JDK 8u231 Release Notes

Java SE 8u231 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u231 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u231 b34

Bug Fixes

BugId Component Subcomponent Summary
8223158 client-libs javax.swing Docked MacBook cannot start any Java Swing applications
8134424 core-libs BlockDataInputStream.readUTFBody: size local StringBuffer with the given length
client-libs javax.accessibility jdk9 b58 cannot run any graphical application on Win 8 with JAWS running

Changes in Java SE 8u231 b33

Bug Fixes

BugId Component Subcomponent Summary
8185538 client-libs 2d JDK 9 is really slow initialising some OTF/CFF fonts.
8223490 core-libs java.util Optimize search algorithm for determining default time zone
client-libs 2d Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init
client-libs   The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed".

Changes in Java SE 8u231 b32

Bug Fixes

BugId Component Subcomponent Summary
8230085 core-libs java.nio (fs) FileStore::isReadOnly is always true on macOS Catalina
8146238 client-libs 2d [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts
8230303 core-svc debugger JDB hangs when running monitor command

Java™ SE Development Kit 8, Update 231 (JDK 8u231)

October 15, 2019

The full version string for this update release is 1.8.0_231-b11 (where "b" means "build"). The version number is 8u231.

IANA Data 2019b

JDK 8u231 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u231 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_231-b11
7 1.7.0_241-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u231) be used after the next critical patch update scheduled for January 14, 2020. 

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u231) on February 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

 New jdk.jceks.iterationCount System Property 

A new system property has been introduced to control the iteration count value used for the jceks keystore. The default value remains at 200000 but values between 10000 and 5000000 may be specified. The new system property name is jdk.jceks.iterationCount and the value supplied should be an integer in the accepted range. The default value will be used if a parsing error is encountered.

JDK-8223269 (not public)

 New Java Flight Recorder (JFR) Security Events 

Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

  • java/security_property

    • Records Security.setProperty(String key, String value) method calls
  • java/tls_handshake

    • Records TLS handshake activity. The event fields include:
      • Peer hostname
      • Peer port
      • TLS protocol version negotiated
      • TLS cipher suite negotiated
      • Certificate id of peer client
  • java/x509_validation

    • Records details of X.509 certificates negotiated in successful X.509 validation (chain of trust)
  • java/x509_certificate

    • Records details of X.509 Certificates. The event fields include:
      • Certificate algorithm
      • Certificate serial number
      • Certificate subject
      • Certificate issuer
      • Key type
      • Key length
      • Certificate id
      • Validity of certificate

See JDK-8148188

Removed Features and Options

 Removal of T2K Rasterizer and ICU Layout Engine From JavaFX 

The T2K rasterizer and ICU layout engine have been removed from JavaFX.

See JDK-8187147

Other notes

 [client-libs and javaFX] GTK3 Is Now the Default on Linux/Unix 

Newer versions of Linux, Solaris, and other Unix flavor desktop environments use GTK3, while still supporting GTK2.

Previously, the JDK would default to loading the older GTK2 libraries. However, in this release, it defaults to loading GTK3 libraries. Loading is typically triggered by using the Swing GTK Look And Feel.

The old behavior can be restored by using the system property: -Djdk.gtk.version=2.2

See JDK-8222496

 Using the JDK or JRE on macOS Catalina (10.15)

Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see http:/java/technologies/javase/jdk-jre-macos-catalina.html.

JDK-8230057 (not public)

 Remove Obsolete NIST EC Curves from the Default TLS Algorithms

This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:

java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, 
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ... 

JDK-8228825 (not public)

Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:

  • Added support for embedding elliptic curve public keys in the KeyValue element

See JDK-8219013

 Updated xmldsig Implementation to Apache Santuario 2.1.1

The XMLDSig provider implementation in the java.xml.crypto module has been updated to version 2.1.1 of Apache Santuario. New features include:

  • Support for the SHA-224 and SHA-3 DigestMethod algorithms specified in RFC 6931.
  • Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.

See JDK-8177334

 System Property is Turned Off by Default

The system property, which was introduced in the update releases 7u231 and 8u221, is turned off by default.

This option allows control of which implementation of ECC is in use.

When the system property,, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify in the command line. Setting the option to true or the empty string is not recommended.

If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see

JDK-8224499 (not public)

security-libs/javax.xml.crypto System Property

An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in &#xd or &#13 being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

An application may continue working with the encoded output data containing the carriage return character (&#xd or &#13) if the application coding logic allows such output.

The system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (&#xd or &#13).

Additional information can be found at

See JDK-8219013

 Runtime.exec and ProcessBuilder Argument Restrictions 

Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.

In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.

In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.

Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.

For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".

