JDK 8u301 Release Notes
Java SE 8u301 Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 8u301 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
Changes in Java SE 8u301 b34
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| JDK-6801613 | client-libs | 2d | Cross-platform pageDialog and printDialog top margin entry broken |
| JDK-8268965 | security-libs | javax.net.ssl | TCP Connection Reset when connecting simple socket to SSL server |
Changes in Java SE 8u301 b33
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| JDK-8261287 (Confidential) | client-libs | 2d | Ductus renderer does not work properly on aarch64, all graphics primitives appear broken |
| JDK-8271206 (Confidential) | deploy | webstart | Passing system property jnlp.sis.session requires multi-clicks |
| JDK-8271087 (Confidential) | install | install | [macos] postinstall script should provide verbose output |
| JDK-8271854 | core-libs | java.nio | Explicitly reclaim cached thread-local direct buffers at thread exit |
| JDK-8205540 | core-svc | debugger | test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 |
Changes in Java SE 8u301 b32
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| JDK-8268213 | xml | jax-ws | Racecondition at ContextClassloaderLocal.java:45 |
Java™ SE Development Kit 8, Update 301 (JDK 8u301)
July 20, 2021
The full version string for this update release is 8u301-b09 (where "b" means "build"). The version number is 8u301.
IANA TZ Data 2021a
JDK 8u301 contains IANA time zone data 2021a.
For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u301 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 8 | 8u301-b09 |
| 7 | 7u311-b07 |
Keeping the JDK up to Date
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u301) be used after the next critical patch update scheduled for October 19, 2021.
Java SE Subscription customers managing JRE updates/installs for large numbers of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u301) on 2021-11-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
New Features
The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.
By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.
New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.
Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256
Removed Features and Options
The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:
+ alias name "thawtepremiumserverca [jdk]"
Distinguished Name: EMAILADDRESS=premium-server@thawte.com,
CN=Thawte Premium Server CA, OU=Certification Services Division,
O=Thawte Consulting cc,
L=Cape Town, ST=Western Cape, C=ZA
+ alias name "verisignclass2g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network,
OU="(c) 1998 VeriSign, Inc. - For authorized use only",
OU=Class 2 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
+ alias name "verisignclass3ca [jdk]"
Distinguished Name: OU=Class 3 Public Primary Certification Authority,
O="VeriSign, Inc.", C=US
+ alias name "verisignclass3g2ca [jdk]"
Distinguished Name: OU=VeriSign Trust Network,
OU="(c) 1998 VeriSign, Inc. - For authorized use only",
OU=Class 3 Public Primary Certification Authority - G2,
O="VeriSign, Inc.", C=US
+ alias name "verisigntsaca [jdk]"
Distinguished Name: CN=Thawte Timestamping CA,
OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+ alias name "gtecybertrustglobalca [jdk]"
Distinguished Name:CN=GTE CyberTrust Global Root,
OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US
The following root certificate has been removed from the cacerts truststore:
+ Telia Company
+ soneraclass2ca
DN: CN=Sonera Class2 CA, O=Sonera, C=FI
Other Notes
The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.
There are other rpms providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP passive mode.
jdk.net.ftp.trustPasvAddress.
In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command
On the macOS platform, custom URL protocol handlers such as Java WebStart (jnlp and jnlps URI schemes) are deregistered after an OS upgrade. If the Java WebStart application uses jnlp or jnlps URI scheme(s), it is recommended that you check their registration status after the OS upgrade. The registration status of the custom URL protocol handlers can be obtained via the 'lsregister' command.
For example:
lsregister -dump URLSchemeBinding | sort | grep 'jnlp|java|jar'
The Java WebStart protocol handler is registered and no-further action is required if the output of the above command contains the following lines:
jnlp: Java Network Launch Protocol (0x4680) (0x4682)
jnlps: Secure Java Network Launch Protocol (0x4684) (0x4686)
Otherwise, it is necessary to upgrade or reinstall the JRE in order to register the Java WebStart protocol.
The default encryption algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.
For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.
In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:
- Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
- Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK
cacertskeystore will not be restricted.
These exceptions may be removed in a future JDK release.
Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.
Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.
SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.
See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.
Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.
The following system property has been added for validation of server addresses in FTP passive mode.
jdk.net.ftp.trustPasvAddress.
In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.
