JDK 8u391 Release Notes

Java SE 8u391 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u391 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.


Changes in Java SE 8u391 b33

Bug Fixes

December 14, 2023
BugId Category Subcategory Summary
JDK-8054022 core-libs HttpURLConnection timeouts with Expect: 100-Continue and no chunking
JDK-8306784 install install No default java after 8u371 upgrade


Changes in Java SE 8u391 b32

Bug Fixes

November 6, 2023
BugId Category Subcategory Summary
JDK-8312489 security-libs Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar


Changes in Java SE 8u391 b31

Bug Fixes

Fixes from the prior BPR are included in this version.

Java™ SE Development Kit 8, Update 391 (JDK 8u391)

October 17, 2023

The full version string for this update release is 8u391-b13 (where "b" means "build"). The version number is 8u391.


IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)


Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

 New JFR Event: jdk.SecurityProviderService (JDK-8254711)

A new Java Flight Recorder (JFR) event has been added to record details of type, String algorithm) calls.

The new event name is jdk.SecurityProviderService and contains the following fields:

Field name Field Description
type Type of Service
algorithm Algorithm Name
provider Security Provider

This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

 -XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)

The -XshowSettings launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale showSettings option.

Example output using -X:showSettings:locale:


Locale settings:
    default locale = English
    default display locale = English
    default format locale = English
    tzdata version = 2023c


Known Issues

 Media Playback Does Not Work on Ubuntu 23.10 (JDK-8317508)

Media playback does not work on Ubuntu 23.10. This affects most media formats such as MP4 with H.264/H.265, MP3, AAC, and HTTP Live Streaming. This is because JavaFX Media does not support libavcodec version 60. Support for libavcodec version 60 will be added with JDK-8317508. As a workaround, install libavcodec version 59 compiled with support for at least the following:

  • decoder: aac, mp3, mp3float, h264, hevc
  • parser: aac, h264, hevc
  • demuxer: aac, h264, hevc, mpegts, mpegtsraw


Removed Features and Options

 Removed SECOM Trust System's RootCA1 Root Certificate (JDK-8295894)

The following root certificate from SECOM Trust System has been removed from the cacerts keystore:

+ alias name "secomscrootca1 [jdk]"

  Distinguished Name: OU=Security Communication RootCA1, O=SECOM, C=JP

 Removal of Linux ARM32 Support for JDK 8 (JDK-8305927 (not public))

Platform support for Linux ARM32 in JDK 8 has been removed. As a result, the ARM32 Hard Float ABI download will not be available. Operating Systems that supported ARM32 have reached their End of Life, thus there is no known OS support available.


Other Notes

 Added Certigna Root CA Certificate (JDK-8314960)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)

  + certignarootca
    DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

 Ignore Allow and Disallow Options for System Property (JDK-8301118)

In JDK 12, two new token options for the system property, "allow" and "disallow", were introduced.

Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via System.setSecurityManager, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.

Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a Could not create SecurityManager Error and the application will not start up.

From this release onward, the "allow" and "disallow" options for the system property will be ignored.

 The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit (JDK-8301700)

The JDK implementation of TLS 1.2 now uses a default Diffie Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.

As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize system property to 1024 (at their own risk).

This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.

 Allow JDK 8 Installed by MSI to Install Side-by-Side with Other JRE 8 Installations (JDK-8306899 (not public))

In 8u371, the behavior of the JRE installer was changed from installing the JRE in a full-version-specific directory to installing the JRE into a common shared directory. It also removed all older JRE versions in that same family.

In JDK 8u391, a new argument, RETAIN_ALL_VERSIONS=1, was introduced for the MSI installer. If the argument is used, the JRE will install into a jre$fullversion directory. Other JREs of the Java SE 8 family will not be automatically removed. More information can be found in the MSI Enterprise JRE Installer Guide for Windows.

 CORBA _DynAnyStub and Associated Subclasses readObject Accepts Only Stringified IORs in IOR: URI format (JDK-8303384 (not public))

The readObject method changes made to _DynAnyFactoryStub in JDK-8285021, have been extended to a set of stub classes that have been categoriezed as pseudo IDL interfaces. These include:



For each of these stub classes, the readObject method has been amended such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format only. As the above stub classes are termed, locally or as ORB constrained types, it is not useful that serialized data should contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to an IOR of these stub classes. As such, using a corbaname to reference an instance of these locally constrained stub classes is not meaningful.

