java

JDK 8u301 Release Notes

Java SE 8u301 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u301 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u301 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-6801613 client-libs 2d Cross-platform pageDialog and printDialog top margin entry broken
JDK-8268965 security-libs javax.net.ssl TCP Connection Reset when connecting simple socket to SSL server

 

Changes in Java SE 8u301 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8261287 (Confidential) client-libs 2d Ductus renderer does not work properly on aarch64, all graphics primitives appear broken
JDK-8271206 (Confidential) deploy webstart Passing system property jnlp.sis.session requires multi-clicks
JDK-8271087 (Confidential) install install [macos] postinstall script should provide verbose output
JDK-8271854 core-libs java.nio Explicitly reclaim cached thread-local direct buffers at thread exit
JDK-8205540 core-svc debugger test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 commands

 

Changes in Java SE 8u301 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8268213 xml jax-ws Racecondition at ContextClassloaderLocal.java:45

Java™ SE Development Kit 8, Update 301 (JDK 8u301)

July 20, 2021

The full version string for this update release is 8u301-b09 (where "b" means "build"). The version number is 8u301.

IANA TZ Data 2021a

JDK 8u301 contains IANA time zone data 2021a.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u301 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u301-b09
7 7u311-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u301) be used after the next critical patch update scheduled for October 19, 2021.

Java SE Subscription customers managing JRE updates/installs for large numbers of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u301) on 2021-11-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/org.ietf.jgss:krb5
 Support cross-realm MSSFU

The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.

By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.

[1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94

See JDK-8005819

security-libs/java.security
 Customizing PKCS12 keystore Generation

New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.

Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256

See JDK-8076190

Removed Features and Options

security-libs/java.security
 Removed Root Certificates with 1024-bit Keys

The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:

+ alias name "thawtepremiumserverca [jdk]"

  Distinguished Name: EMAILADDRESS=premium-server@thawte.com, 
  CN=Thawte Premium Server CA, OU=Certification Services Division, 
  O=Thawte Consulting cc, 
  L=Cape Town, ST=Western Cape, C=ZA

+ alias name "verisignclass2g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, 
  OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
  OU=Class 2 Public Primary Certification Authority - G2, 
  O="VeriSign, Inc.", C=US

+ alias name "verisignclass3ca [jdk]"
  Distinguished Name: OU=Class 3 Public Primary Certification Authority, 
  O="VeriSign, Inc.", C=US

+ alias name "verisignclass3g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, 
  OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
  OU=Class 3 Public Primary Certification Authority - G2, 
  O="VeriSign, Inc.", C=US

+ alias name "verisigntsaca [jdk]"
  Distinguished Name: CN=Thawte Timestamping CA, 
  OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

+ alias name "gtecybertrustglobalca [jdk]"
  Distinguished Name:CN=GTE CyberTrust Global Root, 
  OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US 


See JDK-8243559

security-libs/java.security
 Removed Telia Company's Sonera Class2 CA certificate

The following root certificate has been removed from the cacerts truststore:

+ Telia Company

  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI
See JDK-8225081

Other Notes

install/install
 Updated List of Capabilities Provided by JDK RPMs

The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.

There are other rpms providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.

JDK-8263575 (not public)

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

deploy/webstart
 Java WebStart Protocol Registration After macOS Upgrade

On the macOS platform, custom URL protocol handlers such as Java WebStart (jnlp and jnlps URI schemes) are deregistered after an OS upgrade. If the Java WebStart application uses jnlp or jnlps URI scheme(s), it is recommended that you check their registration status after the OS upgrade. The registration status of the custom URL protocol handlers can be obtained via the 'lsregister' command.

For example:

lsregister -dump URLSchemeBinding | sort | grep 'jnlp|java|jar'

The Java WebStart protocol handler is registered and no-further action is required if the output of the above command contains the following lines:

jnlp: Java Network Launch Protocol (0x4680) (0x4682)
jnlps: Secure Java Network Launch Protocol (0x4684) (0x4686)

Otherwise, it is necessary to upgrade or reinstall the JRE in order to register the Java WebStart protocol.

