The following sections summarize changes made in all Java SE 8u271 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
|JDK-8256818||security-libs||javax.net.ssl||SSLSocket that is never bound or connected leaks socket resources|
|JDK-8257670||security-libs||javax.net.ssl||sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks|
|JDK-8257997||security-libs||javax.net.ssl||sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884|
|JDK-8255908||core-libs||ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem|
|JDK-8250627||core-libs||Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics|
|JDK-8256685||xml||jaxp||Behavior change in XML since jdk1.8.0_271|
|JDK-8238579||core-libs||java.net||HttpsURLConnection drops the timeout and hangs forever in read|
|JDK-8254982||core-libs||java.time||(tz) Upgrade time-zone data to tzdata2020c|
|JDK-8255226||core-libs||java.time||(tz) Upgrade time-zone data to tzdata2020d|
|JDK-8250984||hotspot||runtime||Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities|
|JDK-8255559||security-libs||javax.xml.crypto||Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()|
|JDK-8253502 (Confidential)||hotspot||svc||No certificates in "Request Authentication" dialog after upgrading to 8u261|
|JDK-8252455 (Confidential)||core-libs||java.net||Performance issue caused by 8232854|
|JDK-8206925||security-libs||javax.net.ssl||Support the certificate_authorities extension|
|JDK-8250676 (Confidential)||hotspot||svc||JFR recording MonitorEnter events - Stack trace caching|
|JDK-8254177||core-libs||java.time||(tz) Upgrade time-zone data to tzdata2020b.|
October 20, 2020
The full version string for this update release is 1.8.0_271-b09 (where "b" means "build"). The version number is 8u271.
JDK 8u271 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u271 are specified in the following table:
|JRE Family Version||JRE Security Baseline (Full Version String)|
Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u271) be used after the next critical patch update scheduled for January 19, 2021.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u271) on February 20, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
Weak named curves are disabled by default by adding them to the following
disabledAlgorithms security properties:
jdk.jar.disabledAlgorithms. The named curves are listed below.
With 47 weak named curves to be disabled, adding individual named curves to each
disabledAlgorithms property would be overwhelming. To relieve this, a new security property,
jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the
disabledAlgorithms properties. To use the new property in the
disabledAlgorithms properties, precede the full property name with the keyword
include. Users can still add individual named curves to
disabledAlgorithms properties separate from this new property. No other properties can be included in the
To restore the named curves, remove the
include jdk.disabled.namedCurves either from specific or from all
disabledAlgorithms security properties.
To restore one or more curves, remove the specific named curve(s) from the
Curves that are disabled through
jdk.disabled.namedCurves include the following:
secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448
The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.
As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).
Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the
sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the
sun.security.krb5.maxReferrals security or system property to any positive value.
See further information in JDK-8223172.
A new system property,
jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).
A new system property,
jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.
jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the
jdk.security.legacyAlgorithms security property in the
java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.
The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.
The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).
NPAPI is considered to be a vulnerable plugin and has been disabled in many browsers. No browsers currently support Java Plugin, which is NPAPI-based, on Linux, Solaris, and MacOS platforms.
Starting from 8u271, the part of Java Plugin responsible for integration and interaction with a browser (in particular
libnpjp2 library) and an associated artifact will not be built and is not part of the JRE distribution on Linux, Solaris, and MacOS platforms.
A new environment property,
jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to
control which LDAP authentication mechanisms are allowed to send
clear LDAP connections - a connection not secured
with TLS. An
encrypted LDAP connection is a connection opened
ldaps scheme, or a connection opened by using
and then upgraded to TLS with a STARTTLS extended operation.
The value of the property, which is by default not set, is a comma
separated list of the mechanism names that are permitted to authenticate
clear connection. If a value is not specified for the property, then all mechanisms
are allowed. If the specified value is an empty list, then no mechanisms are
allowed (except for
anonymous). The default value for this property is 'null'
System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a
clear connection, the property
value can be set to
"all". If a connection is downgraded from
clear, then only the mechanisms that are explicitly permitted are allowed.
The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.
anonymous authentication mechanisms are exempted
from these rules and are always allowed regardless of the property value.
The following root certificates have been added to the cacerts truststore:
+ SSL Corporation + sslrootrsaca DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US + sslrootevrsaca DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US + sslrooteccca DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
The following root certificate has been added to the cacerts truststore:
+ Entrust + entrustrootcag4 DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework,
javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the
javac group with alternatives framework. All links unique to the
javac group have been moved into the
java group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.
The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the
java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command:
/usr/sbin/alternatives --auto java
Some text in the Installer window is hidden/invisible when using Dark mode on macOS. To workaround this issue, switch to Light mode when running the installer. This issue should be resolved by JDK-8249683.
The deserialization of
java.lang.reflect.Proxy objects can be limited by setting the system property
The limit is the maximum number of interfaces allowed per Proxy in the stream.
