JDK 8u271 Release Notes

Java SE 8u271 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u271 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.


Changes in Java SE 8u271 b37

Bug Fixes

BugId Component Subcomponent Summary
JDK-8256818 security-libs SSLSocket that is never bound or connected leaks socket resources
JDK-8257670 security-libs sun/security/ssl/SSLSocketImpl/ reports leaks
JDK-8257997 security-libs sun/security/ssl/SSLSocketImpl/ again reports leaks after JDK-8257884
JDK-8255908 core-libs ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem
JDK-8250627 core-libs Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
JDK-8256685 xml jaxp Behavior change in XML since jdk1.8.0_271
JDK-8238579 core-libs HttpsURLConnection drops the timeout and hangs forever in read
JDK-8254982 core-libs java.time (tz) Upgrade time-zone data to tzdata2020c
JDK-8255226 core-libs java.time (tz) Upgrade time-zone data to tzdata2020d
JDK-8250984 hotspot runtime Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities



Changes in Java SE 8u271 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8255559 security-libs javax.xml.crypto Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()


Changes in Java SE 8u271 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8253502 (Confidential) hotspot svc No certificates in "Request Authentication" dialog after upgrading to 8u261
JDK-8252455 (Confidential) core-libs Performance issue caused by 8232854
JDK-8206925 security-libs Support the certificate_authorities extension
JDK-8250676 (Confidential) hotspot svc JFR recording MonitorEnter events - Stack trace caching


Changes in Java SE 8u271 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8254177 core-libs java.time (tz) Upgrade time-zone data to tzdata2020b.

Java™ SE Development Kit 8, Update 271 (JDK 8u271)

October 20, 2020

The full version string for this update release is 1.8.0_271-b09 (where "b" means "build"). The version number is 8u271.

IANA Data 2020a

JDK 8u271 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u271 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_271-b09
7 1.7.0_281-b06

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u271) be used after the next critical patch update scheduled for January 19, 2021.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u271) on February 20, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

 Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.

With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.

To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.

Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448

See JDK-8233228

 Support for Kerberos Cross-Realm Referrals (RFC 6806)

The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.

As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).

Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the security or system property to false. To configure a custom maximum number of referral hops, set the security or system property to any positive value.

See further information in JDK-8223172.

See JDK-8215032

 Improve Certificate Chain Handling

A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).

A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.

JDK-8245417 (not public)

 Tools Warn If Weak Algorithms Are Used

The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the security property in the configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.

See JDK-8172404

 Support for canonicalize in krb5.conf

The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.

The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the system or security properties).

See JDK-8239385

Removed Features and Options

 Java Plugin is Removed from JDK 8u for Linux, Solaris, and MacOS Platforms

NPAPI is considered to be a vulnerable plugin and has been disabled in many browsers. No browsers currently support Java Plugin, which is NPAPI-based, on Linux, Solaris, and MacOS platforms.

Starting from 8u271, the part of Java Plugin responsible for integration and interaction with a browser (in particular libnpjp2 library) and an associated artifact will not be built and is not part of the JRE distribution on Linux, Solaris, and MacOS platforms.

JDK-8240210 (not public)

Other notes

 Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections

A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.

The value of the property, which is by default not set, is a comma separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' ( i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.

The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.

Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.

JDK-8237990 (not public)

 Added 3 SSL Corporation Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ SSL Corporation

  + sslrootrsaca
    DN: Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrootevrsaca
    DN: EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrooteccca
    DN: Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
See JDK-8243320

 Added Entrust Root Certification Authority - G4 certificate

The following root certificate has been added to the cacerts truststore:

+ Entrust

  + entrustrootcag4
    DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", 
        OU=See, O="Entrust, Inc.", C=US
See JDK-8243321

 8u RPM Installer Failed to Install on SUSE When Updating Alternatives

Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java and javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac group with alternatives framework. All links unique to the javac group have been moved into the java group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.

The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command:

/usr/sbin/alternatives --auto java

JDK-8240919 (not public)

 [macos] Invisible (or Hidden) Text in the Installer Window Using Mac's Dark Mode

Some text in the Installer window is hidden/invisible when using Dark mode on macOS. To workaround this issue, switch to Light mode when running the installer. This issue should be resolved by JDK-8249683.

See JDK-8249683

 Enhanced Support of Proxy Class

The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit. The limit is the maximum number of interfaces allowed per Proxy in the stream. Setting the limit to zero prevents any Proxies from being deserialized including Annotations, a limit of less than 2 might interfere with RMI operations.

