Java SE 8u241 BPRs, are based on the current Java SE 8u241 release and are available for Java SE Subscription customers.
For more information on installation and licensing of Java SE Products, visit Java SE Products Overview.
Find information about Java SE Subscriptions at Oracle Java SE Subscriptions.
The following sections summarize changes made in all Java SE 8u241 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8163251 | security-libs | javax.smartcardio | Hard coded loop limit prevents reading of smart card data greater than 8k |
8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
8239033 (Confidential) | security-libs | javax.xml.crypto | Oracle JDK 8u Base64XmlEncode.java test fails for windows platform |
8236832 | javafx | media | [macos 10.15] JavaFX Application hangs on video play on Catalina |
8239803 (Confidential) | javafx | build | [macOS 10.15] Wrong SDK recorded in dylib files prevents notarization |
8160768 | core-libs | javax.naming | Add capability to custom resolve host/domain names within the default JNDI LDAP provider |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8234468 | security-libs | java.security | Application startup failed on JRE 8u231 |
Bug Fixes
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8193445 | javafx | controls | JavaFX CSS is applied redundantly leading to significant performance degradation |
January 14, 2020
The full version string for this update release is 1.8.0_241-b07 (where "b" means "build"). The version number is 8u241.
JDK 8u241 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u241 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_241-b07 |
7 | 1.7.0_251-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u241) be used after the next critical patch update scheduled for April 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u241) on May 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.security
➜ Allow SASL Mechanisms to Be Restricted
A security property named jdk.sasl.disabledMechanisms
has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms
argument of Sasl.createSaslClient
or the mechanism
argument of Sasl.createSaslServer
. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.
See JDK-8200400
security-libs/javax.crypto:pkcs11
➜ SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40
The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
See JDK-8080462
security-libs/java.security
➜ New Checks on Trust Anchor Certificates
New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
A new system property named jdk.security.allowNonCaAnchor
has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.
The default value of this property, if not set, is "false".
Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).
This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.
JDK-8230318 (not public)
security-libs/java.security
➜ Exact Match Required for Trusted TLS Server Certificate
A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.
JDK-8227758 (not public)
security-libs/java.security
➜ Added LuxTrust Global Root 2 Certificate
The following root certificate has been added to the cacerts truststore:
+ LuxTrust
+ luxtrustglobalroot2ca
DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU
See JDK-8232019
security-libs/java.security
➜ Added 4 Amazon Root CA Certificates
The following root certificates have been added to the cacerts truststore:
+ Amazon
+ amazonrootca1
DN: CN=Amazon Root CA 1, O=Amazon, C=US
+ amazonrootca2
DN: CN=Amazon Root CA 2, O=Amazon, C=US
+ amazonrootca3
DN: CN=Amazon Root CA 3, O=Amazon, C=US
+ amazonrootca4
DN: CN=Amazon Root CA 4, O=Amazon, C=US
See JDK-8233223
core-libs/java.rmi
➜ Improve Registry Support
The java.rmi.Remote
marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:
java.rmi.Remote
can be invoked remotelyRemote
directly or indirectly cannot be invoked remotelyThis affects remote objects in the java.rmi.registry.Registry
and any other remote object.
JDK-8230967 (not public)
The following are some of the notable bug fixes included in this release:
client-libs/2d
➜ Support for OpenType CFF Fonts
Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf
fonts) into the standard logical fonts (such as "Dialog" and "SansSerif"). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.
Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.
Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.
See JDK-8209672
core-libs/java.io:serialization
➜ Better Serial Filter Handling
The jdk.serialFilter
system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with java.io.ObjectInputFilter.Config.setSerialFilter
. Setting the jdk.serialFilter with java.lang.System.setProperty
has no effect.
