The following sections summarize changes made in all Java SE 8u251 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8244579 | javafx | web | Windows "User Objects" leakage with WebView |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8241966 (Confidential) | install | Add Oracle copyright to modified Sparkle 1.23.0 files | |
8241965 (Confidential) | install | Update THIRD_PARTY_README for Sparkle 1.23.0 | |
8241814 (Confidential) | install | auto_update | [macos] 8u251b60 AU missing "Remind Me" button |
8241410 (Confidential) | infrastructure | 8u251 b60 Mac notarized build is missing the ant-javafx.jar | |
8241399 (Confidential) | client-libs | java.awt | jdk8 build broken on macOS 10.7 and sdk 10.8 |
8240780 | infrastructure | build[8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds | |
8239919 | hotspot | [8u] enable parentheses-equality warnings in HotSpot | |
8239808 (Confidential) | install | auto_update | Change URL In <cntry-lookup> Tag In mac-XXX-XX.xml |
8239400 | hotspot | [8u] clean up delete-non-virtual-dtor warnings in HotSpot | |
8239223 | hotspot | [8u] enable Wparentheses warnings in HotSpot | |
8239112 | hotspot | [8u] clean up empty-body warnings in HotSpot | |
8239053 | hotspot | runtime | [8u] clean up undefined-var-template warnings |
8238852 (Confidential) | install | install | [macos] AU to NEXTVER failed when AU from 8u251 to future |
8238700 (Confidential) | infrastructure | build | Signing reliability change not fully working on 8u |
8238225 | infrastructure | build | Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary |
8237820 | infrastructure | build | remove clang version check for optimization bug workaround from 8u |
8236971 | javafx | window-toolkit | [macos] Gestures handled incorrectly due to missing events |
8236956 (Confidential) | security-libs | javax.net.ssl | Backport test lib files from JDK-8228967 |
8235687 | infrastructure | build | Contents/MacOS/libjli.dylib cannot be a symlink |
8232580 (Confidential) | infrastructure | build | Sign Macosx binaries with hardened runtime enabled |
8232087 (Confidential) | security-libs | org.ietf.jgss | Migrate KDC from sca00jvo/burge0401/sca00kte/sca00lol/adc1140258/sca00joh to new OCI hosts |
8231438 | client-libs | java.awt | [macOS] Dark mode for the desktop is not supported |
8231092 (Confidential) | infrastructure | build | Implement Apple notarization support in the build |
8230555 (Confidential) | security-libs | javax.net.ssl | OCI migration on IIS |
8226306 (Confidential) | infrastructure | build | Improve signing reliability |
8214046 | client-libs | java.awt | [macosx] Undecorated Frame does not Iconify when set to |
8213838 (Confidential) | install | Upgrade sparkle to 1.23.0 | |
8202393 | javafx | media | App Transport Security blocks http media on macOS with JDK build using new compilers |
8200550 | hotspot | gc | Xcode 9.3 produce warning -Wexpansion-to-defined |
8196724 | infrastructure | build | Change macosx deployment target to 10.9 |
8196538 (Confidential) | infrastructure | build | Fix compilation errors when using Xcode 9.2/Macosx 10.13 in deploy and install |
8181872 | hotspot | compiler | C1: possible overflow when strength reducing integer multiply by constant |
8152856 | hotspot | runtime | Xcode 7.3 -Wshift-negative-value compile failure on Mac OS X |
8141056 | hotspot | gc | Erroneous assignment in HeapRegionSet.cpp |
8060721 | hotspot | runtime | Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler |
8043646 | client-libs | java.awt | libosxapp.dylib fails to build on Mac OS 10.9 with clang |
8030680 | hotspot | compiler | 292 cleanup from default method code assessment |
7188942 (Confidential) | client-libs | 2d | Remove support of pbuffers in OGL Java2d pipeline |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8239444 (Confidential) | security-libs | java.security | High contention java.security.Provider.getService()-JDK-7092821 |
7092821 | security-libs | java.security | java.security.Provider.getService() is synchronized and became scalability bottleneck |
8231387 | security-libs | java.security | java.security.Provider.getService returns random result due to race condition with mutating methods in the same class |
8228613 | security-libs | java.security | java.security.Provider#getServices order is no longer deterministic |
8239946 (Confidential) | security-libs | javax.crypto | Update JarVerifier class with new signing cert details |
8240439 (Confidential) | core-libs | java.net | java.net.PlainDatagramSocketImpl.receive0 seems to fail for UDP traffic spontaneously |
BugId | Component | Subcomponent | Summary |
---|---|---|---|
8231779 | hotspot | gc | crash HeapWord*ParallelScavengeHeap::failed_mem_allocate |
April 14, 2020
The full version string for this update release is 1.8.0_251-b08 (where "b" means "build"). The version number is 8u251. This JDK 8 Update release implements JSR 337 Maintenance Release 3 (approved Feb 2020).