JDK-8273858 (not public)

security-libs/java.security
 Upgraded the Default PKCS12 Encryption Algorithms

The default encryption algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

See JDK-8153005

security-libs/java.security
 Disable SHA-1 JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

See JDK-8196415

security-libs/javax.net.ssl
 Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.

See JDK-8254631

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8249142 client-libs java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
2 JDK-8166673 client-libs The new implementation of Robot.waitForIdle() may hang
3 JDK-8263311 client-libs 2d Watch registry changes for remote printers update instead of polling
4 JDK-8262829 client-libs 2d Native crash in Win32PrintServiceLookup.getAllPrinterNames()
5 JDK-8260380 client-libs 2d Upgrade to LittleCMS 2.12
6 JDK-6847157 client-libs 2d java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
7 JDK-8225105 client-libs java.awt java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10
8 JDK-8198335 client-libs java.awt java/awt/FullScreen/UninitializedDisplayModeChangeTest/UninitializedDisplayModeChangeTest.java fails in headless mode
9 JDK-6544871 client-libs java.awt java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
10 JDK-8196019 client-libs java.awt java/awt/Window/Grab/GrabTest.java fails on Windows
11 JDK-8224821 client-libs java.awt java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64
12 JDK-8215105 client-libs java.awt java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
13 JDK-8261231 client-libs java.awt Windows IME was disabled after DnD operation
14 JDK-7185258 client-libs java.awt [macOS] Deadlock in SunToolKit.realSync()
15 JDK-8240518 client-libs java.awt Incorrect JNU_ReleaseStringPlatformChars in Windows Print
16 JDK-8004148 client-libs java.awt NPE in sun.awt.SunToolkit.getWindowDeactivationTime
17 JDK-8262446 client-libs java.awt DragAndDrop hangs on Windows
18 JDK-8159898 client-libs java.beans Negative array size in java/beans/Introspector/Test8027905.java
19 JDK-8178403 client-libs javax.sound DirectAudio in JavaSound may hang and leak
20 JDK-8159135 client-libs javax.swing [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail
21 JDK-8264328 client-libs javax.swing Broken license in javax/swing/JComboBox/8072767/bug8072767.java
22 JDK-8240690 client-libs javax.swing Race condition between EDT and BasicDirectoryModel.FilesLoader.run0()
23 JDK-8239312 client-libs javax.swing [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
24 JDK-8196100 client-libs javax.swing javax/swing/text/JTextComponent/5074573/bug5074573.java fails
25 JDK-8177809 core-libs java.io File.lastModified() is losing milliseconds (always ends in 000)
26 JDK-8178161 core-libs java.net Default multicast interface on Mac
27 JDK-8263917 core-libs java.rmi Backout of 8049202 in 8u
28 JDK-8252883 core-libs java.util.logging AccessDeniedException caused by delayed file deletion on Windows
29 JDK-8262110 core-libs java.util:i18n DST starts from incorrect time in 2038
30 JDK-8255086 core-libs java.util:i18n Update the root locale display names
31 JDK-8247432 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-09-29
32 JDK-8241082 core-libs java.util:i18n Upgrade IANA Language Subtag Registry data to 03-16-2020 version
33 JDK-8242010 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-04-01
34 JDK-8073446 core-libs java.util:i18n TimeZone getOffset API does not return a DST offset between years 2038-2137
35 JDK-8258753 core-libs javax.naming StartTlsResponse.close() hangs due to synchronization issues
36 JDK-8247707 deploy plugin UAC prompt of unknown publisher after upgrading java 8u241
37 JDK-7123987 docs Request Documentation on JNLP/JNI with in 32-bit and 64-bit windows
38 JDK-8216154 hotspot compiler C4819 warnings at HotSpot sources on Windows
39 JDK-8211233 hotspot compiler MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better
40 JDK-8209420 hotspot compiler Track membars for volatile accesses so they can be properly optimized
41 JDK-8132148 hotspot gc G1 hs_err region dump legend out of sync with region values