To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command
Bug Fixes
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
| # | BugId | Component | Subcomponent | Summary |
|---|---|---|---|---|
| 1 | JDK-8249142 | client-libs | java/awt/FontClass/CreateFont/DeleteFont.sh is unstable | |
| 2 | JDK-8166673 | client-libs | The new implementation of Robot.waitForIdle() may hang | |
| 3 | JDK-8263311 | client-libs | 2d | Watch registry changes for remote printers update instead of polling |
| 4 | JDK-8262829 | client-libs | 2d | Native crash in Win32PrintServiceLookup.getAllPrinterNames() |
| 5 | JDK-8260380 | client-libs | 2d | Upgrade to LittleCMS 2.12 |
| 6 | JDK-6847157 | client-libs | 2d | java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit |
| 7 | JDK-8225105 | client-libs | java.awt | java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10 |
| 8 | JDK-8198335 | client-libs | java.awt | java/awt/FullScreen/UninitializedDisplayModeChangeTest/UninitializedDisplayModeChangeTest.java fails in headless mode |
| 9 | JDK-6544871 | client-libs | java.awt | java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows. |
| 10 | JDK-8196019 | client-libs | java.awt | java/awt/Window/Grab/GrabTest.java fails on Windows |
| 11 | JDK-8224821 | client-libs | java.awt | java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64 |
| 12 | JDK-8215105 | client-libs | java.awt | java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color |
| 13 | JDK-8261231 | client-libs | java.awt | Windows IME was disabled after DnD operation |
| 14 | JDK-7185258 | client-libs | java.awt | [macOS] Deadlock in SunToolKit.realSync() |
| 15 | JDK-8240518 | client-libs | java.awt | Incorrect JNU_ReleaseStringPlatformChars in Windows Print |
| 16 | JDK-8004148 | client-libs | java.awt | NPE in sun.awt.SunToolkit.getWindowDeactivationTime |
| 17 | JDK-8262446 | client-libs | java.awt | DragAndDrop hangs on Windows |
| 18 | JDK-8159898 | client-libs | java.beans | Negative array size in java/beans/Introspector/Test8027905.java |
| 19 | JDK-8178403 | client-libs | javax.sound | DirectAudio in JavaSound may hang and leak |
| 20 | JDK-8159135 | client-libs | javax.swing | [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail |
| 21 | JDK-8264328 | client-libs | javax.swing | Broken license in javax/swing/JComboBox/8072767/bug8072767.java |
| 22 | JDK-8240690 | client-libs | javax.swing | Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() |
| 23 | JDK-8239312 | client-libs | javax.swing | [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java |
| 24 | JDK-8196100 | client-libs | javax.swing | javax/swing/text/JTextComponent/5074573/bug5074573.java fails |
| 25 | JDK-8177809 | core-libs | java.io | File.lastModified() is losing milliseconds (always ends in 000) |
| 26 | JDK-8178161 | core-libs | java.net | Default multicast interface on Mac |
| 27 | JDK-8263917 | core-libs | java.rmi | Backout of 8049202 in 8u |
| 28 | JDK-8252883 | core-libs | java.util.logging | AccessDeniedException caused by delayed file deletion on Windows |
| 29 | JDK-8262110 | core-libs | java.util:i18n | DST starts from incorrect time in 2038 |
| 30 | JDK-8255086 | core-libs | java.util:i18n | Update the root locale display names |
| 31 | JDK-8247432 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-09-29 |
| 32 | JDK-8241082 | core-libs | java.util:i18n | Upgrade IANA Language Subtag Registry data to 03-16-2020 version |
| 33 | JDK-8242010 | core-libs | java.util:i18n | Update IANA Language Subtag Registry to Version 2020-04-01 |
| 34 | JDK-8073446 | core-libs | java.util:i18n | TimeZone getOffset API does not return a DST offset between years 2038-2137 |
| 35 | JDK-8258753 | core-libs | javax.naming | StartTlsResponse.close() hangs due to synchronization issues |
| 36 | JDK-8247707 | deploy | plugin | UAC prompt of unknown publisher after upgrading java 8u241 |
| 37 | JDK-7123987 | docs | Request Documentation on JNLP/JNI with in 32-bit and 64-bit windows | |
| 38 | JDK-8216154 | hotspot | compiler | C4819 warnings at HotSpot sources on Windows |
| 39 | JDK-8211233 | hotspot | compiler | MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better |
| 40 | JDK-8209420 | hotspot | compiler | Track membars for volatile accesses so they can be properly optimized |
| 41 | JDK-8132148 | hotspot | gc | G1 hs_err region dump legend out of sync with region values |
| 42 | JDK-8166607 | hotspot | gc | G1 needs klass_or_null_acquire |
| 43 | JDK-8166862 | hotspot | gc | CMS needs klass_or_null_acquire |
