JDK 8u241 Release Notes

Java SE 8u241 Bundled Patch Release (BPR) - Bug Fixes and Updates

Java SE 8u241 BPRs are based on the current Java SE 8u241 release and are available for Java SE Subscription customers.

For more information on installation and licensing of Java SE Products, visit Java SE Products Overview.

Find information about Java SE Subscriptions at Oracle Java SE Subscriptions.

The following sections summarize changes made in all Java SE 8u241 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u241 b33

Bug Fixes

BugId Component Subcomponent Summary
8163251 security-libs javax.smartcardio Hard coded loop limit prevents reading of smart card data greater than 8k
8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
8239033 (Confidential) security-libs javax.xml.crypto Oracle JDK 8u Base64XmlEncode.java test fails for windows platform
8236832 javafx media [macos 10.15] JavaFX Application hangs on video play on Catalina
8239803 (Confidential) javafx build [macOS 10.15] Wrong SDK recorded in dylib files prevents notarization
8160768 core-libs javax.naming Add capability to custom resolve host/domain names within the default JNDI LDAP provider

Changes in Java SE 8u241 b32

Bug Fixes

BugId Component Subcomponent Summary
8234468 security-libs java.security Application startup failed on JRE 8u231

Changes in Java SE 8u241 b31

Bug Fixes

BugId Component Subcomponent Summary
8193445 javafx controls JavaFX CSS is applied redundantly leading to significant performance degradation

Java™ SE Development Kit 8, Update 241 (JDK 8u241)

January 14, 2020

The full version string for this update release is 1.8.0_241-b07 (where "b" means "build"). The version number is 8u241.

IANA Data 2019c

JDK 8u241 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u241 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_241-b07
7 1.7.0_251-b08

Keeping the JDK up to Date

Oracle recommends that the JDK be updated with each Critical Patch Update (CPU). To determine whether a release is the latest, use the Security Baseline page, which lists the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u241) be used after the next critical patch update scheduled for April 14, 2020. 

Java SE Subscription customers managing JRE updates/installs for a large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u241) on May 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features 

 

security-libs/javax.security
 Allow SASL Mechanisms to Be Restricted

A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.

See JDK-8200400
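The following added example (not from the JDK documentation or Oracle) shows the effect of the property on Sasl.createSaslClient: a disabled mechanism is skipped even when it is offered first, and no client is returned when only disabled mechanisms are offered. The server name, protocol and credentials are constructed values, and the example assumes the default SASL providers for PLAIN and DIGEST-MD5 are installed.

```java
import java.security.Security;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

public class SaslRestrictionDemo {
    // Constructed credentials; a mechanism may ask for them when the client is created.
    static final CallbackHandler CBH = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("demo-user");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("demo-pass".toCharArray());
            }
        }
    };

    /** Returns the mechanism the client ends up with, or null if none is usable. */
    static String select(String... offered) throws SaslException {
        SaslClient client = Sasl.createSaslClient(
                offered, null, "ldap", "ldap.example.test", null, CBH);
        if (client == null) {
            return null;
        }
        String name = client.getMechanismName();
        client.dispose();
        return name;
    }

    public static void main(String[] args) throws SaslException {
        // Set before javax.security.sasl.Sasl is first used in this JVM
        // (or configure it in the java.security file instead).
        // The value is a comma-separated list of mechanism names.
        Security.setProperty("jdk.sasl.disabledMechanisms", "PLAIN");

        // PLAIN is offered first but ignored, so the next mechanism is chosen.
        System.out.println(select("PLAIN", "DIGEST-MD5"));
        // Only disabled mechanisms offered: no client is created.
        System.out.println(select("PLAIN"));
    }
}
```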

security-libs/javax.crypto:pkcs11
 SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40

The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

See JDK-8080462

 

Other notes

 

security-libs/java.security
 New Checks on Trust Anchor Certificates

New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.

The default value of this property, if not set, is "false".

Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).

This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.

JDK-8230318 (not public)
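To find out ahead of an upgrade whether a truststore contains anchors that fail these checks, the rules above can be applied to each entry. This is an added audit sketch, not the JDK's own validation code; it assumes the truststore path is passed as the first argument (defaulting to the runtime's cacerts file with its default password) and skips certificates below version 3, which carry no extensions to check.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class TrustAnchorAudit {
    /** Returns why the certificate fails the CA checks, or null if it passes. */
    static String violation(X509Certificate cert) {
        if (cert.getVersion() < 3) {
            return null;                         // no extensions to check (assumption: skipped)
        }
        if (cert.getBasicConstraints() == -1) {  // -1: extension absent or cA=false
            return "Basic Constraints missing or cA is not true";
        }
        boolean[] keyUsage = cert.getKeyUsage(); // null when the extension is absent
        if (keyUsage != null && !keyUsage[5]) {  // index 5 is keyCertSign
            return "Key Usage present but keyCertSign not set";
        }
        return null;
    }

    /** Lists every alias whose certificate would not be accepted as a CA trust anchor. */
    static List<String> audit(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                String reason = violation((X509Certificate) c);
                if (reason != null) {
                    findings.add(alias + ": " + reason);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        List<String> findings = audit(ks);
        findings.forEach(System.out::println);
        System.out.println(findings.size() + " anchor(s) fail the CA checks");
    }
}
```

Any alias reported here is a candidate for replacement with a proper CA certificate rather than a reason to set jdk.security.allowNonCaAnchor permanently.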

security-libs/java.security
 Exact Match Required for Trusted TLS Server Certificate 

A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.

JDK-8227758 (not public)

security-libs/java.security
 Added LuxTrust Global Root 2 Certificate 

The following root certificate has been added to the cacerts truststore:



+ LuxTrust
     + luxtrustglobalroot2ca
         DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU

See JDK-8232019

security-libs/java.security
 Added 4 Amazon Root CA Certificates

The following root certificates have been added to the cacerts truststore:



+ Amazon
     + amazonrootca1
         DN: CN=Amazon Root CA 1, O=Amazon, C=US
 
     + amazonrootca2
         DN: CN=Amazon Root CA 2, O=Amazon, C=US
 
     + amazonrootca3
         DN: CN=Amazon Root CA 3, O=Amazon, C=US
 
     + amazonrootca4
         DN: CN=Amazon Root CA 4, O=Amazon, C=US

See JDK-8233223

core-libs/java.rmi
 Improve Registry Support

The java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:

  • Methods declared in interfaces that directly or indirectly extend java.rmi.Remote can be invoked remotely
  • Methods declared in interfaces that do not extend Remote directly or indirectly cannot be invoked remotely

This affects remote objects in the java.rmi.registry.Registry and any other remote object.

JDK-8230967 (not public)

 

Bug Fixes

The following are some of the notable bug fixes included in this release:

 

client-libs/2d
 Support for OpenType CFF Fonts

Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf fonts) into the standard logical fonts (such as "Dialog" and "SansSerif"). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.

Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.

Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.

See JDK-8209672

core-libs/java.io:serialization
 Better Serial Filter Handling

The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.

JDK-8231422 (not public)

 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8080465 client-libs   The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel".
2 JDK-8185538 client-libs 2d JDK 9 is really slow initialising some OTF/CFF fonts.
3 JDK-8146238 client-libs 2d [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts
4 JDK-8209672 client-libs 2d Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init
5 JDK-8225101 client-libs java.awt Crash at sun.awt.X11.XlibWrapper.XkbGetUpdatedMap when change keybord map
6 JDK-8230782 client-libs java.awt Robot.createScreenCapture() fails if "awt.robot.gtk" is set to false
7 JDK-8221246 client-libs java.awt NullPointerException within Win32ShellFolder2
8 JDK-8213119 client-libs java.awt [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails
9 JDK-8225505 client-libs javax.swing ctrl-F1 does not show the tooltip of a menu item (JMenuItems)
10 JDK-8134424 core-libs java.io:serialization BlockDataInputStream.readUTFBody: size local StringBuffer with the given length
11 JDK-8185898 core-libs java.net setRequestProperty(key, null) results in HTTP header without colon in request
12 JDK-8230085 core-libs java.nio (fs) FileStore::isReadOnly is always true on macOS Catalina
13 JDK-8223490 core-libs java.util Optimize search algorithm for determining default time zone
14 JDK-8227018 core-libs java.util.concurrent CompletableFuture should not call Runtime.availableProcessors on fast path
15 JDK-8204290 core-libs jdk.nashorn Add check to limit number of capture groups
16 JDK-8232984 core-libs jdk.nashorn Upgrading Joni License version to 2.1.16
17 JDK-8204288 core-libs jdk.nashorn Matching the end of a string followed by an empty greedy regex and a word boundary fails
18 JDK-8230303 core-svc debugger JDB hangs when running monitor command
19 JDK-8179348 deploy webstart User friendly warning when Java WebStart Temporary Internet Files is disabled.
20 JDK-8133949 deploy webstart deploy-test build broken by fix to JDK-6921877
21 JDK-6921877 deploy webstart JCP JNLP Shortcut settings for JDK 9
22 JDK-7024585 deploy webstart enhance the list of secure jnlp vm-args for plugin and web start
23 JDK-8223925 docs   No document covering default property files and system properties of the Preferences API
24 JDK-8060000 docs guides Endpoint identification algorithm is not only in TLS 1.2
25 JDK-8207028 docs guides JSSE TrustManagerFactory ignores custom value of deployment.system.security.cacerts property
26 JDK-8227326 docs guides Broken link to JNLP specifications in Java Web Start documentation
27 JDK-8077316 docs guides JRE Installer Options Page should include JDK
28 JDK-8171356 docs tools providerpath option should be added to all keytool commands which specify provider information's
29 JDK-8143925 hotspot compiler enhancing CounterMode.crypt() for AESCrypt.implEncryptBlock()
30 JDK-8146581 hotspot compiler Minor corrections to the patch submitted for earlier bug id - 8143925
31 JDK-8171974 hotspot compiler Fix for R10 Register clobbering with usage of ExternalAddress
32 JDK-8131778 hotspot compiler java disables UseAES flag when using VIS=2 on sparc
33 JDK-8225141 hotspot compiler Better handling of classes in error state by fast class initialization checks
34 JDK-8229420 hotspot gc [Redo] jstat reports incorrect values for OU for CMS GC
35 JDK-8048556 hotspot gc Unnecessary GCLocker-initiated young GCs
36 JDK-8226798 hotspot runtime JVM crash in klassItable::initialize_itable_for_interface(int, InstanceKlass*, bool, Thread*)
37 JDK-8041620 hotspot runtime Solaris Studio 12.4 C++ 5.13 change in behavior for placing friend declarations within surrounding scope
38 JDK-8231854 javafx other Change Mercurial to git in various README files
39 JDK-8231590 javafx other Update location of jfx repo to GitHub in third-party legal files
40 JDK-8232522 javafx other FX: Update copyright year in docs, readme files to 2020
41 JDK-8231126 javafx web libxslt.md has incorrect version string
42 JDK-8224636 javafx web CSS "pointer-events" property "stroke" is not respected for SVG renderings
43 JDK-8218640 javafx web Update ICU4C to version 64.2
44 JDK-8173956 security-libs java.security KeyStore regression due to default keystore being changed to PKCS12
45 JDK-8195667 security-libs javax.crypto:pkcs11 ProblemList PKCS11 tests Secmod/AddTrustedCert.java and tls/TestKeyMaterial.java due to JDK-8180837
46 JDK-8080462 security-libs javax.crypto:pkcs11 Update SunPKCS11 provider with PKCS11 v2.40 support
47 JDK-8228835 security-libs javax.crypto:pkcs11 Memory leak in PKCS11 provider when using AES GCM
48 JDK-8229243 security-libs javax.crypto:pkcs11 SunPKCS11-Solaris provider tests failing on Solaris 11.4
49 JDK-8225695 security-libs javax.crypto:pkcs11 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)
50 JDK-8133489 security-libs javax.net.ssl Better messaging for PKIX path validation matching
51 JDK-8229767 security-libs javax.security Typo in java.security: Sasl.createClient and Sasl.createServer
52 JDK-8200400 security-libs javax.security Allow Sasl mechanisms to be restricted
53 JDK-8226607 security-libs javax.smartcardio Inconsistent info between pcsclite.md and MUSCLE headers
54 JDK-8201627 security-libs org.ietf.jgss:krb5 Kerberos sequence number issues