The following sections summarize changes made in all Java SE 8u351 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8294307 | core-libs | java.util:i18n | ISO 4217 Amendment 173 Update |
JDK-8296239 | core-libs | java.util:i18n | ISO 4217 Amendment 174 Update |
JDK-8295173 | core-libs | java.time | (tz) Update Timezone Data to 2022e |
JDK-8296108 | core-libs | java.time | (tz) Update Timezone Data to 2022f |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8278027 | security-libs | javax.crypto | X509Key.decode exception while using JSafeJCE FIPS provider |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8224671 | hotspot | compiler | AArch64: mauve System.arraycopy test failure |
JDK-8292695 | hotspot | runtime | SIGQUIT and jcmd attaching mechanism does not work with signal chaining library |
JDK-8202014 | hotspot | runtime | Possible to receive signal before signal semaphore created |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8291973 | install | install | Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash |
JDK-8294357 | core-libs | java.time | (tz) Update Timezone Data to 2022d |
JDK-8293795 | javafx | accessibility | Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField |
October 18, 2022
The full version string for this update release is 8u351-b10 (where "b" means "build"). The version number is 8u351.
JDK 8u351 contains IANA time zone data 2022b, 2022c.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u351 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u351-b10 |
7 | 7u361-b08 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u351) be used after the next critical patch update scheduled for January 17, 2023.
Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u351) on 2023-02-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12
in the java.security
file for detailed information.
The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.
For compatibility, use the keystore.pkcs12.legacy
system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.
On platforms that support the concept of a thread name on their native threads, the java.lang.Thread.setName()
method will also set that native thread name. However, this will only occur when called by the current thread, and only for threads started through the java.lang.Thread
class (not for native threads that have attached via JNI). The presence of a native thread name can be useful for debugging and monitoring purposes. Some platforms may limit the native thread name to a length much shorter than that used by the java.lang.Thread
, which may result in some threads having the same native name.
The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK11. This registration was part of the public JRE installation.
However, Java Access Bridge can still be enabled and disabled by following these steps:
%JAVAHOME%\bin\windowsaccessbridge-64.dll
to %WINDOWSHOME%\SYSTEM32
. A reboot might be required after this step.%JAVAHOME%\bin\jabswitch /enable
and %JAVAHOME%\bin\jabswitch /disable
.Note: %WINDOWSHOME%
is the directory where Microsoft Windows is installed (for example, C:\WINDOWS
) %JAVAHOME%
is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11
)
JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.
To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:
This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs
on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.
For example:
- Signed by "CN="Signer""
Digest algorithm: SHA-1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 2048-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01
JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.
Users can, at their own risk, remove these restrictions by modifying the java.security
configuration file (or override it by using the java.security.properties
system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms
security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms
security property.
The des3-hmac-sha1
and rc4-hmac
Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true
in the krb5.conf
configuration file to re-enable them (along with other weak etypes including des-cbc-crc
and des-cbc-md5
) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes
, default_tgs_enctypes
, or permitted_enctypes
settings.
This enhancement changes phantom references to be automatically cleared by the garbage collector as soft and weak references.
An object becomes phantom reachable after it has been finalized. This change may cause the phantom reachable objects to be GC'ed earlier - previously the referent is kept alive until PhantomReference objects are GC'ed or cleared by the application. This potential behavioral change might only impact existing code that would depend on PhantomReference being enqueued rather than when the referent be freed from the heap.
java.lang.ref.Reference.enqueue
method clears the reference object before it is added to the registered queue. When the enqueue
method is called, the reference object is cleared and get()
method will return null in JDK 9.
Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear
method to avoid memory leak because its referent is no longer referenced. In other words the get
method is expected not to be called in common cases once the enqueue
method is called. In the case when the get
method from an enqueued reference object and existing code attempts to access members of the referent, NullPointerException
may be thrown. Such code will need to be updated.
java.lang.ref.Reference::clone
method always throws CloneNotSupportedException
. Reference
objects cannot be meaningfully cloned. To create a new Reference object, call the constructor to create a Reference
object with the same referent and reference queue instead.
This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.
As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.
For more details, refer to the announcement of 2022b.
This JDK implements Maintenance Release 4 of the Java SE 8 specification (JSR 337). Implementing this maintenance release is indicated by the new system property java.specification.maintenance.version
having the value of "4"
.
