We’re sorry. We could not find a match for your search.

We suggest you try the following to help find what you’re looking for:

  • Check the spelling of your keyword search.
  • Use synonyms for the keyword you typed, for example, try "application" instead of "software."
  • Start a new search.
Cloud Account Sign in to Cloud
Oracle Account
java

JDK 8u261 Release Notes

Java SE 8u261 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u261 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u261 b36

Bug Fixes

BugId Component Subcomponent Summary
8252789 deploy deployment_toolkit Empty client certificate issue during TLS handshake
8249183 client-libs java.awt JVM crash in "AwtFrame::WmSize" method
8249846 core-libs java.util.concurrent Change of behavior after JDK-8237117: Better ForkJoinPool behavior
8252861 deploy Disable TLSv1.3 by default on deploy configurations

Changes in Java SE 8u261 b34

Bug Fixes

BugId Component Subcomponent Summary
8247839 javafx graphics Wrong position of GUI elements using multiple HiDPI displays in JavaFX 8
8193800 javafx controls TreeTableView selection changes on sorting

Changes in Java SE 8u261 b33

Bug Fixes

BugId Component Subcomponent Summary
8248505 security-libs java.security Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
8248990 (Confidential) docs guides Remove link to old license page from JDK 8 troubleshooting guide
8248523 (Confidential) docs guides In TLS overview page, change JDK 11 to JDK 8
8235932 (Confidential) docs guides Backport TLS 1.3 documentation for JDK 8u MR3
8245624 (Confidential) embedded hotspot Arm support missing for JDK-8176100
8062947 core-libs javax.naming Fix exception message to correctly represent LDAP connection failure
8217606 core-libs javax.naming LdapContext#reconnect always opens a new connection
8151678 core-libs javax.naming com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
8243138 core-libs javax.naming Enhance BaseLdapServer to support starttls extended request
8247925 (Confidential) xml jaxp JDK8u251- XSL transformer fails with TransformerConfigurationException

Java™ SE Development Kit 8, Update 261 (JDK 8u261)

July 14, 2020

The full version string for this update release is 1.8.0_261-b12 (where "b" means "build"). The version number is 8u261.

IANA Data 2020a

JDK 8u261 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u261 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_261-b12
7 1.7.0_271-b10

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u261) be used after the next critical patch update scheduled for October 20, 2020.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u261) on November 17, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

hotspot/runtime
 JDK/JRE Runtime Windows Visual Studio Library (DLL) Dependency Changes

As part of ongoing maintenance, the Microsoft Visual Studio 2017 tool chain will be used to build JDK 7 and JDK 8 for Windows. JDK 8u261, in the July 2020 CPU, was built with Visual Studio 2017. With the release of the January 2021 CPU, JDK 7u291 will move to Visual Studio 2017.

Moving to Visual Studio 2017 for JDK 7 and JDK 8 requires changing the runtime library that the JDK/JRE depends on. Before this change, JDK/JRE implementations used and shipped the Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) that included MSVCR100.dll [a][b]. Microsoft Visual Studio 2017 uses a different set of libraries/DLLs.

Native applications (including JNI) that have depended on and assumed the presence of MSCVR100.dll in the JDK/JRE directory will fail to run. When this happens, users will see an error such as:

"The code execution cannot proceed because MSVCR100.dll was not found. Reinstalling the program may fix this problem."

These applications should be rebuilt and shipped with modern C++ runtime dependencies that use a later instance of Visual Studio. Applications should not depend on DLLs included with the JDK/JRE that are not documented in the product as offering support for the specification or other functionality in Java SE.

[a] http://support.microsoft.com/kb/2019667

[b] https://docs.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2020

JDK-8246783 (not public)

security-libs/javax.net.ssl
 TLS Support for RSASSA-PSS Signature Algorithms

Added support for RSASSA-PSS signature algorithms in JSSE implementation.

See JDK-8166595

security-libs/javax.net.ssl
 JEP 332: Transport Layer Security (TLS) 1.3

JDK 8u261 includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). For more details including a list of the features that are supported, refer to the Java Secure Socket Extension (JSSE) Reference Guide documentation and JEP 332.

For TLS 1.3, the following new standard algorithm names are defined:

  1. TLS protocol version name: TLSv1.3
  2. SSLContext algorithm name: TLSv1.3
  3. TLS cipher suite names for TLS 1.3: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384

TLS 1.3 is disabled for default SSLContext("SSL" or "TLS") for client end-point.