JDK 8u251 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u251 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 1.8.0_251-b08 |
7 | 1.7.0_261-b07 |
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u251) be used after the next critical patch update scheduled for July 14, 2020.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u251) on August 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
security-libs/javax.net.ssl
➜ TLS Application-Layer Protocol Negotiation Extension
JEP 244 has enhanced the Java Secure Socket Extension (JSSE) to provide support for the TLS Application-Layer Protocol Negotiation (ALPN) Extension (RFC 7301). New methods have been added to the javax.net.ssl
classes SSLEngine
, SSLSocket
, and SSLParameters
to allow clients and servers to negotiate an application layer value as part of the TLS handshake.
This API change was required by JSR 337 MR 3.
See JDK-8051498
security-libs/javax.crypto
➜ RSASSA-PSS Signature Support Added to SunMSCAPI
The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider.
See JDK-8205445
security-libs/java.security
➜ Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature
The SunRsaSign and SunJCE providers have been enhanced with support for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS signature and OAEP using FIPS 180-4 digest algorithms. New constructors and methods have been added to relevant JCA/JCE classes under the java.security.spec
and javax.crypto.spec
packages for supporting additional RSASSA-PSS parameters.
This API change was required by JSR 337 MR 3.
See JDK-8146293
javafx/web
➜ WebEngine Limits JavaScript Method Calls for Certain Classes
JavaScript programs that are run in the context of a web page loaded by WebEngine can communicate with Java objects passed from the application to the JavaScript program. JavaScript programs that reference java.lang.Class
objects are now limited to the following methods:
getCanonicalName
getEnumConstants
getFields
getMethods
getName
getPackageName
getSimpleName
getSuperclass
getTypeName
getTypeParameters
isAssignableFrom
isArray
isEnum
isInstance
isInterface
isLocalClass
isMemberClass
isPrimitive
isSynthetic
toGenericString
toString
No methods can be called on the following classes:
java.lang.ClassLoader
java.lang.Module
java.lang.Runtime
java.lang.System
java.lang.invoke.*
java.lang.module.*
java.lang.reflect.*
java.security.*
sun.misc.*
JDK-8236798 (not public)
security-libs/javax.xml.crypto
➜ New Oracle Specific JDK 8 Updates System Property to Fallback to Legacy Base64 Encoding Format
Oracle JDK 8u231 upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue where XML signature using Base64 encoding resulted in appending 
or 
to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.
Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without 
or 
.
Therefore, a new Oracle JDK 8 Updates only system property, - com.sun.org.apache.xml.internal.security.lineFeedOnly,
is made available to fall back to legacy Base64 encoded format.
Users can set this flag in one of two ways:
-Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")
This new system property is disabled by default. It has no effect on default behavior nor when com.sun.org.apache.xml.internal.security.ignoreLineBreaks
property is set.
Later JDK family versions might only support the recommended property: com.sun.org.apache.xml.internal.security.ignoreLineBreaks
See JDK-8236645
security-libs/javax.crypto
➜ Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA
, SHA256withECDSA
, etc.) are also supported.