JDK-8221858 (not public)

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8222496 client-libs   [8u] Switch on GTK3 as a default GTK L&F in client-libs
2 JDK-8217676 client-libs   Upgrade libpng to 1.6.37
3 JDK-8219914 client-libs   Change the environment variable for Java Access Bridge logging to have a directory
4 JDK-8222108 client-libs 2d Reduce minRefreshTime for updating remote printer list on Windows
5 JDK-8196681 client-libs javax.accessibility Java Access Bridge logging and debug flags dynamically controlled
6 JDK-8226964 client-libs javax.swing [Yaru] GTK L&F: There is no difference between menu selected and de-selected
7 JDK-8225423 client-libs javax.swing GTK L&F: JSplitPane: There is no divider shown
8 JDK-8214702 client-libs javax.swing Wrong text position for whitespaced string in printing Swing text
9 JDK-8216401 core-libs   Allow "file:" URLs in Class-Path of local JARs
10 JDK-8151486 core-libs java.lang Class.forName causes memory leak
11 JDK-8197930 core-libs java.lang JNI exception pending in initializeEncoding of jni_util.c
12 JDK-8225425 core-libs java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries
13 JDK-8214687 core-libs java.util:collections Optimize Collections.nCopies().hashCode() and equals()
14 JDK-8222980 core-libs java.util:i18n Upgrade IANA Language Subtag Registry to Version 2019-04-03
15 JDK-8219890 core-libs java.util:i18n Calendar.getDisplayName() returns empty string for new Japanese Era on some locales
16 JDK-8203324 core-libs java.util:i18n Use out of scope in getMacOSXLocale of java_props_macosx.c:120
17 JDK-8139965 core-libs javax.naming Hang seen when using
18 JDK-8217581 docs tools JDK 8 javadoc man page does not list correct values for -source
19 JDK-8206879 globalization locale-data Currency decimal marker incorrect for Peru
20 JDK-8202414 hotspot compiler Unsafe write after primitive array creation may result in array length change
21 JDK-8219807 hotspot compiler C2 crash in IfNode::up_one_dom(Node*, bool)
22 JDK-8218721 hotspot compiler C1's CEE optimization produces safepoint poll with invalid debug information
23 JDK-8130341 hotspot compiler GHASH 32bit intrinsics has AEADBadTagException
24 JDK-8080157 hotspot compiler assert(allocates2(pc)) failed: not in CodeBuffer memory
25 JDK-8187147 javafx graphics Remove T2K from JavaFX in JDK 10
26 JDK-8201539 javafx graphics Crash in DirectWrite CreateBitmap code when running TestFX test suite
27 JDK-8213510 javafx media [Windows] MediaPlayer does not play some mp3 with artwork stream in mjpeg
28 JDK-8222780 javafx media Visual Studio does not open media vs_projects files
29 JDK-8223046 javafx samples AudioClip sample does not work in Ensemble when run via web-start
30 JDK-8230361 javafx web [web] Cookies are not enabled in WebKit v608.1
31 JDK-8229328 javafx web [windows] PlatformFileHandle type should be JGObject rather than void *
32 JDK-8227431 javafx web [Windows] Fix assertion failure on X86 32-bit when enabling CLOOP based JavaScript interpreter
33 JDK-8227079 javafx web Cherry pick GTK WebKit 2.24.3 changes
34 JDK-8222912 javafx web Websocket client doesn't work in WebView
35 JDK-8219362 javafx web Update to 608.1 version of WebKit
36 JDK-8225203 javafx web Update SQLite to version 3.28.0
37 JDK-8222788 javafx web javafx.web build fails on XCode 10.2
38 JDK-8222497 javafx window-toolkit [8u] Switch on GTK3 as a default GTK L&F in javafx
39 JDK-8226537 javafx window-toolkit Multi-level Stage::initOwner can crash gnome-shell or server
40 JDK-8211302 javafx window-toolkit DragAndDrop no longer works with GTK3
41 JDK-8212060 javafx window-toolkit [GTK3] Stage sometimes shown at top-left before moving to correct position
42 JDK-8147502 security-libs Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
43 JDK-8148188 security-libs Enhance the security libraries to record events of interest
44 JDK-8226543 security-libs javax.crypto Reduce GC pressure during message digest calculations in password-based encryption
45 JDK-8073108 security-libs javax.crypto Use x86 and SPARC CPU instructions for GHASH acceleration
46 JDK-8218780 security-libs javax.smartcardio Update MUSCLE PCSC-Lite header files
47 JDK-8229868 security-libs javax.xml.crypto Update Apache Santuario TPRM version
48 JDK-8218629 security-libs javax.xml.crypto XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10
49 JDK-8217878 security-libs javax.xml.crypto ENVELOPING XML signature no longer works in JDK 11
50 JDK-8219013 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.1.3
51 JDK-8177334 security-libs javax.xml.crypto Update xmldsig implementation to Apache Santuario 2.1.1