The TLS 1.3 protocol can be enabled using several mechanisms already available in the JDK. For example, TLS 1.3 protocol can be enabled on SSL/TLS connections using SSLSocket/SSLEngine/SSLServerSocket APIs and system properties by the following:

  1. sslSocket.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2"});
  2. Setting up and using a TLSv1.3 based SSLContext : SSLContext ctx = SSLContext.getInstance("TLSv1.3");
  3. Using the SSLParameters API: sslParameters.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
  4. The jdk.tls.client.protocols system property can also be used to control the protocols in use for a TLS connection. One may launch their application with this property. For example, java -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2" enables TLSv1.3 and TLSv1.2 on client SSLSockets.
  5. The https.protocols system property can also be used to control the protocols on connection obtained through use of the HttpsURLConnection class or URL.openStream() operations. For example, -Dhttps.protocols=TLSv1.3,TLSv1.2.

A new system property, jdk.tls.server.protocols, has been added to configure the default enabled protocol suite in the server side of the SunJSSE provider.

A new security property, jdk.tls.keyLimits, has been added for TLS 1.3. When the specified amount of data of a specific algorithm has been processed, a post-handshake Key and IV Update is triggered to derive new keys.

Note that TLS 1.3 is not directly compatible with previous versions. Although TLS 1.3 can be implemented with a backward-compatibility mode, there are still several compatibility risks to take into account when upgrading to TLS 1.3:

  1. TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there might be compatibility issues when upgrading to TLS 1.3. A new system property, jdk.tls.acknowledgeCloseNotify, is added. The default value of the system property is "false". If the system property is set to "true", a corresponding close_notify alert will be sent when receiving a close_notify alert, and the connection will be duplex closed.
  2. The signature_algorithms_cert extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application can use unsupported signature algorithms.
  3. The DSA signature algorithm is not supported in TLS 1.3. If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.
  4. The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions. If an application hard-codes cipher suites that are no longer supported, it cannot use TLS 1.3 without modifying the application code.
  5. The TLS 1.3 session resumption and key update behaviors are different from TLS 1.2 and prior versions. The compatibility impact should be minimal; however, there could be a risk if an application depends on the handshake details of the TLS protocols.
  6. The legacy com.sun.net.ssl.dhKeyExchangeFix system property has been removed from the new TLS implementation.

Improved JSSE debug logging format has been introduced to record the logger name, the logger level, the thread ID, the thread name, the time and the caller for each log item. Use the javax.net.debug=all system property to get full debug logs.

See JDK-8145252

security-libs/javax.crypto
 JCE Jurisdiction Policy Files updated

Since January 2018 (8u161, 7u171) unlimited Java Cryptography Extension (JCE) Jurisdiction Policy files have been bundled with the JDK and enabled by default (see JDK Cryptographic Roadmap).

The certificate for the old stand alone jar has expired, and if used the following exception will be seen:

Caused By: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.) at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:336) at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378) at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323) at javax.crypto.JceSecurity.access$000(JceSecurity.java:50) at javax.crypto.JceSecurity$1.run(JceSecurity.java:85) at java.security.AccessController.doPrivileged(Native Method) at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)

If still required for older releases the re-signed files can be found at https://www.oracle.com/java/technologies/oracle-java-archive-downloads.html

JDK-8245319 (not public)

security-libs/javax.net.ssl
 New System Properties to Configure the TLS Signature Schemes

Two new system properties have been added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes has been added for the TLS client side, and jdk.tls.server.SignatureSchemes has been added for the server side.

Each system property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections.

The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.

See JDK-8242141

security-libs/javax.net.ssl
 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS

The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHE to false.

See JDK-8140436

infrastructure
 Toolchain Upgrade to Xcode 10.1

Build Environment Update for macOS Moved to Xcode 10.1 On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.

JDK-8232007 (not public)

Removed Features and Options

security-libs/java.security
Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts keystore:

  • alias name "keynectisrootca [jdk]"

    Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

See JDK-8225068

Other Notes

javafx/media
 Media Playback Does Not Work on Ubuntu 20.04

Media playback does not work on Ubuntu 20.04. This affects all media formats (such as, mp4, mp3, wav, etc.). In some cases, an error will be thrown. In other cases, the media player will switch to the ready state, but playback will not start. There is no workaround for this issue. This issue should be resolved by JDK-8239095.