See JDK-8026953
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8232154 | client-libs | 2d | Update Mesa 3-D Headers to version 19.2.1 |
2 | JDK-8214578 | client-libs | java.awt | [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings |
3 | JDK-8230597 | client-libs | java.awt | Update GIFlib library to the 5.2.1 |
4 | JDK-8230926 | client-libs | java.awt | [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout |
5 | JDK-4949105 | client-libs | javax.accessibility | Access Bridge lacks html tags parsing |
6 | JDK-8223158 | client-libs | javax.swing | Docked MacBook cannot start any Java Swing applications |
7 | JDK-8224475 | client-libs | javax.swing | JTextPane does not show images in HTML rendering |
8 | JDK-8226892 | client-libs | javax.swing | ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys |
9 | JDK-8230235 | client-libs | javax.swing | Rendering HTML with empty img attribute and documentBaseKey cause Exception |
10 | JDK-8235744 | client-libs | javax.swing | PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 |
11 | JDK-8229022 | core-libs | java.io | BufferedReader performance can be improved by using StringBuilder |
12 | JDK-6996807 | core-libs | java.io:serialization | FieldReflectorKey hash code computation can be improved |
13 | JDK-8067796 | core-libs | java.lang | (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null |
14 | JDK-8208715 | core-libs | java.lang | Conversion of milliseconds to nanoseconds in UNIXProcess contains bug. |
15 | JDK-8051853 | core-libs | java.net | new URI("x/").resolve("..").getSchemeSpecificPart() returns null! |
16 | JDK-8230856 | core-libs | java.net | Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return |
17 | JDK-8233022 | core-libs | java.net | [test] backout accidental change to SetLoopbackMode.java |
18 | JDK-8232003 | core-libs | java.nio | (fs) Files.write can leak file descriptor in the exception case |
19 | JDK-8237368 | core-libs | java.rmi | Problem with NullPointerException in RMI TCPEndpoint.read |
20 | JDK-8227127 | core-libs | java.text | Era designator not displayed correctly using the COMPAT provider |
21 | JDK-8234466 | core-libs | java.util.jar | Class loading deadlock involving X509Factory#commitEvent() |
22 | JDK-8066652 | core-libs | java.util:i18n | Default TimeZone is GMT not local if user.timezone is invalid on Mac OS |
23 | JDK-8225435 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry to the latest for JDK14 |
24 | JDK-8033215 | hotspot | compiler | clang: node.cpp:284 IDX_INIT macro use uninitialized field _out |
25 | JDK-8146792 | hotspot | compiler | Predicate moved after partial peel may lead to broken graph |
26 | JDK-8231988 | hotspot | compiler | Unexpected test result caused by C2 IdealLoopTree::do_remove_empty_loop |
27 | JDK-8222122 | hotspot | jfr | Provision to disable XML validation in .jfc file in JFR |
28 | JDK-8215355 | hotspot | runtime | Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1) |
29 | JDK-8229345 | hotspot | runtime | Memory leak due to vtable stubs not being shared on SPARC |
30 | JDK-8146293 | security-libs | java.security | Add support for RSASSA-PSS Signature algorithm |
31 | JDK-8175029 | security-libs | java.security | StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider) |
32 | JDK-8206171 | security-libs | java.security | Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized |
33 | JDK-8214096 | security-libs | java.security | sun.security.util.SignatureUtil passes null parameter, so JCE validation fails |
34 | JDK-8215694 | security-libs | java.security | keytool cannot generate RSASSA-PSS certificates |
35 | JDK-8225180 | security-libs | java.security | SignedObject with invalid Key not throwing the InvalidKeyException in Windows |
36 | JDK-8225745 | security-libs | java.security | NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support |
37 | JDK-8236470 | security-libs | java.security | Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId |
38 | JDK-8193262 | security-libs | javax.crypto | JNI array not released in libsunmscapi convertToLittleEndian |
39 | JDK-8205445 | security-libs | javax.crypto | Add RSASSA-PSS Signature support to SunMSCAPI |
40 | JDK-8221407 | security-libs | javax.crypto | Windows 32bit build error in libsunmscapi/security.cpp |
41 | JDK-8223003 | security-libs | javax.crypto | SunMSCAPI keys are not cleaned up |
42 | JDK-8145849 | security-libs | javax.net.ssl | ALPN: getHandshakeApplicationProtocol() always return null |
43 | JDK-8158978 | security-libs | javax.net.ssl | ALPN not working when values are set directly on a SSLServerSocket |
44 | JDK-8170282 | security-libs | javax.net.ssl | Enable ALPN parameters to be supplied during the TLS handshake |
45 | JDK-8171443 | security-libs | javax.net.ssl | (spec) An ALPN callback function may also ignore ALPN |
46 | JDK-8216039 | security-libs | javax.net.ssl | TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange |
47 | JDK-8236645 | security-libs | javax.xml.crypto | JDK 8u231 introduces a regression with incompatible handling of XML messages |
48 | JDK-8207760 | xml | javax.xml.transform | SAXException: Invalid UTF-16 surrogate detected: d83c ? |
49 | JDK-8046274 | xml | jaxp | Removing dependency on jakarta-regexp |
50 | JDK-8163121 | xml | jaxp | BCEL: update to the latest 6.0 release |
51 | JDK-8233548 | xml | jaxp | Update CUP to v0.11b |