JDK 8u351 Release Notes

Java SE 8u351 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u351 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.


Changes in Java SE 8u351 b34

Bug Fixes

BugId Category Subcategory Summary
JDK-8294307 core-libs java.util:i18n ISO 4217 Amendment 173 Update
JDK-8296239 core-libs java.util:i18n ISO 4217 Amendment 174 Update
JDK-8295173 core-libs java.time (tz) Update Timezone Data to 2022e
JDK-8296108 core-libs java.time (tz) Update Timezone Data to 2022f


Changes in Java SE 8u351 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8278027 security-libs javax.crypto X509Key.decode exception while using JSafeJCE FIPS provider


Changes in Java SE 8u351 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8224671 hotspot compiler AArch64: mauve System.arraycopy test failure
JDK-8292695 hotspot runtime SIGQUIT and jcmd attaching mechanism does not work with signal chaining library
JDK-8202014 hotspot runtime Possible to receive signal before signal semaphore created


Changes in Java SE 8u351 b31

Bug Fixes

BugId Category Subcategory Summary
JDK-8291973 install install Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d
JDK-8293795 javafx accessibility Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField

Java™ SE Development Kit 8, Update 351 (JDK 8u351)

October 18, 2022

The full version string for this update release is 8u351-b10 (where "b" means "build"). The version number is 8u351.


IANA TZ Data 2022b, 2022c

JDK 8u351 contains IANA time zone data 2022b, 2022c.

  • Chile's DST is delayed by a week in September 2022.
  • Iran no longer observes DST after 2022.
  • Rename Europe/Kiev to Europe/Kyiv.
  • New zic -R option
  • Vanguard form now uses %z.
  • Finish moving duplicate-since-1970 zones to 'backzone'.
  • New build option PACKRATLIST.
  • New tailored_tarballs target, replacing rearguard_tarballs.
  • Work around awk bug in FreeBSD, macOS, etc.
  • Improve tzselect on intercontinental Zones.
For more information, refer to Timezone Data Versions in the Java Runtime.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u351 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u351-b10
7 7u361-b08


Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u351) be used after the next critical patch update scheduled for January 17, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u351) on 2023-02-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

 Upgrade the Default PKCS12 MAC Algorithm (JDK-8267880)

The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12 in the file for detailed information.

The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A '' exception will be thrown in such circumstances.

For compatibility, use the keystore.pkcs12.legacy system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

 os::set_native_thread_name() cleanups (JDK-7102541)

On platforms that support the concept of a thread name on their native threads, the java.lang.Thread.setName() method will also set that native thread name. However, this will only occur when called by the current thread, and only for threads started through the java.lang.Thread class (not for native threads that have attached via JNI). The presence of a native thread name can be useful for debugging and monitoring purposes. Some platforms may limit the native thread name to a length much shorter than that used by the java.lang.Thread, which may result in some threads having the same native name.


Other Notes

 Enable Java Access Bridge Check Box Option in Control Panel Is Not Available with JDK 11 Installer (JDK-8208637)

The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK11. This registration was part of the public JRE installation.

However, Java Access Bridge can still be enabled and disabled by following these steps:

  1. Copy %JAVAHOME%\bin\windowsaccessbridge-64.dll to %WINDOWSHOME%\SYSTEM32. A reboot might be required after this step.
  2. Run %JAVAHOME%\bin\jabswitch /enable and %JAVAHOME%\bin\jabswitch /disable.

Note: %WINDOWSHOME% is the directory where Microsoft Windows is installed (for example, C:\WINDOWS) %JAVAHOME% is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11)

 Disabled SHA-1 Signed JARs (JDK-8269039)

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

-  Signed by "CN="Signer""

     Digest algorithm: SHA-1 (disabled)
     Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the configuration file (or override it by using the system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

 Deprecate 3DES and RC4 in Kerberos (JDK-8139348)

The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

 Phantom references are automatically cleared as soft and weak references (JDK-8071507)

This enhancement changes phantom references to be automatically cleared by the garbage collector as soft and weak references.

An object becomes phantom reachable after it has been finalized. This change may cause the phantom reachable objects to be GC'ed earlier - previously the referent is kept alive until PhantomReference objects are GC'ed or cleared by the application. This potential behavioral change might only impact existing code that would depend on PhantomReference being enqueued rather than when the referent be freed from the heap.

 java.lang.ref.Reference.enqueue method clears the reference object before enqueuing (JDK-8175797)

java.lang.ref.Reference.enqueue method clears the reference object before it is added to the registered queue. When the enqueue method is called, the reference object is cleared and get() method will return null in JDK 9.

Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear method to avoid memory leak because its referent is no longer referenced. In other words the get method is expected not to be called in common cases once the enqueuemethod is called. In the case when the get method from an enqueued reference object and existing code attempts to access members of the referent, NullPointerException may be thrown. Such code will need to be updated.

 java.lang.ref.Reference Does Not Support Cloning (JDK-8201793)

java.lang.ref.Reference::clone method always throws CloneNotSupportedException. Reference objects cannot be meaningfully cloned. To create a new Reference object, call the constructor to create a Reference object with the same referent and reference queue instead.