JDK-8245501 (not public)

core-libs/java.util:collections
 Better Listing of Arrays

The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be (aware of/monitor) the significant resources required involved in making the copy.

JDK-8231800 (not public)

security-libs/javax.net.ssl
 Problem looking up Client Certificates in keystore

Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication. One key type per call. https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-

If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all keytypes are passed in the keyType String array in the first call to chooseClientAlias: String chooseClientAlias​(String[] keyType, Principal[] issuers, Socket socket)

See JDK-8261624

install/install
 Java Mission Control Is No Longer Bundled With the JDK

This version of the JDK no longer includes Java Mission Control (JMC). The jmc launcher has been removed from the JDK bin directory, and the missioncontrol directory has been removed from the JDK lib directory. The .jfr file association is not registered by JDK installers. JMC is now available as a separate download. Please visit https://www.oracle.com/javase/jmc for more information.

JDK-8244662 (not public)

docs/release_notes
 SSL Handshake Issues Encountered Post Upgrade to 8u261

JDK 8u261 release includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). The following are descriptions of "Known Issues" which an application might encounter during a SSL handshake, post upgrade to Oracle JDK/JRE 8u261:

  1. SSL handshake fails on client side with an exception message "Received fatal alert: handshake_failure"
javax.net.ssl|SEVERE|C8|....|TransportContext.java:319|Fatal (HANDSHAKE_FAILURE): Received fatal

alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:187)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1198)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1107)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:372)

Cause: One possible cause is old server intolerance to FFDHE arguments. As per TLS RFC 7919 on server behavior If a compatible TLS server receives a Supported Groups extension from a client that includes any FFDHE group (i.e., any codepoint between 256 and 511, inclusive, even if unknown to the server), and if none of the client-proposed FFDHE groups are known and acceptable to the server, then the server MUST NOT select an FFDHE cipher suite. In this case, the server SHOULD select an acceptable non-FFDHE cipher suite from the client's offered list. If the extension is present with FFDHE groups, none of the client's offered groups are acceptable by the server, and none of the client's proposed non-FFDHE cipher suites are acceptable to the server, the server MUST end the connection with a fatal TLS alert of type insufficient_security(71).

Solution: In Oracle JDK 8u261, Finite Field Diffie-Hellman Ephemeral (FFDHE) is enabled by default. User can disable FFDHE via security property "-Djsse.enableFFDHE=false on the server (See JDK-8252716)

  1. Post upgrade to 8u261 client application encounters close_notify exception during a ClientHello SSL handshake.
javax.net.ssl.SSLProtocolException: Received close_notify during handshake


       at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
        at sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at sun.security.ssl.SSLTransport.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown

Cause: In case of an SSL abbreviated handshake (session resumption) SSL client is adding extra extensions than the agreed protocol's supported extensions. While it is TLS RFC complaint, some old non-compliant server implementations may reject this ClientHello.

Solution: As a work around specify System property -Djdk.tls.client.protocols= or use setEnabledProtocols API to set on the client end to mitigate the issue.

  1. On upgrade to 8u261, under certain conditions user application may observe higher CPU utilization and slower response time.

Following method reference count would increase in memory profilers

   HashMap$Node[] java.util.HashMap.resize()

   void sun.security.ssl.SSLSessionContextImpl.put(SSLSessionImpl)
   void sun.security.util.MemoryCache.put(Object, Object)
   Object java.util.HashMap.put(Object, Object)
   Object java.util.HashMap.putVal(int, Object, Object, boolean, boolean)
   HashMap$Node[] java.util.HashMap.resize()

Cause: In 8u261, System Property SSLSessionContext.getSessionCacheSize default value was changed from 0 to 20480 ( see JDK-8210985 ) The change was made since with larger heaps, applications are running into situations where the cache ends up with several million entries at the 24 hour mark, at which time many of them are invalidated at almost the same time, which can result in multi-minute pauses, which are effectively service failures.

Solution: Revert back to JDK 8u251 behaviour by setting System Property "-Djavax.net.ssl.sessionCacheSize=0" (set number of entries in the SSL session cache to infinite)

  1. TLS connection issues with applications using javax.net.ssl.SSLEngine

Cause: The internal implementation of the SSLEngine and associated classes has been reworked with the introduction of TLS v1.3 support. Buffer usage has been improved in the SSLEngine area.