A system property is introduced, com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR, which when set to true, will revert the readObject method to its current behavior and disable the additional IOR checks. The default value of this system property is false. This system property can also be used to disable the IOR check performed in the org.omg.DynamicAny._DynAnyFactoryStub readObject method. As such, with respect to _DynAnyFactory, it complements the system property org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck introduced in JDK-8285021.

Additionally, the readObject method of the remote CORBA service stub classes:,,,,,,,,,,,

included in the JDK, have been similarly amended to include an IOR check when reading a stringified IOR from serialised data. To enable the IOR check, and prohibit corbaname or corbaloc URLs in a stringified IOR, the setting of the com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR system property to true is required.

A system property is introduced, com.sun.CORBA.IDL.Stubs.allowCorbanameInIOR, which when set to false, will activate an IOR check when reading a stringified IOR from serialised data and constrain a stringified IOR to that of IOR: URI format. Thus, prohibiting corbaname or corbaloc as a valid stringified IOR format. The default value of this system property is true. That is, corbaname or corbaloc are allowed in stringified IORs.

 Use Server Cipher Suites Preference by Default (JDK-8168261)

For TLS connections, the cipher suite selection, by default, is updated to use the server cipher suites preference. Applications can configure the behavior by using the SSLParameters.setUseCipherSuitesOrder​() method.


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u391 release:

# BugId Component Summary
1JDK-8311689client-libs/java.awtWrong visible amount in Adjustable of ScrollPane
2JDK-8310054client-libs/java.awtScrollPane insets are incorrect
3JDK-8297923client-libs/java.awtjava.awt.ScrollPane broken after multiple scroll up/down
4JDK-8305815client-libs/java.awtUpdate Libpng to 1.6.39
5JDK-8305517core-libs/java.netMemory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress()
6JDK-8300098core-libs/java.util.concurrentjava/util/concurrent/ConcurrentHashMap/ fails with internal timeout when executed with TieredCompilation1/3
7JDK-8234808core-svc/debuggerjdb quoted option parsing broken
8JDK-8290451hotspot/compilerIncorrect result when switching to C2 OSR compilation from C1
9JDK-8213419hotspot/compilerC2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1
10JDK-8183910hotspot/gcgc/arguments/ fails intermittently
11JDK-8257239hotspot/gc[8u] G1: guarantee(!obj->is_forwarded()) failed: Object must not be forwarded
12JDK-8182703hotspot/gcCorrect G1 barrier queue lock orderings
13JDK-8207011hotspot/runtimeRemove uses of the register storage class specifier
14JDK-8297887hotspot/runtimeUpdate Siphash
15JDK-8284542javafx/accessibility[Accessibility] [Win] Missing attribute for toggle state of CheckBox in CheckBoxTreeItem
16JDK-8309508javafx/graphicsPossible memory leak in JPEG image loader
17JDK-8306328javafx/mediaUpdate libFFI to 3.4.4
18JDK-8306918javafx/webWebView: Update Public Suffix List to 88467c9
19JDK-8303748javafx/webWebKit build fails with Visual Studio 2022 17.5.0
20JDK-8306329javafx/webUpdate ICU4C to 73.1
21JDK-8310681javafx/webUpdate WebKit to 616.1
22JDK-8313177javafx/webWeb Workers timeout with Webkit 616.1
23JDK-8314212javafx/webCrash when loading in WebView
24JDK-8313711javafx/webCherry-pick WebKit 616.1 stabilization fixes
25JDK-8313181javafx/webEnabling modern media controls on webkit 616.1 does not load button images on HTML5 video Element
26JDK-8144781javafx/window-toolkitAssertion failure in debug build running any JavaFX program on Mac
27JDK-8296452security-libs/javax.cryptoSolaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error
28JDK-8236671security-libs/javax.cryptoNullPointerException in JKS keystore
29JDK-8232950security-libs/javax.crypto:pkcs11SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
30JDK-8183107security-libs/javax.crypto:pkcs11PKCS11 regression regarding checkKeySize