A new system property named jdk.httpserver.maxConnections
has been introduced to allow users to configure the com.sun.net.httpserver.HttpServer
to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u351 release:
# | BugId | Component | Subcomponent | Summary |
---|---|---|---|---|
1 | JDK-8260616 | client-libs | Removing remaining JNF dependencies in the java.desktop module | |
2 | JDK-8270216 | client-libs | java.awt | [macOS] Update named used for Java run loop mode |
3 | JDK-8272602 | client-libs | java.awt | [macOS] not all KEY_PRESSED events sent when control modifier is used |
4 | JDK-8261352 | client-libs | javax.accessibility | Create implementation for component peer for all the components who should be ignored in a11y interactions |
5 | JDK-8263420 | client-libs | javax.accessibility | Incorrect function name in NSAccessibilityStaticText native peer implementation |
6 | JDK-8261198 | client-libs | javax.accessibility | [macOS] Incorrect JNI parameters in number conversion in A11Y code |
7 | JDK-8262981 | client-libs | javax.accessibility | Create implementation for NSAccessibilitySlider protocol |
8 | JDK-8287740 | client-libs | javax.accessibility | NSAccessibilityShowMenuAction not working for text editors |
9 | JDK-8275071 | client-libs | javax.accessibility | [macos] A11y cursor gets stuck when combobox is closed |
10 | JDK-8274383 | client-libs | javax.accessibility | JNI call of getAccessibleSelection on a wrong thread |
11 | JDK-8267387 | client-libs | javax.accessibility | Create implementation for NSAccessibilityOutline protocol |
12 | JDK-8267388 | client-libs | javax.accessibility | Create implementation for NSAccessibilityTable protocol |
13 | JDK-8262031 | client-libs | javax.accessibility | Create implementation for NSAccessibilityNavigableStaticText protocol |
14 | JDK-8275809 | client-libs | javax.accessibility | crash in [CommonComponentAccessibility getCAccessible:withEnv:] |
15 | JDK-8273678 | client-libs | javax.accessibility | TableAccessibility and TableRowAccessibility miss autorelease |
16 | JDK-8271071 | client-libs | javax.accessibility | accessibility of a table on macOS lacks cell navigation |
17 | JDK-8267066 | client-libs | javax.accessibility | New NSAccessibility peers should return they roles and subroles directly |
18 | JDK-8275720 | client-libs | javax.accessibility | CommonComponentAccessibility.createWithParent isWrapped causes mem leak |
19 | JDK-8267385 | client-libs | javax.accessibility | Create NSAccessibilityElement implementation for JavaComponentAccessibility |
20 | JDK-8275819 | client-libs | javax.accessibility | [TableRowAccessibility accessibilityChildren] method is ineffective |
21 | JDK-8284690 | client-libs | javax.accessibility | [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox |
22 | JDK-8286266 | client-libs | javax.accessibility | [macos] Voice over moving JTable column to be the first column JVM crashes |
23 | JDK-8284014 | client-libs | javax.accessibility | Menu items with submenus in JPopupMenu are not spoken on macOS |
24 | JDK-8283383 | client-libs | javax.accessibility | [macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name |
25 | JDK-8278609 | client-libs | javax.accessibility | [macos] accessibility frame is misplaced on a secondary monitor on macOS |
26 | JDK-8274735 | client-libs | javax.imageio | javax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image |
27 | JDK-8256109 | client-libs | javax.swing | Create implementation for NSAccessibilityButton protocol |
28 | JDK-8256108 | client-libs | javax.swing | Create implementation for NSAccessibilityElement protocol peer |
29 | JDK-8256126 | client-libs | javax.swing | Create implementation for NSAccessibilityImage protocol peer |
30 | JDK-8256110 | client-libs | javax.swing | Create implementation for NSAccessibilityStepper protocol |
31 | JDK-8256111 | client-libs | javax.swing | Create implementation for NSAccessibilityStaticText protocol |
32 | JDK-8261350 | client-libs | javax.swing | Create implementation for NSAccessibilityCheckBox protocol peer |
33 | JDK-8261351 | client-libs | javax.swing | Create implementation for NSAccessibilityRadioButton protocol |
34 | JDK-8264299 | client-libs | javax.swing | Create implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles |
35 | JDK-8264300 | client-libs | javax.swing | Create implementation for NSAccessibilityScrollBar protocol peer |
36 | JDK-8264290 | client-libs | javax.swing | Create implementation for NSAccessibilityComponentGroup protocol peer |
37 | JDK-8264304 | client-libs | javax.swing | Create implementation for NSAccessibilityToolbar protocol peer |
38 | JDK-8264302 | client-libs | javax.swing | Create implementation for Accessibility native peer for Splitpane java role |
39 | JDK-8264305 | client-libs | javax.swing | Create implementation for native accessibility peer for Statusbar java role |
40 | JDK-8264287 | client-libs | javax.swing | Create implementation for NSAccessibilityComboBox protocol peer |
41 | JDK-8264303 | client-libs | javax.swing | Create implementation for NSAccessibilityTabGroup protocol peer |
42 | JDK-8264297 | client-libs | javax.swing | Create implementation for NSAccessibilityProgressIndicator protocol peer |