Solution: If an SSLEngine application encounters issues after upgrading to JDK 8u261 or later, refer to the Java 8 API to ensure application code is correct. In particular, applications using SSLEngine should not just depend on SSLEngineResult.Status.BUFFER_UNDERFLOW or SSLEngineResult.Status.BUFFER_OVERFLOW results in order to flush pending data. Buffers should always be flushed after an SSLEngine wrap operation if such a call produces data (where SSLEngineResult.Status.OK may be returned).

  1. Post upgrading client machine with 8u261, during a SSL handshake, the "Request Authentication" popup dialog does not display any certificates if user has set deployment System Property deployment.security.clientauth.keystore.auto=false

Cause: If deployment.security.clientauth.keystore.auto=false in the deployment.properties file Java Plugin and Java Web Start show “Request Authentication” dialog regardless the number of available certificates. However due to some modifications introduced by TLS 1.3 framework sometimes the list of available certificates might be empty.

Solution: There are two possible ways to resolve the issue:

  1. Set deployment System Property deployment.security.clientauth.keystore.auto=true

  2. Upgrade to new version 8u281 of Oracle JDK contained the fix for the issue

(see JDK-8253502 )

  1. Post upgrade to 8u261, during a SSL handshake, user may observe the following "Warning" message in the log
javax.net.ssl|WARNING|03|Finalizer|2020-08-31 09:42:20.203 EDT|null:-1|SSLSocket duplex close failed (

"throwable" : {
java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.duplexCloseOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.close(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.finalize(Unknown Source)
at java.lang.System$2.invokeFinalize(Unknown Source)
at java.lang.ref.Finalizer.runFinalizer(Unknown Source)
at java.lang.ref.Finalizer.access$100(Unknown Source)
at java.lang.ref.Finalizer$FinalizerThread.run(Unknown Source)}

Cause: JDK 8u261 introduced a new format for TLS logging. Additional data is now captured per event and logged. Exceptions handled by the JDK TLS library code may print verbose information about the cause of such exceptions when logging is enabled.

Solution: User can safely ignore these Warning messages

  1. Ensure you 3rd party libraries are fully patched. Examples: Bouncy Castle, Apache, OpenSSL, Jetty

Symptoms: New/Unexpected issues from 3rd party library software being used in conjunction with the JDK.

Cause: The new TLS implementation introduces significant changes to the internal, underlying, design of the JDK TLS security libraries. The new design has exposed some bugs in 3rd party software libraries. For the most part, these issues have already been patched in such 3rd party libraries.

Examples include: Apache http-core Bouncy Castle Jetty

Solution: It's good practice to ensure that 3rd party library products being used in conjunction with the JDK TLS API are patched and up to date.

JDK-8258585 (not public)

deploy/plugin
 Possible Hang of Internet Explorer 11 With JDK 8u261 on Windows 7

On Windows 7, the Internet Explorer 11 (IE 11) JavaScript engine does not interact properly with Java Applets because, beginning with 8u261, the JDK/JRE is compiled with VisualStudio 2017. For example, an application that uses the JavaScript methods setTimeout() and setInterval() may cause IE 11 to hang when a modal dialog is shown by a Java Applet.

JDK-8244937 (not public)

install
 8u RPM Installer Failed to Install on SUSE When Updating Alternatives

Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java and javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac group with alternatives framework. All links unique to the javac group have been moved into the java group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.

The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command: /usr/sbin/alternatives --auto java

JDK-8240919 (not public)

core-svc/java.lang.management
 OperatingSystemMXBean Methods Inside a Container Return Container Specific Data

When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:

  • getFreePhysicalMemorySize()
  • getTotalPhysicalMemorySize()
  • getFreeSwapSpaceSize()
  • getTotalSwapSpaceSize()
  • getSystemCpuLoad()
See JDK-8226575

security-libs
 Default SSL Session Cache Size Updated to 20480

The default SSL session cache size has been updated to 20480 in this JDK release

See JDK-8210985

security-libs/javax.net.ssl
 BoringSSL Rejects JSSE TLS 1.3 HTTPS Connections When status_request Extension Is Disabled

BoringSSL is an SSL library deployed on some popular websites such as those run by Google/YouTube. An interoperability issue with the BoringSSL library can lead to a connection failure if TLSv1.3 is presented as the only enabled protocol in the ClientHello message and the certificate status_request extension is disabled. Enabling the certificate status_request extension by setting the jdk.tls.client.enableStatusRequestExtension system property to true will provide mitigation in such scenarios.