JDK-8236862 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8198406 client-libs 2d Test TestAATMorxFont is unstable
2 JDK-8220150 client-libs 2d [macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
3 JDK-8236996 client-libs 2d Incorrect Roboto font rendering on Windows with subpixel antialiasing
4 JDK-8244818 client-libs 2d [macos] Java2D Queue Flusher crash while moving application window to external monitor
5 JDK-6966205 client-libs java.awt closed/sun/awt/font/ failed with compilation error
6 JDK-8183286 client-libs java.awt Some java/awt and javax/swing tests miss headful jtreg keyword
7 JDK-8198612 client-libs java.awt Headful closed tests should not be run in headless mode
8 JDK-8030123 client-libs java.beans java/beans/Introspector/ fails
9 JDK-8060027 client-libs java.beans Tests java/beans/XMLEncoder/ and java/beans/XMLEncoder/
10 JDK-8156579 client-libs java.beans Two JavaBeans tests failed
11 JDK-8156581 client-libs java.beans Cleanup of ProblemList.txt
12 JDK-8249278 client-libs javax.accessibility Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
13 JDK-8183341 client-libs javax.imageio Better cleanup for javax/imageio/
14 JDK-8183349 client-libs javax.imageio Better cleanup for jdk/test/javax/imageio/plugins/shared/ and
15 JDK-8183351 client-libs javax.imageio Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/
16 JDK-7109623 client-libs javax.sound javax/sound/sampled/DirectAudio/ failed
17 JDK-8047222 client-libs javax.sound Test closed/javax/sound/sampled/Clip/ fails if run with 32-bit java on Windows 64-bit host
18 JDK-8148983 client-libs javax.sound Fix extra comma in changes for JDK-8148916
19 JDK-8153725 client-libs javax.sound Problem list javax/sound/sampled/DirectAudio/ for Linux
20 JDK-8156169 client-libs javax.sound Some sound tests rarely hangs because of incorrect synchronization
21 JDK-8160217 client-libs javax.sound JavaSound should clean up resources better
22 JDK-6962725 client-libs javax.swing Regtest javax/swing/JFileChooser/6738668/ fails under Linux
23 JDK-8198004 client-libs javax.swing javax/swing/JFileChooser/6868611/ throws error
24 JDK-8198321 client-libs javax.swing javax/swing/JEditorPane/5076514/ fails
25 JDK-8249251 client-libs javax.swing [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
26 JDK-8168517 core-libs java.lang java/lang/ProcessBuilder/ failed with "java.lang.AssertionError: Some tests failed"
27 JDK-8151788 core-libs NullPointerException from ntlm.Client.type3
28 JDK-8192953 core-svc sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied
29 JDK-8242884 deploy plugin 8u241 32 bit SSV Helper causes long load time and page load on IE11
30 JDK-8145096 hotspot compiler Undefined behaviour in HotSpot
31 JDK-8215265 hotspot compiler C2: range check elimination may allow illegal out of bound access
32 JDK-8023697 hotspot runtime failed class resolution reports different class name in detail message for the first and subsequent times
33 JDK-8048933 hotspot runtime -XX:+TraceExceptions output should include the message
34 JDK-8064319 hotspot runtime Need to enable -XX:+TraceExceptions in release builds
35 JDK-8235243 hotspot runtime handle VS2017 15.9 and VS2019 in abstract_vm_version
36 JDK-8240295 hotspot runtime hs_err elapsed time in seconds is not accurate enough
37 JDK-8193800 javafx controls TreeTableView selection changes on sorting
38 JDK-8129582 javafx graphics Controls slow considerably when displaying RTL-languages text on Linux
39 JDK-8246204 javafx graphics No 3D support for newer Intel graphics drivers on Linux
40 JDK-8246348 javafx graphics Crash in libpango on Ubuntu 20.04 with some unicode chars
41 JDK-8239095 javafx media Upgrade libFFI to the latest 3.3 version
42 JDK-8248365 javafx media Debug build crashes on Windows when playing media file
43 JDK-8252107 javafx media Media pipeline initialization can crash if audio or video bin state change fails
44 JDK-8191758 javafx web Match WebKit's font weight rendering with JavaFX
45 JDK-8208169 javafx web can not print selected pages of web page
46 JDK-8245284 javafx web Update to 610.1 version of WebKit
47 JDK-8246357 javafx web Allow static build of webkit library on linux
48 JDK-8247963 javafx web Update SQLite to version 3.32.3
49 JDK-8249839 javafx web Cherry pick GTK WebKit 2.28.3 changes
50 JDK-8252381 javafx web Cherry pick GTK WebKit 2.28.4 changes
51 JDK-8248490 javafx window-toolkit [macOS] Undecorated stage does not minimize
52 JDK-8141457 security-libs keytool default cert fingerprint algorithm should be SHA-256
53 JDK-8211049 security-libs Second parameter of "initialize" method is not used
54 JDK-8242556 security-libs Cannot load RSASSA-PSS public key with non-null params from byte array
55 JDK-8245151 security-libs jarsigner should not raise duplicate warnings on verification
56 JDK-8205111 security-libs Develop new Test to verify different key types for supported TLS protocols.
57 JDK-8215443 security-libs The use of TransportContext.fatal() leads to bad coding style
58 JDK-8236464 security-libs SO_LINGER option is ignored by SSLSocket in JDK 11
59 JDK-8226719 security-libs org.ietf.jgss Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message"
60 JDK-8227381 security-libs org.ietf.jgss GSS login fails with PREAUTH_FAILED
61 JDK-8227437 security-libs org.ietf.jgss:krb5 S4U2proxy cannot continue because server's TGT cannot be found
62 JDK-8246193 security-libs org.ietf.jgss:krb5 Possible NPE in ENC-PA-REP search in AS-REQ
63 JDK-8250582 security-libs org.ietf.jgss:krb5 Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
64 JDK-8249717 tools javac langtools tests are failing on Windows in jdk8u-cpu
65 JDK-8248348 xml jaxp Regression caused by the update to BCEL 6.0