42 JDK-8166607 hotspot gc G1 needs klass_or_null_acquire
43 JDK-8166862 hotspot gc CMS needs klass_or_null_acquire
44 JDK-8166229 hotspot gc Eliminate ParNew's use of klass_or_null()
45 JDK-8166663 hotspot gc Simplify oops_on_card_seq_iterate_careful
46 JDK-8166583 hotspot gc Add oopDesc::klass_or_null_acquire()
47 JDK-8165808 hotspot gc Add release barriers when allocating objects with concurrent collection
48 JDK-8260704 hotspot gc ParallelGC: oldgen expansion needs release-store for _end
49 JDK-8259271 hotspot gc gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
50 JDK-8257746 hotspot runtime Regression introduced with JDK-8250984 - memory might be null in some machines
51 JDK-8203345 javafx accessibility Memory leak in VirtualFlow when screen reader is enabled
52 JDK-8160554 javafx controls Wrong unit measure in CornerRadiiConverter
53 JDK-8185854 javafx controls NPE on non-editable ComboBox in TabPane with custom Skin
54 JDK-8266966 javafx controls Wrong CSS properties are applied to other nodes after fix for JDK-8204568
55 JDK-8204568 javafx controls Relative CSS-Attributes don't work all time
56 JDK-8239589 javafx graphics JavaFX UI will not repaint after reconnecting via Remote Desktop
57 JDK-8259046 javafx graphics ViewPainter.ROOT_PATHS holds reference to Scene causing memory leak
58 JDK-8258986 javafx graphics getColor throws IOOBE when PixelReader reads the same pixel twice
59 JDK-8259356 javafx media MediaPlayer's seek freezes video
60 JDK-8262365 javafx media Update GStreamer to version 1.18.3
61 JDK-8262366 javafx media Update glib to version 2.66.7
62 JDK-8268152 javafx media gstmpegaudioparse does not provides timestamps for HLS MP3 streams
63 JDK-8260246 javafx samples Ensemble: Update version of Lucene to 7.7.3
64 JDK-8259680 javafx scenegraph Need API to query states of CAPS LOCK and NUM LOCK keys
65 JDK-8264990 javafx web WebEngine crashes with segfault when not loaded through system classloader
66 JDK-8259555 javafx web Webkit crashes on Apple Silicon
67 JDK-8263788 javafx web JavaFX application freezes completely after some time when using the WebView
68 JDK-8261927 javafx web WebKit build fails with Visual Studio 2017
69 JDK-8260245 javafx web Update ICU4C to version 68.2
70 JDK-8251555 javafx window-toolkit Remove unused focusedWindow field in glass Window to avoid leak
71 JDK-8263169 javafx window-toolkit [macOS] JavaFX windows open as tabs when system preference for documents is set
72 JDK-8266293 security-libs Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
73 JDK-8263817 security-libs java.security java.util.MissingResourceException if add cert with GOST key in cacerts
74 JDK-8218553 security-libs java.security Enhance keystore load debug output
75 JDK-8243559 security-libs java.security Remove root certificates with 1024-bit keys
76 JDK-8225081 security-libs java.security Remove Telia Company CA certificate expiring in April 2021
77 JDK-8153005 security-libs java.security Upgrade the default PKCS12 encryption/MAC algorithms
78 JDK-8267599 security-libs java.security Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
79 JDK-8214513 security-libs java.security A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11
80 JDK-8202837 security-libs java.security PBES2 AlgorithmId encoding error in PKCS12 KeyStore
81 JDK-8267100 security-libs java.security [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs
82 JDK-8196415 security-libs java.security Disable SHA-1 Signed JARs
83 JDK-8076190 security-libs java.security Customizing the generation of a PKCS12 keystore
84 JDK-8260300 security-libs javax.net.ssl Restrict TLS signature schemes in 8u
85 JDK-8254631 security-libs javax.net.ssl Better support ALPN byte wire values in SunJSSE
86 JDK-8005819 security-libs org.ietf.jgss:krb5 Support cross-realm MSSFU
87 JDK-8180478 tools tools/launcher/MultipleJRE.sh fails on Windows because of extra-''
88 JDK-8260568 xml Xerces version string output does not match actual version in JDK
89 JDK-8235368 xml jaxp Update BCEL to Version 6.4.1
90 JDK-8213734 xml org.xml.sax SAXParser.parse(File, ..) does not close resources when Exception occurs.