See JDK-8241360

core-libs/java.io:serialization
 Improved Serialization Handling

When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter the method must be called before reading any objects from the stream. If the methods readObject or readUnshared are called, the setObjectInputFilter method throws IllegalStateException.

JDK-8234836 (not public)

security-libs/javax.net.ssl
 Increase the priorities of GCM cipher suites

In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider.

In the SunJSSE provider, the following ciphersuites are now the most preferred by default:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases.

See JDK-8028518

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8130737 client-libs 2d [macosx] AffineTransformOp can't handle child raster with non-zero x-offset
2 JDK-8211301 client-libs java.awt [macos] support full window content options
3 JDK-8214046 client-libs java.awt [macosx] Undecorated Frame does not Iconify when set to
4 JDK-8231438 client-libs java.awt [macOS] Dark mode for the desktop is not supported
5 JDK-8242498 client-libs java.awt Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
6 JDK-8226253 client-libs javax.accessibility JAWS reports wrong number of radio buttons when buttons are hidden
7 JDK-8238842 client-libs javax.imageio AIOOBE in GIFImageReader.initializeStringTable
8 JDK-8194298 core-libs java.net Add support for per Socket configuration of TCP keepalive
9 JDK-8232854 core-libs java.net URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails
10 JDK-8044365 core-libs java.nio (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
11 JDK-8229888 core-libs java.nio (zipfs) Updating an existing zip file does not preserve original permissions
12 JDK-8146356 core-libs java.time java.time.format.TextStyle.FULL_STANDALONE does not work well while formatting months.
13 JDK-8165936 core-libs java.util:i18n Potential Heap buffer overflow when seaching timezone info files
14 JDK-8228477 core-libs java.util:i18n Have calendar revert to default names if no standalone resources exist
15 JDK-8214440 core-libs javax.naming ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
16 JDK-8193137 core-libs jdk.nashorn Nashorn crashes when given an empty script file.
17 JDK-8226575 core-svc java.lang.management OperatingSystemMXBean should be made container aware
18 JDK-8239332 deploy plugin LiveConnect netscape.javascript.JSException: No such property "outerWidthX" on JavaScript object
19 JDK-8170074 docs guides Typos on "How Classes are Found" web page on Oracle site
20 JDK-8240337 docs guides JDK 8 Developer Guides index.html page has incorrect links
21 JDK-8241531 docs guides Update copyright page for JDK 8 docs
22 JDK-8243337 docs guides Java Print Service API User's Guide contains typos and formatting errors
23 JDK-8243584 docs guides Malformed HTML in the Serialization section of the JDK 8 developer guides
24 JDK-8181872 hotspot compiler C1: possible overflow when strength reducing integer multiply by constant
25 JDK-8062808 hotspot gc Turn on the -Wreturn-type warning
26 JDK-8064786 hotspot gc Fix debug build after 8062808: Turn on the -Wreturn-type warning
27 JDK-8141056 hotspot gc Erroneous assignment in HeapRegionSet.cpp
28 JDK-8176100 hotspot gc [REDO][REDO] G1 Needs pre barrier on dereference of weak JNI handles
29 JDK-8191393 hotspot gc Random crashes during cfree+0x1c
30 JDK-8225716 hotspot gc G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding
31 JDK-8231779 hotspot gc crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
32 JDK-8041626 hotspot jfr Shutdown tracing event
33 JDK-8213617 hotspot jfr JFR should record the PID of the recorded process
34 JDK-8035493 hotspot jvmti JVMTI PopFrame capability must instruct compilers not to prune locals
35 JDK-8060721 hotspot runtime Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler
36 JDK-8076475 hotspot runtime Misuses of strncpy/strncat
37 JDK-8187667 hotspot runtime Disable deprecation warning for readdir_r
38 JDK-8223671 infrastructure   The latest Java 8 is not ready to use in applications on future macOS versions
39 JDK-8237820 infrastructure build remove clang version check for optimization bug workaround from 8u
40 JDK-8240780 infrastructure build [8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds
41 JDK-8232811 javafx controls Dialog's preferred size no longer accommodates multi-line strings