 Update Timezone Data to 2022c (JDK-8294042)

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b.

 System Property java.specification.maintenance.version Set to 4 (JDK-8290849)

This JDK implements Maintenance Release 4 of the Java SE 8 specification (JSR 337). Implementing this maintenance release is indicated by the new system property java.specification.maintenance.version having the value of "4".

 New System Property to Limit the Number of Open Connections to (JDK-8286918 (not public))

A new system property named jdk.httpserver.maxConnections has been introduced to allow users to configure the to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u351 release:

# BugId Component Subcomponent Summary
1JDK-8260616client-libsRemoving remaining JNF dependencies in the java.desktop module
2JDK-8270216client-libsjava.awt[macOS] Update named used for Java run loop mode
3JDK-8272602client-libsjava.awt[macOS] not all KEY_PRESSED events sent when control modifier is used
4JDK-8261352client-libsjavax.accessibilityCreate implementation for component peer for all the components who should be ignored in a11y interactions
5JDK-8263420client-libsjavax.accessibilityIncorrect function name in NSAccessibilityStaticText native peer implementation
6JDK-8261198client-libsjavax.accessibility[macOS] Incorrect JNI parameters in number conversion in A11Y code
7JDK-8262981client-libsjavax.accessibilityCreate implementation for NSAccessibilitySlider protocol
8JDK-8287740client-libsjavax.accessibilityNSAccessibilityShowMenuAction not working for text editors
9JDK-8275071client-libsjavax.accessibility[macos] A11y cursor gets stuck when combobox is closed
10JDK-8274383client-libsjavax.accessibilityJNI call of getAccessibleSelection on a wrong thread
11JDK-8267387client-libsjavax.accessibilityCreate implementation for NSAccessibilityOutline protocol
12JDK-8267388client-libsjavax.accessibilityCreate implementation for NSAccessibilityTable protocol
13JDK-8262031client-libsjavax.accessibilityCreate implementation for NSAccessibilityNavigableStaticText protocol
14JDK-8275809client-libsjavax.accessibilitycrash in [CommonComponentAccessibility getCAccessible:withEnv:]
15JDK-8273678client-libsjavax.accessibilityTableAccessibility and TableRowAccessibility miss autorelease
16JDK-8271071client-libsjavax.accessibilityaccessibility of a table on macOS lacks cell navigation
17JDK-8267066client-libsjavax.accessibilityNew NSAccessibility peers should return they roles and subroles directly
18JDK-8275720client-libsjavax.accessibilityCommonComponentAccessibility.createWithParent isWrapped causes mem leak
19JDK-8267385client-libsjavax.accessibilityCreate NSAccessibilityElement implementation for JavaComponentAccessibility
20JDK-8275819client-libsjavax.accessibility[TableRowAccessibility accessibilityChildren] method is ineffective
21JDK-8284690client-libsjavax.accessibility[macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
22JDK-8286266client-libsjavax.accessibility[macos] Voice over moving JTable column to be the first column JVM crashes
23JDK-8284014client-libsjavax.accessibilityMenu items with submenus in JPopupMenu are not spoken on macOS
24JDK-8283383client-libsjavax.accessibility[macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
25JDK-8278609client-libsjavax.accessibility[macos] accessibility frame is misplaced on a secondary monitor on macOS
26JDK-8274735client-libsjavax.imageiojavax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
27JDK-8256109client-libsjavax.swingCreate implementation for NSAccessibilityButton protocol
28JDK-8256108client-libsjavax.swingCreate implementation for NSAccessibilityElement protocol peer
29JDK-8256126client-libsjavax.swingCreate implementation for NSAccessibilityImage protocol peer
30JDK-8256110client-libsjavax.swingCreate implementation for NSAccessibilityStepper protocol
31JDK-8256111client-libsjavax.swingCreate implementation for NSAccessibilityStaticText protocol
32JDK-8261350client-libsjavax.swingCreate implementation for NSAccessibilityCheckBox protocol peer
33JDK-8261351client-libsjavax.swingCreate implementation for NSAccessibilityRadioButton protocol
34JDK-8264299client-libsjavax.swingCreate implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles
35JDK-8264300client-libsjavax.swingCreate implementation for NSAccessibilityScrollBar protocol peer
36JDK-8264290client-libsjavax.swingCreate implementation for NSAccessibilityComponentGroup protocol peer
37JDK-8264304client-libsjavax.swingCreate implementation for NSAccessibilityToolbar protocol peer
38JDK-8264302client-libsjavax.swingCreate implementation for Accessibility native peer for Splitpane java role
39JDK-8264305client-libsjavax.swingCreate implementation for native accessibility peer for Statusbar java role
