to Apache Santuario 2.1.3
The XML Signature implementation in this release has been updated to version 2.1.3 of Apache Santuario. New features include:
Earlier features from version 2.1.1 include:
See JDK-8177334
security-libs/javax.xml.crypto
➜ Updated xmldsig Implementation to Apache Santuario 2.1.1
The XMLDSig provider implementation in the java.xml.crypto
module has been updated to version 2.1.1 of Apache Santuario. New features include:
See JDK-8177334
security-libs/javax.crypto
➜ System Property jdk.security.useLegacyECC is Turned Off by Default
The system property jdk.security.useLegacyECC
, which was introduced in the update releases 7u231 and 8u221, is turned off by default.
This option allows control of which implementation of ECC is in use.
When the system property, jdk.security.useLegacyECC
, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC
If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.
JDK-8224499 (not public)
An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in 
or 
being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
An application may continue working with the encoded output data containing the carriage return character (
or 
) if the application coding logic allows such output.
The com.sun.org.apache.xml.internal.security.ignoreLineBreaks
system property may be set to a value of true
if an application is unable to handle encoded output data including the carriage return character (
or 
).
Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.
core-libs/java.lang
➜ Runtime.exec and ProcessBuilder Argument Restrictions
Runtime.exec
and ProcessBuilder
have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.
In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands
to false
.
In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands
to true
.
Applications using Runtime.exec
or ProcessBuilder
with a security manager to invoke .bat
or .cmd
and command names that do not end in ".exe
" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.
For .exe
programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands
property is "false
" or there is no security manager and property is not "false
".
JDK-8221858 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 8u231 Bug Fixes page.