42 JDK-8189092 javafx graphics ArrayIndexOutOfBoundsException on Linux in getCachedGlyph
43 JDK-8212034 javafx graphics Potential memory leaks in jpegLoader.c in error case
44 JDK-8234916 javafx graphics [macos 10.15] Garbled text running with native-image
45 JDK-8237782 javafx graphics Only read advances up to the minimum of the numHorMetrics or the available font data.
46 JDK-8237833 javafx graphics Check glyph size before adding to glyph texture cache.
47 JDK-8239107 javafx graphics Update libjpeg to version 9d
48 JDK-8241370 javafx graphics Crash in JPEGImageLoader after fix for JDK-8212034
49 JDK-8202393 javafx media App Transport Security blocks http media on macOS with JDK build using new compilers
50 JDK-8236832 javafx media [macos 10.15] JavaFX Application hangs on video play on Catalina
51 JDK-8240694 javafx media [macos 10.15] JavaFX Media hangs on some video files on Catalina
52 JDK-8241629 javafx media [macos10.15] Long startup delay playing media over https on Catalina
53 JDK-8242530 javafx media [macos] Some audio files miss spectrum data when another audio file plays first
54 JDK-8238434 javafx samples Ensemble: Update version of Lucene to 7.7.2
55 JDK-8132880 javafx scenegraph Unpredictable behaviour when trying to set negative scene width or height
56 JDK-8223298 javafx web SVG patterns are drawn wrong
57 JDK-8237889 javafx web Update libxml2 to version 2.9.10
58 JDK-8237944 javafx web webview native cl "-m32" unknown option for windows 32-bit build
59 JDK-8242209 javafx web Increase web native thread stack size for x86 mode
60 JDK-8244579 javafx web Windows "User Objects" leakage with WebView
61 JDK-8181476 javafx window-toolkit [macos] Stages with StageStyle.UTILITY are always on-top when initialized without an owner
62 JDK-8234474 javafx window-toolkit [macos 10.15] Crash in file dialog in sandbox mode
63 JDK-8236685 javafx window-toolkit [macOs] Remove obsolete file dialog subclasses
64 JDK-8236971 javafx window-toolkit [macos] Gestures handled incorrectly due to missing events
65 JDK-7092821 security-libs java.security java.security.Provider.getService() is synchronized and became scalability bottleneck
66 JDK-8028431 security-libs java.security NullPointerException in DerValue.equals(DerValue)
67 JDK-8028591 security-libs java.security NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
68 JDK-8181841 security-libs java.security A TSA server returns timestamp with precision higher than milliseconds
69 JDK-8228613 security-libs java.security java.security.Provider#getServices order is no longer deterministic
70 JDK-8231387 security-libs java.security java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
71 JDK-8238452 security-libs java.security Keytool generates wrong expiration date if validity is set to 2050/01/01
72 JDK-8177784 security-libs javax.crypto Use CounterMode intrinsic for AES/GCM
73 JDK-8179098 security-libs javax.crypto Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
74 JDK-8201633 security-libs javax.crypto Problems with AES-GCM native acceleration
75 JDK-8220165 security-libs javax.crypto Encryption using GCM results in RuntimeException: input length out of bound
76 JDK-8233954 security-libs javax.crypto UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
77 JDK-8165275 security-libs javax.crypto:pkcs11 Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
78 JDK-4919790 security-libs javax.net.ssl Errors in alert ssl message does not reflect the actual certificate status
79 JDK-7013776 security-libs javax.net.ssl Multithreaded JSSE application debug information is hard to read
80 JDK-8028518 security-libs javax.net.ssl Increase the priorities of GCM cipher suites
81 JDK-8145854 security-libs javax.net.ssl SSLContextImpl.statusResponseManager should be generated if required
82 JDK-8166595 security-libs javax.net.ssl TLS Support for RSASSA-PSS Signature Algorithms
83 JDK-8185576 security-libs javax.net.ssl New handshake implementation
84 JDK-8206355 security-libs javax.net.ssl SSLSessionImpl.getLocalPrincipal() throws NPE
85 JDK-8206929 security-libs javax.net.ssl Check session context for TLS 1.3 session resumption
86 JDK-8207009 security-libs javax.net.ssl TLS 1.3 half-close and synchronization issues
87 JDK-8207029 security-libs javax.net.ssl Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21
88 JDK-8207058 security-libs javax.net.ssl Backport System Property jdk.tls.server.protocols
