JDK 8u25 Release Notes

Java SE 8u25 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u25 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u25 b32

Bug Fixes

BugId Component Subcomponent Summary
8061643 deploy webstart JavaWS fails with proxy autoconfig due to missing "resolve" permission

Changes in Java SE 8u25 b31

Please note that fixes from the prior BPR (8u20 b32) are included in this BPR.

Java™ SE Development Kit 8, Update 25 (JDK 8u25)

The full version string for this update release is 1.8.0_25-b17 (where "b" means "build") except for Windows, where the version string is 1.8.0_25-b18 . The version number is 8u25.

IANA Data 2014c

JDK 8u25 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u25 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_25
7 1.7.0_71
6 1.6.0_85
5.0 1.5.0_75

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u25) will expire with the release of the next critical patch update scheduled for January 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u25) on February 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Instructions to disable SSL v3.0 in Oracle JDK and JRE

Oracle recommends that users and developers disable use of the SSLv3 protocol. Please follow the Instructions to disable SSL v3.0 in Oracle JDK and JRE.

Unsafe Server Certificate Change in SSL/TLS Renegotiations Not Allowed.

Starting with JDK 8u25, unsafe server certificate change in SSL/TLS renegotiations is not allowed by default. Server certificate change in an SSL/TLS renegotiation may be unsafe and should be restricted:

  • if endpoint identification is not enabled in an SSL/TLS handshaking; and
  • if the previous handshake is a session-resumption abbreviated initial handshake; and
  • the identities represented by both certificates (in previous handshake and this handshake) cannot be regraded as the same.

If unsafe server certificate change is really required, please set the system property, jdk.tls.allowUnsafeServerCertChange, to "true" before JSSE is initialized. Note that this would re-establish the unsafe server certificate change issue.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes in this release:

Area: security-libs/
Synopsis: Decrease the preference mode of RC4 in the enabled cipher suite list

This fix decreases the preference of RC4 based cipher suites in the default enabled cipher suite list of SunJSSE provider.

See 8043200 (not public).

Area: client-libs
Synopsis: JRE 8u20 crashes while using Japanese IM on Windows

The VM crashes while using Swing controls when some Japanese or Chinese characters are input on Windows platform. The issue is now fixed.

See 8058858 (not public).

Bug Fix List

BugId Component Subcomponent Summary
8047288 client-libs java.awt [macosx] Endless loop in EDT on Mac
8051588 client-libs java.awt [headless] DataTransferer.getInstance throws ClassCastException in headless mode
8057184 client-libs javax.swing JCK8's api/javax_swing/JDesktopPane/descriptions.html#getset failed with GTKLookAndFeel on Linux and Solaris run v.s. JDK8+
8057770 client-libs javax.swing api/javax_swing/JScrollPane/indexTGF.html#UpdateUI failed with MotifLookAndFeel on all platform
8048207 core-libs java.util CheckedQueue.offer calls wrong method on wrapped queue
8054904 deploy   Webstart cache path error for Java >= 7u65
8051891 deploy webstart SWT cannot load native look&feel
8046233 hotspot runtime VerifyError on backward branch
8051012 hotspot runtime Regression in verifier for <init> method call from inside of a branch
8035613 xml jaxb With active Securitymanager JAXBContext.newInstance fails