40JDK-8264287client-libsjavax.swingCreate implementation for NSAccessibilityComboBox protocol peer
41JDK-8264303client-libsjavax.swingCreate implementation for NSAccessibilityTabGroup protocol peer
42JDK-8264297client-libsjavax.swingCreate implementation for NSAccessibilityProgressIndicator protocol peer
43JDK-8264294client-libsjavax.swingCreate implementation for NSAccessibilityMenuBar protocol peer
44JDK-8264298client-libsjavax.swingCreate implementation for NSAccessibilityRow protocol peer
45JDK-8264286client-libsjavax.swingCreate implementation for NSAccessibilityColumn protocol peer
46JDK-8264291client-libsjavax.swingCreate implementation for NSAccessibilityCell protocol peer
47JDK-8264292client-libsjavax.swingCreate implementation for NSAccessibilityList protocol peer
48JDK-8264293client-libsjavax.swingCreate implementation for NSAccessibilityMenu protocol peer
49JDK-8264295client-libsjavax.swingCreate implementation for NSAccessibilityMenuItem protocol peer
50JDK-8264296client-libsjavax.swingCreate implementation for NSAccessibilityPopUpButton protocol peer
51JDK-8257620core-libsDo not use objc_msgSend_stret to get macOS version
52JDK-8071507core-libsjava.lang(ref) Clear phantom reference as soft and weak references do
53JDK-8287132core-libsjava.langRetire Runtime.runFinalizersOnExit so that it always throws UOE
54JDK-8178832core-libsjava.lang(ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
55JDK-8175797core-libsjava.lang(ref) Reference::enqueue method should clear the reference object before enqueuing
56JDK-8193780core-libsjava.lang(ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
57JDK-8285497core-libsjava.langAdd system property for Java SE specification maintenance version
58JDK-8201793core-libsjava.lang(ref) Reference object should not support cloning
59JDK-8287917core-libsjava.lang:class_loadingSystem.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
60JDK-8288769core-libsjava.util.jarRevert unintentional change to deflate.c
61JDK-8283277core-libsjava.util:i18nISO 4217 Amendment 171 Update
62JDK-8289549core-libsjava.util:i18nISO 4217 Amendment 172 Update
63JDK-8277368core-libsjavax.scriptMetaspace OOM thrown due to the leak of Nashorn ScriptEngine
64JDK-6447817docsAdd additional Service Attributes to Standard Algorithm Names guide
65JDK-8291414docsguidesFix the incorrect wording about delayed provider selection in the PKCS11 documentation
66JDK-8261071hotspotcompilerAArch64: Refactor interpreter native wrappers
67JDK-8234930hotspotcompilerUse MAP_JIT when allocating pages for code cache on macOS
68JDK-8253015hotspotcompilerAarch64: Move linux code out from generic CPU feature detection
69JDK-8188066hotspotgc(ref) Examine the reachability of JNI WeakGlobalRef and interaction with phantom refs
70JDK-8143847hotspotgcRemove REF_CLEANER reference category
71JDK-8285621hotspotjfrXcheck:jni warnings during JFR initialization
72JDK-6885993hotspotruntimeNamed Thread: introduce print() and print_on(outputStream* st) methods
73JDK-7102541hotspotruntimeRFE: os::set_native_thread_name() cleanups
74JDK-8261075hotspotruntimeCreate stubRoutines.inline.hpp with SafeFetch implementation
75JDK-8151322hotspotruntimeImplement os::set_native_thread_name() on Solaris
76JDK-8061999hotspotruntimeEnhance VM option parsing to allow options to be specified in a file
77JDK-8078521hotspotsvcAARCH64: Add AArch64 SA support
78JDK-8289587javafxwebIllegalArgumentException: Color.rgb's red parameter (-16776961) expects color values 0-255
79JDK-8088420javafxwebJavaFX WebView memory leak via EventListener
80JDK-8285881javafxwebUpdate WebKit to 614.1
81JDK-8292609javafxwebCherry-pick WebKit 614.1 stabilization fixes
82JDK-8268427security-libsjava.securityImprove AlgorithmConstraints:checkAlgorithm performance
83JDK-8186143security-libsjava.securitykeytool -ext option doesn't accept wildcards for DNS subject alternative names
84JDK-8267880security-libsjava.securityUpgrade the default PKCS12 MAC algorithm
85JDK-8263404security-libsjava.securityRsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
86JDK-8269039security-libsjava.securityDisable SHA-1 Signed JARs
87JDK-8275887security-libsjava.securityjarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled Allocation in CipherSuite evaluating SSLAlgorithmConstraints twice
90JDK-8286211security-libsjavax.smartcardioUpdate PCSC-Lite for Suse Linux to 1.9.5
91JDK-8285398security-libsjdk.securityCache the results of constraint checks
92JDK-8074835security-libsorg.ietf.jgssResolve disabled warnings for libj2gss
93JDK-8074836security-libsorg.ietf.jgss:krb5Resolve disabled warnings for libosxkrb5
94JDK-8139348security-libsorg.ietf.jgss:krb5Deprecate 3DES and RC4 in Kerberos
95JDK-8289486xmljaxpImprove XSLT XPath operators count efficiency