| 44 | JDK-8166229 | hotspot | gc | Eliminate ParNew's use of klass_or_null() |
| 45 | JDK-8166663 | hotspot | gc | Simplify oops_on_card_seq_iterate_careful |
| 46 | JDK-8166583 | hotspot | gc | Add oopDesc::klass_or_null_acquire() |
| 47 | JDK-8165808 | hotspot | gc | Add release barriers when allocating objects with concurrent collection |
| 48 | JDK-8260704 | hotspot | gc | ParallelGC: oldgen expansion needs release-store for _end |
| 49 | JDK-8259271 | hotspot | gc | gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" |
| 50 | JDK-8257746 | hotspot | runtime | Regression introduced with JDK-8250984 - memory might be null in some machines |
| 51 | JDK-8203345 | javafx | accessibility | Memory leak in VirtualFlow when screen reader is enabled |
| 52 | JDK-8160554 | javafx | controls | Wrong unit measure in CornerRadiiConverter |
| 53 | JDK-8185854 | javafx | controls | NPE on non-editable ComboBox in TabPane with custom Skin |
| 54 | JDK-8266966 | javafx | controls | Wrong CSS properties are applied to other nodes after fix for JDK-8204568 |
| 55 | JDK-8204568 | javafx | controls | Relative CSS-Attributes don't work all time |
| 56 | JDK-8239589 | javafx | graphics | JavaFX UI will not repaint after reconnecting via Remote Desktop |
| 57 | JDK-8259046 | javafx | graphics | ViewPainter.ROOT_PATHS holds reference to Scene causing memory leak |
| 58 | JDK-8258986 | javafx | graphics | getColor throws IOOBE when PixelReader reads the same pixel twice |
| 59 | JDK-8259356 | javafx | media | MediaPlayer's seek freezes video |
| 60 | JDK-8262365 | javafx | media | Update GStreamer to version 1.18.3 |
| 61 | JDK-8262366 | javafx | media | Update glib to version 2.66.7 |
| 62 | JDK-8268152 | javafx | media | gstmpegaudioparse does not provides timestamps for HLS MP3 streams |
| 63 | JDK-8260246 | javafx | samples | Ensemble: Update version of Lucene to 7.7.3 |
| 64 | JDK-8259680 | javafx | scenegraph | Need API to query states of CAPS LOCK and NUM LOCK keys |
| 65 | JDK-8264990 | javafx | web | WebEngine crashes with segfault when not loaded through system classloader |
| 66 | JDK-8259555 | javafx | web | Webkit crashes on Apple Silicon |
| 67 | JDK-8263788 | javafx | web | JavaFX application freezes completely after some time when using the WebView |
| 68 | JDK-8261927 | javafx | web | WebKit build fails with Visual Studio 2017 |
| 69 | JDK-8260245 | javafx | web | Update ICU4C to version 68.2 |
| 70 | JDK-8251555 | javafx | window-toolkit | Remove unused focusedWindow field in glass Window to avoid leak |
| 71 | JDK-8263169 | javafx | window-toolkit | [macOS] JavaFX windows open as tabs when system preference for documents is set |
| 72 | JDK-8266293 | security-libs | Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" | |
| 73 | JDK-8263817 | security-libs | java.security | java.util.MissingResourceException if add cert with GOST key in cacerts |
| 74 | JDK-8218553 | security-libs | java.security | Enhance keystore load debug output |
| 75 | JDK-8243559 | security-libs | java.security | Remove root certificates with 1024-bit keys |
| 76 | JDK-8225081 | security-libs | java.security | Remove Telia Company CA certificate expiring in April 2021 |
| 77 | JDK-8153005 | security-libs | java.security | Upgrade the default PKCS12 encryption/MAC algorithms |
| 78 | JDK-8267599 | security-libs | java.security | Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u |
| 79 | JDK-8214513 | security-libs | java.security | A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11 |
| 80 | JDK-8202837 | security-libs | java.security | PBES2 AlgorithmId encoding error in PKCS12 KeyStore |
| 81 | JDK-8267100 | security-libs | java.security | [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs |
| 82 | JDK-8196415 | security-libs | java.security | Disable SHA-1 Signed JARs |
| 83 | JDK-8076190 | security-libs | java.security | Customizing the generation of a PKCS12 keystore |
| 84 | JDK-8260300 | security-libs | javax.net.ssl | Restrict TLS signature schemes in 8u |
| 85 | JDK-8254631 | security-libs | javax.net.ssl | Better support ALPN byte wire values in SunJSSE |
| 86 | JDK-8005819 | security-libs | org.ietf.jgss:krb5 | Support cross-realm MSSFU |
| 87 | JDK-8180478 | tools | tools/launcher/MultipleJRE.sh fails on Windows because of extra-'' | |
| 88 | JDK-8260568 | xml | Xerces version string output does not match actual version in JDK | |
| 89 | JDK-8235368 | xml | jaxp | Update BCEL to Version 6.4.1 |
| 90 | JDK-8213734 | xml | org.xml.sax | SAXParser.parse(File, ..) does not close resources when Exception occurs. |