43 | JDK-8264294 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuBar protocol peer |
44 | JDK-8264298 | client-libs | javax.swing | Create implementation for NSAccessibilityRow protocol peer |
45 | JDK-8264286 | client-libs | javax.swing | Create implementation for NSAccessibilityColumn protocol peer |
46 | JDK-8264291 | client-libs | javax.swing | Create implementation for NSAccessibilityCell protocol peer |
47 | JDK-8264292 | client-libs | javax.swing | Create implementation for NSAccessibilityList protocol peer |
48 | JDK-8264293 | client-libs | javax.swing | Create implementation for NSAccessibilityMenu protocol peer |
49 | JDK-8264295 | client-libs | javax.swing | Create implementation for NSAccessibilityMenuItem protocol peer |
50 | JDK-8264296 | client-libs | javax.swing | Create implementation for NSAccessibilityPopUpButton protocol peer |
51 | JDK-8257620 | core-libs | Do not use objc_msgSend_stret to get macOS version | |
52 | JDK-8071507 | core-libs | java.lang | (ref) Clear phantom reference as soft and weak references do |
53 | JDK-8287132 | core-libs | java.lang | Retire Runtime.runFinalizersOnExit so that it always throws UOE |
54 | JDK-8178832 | core-libs | java.lang | (ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored |
55 | JDK-8175797 | core-libs | java.lang | (ref) Reference::enqueue method should clear the reference object before enqueuing |
56 | JDK-8193780 | core-libs | java.lang | (ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property |
57 | JDK-8285497 | core-libs | java.lang | Add system property for Java SE specification maintenance version |
58 | JDK-8201793 | core-libs | java.lang | (ref) Reference object should not support cloning |
59 | JDK-8287917 | core-libs | java.lang:class_loading | System.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier |
60 | JDK-8288769 | core-libs | java.util.jar | Revert unintentional change to deflate.c |
61 | JDK-8283277 | core-libs | java.util:i18n | ISO 4217 Amendment 171 Update |
62 | JDK-8289549 | core-libs | java.util:i18n | ISO 4217 Amendment 172 Update |
63 | JDK-8277368 | core-libs | javax.script | Metaspace OOM thrown due to the leak of Nashorn ScriptEngine |
64 | JDK-6447817 | docs | Add additional Service Attributes to Standard Algorithm Names guide | |
65 | JDK-8291414 | docs | guides | Fix the incorrect wording about delayed provider selection in the PKCS11 documentation |
66 | JDK-8261071 | hotspot | compiler | AArch64: Refactor interpreter native wrappers |
67 | JDK-8234930 | hotspot | compiler | Use MAP_JIT when allocating pages for code cache on macOS |
68 | JDK-8253015 | hotspot | compiler | Aarch64: Move linux code out from generic CPU feature detection |
69 | JDK-8188066 | hotspot | gc | (ref) Examine the reachability of JNI WeakGlobalRef and interaction with phantom refs |
70 | JDK-8143847 | hotspot | gc | Remove REF_CLEANER reference category |
71 | JDK-8285621 | hotspot | jfr | Xcheck:jni warnings during JFR initialization |
72 | JDK-6885993 | hotspot | runtime | Named Thread: introduce print() and print_on(outputStream* st) methods |
73 | JDK-7102541 | hotspot | runtime | RFE: os::set_native_thread_name() cleanups |
74 | JDK-8261075 | hotspot | runtime | Create stubRoutines.inline.hpp with SafeFetch implementation |
75 | JDK-8151322 | hotspot | runtime | Implement os::set_native_thread_name() on Solaris |
76 | JDK-8061999 | hotspot | runtime | Enhance VM option parsing to allow options to be specified in a file |
77 | JDK-8078521 | hotspot | svc | AARCH64: Add AArch64 SA support |
78 | JDK-8289587 | javafx | web | IllegalArgumentException: Color.rgb's red parameter (-16776961) expects color values 0-255 |
79 | JDK-8088420 | javafx | web | JavaFX WebView memory leak via EventListener |
80 | JDK-8285881 | javafx | web | Update WebKit to 614.1 |
81 | JDK-8292609 | javafx | web | Cherry-pick WebKit 614.1 stabilization fixes |
82 | JDK-8268427 | security-libs | java.security | Improve AlgorithmConstraints:checkAlgorithm performance |
83 | JDK-8186143 | security-libs | java.security | keytool -ext option doesn't accept wildcards for DNS subject alternative names |
84 | JDK-8267880 | security-libs | java.security | Upgrade the default PKCS12 MAC algorithm |
85 | JDK-8263404 | security-libs | java.security | RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec |
86 | JDK-8269039 | security-libs | java.security | Disable SHA-1 Signed JARs |
87 | JDK-8275887 | security-libs | java.security | jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled |
88 | JDK-8270317 | security-libs | javax.net.ssl | Large Allocation in CipherSuite |
89 | JDK-8284694 | security-libs | javax.net.ssl | Avoid evaluating SSLAlgorithmConstraints twice |
90 | JDK-8286211 | security-libs | javax.smartcardio | Update PCSC-Lite for Suse Linux to 1.9.5 |
91 | JDK-8285398 | security-libs | jdk.security | Cache the results of constraint checks |
92 | JDK-8074835 | security-libs | org.ietf.jgss | Resolve disabled warnings for libj2gss |
93 | JDK-8074836 | security-libs | org.ietf.jgss:krb5 | Resolve disabled warnings for libosxkrb5 |
94 | JDK-8139348 | security-libs | org.ietf.jgss:krb5 | Deprecate 3DES and RC4 in Kerberos |
95 | JDK-8289486 | xml | jaxp | Improve XSLT XPath operators count efficiency |