JDK-8231422 (not public)
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8080465 | client-libs | The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel". | |
2 | JDK-8185538 | client-libs | 2d | JDK 9 is really slow initialising some OTF/CFF fonts. |
3 | JDK-8146238 | client-libs | 2d | [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts |
4 | JDK-8209672 | client-libs | 2d | Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init |
5 | JDK-8225101 | client-libs | java.awt | Crash at sun.awt.X11.XlibWrapper.XkbGetUpdatedMap when change keybord map |
6 | JDK-8230782 | client-libs | java.awt | Robot.createScreenCapture() fails if ???awt.robot.gtk??? is set to false |
7 | JDK-8221246 | client-libs | java.awt | NullPointerException within Win32ShellFolder2 |
8 | JDK-8213119 | client-libs | java.awt | [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails |
9 | JDK-8225505 | client-libs | javax.swing | ctrl-F1 does not show the tooltip of a menu item (JMenuItems) |
10 | JDK-8134424 | core-libs | java.io:serialization | BlockDataInputStream.readUTFBody: size local StringBuffer with the given length |
11 | JDK-8185898 | core-libs | java.net | setRequestProperty(key, null) results in HTTP header without colon in request |
12 | JDK-8230085 | core-libs | java.nio | (fs) FileStore::isReadOnly is always true on macOS Catalina |
13 | JDK-8223490 | core-libs | java.util | Optimize search algorithm for determining default time zone |
14 | JDK-8227018 | core-libs | java.util.concurrent | CompletableFuture should not call Runtime.availableProcessors on fast path |
15 | JDK-8204290 | core-libs | jdk.nashorn | Add check to limit number of capture groups |
16 | JDK-8232984 | core-libs | jdk.nashorn | Upgrading Joni License version to 2.1.16 |
17 | JDK-8204288 | core-libs | jdk.nashorn | Matching the end of a string followed by an empty greedy regex and a word boundary fails |
18 | JDK-8230303 | core-svc | debugger | JDB hangs when running monitor command |
19 | JDK-8179348 | deploy | webstart | User friendly warning when Java WebStart Temporary Internet Files is disabled. |
20 | JDK-8133949 | deploy | webstart | deploy-test build broken by fix to JDK-6921877 |
21 | JDK-6921877 | deploy | webstart | JCP JNLP Shortcut settings for JDK 9 |
22 | JDK-7024585 | deploy | webstart | enhance the list of secure jnlp vm-args for plugin and web start |
23 | JDK-8223925 | docs | No document covering default property files and system properties of the Preferences API | |
24 | JDK-8060000 | docs | guides | Endpoint identification algorithm is not only in TLS 1.2 |
25 | JDK-8207028 | docs | guides | JSSE TrustManagerFactory ignores custom value of deployment.system.security.cacerts property |
26 | JDK-8227326 | docs | guides | Broken link to JNLP specifications in Java Web Start documentation |
27 | JDK-8077316 | docs | guides | JRE Installer Options Page should include JDK |
28 | JDK-8171356 | docs | tools | providerpath option should be added to all keytool commands which specify provider information's |
29 | JDK-8143925 | hotspot | compiler | enhancing CounterMode.crypt() for AESCrypt.implEncryptBlock() |
30 | JDK-8146581 | hotspot | compiler | Minor corrections to the patch submitted for earlier bug id - 8143925 |
31 | JDK-8171974 | hotspot | compiler | Fix for R10 Register clobbering with usage of ExternalAddress |
32 | JDK-8131778 | hotspot | compiler | java disables UseAES flag when using VIS=2 on sparc |
33 | JDK-8225141 | hotspot | compiler | Better handling of classes in error state by fast class initialization checks |
34 | JDK-8229420 | hotspot | gc | [Redo] jstat reports incorrect values for OU for CMS GC |
35 | JDK-8048556 | hotspot | gc | Unnecessary GCLocker-initiated young GCs |
36 | JDK-8226798 | hotspot | runtime | JVM crash in klassItable::initialize_itable_for_interface(int, InstanceKlass*, bool, Thread*) |
37 | JDK-8041620 | hotspot | runtime | Solaris Studio 12.4 C++ 5.13 change in behavior for placing friend declarations within surrounding scope |
38 | JDK-8231854 | javafx | other | Change Mercurial to git in various README files |
39 | JDK-8231590 | javafx | other | Update location of jfx repo to GitHub in third-party legal files |
40 | JDK-8232522 | javafx | other | FX: Update copyright year in docs, readme files to 2020 |
41 | JDK-8231126 | javafx | web | libxslt.md has incorrect version string |
42 | JDK-8224636 | javafx | web | CSS "pointer-events" property "stroke" is not respected for SVG renderings |
43 | JDK-8218640 | javafx | web | Update ICU4C to version 64.2 |
44 | JDK-8173956 | security-libs | java.security | KeyStore regression due to default keystore being changed to PKCS12 |
45 | JDK-8195667 | security-libs | javax.crypto:pkcs11 | ProblemList PKCS11 tests Secmod/AddTrustedCert.java and tls/TestKeyMaterial.java due to JDK-8180837 |
46 | JDK-8080462 | security-libs | javax.crypto:pkcs11 | Update SunPKCS11 provider with PKCS11 v2.40 support |
47 | JDK-8228835 | security-libs | javax.crypto:pkcs11 | Memory leak in PKCS11 provider when using AES GCM |
48 | JDK-8229243 | security-libs | javax.crypto:pkcs11 | SunPKCS11-Solaris provider tests failing on Solaris 11.4 |
49 | JDK-8225695 | security-libs | javax.crypto:pkcs11 | 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support) |
50 | JDK-8133489 | security-libs | javax.net.ssl | Better messaging for PKIX path validation matching |
51 | JDK-8229767 | security-libs | javax.security | Typo in java.security: Sasl.createClient and Sasl.createServer |
52 | JDK-8200400 | security-libs | javax.security | Allow Sasl mechanisms to be restricted |
53 | JDK-8226607 | security-libs | javax.smartcardio | Inconsistent info between pcsclite.md and MUSCLE headers |
54 | JDK-8201627 | security-libs | org.ietf.jgss:krb5 | Kerberos sequence number issues |