Setting the limit to zero prevents any Proxies from being deserialized including Annotations, a limit of less than 2 might interfere with RMI operations.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
|1||JDK-8198406||client-libs||2d||Test TestAATMorxFont is unstable|
|2||JDK-8220150||client-libs||2d||[macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs|
|3||JDK-8236996||client-libs||2d||Incorrect Roboto font rendering on Windows with subpixel antialiasing|
|4||JDK-8244818||client-libs||2d||[macos] Java2D Queue Flusher crash while moving application window to external monitor|
|5||JDK-6966205||client-libs||java.awt||closed/sun/awt/font/DeriveFont.java failed with compilation error|
|6||JDK-8183286||client-libs||java.awt||Some java/awt and javax/swing tests miss headful jtreg keyword|
|7||JDK-8198612||client-libs||java.awt||Headful closed tests should not be run in headless mode|
|9||JDK-8060027||client-libs||java.beans||Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java|
|10||JDK-8156579||client-libs||java.beans||Two JavaBeans tests failed|
|11||JDK-8156581||client-libs||java.beans||Cleanup of ProblemList.txt|
|12||JDK-8249278||client-libs||javax.accessibility||Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList|
|13||JDK-8183341||client-libs||javax.imageio||Better cleanup for javax/imageio/AllowSearch.java|
|14||JDK-8183349||client-libs||javax.imageio||Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java|
|15||JDK-8183351||client-libs||javax.imageio||Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh|
|17||JDK-8047222||client-libs||javax.sound||Test closed/javax/sound/sampled/Clip/bug6251460.java fails if run with 32-bit java on Windows 64-bit host|
|18||JDK-8148983||client-libs||javax.sound||Fix extra comma in changes for JDK-8148916|
|19||JDK-8153725||client-libs||javax.sound||Problem list javax/sound/sampled/DirectAudio/bug6400879.java for Linux|
|20||JDK-8156169||client-libs||javax.sound||Some sound tests rarely hangs because of incorrect synchronization|
|21||JDK-8160217||client-libs||javax.sound||JavaSound should clean up resources better|
|22||JDK-6962725||client-libs||javax.swing||Regtest javax/swing/JFileChooser/6738668/bug6738668.java fails under Linux|
|23||JDK-8198004||client-libs||javax.swing||javax/swing/JFileChooser/6868611/bug6868611.java throws error|
|25||JDK-8249251||client-libs||javax.swing||[dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel|
|26||JDK-8168517||core-libs||java.lang||java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed"|
|27||JDK-8151788||core-libs||java.net||NullPointerException from ntlm.Client.type3|
|28||JDK-8192953||core-svc||java.lang.management||sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied|
|29||JDK-8242884||deploy||plugin||8u241 32 bit SSV Helper causes long load time and page load on IE11|
|30||JDK-8145096||hotspot||compiler||Undefined behaviour in HotSpot|
|31||JDK-8215265||hotspot||compiler||C2: range check elimination may allow illegal out of bound access|
|32||JDK-8023697||hotspot||runtime||failed class resolution reports different class name in detail message for the first and subsequent times|
|33||JDK-8048933||hotspot||runtime||-XX:+TraceExceptions output should include the message|
|34||JDK-8064319||hotspot||runtime||Need to enable -XX:+TraceExceptions in release builds|
|35||JDK-8235243||hotspot||runtime||handle VS2017 15.9 and VS2019 in abstract_vm_version|
|36||JDK-8240295||hotspot||runtime||hs_err elapsed time in seconds is not accurate enough|
|37||JDK-8193800||javafx||controls||TreeTableView selection changes on sorting|
|38||JDK-8129582||javafx||graphics||Controls slow considerably when displaying RTL-languages text on Linux|
|39||JDK-8246204||javafx||graphics||No 3D support for newer Intel graphics drivers on Linux|
|40||JDK-8246348||javafx||graphics||Crash in libpango on Ubuntu 20.04 with some unicode chars|
|41||JDK-8239095||javafx||media||Upgrade libFFI to the latest 3.3 version|
|42||JDK-8248365||javafx||media||Debug build crashes on Windows when playing media file|
|43||JDK-8252107||javafx||media||Media pipeline initialization can crash if audio or video bin state change fails|
|44||JDK-8191758||javafx||web||Match WebKit's font weight rendering with JavaFX|
|45||JDK-8208169||javafx||web||can not print selected pages of web page|
|46||JDK-8245284||javafx||web||Update to 610.1 version of WebKit|
|47||JDK-8246357||javafx||web||Allow static build of webkit library on linux|
|48||JDK-8247963||javafx||web||Update SQLite to version 3.32.3|
|49||JDK-8249839||javafx||web||Cherry pick GTK WebKit 2.28.3 changes|
|50||JDK-8252381||javafx||web||Cherry pick GTK WebKit 2.28.4 changes|
|51||JDK-8248490||javafx||window-toolkit||[macOS] Undecorated stage does not minimize|
|52||JDK-8141457||security-libs||java.security||keytool default cert fingerprint algorithm should be SHA-256|
|53||JDK-8211049||security-libs||java.security||Second parameter of "initialize" method is not used|
|54||JDK-8242556||security-libs||java.security||Cannot load RSASSA-PSS public key with non-null params from byte array|
|55||JDK-8245151||security-libs||java.security||jarsigner should not raise duplicate warnings on verification|
|56||JDK-8205111||security-libs||javax.net.ssl||Develop new Test to verify different key types for supported TLS protocols.|
|57||JDK-8215443||security-libs||javax.net.ssl||The use of TransportContext.fatal() leads to bad coding style|
|58||JDK-8236464||security-libs||javax.net.ssl||SO_LINGER option is ignored by SSLSocket in JDK 11|
|59||JDK-8226719||security-libs||org.ietf.jgss||Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message"|
|60||JDK-8227381||security-libs||org.ietf.jgss||GSS login fails with PREAUTH_FAILED|
|61||JDK-8227437||security-libs||org.ietf.jgss:krb5||S4U2proxy cannot continue because server's TGT cannot be found|
|62||JDK-8246193||security-libs||org.ietf.jgss:krb5||Possible NPE in ENC-PA-REP search in AS-REQ|
|63||JDK-8250582||security-libs||org.ietf.jgss:krb5||Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets|
|64||JDK-8249717||tools||javac||langtools tests are failing on Windows in jdk8u-cpu|
|65||JDK-8248348||xml||jaxp||Regression caused by the update to BCEL 6.0|