89 JDK-8207223 security-libs javax.net.ssl SSL Handshake failures are reported with more generic SSLException
90 JDK-8207317 security-libs javax.net.ssl SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
91 JDK-8208166 security-libs javax.net.ssl Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
92 JDK-8209333 security-libs javax.net.ssl Socket reset issue for TLS 1.3 socket close
93 JDK-8209916 security-libs javax.net.ssl NPE in SupportedGroupsExtension
94 JDK-8209965 security-libs javax.net.ssl The "supported_groups" extension in ServerHellos
95 JDK-8210334 security-libs javax.net.ssl TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
96 JDK-8210846 security-libs javax.net.ssl TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
97 JDK-8210974 security-libs javax.net.ssl No extensions debug log for ClientHello
98 JDK-8210985 security-libs javax.net.ssl Update the default SSL session cache size to 20480
99 JDK-8210989 security-libs javax.net.ssl RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
100 JDK-8211339 security-libs javax.net.ssl NPE during SSL handshake caused by HostnameChecker
101 JDK-8211806 security-libs javax.net.ssl TLS 1.3 handshake server name indication is missing on a session resume
102 JDK-8211866 security-libs javax.net.ssl TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
103 JDK-8212738 security-libs javax.net.ssl Incorrectly named signature scheme ecdsa_secp512r1_sha512
104 JDK-8212885 security-libs javax.net.ssl TLS 1.3 resumed session does not retain peer certificate chain
105 JDK-8213202 security-libs javax.net.ssl Possible race condition in TLS 1.3 session resumption
106 JDK-8213782 security-libs javax.net.ssl NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers
107 JDK-8214098 security-libs javax.net.ssl sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards.
108 JDK-8214129 security-libs javax.net.ssl SSL session resumption/SNI with TLS1.2 causes StackOverflowError
109 JDK-8214339 security-libs javax.net.ssl SSLSocketImpl erroneously wraps SocketException
110 JDK-8214688 security-libs javax.net.ssl TLS 1.3 session resumption with hello retry request failed with "illegal_parameter"
111 JDK-8215524 security-libs javax.net.ssl Finished message validation failure should be decrypt_error alert
112 JDK-8215711 security-libs javax.net.ssl Missing key_share extension for (EC)DHE key exchange should alert missing_extension
113 JDK-8215790 security-libs javax.net.ssl Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
114 JDK-8216045 security-libs javax.net.ssl The size of key_exchange may be wrong on FFDHE
115 JDK-8216326 security-libs javax.net.ssl SSLSocket stream close() does not close the associated socket
116 JDK-8217610 security-libs javax.net.ssl TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
117 JDK-8219389 security-libs javax.net.ssl Delegated task created by SSLEngine throws BufferUnderflowException
118 JDK-8221253 security-libs javax.net.ssl TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes
119 JDK-8223482 security-libs javax.net.ssl Unsupported ciphersuites may be offered by a TLS client
120 JDK-8223940 security-libs javax.net.ssl Private key not supported by chosen signature algorithm
121 JDK-8225766 security-libs javax.net.ssl Curve in certificate should not affect signature scheme when using TLSv1.3
122 JDK-8228757 security-libs javax.net.ssl Fail fast if the handshake type is unknown
123 JDK-8235263 security-libs javax.net.ssl Revert TLS 1.3 change that wrapped IOExceptions
124 JDK-8235311 security-libs javax.net.ssl Tag mismatch may alert bad_record_mac
125 JDK-8235874 security-libs javax.net.ssl The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property.
126 JDK-8236039 security-libs javax.net.ssl JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
127 JDK-8237474 security-libs javax.net.ssl Default SSLEngine should create in server role
128 JDK-8239798 security-libs javax.net.ssl SSLSocket closes socket both socket endpoints on a SocketTimeoutException
129 JDK-8242141 security-libs javax.net.ssl New System Properties to configure the TLS signature schemes
130 JDK-8242294 security-libs javax.net.ssl JSSE Client does not throw SSLException when an alert occurs during handshaking
131 JDK-8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
132 JDK-8224157 xml jaxp BCEL: update to version 6.3.1
133 JDK-8238164 xml jaxp Update Apache Xerces to version 2.12.0 in JDK 8u