The following sections summarize changes made in all Java SE 8u391 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8054022 | core-libs | java.net | HttpURLConnection timeouts with Expect: 100-Continue and no chunking |
JDK-8306784 | install | install | No default java after 8u371 upgrade |
BugId | Category | Subcategory | Summary |
---|---|---|---|
JDK-8312489 | security-libs | java.security | Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar |
Fixes from the prior BPR are included in this version.
October 17, 2023
The full version string for this update release is 8u391-b13 (where "b" means "build"). The version number is 8u391.
For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:
JRE Family Version | JRE Security Baseline (Full Version String) |
---|---|
8 | 8u391-b13 |
Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.
Java SE Subscription customers managing JRE updates/installs for a large number of desktops should consider using Java Advanced Management Console (AMC).
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
jdk.SecurityProviderService (JDK-8254711)
A new Java Flight Recorder (JFR) event has been added to record details of java.security.Provider.getService(String type, String algorithm) calls.
The new event name is jdk.SecurityProviderService and contains the following fields:
Field name | Field Description |
---|---|
type | Type of Service |
algorithm | Algorithm Name |
provider | Security Provider |
This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.
-XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)
The -XshowSettings launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale showSettings option.
Example output using -XshowSettings:locale:
.....
Locale settings:
default locale = English
default display locale = English
default format locale = English
tzdata version = 2023c
.....
Media playback does not work on Ubuntu 23.10. This affects most media formats such as MP4 with H.264/H.265, MP3, AAC, and HTTP Live Streaming. This is because JavaFX Media does not support libavcodec version 60. Support for libavcodec version 60 will be added with JDK-8317508. As a workaround, install libavcodec version 59 compiled with support for at least the following:
The following root certificate from SECOM Trust System has been removed from the cacerts keystore:
+ alias name "secomscrootca1 [jdk]"
Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP
Platform support for Linux ARM32 in JDK 8 has been removed. As a result, the ARM32 Hard Float ABI download will not be available. Operating Systems that supported ARM32 have reached their End of Life, thus there is no known OS support available.
The following root certificate has been added to the cacerts truststore:
+ Certigna (Dhimyotis)
+ certignarootca
DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR
java.security.manager System Property (JDK-8301118)
In JDK 12, two new token options for the java.security.manager system property, "allow" and "disallow", were introduced.
Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via System.setSecurityManager, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.
Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a Could not create SecurityManager Error and the application will not start up.
From this release onward, the "allow" and "disallow" options for the java.security.manager system property will be ignored.
The JDK implementation of TLS 1.2 now uses a default Diffie Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.
As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize system property to 1024 (at their own risk).
This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.
In 8u371, the behavior of the JRE installer was changed from installing the JRE in a full-version-specific directory to installing the JRE into a common shared directory. It also removed all older JRE versions in that same family.
In JDK 8u391, a new argument, RETAIN_ALL_VERSIONS=1, was introduced for the MSI installer. If the argument is used, the JRE will install into a jre$fullversion directory. Other JREs of the Java SE 8 family will not be automatically removed. More information can be found in the MSI Enterprise JRE Installer Guide for Windows.
CORBA _DynAnyStub and Associated Subclasses readObject Accepts Only Stringified IORs in IOR: URI format (JDK-8303384 (not public))
The readObject method changes made to _DynAnyFactoryStub in JDK-8285021 have been extended to a set of stub classes that have been categorized as pseudo IDL interfaces. These include:
org.omg.DynamicAny._DynArrayStub,
org.omg.DynamicAny._DynEnumStub,
org.omg.DynamicAny._DynFixedStub,
org.omg.DynamicAny._DynSequenceStub,
org.omg.DynamicAny._DynStructStub,
org.omg.DynamicAny._DynUnionStub,
org.omg.DynamicAny._DynValueStub,
org.omg.DynamicAny._DynAnyStub,
For each of these stub classes, the readObject method has been amended such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format only. Because the above stub classes are locally constrained (ORB constrained) types, it is not useful for serialized data to contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to an IOR of these stub classes. As such, using a corbaname to reference an instance of these locally constrained stub classes is not meaningful.
A system property is introduced, com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR, which, when set to true, will revert the readObject method to its behavior prior to this change and disable the additional IOR checks. The default value of this system property is false. This system property can also be used to disable the IOR check performed in the org.omg.DynamicAny._DynAnyFactoryStub readObject method. As such, with respect to _DynAnyFactory, it complements the system property org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck introduced in JDK-8285021.
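The following Java class is an added illustration of the "IOR: format only" rule and its opt-out property as described above; it is not code from the JDK. The class and method names are hypothetical, the sample strings are constructed, and the hex-body test and the case-insensitive prefix match are assumptions of this example.

```java
import java.util.Locale;

// Added illustration, not JDK source: models the "IOR: format only" rule.
public class StringifiedIorCheck {

    // Property name from the release note; unset or false keeps the strict check.
    static final String ALLOW_PROP =
            "com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR";

    enum Kind { IOR, CORBALOC, CORBANAME, UNKNOWN }

    // Prefix match is case-insensitive here so URL variants are not missed.
    static Kind classify(String value) {
        if (value == null) return Kind.UNKNOWN;
        String v = value.trim().toLowerCase(Locale.ROOT);
        if (v.startsWith("ior:")) return Kind.IOR;
        if (v.startsWith("corbaloc:")) return Kind.CORBALOC;
        if (v.startsWith("corbaname:")) return Kind.CORBANAME;
        return Kind.UNKNOWN;
    }

    // Decide whether a string read from serialized data may be resolved.
    static boolean isAcceptable(String value) {
        Kind kind = classify(value);
        if (kind == Kind.CORBALOC || kind == Kind.CORBANAME) {
            // URL forms name a remote endpoint, so they pass only on opt-in.
            return Boolean.getBoolean(ALLOW_PROP);
        }
        if (kind != Kind.IOR) return false;
        // Assumption: the body after "IOR:" is hex-encoded octets.
        String hex = value.trim().substring(4);
        return !hex.isEmpty() && hex.length() % 2 == 0
                && hex.matches("[0-9a-fA-F]+");
    }

    public static void main(String[] args) {
        // Constructed sample values; none refers to a real object.
        String[] samples = {
            "IOR:000000000000000100000000",
            "IOR:00zz",
            "corbaloc::host.example:2809/NameService",
            "corbaname::host.example:2809#app/Service",
            "file:///tmp/ref.ior"
        };
        for (String s : samples) {
            System.out.println(classify(s) + " accept=" + isAcceptable(s) + " " + s);
        }
    }
}
```

Running it once without the property and once with -Dcom.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR=true shows which inputs the opt-out re-admits.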
Additionally, the readObject method of the remote CORBA service stub classes:
org.omg.CosNaming._NamingContextStub.java,
org.omg.CosNaming._BindingIteratorStub.java,
org.omg.CosNaming._NamingContextExtStub.java,
org.omg.PortableServer._ServantActivatorStub.java,
org.omg.PortableServer._ServantLocatorStub.java,
com.sun.corba.se.spi.activation._ServerManagerStub.java,
com.sun.corba.se.spi.activation._ActivatorStub.java,
com.sun.corba.se.spi.activation._RepositoryStub.java,
com.sun.corba.se.spi.activation._InitialNameServiceStub.java,
com.sun.corba.se.spi.activation._LocatorStub.java,
com.sun.corba.se.spi.activation._ServerStub.java,
included in the JDK, have been similarly amended to include an IOR check when reading a stringified IOR from serialised data. To enable the IOR check, and prohibit corbaname or corbaloc URLs in a stringified IOR, the com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR system property must be set to true.
A system property is introduced, com.sun.CORBA.IDL.Stubs.allowCorbanameInIOR, which, when set to false, will activate an IOR check when reading a stringified IOR from serialised data and constrain a stringified IOR to the IOR: URI format, thus prohibiting corbaname or corbaloc as a valid stringified IOR format. The default value of this system property is true. That is, corbaname or corbaloc are allowed in stringified IORs.
For TLS connections, the cipher suite selection, by default, is updated to use the server cipher suites preference. Applications can configure the behavior by using the SSLParameters.setUseCipherSuitesOrder() method.
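The following Java class is an added example, not taken from the JDK or from these release notes, of setting the cipher suite order and the server-preference flag explicitly so a server behaves the same on releases before and after this default change. The class name and the preference list are assumptions of this example; the suite names are standard JSSE names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ServerCipherOrder {

    // Assumed preference list for this example: forward-secret AEAD suites.
    static final List<String> PREFERRED = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    // Build parameters that pin both the suite order and who chooses.
    static SSLParameters serverPreferred(SSLServerSocket socket) {
        Set<String> supported =
                new HashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
        List<String> ordered = new ArrayList<>();
        for (String suite : PREFERRED) {
            if (supported.contains(suite)) ordered.add(suite);
        }
        if (ordered.isEmpty()) {
            throw new IllegalStateException("no preferred suite is supported");
        }
        SSLParameters params = socket.getSSLParameters();
        params.setCipherSuites(ordered.toArray(new String[0]));
        // true: the server's order wins; false: the client's order wins.
        params.setUseCipherSuitesOrder(true);
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Unbound socket: enough to inspect and set parameters, no listener.
        try (SSLServerSocket socket = (SSLServerSocket)
                SSLServerSocketFactory.getDefault().createServerSocket()) {
            System.out.println("server preference before: "
                    + socket.getSSLParameters().getUseCipherSuitesOrder());
            socket.setSSLParameters(serverPreferred(socket));
            System.out.println("server preference after: "
                    + socket.getSSLParameters().getUseCipherSuitesOrder());
            System.out.println("enabled suites: "
                    + Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```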
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.
The following table lists the bug fixes included in the JDK 8u391 release:
# | BugId | Component | Summary |
---|---|---|---|
1 | JDK-8311689 | client-libs/java.awt | Wrong visible amount in Adjustable of ScrollPane |
2 | JDK-8310054 | client-libs/java.awt | ScrollPane insets are incorrect |
3 | JDK-8297923 | client-libs/java.awt | java.awt.ScrollPane broken after multiple scroll up/down |
4 | JDK-8305815 | client-libs/java.awt | Update Libpng to 1.6.39 |
5 | JDK-8305517 | core-libs/java.net | Memory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress() |
6 | JDK-8300098 | core-libs/java.util.concurrent | java/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3 |
7 | JDK-8234808 | core-svc/debugger | jdb quoted option parsing broken |
8 | JDK-8290451 | hotspot/compiler | Incorrect result when switching to C2 OSR compilation from C1 |
9 | JDK-8213419 | hotspot/compiler | C2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1 |
10 | JDK-8183910 | hotspot/gc | gc/arguments/TestAggressiveHeap.java fails intermittently |
11 | JDK-8257239 | hotspot/gc | [8u] G1: guarantee(!obj->is_forwarded()) failed: Object must not be forwarded |
12 | JDK-8182703 | hotspot/gc | Correct G1 barrier queue lock orderings |
13 | JDK-8207011 | hotspot/runtime | Remove uses of the register storage class specifier |
14 | JDK-8297887 | hotspot/runtime | Update Siphash |
15 | JDK-8284542 | javafx/accessibility | [Accessibility] [Win] Missing attribute for toggle state of CheckBox in CheckBoxTreeItem |
16 | JDK-8309508 | javafx/graphics | Possible memory leak in JPEG image loader |
17 | JDK-8306328 | javafx/media | Update libFFI to 3.4.4 |
18 | JDK-8306918 | javafx/web | WebView: Update Public Suffix List to 88467c9 |
19 | JDK-8303748 | javafx/web | WebKit build fails with Visual Studio 2022 17.5.0 |
20 | JDK-8306329 | javafx/web | Update ICU4C to 73.1 |
21 | JDK-8310681 | javafx/web | Update WebKit to 616.1 |
22 | JDK-8313177 | javafx/web | Web Workers timeout with Webkit 616.1 |
23 | JDK-8314212 | javafx/web | Crash when loading cnn.com in WebView |
24 | JDK-8313711 | javafx/web | Cherry-pick WebKit 616.1 stabilization fixes |
25 | JDK-8313181 | javafx/web | Enabling modern media controls on webkit 616.1 does not load button images on HTML5 video Element |
26 | JDK-8144781 | javafx/window-toolkit | Assertion failure in debug build running any JavaFX program on Mac |
27 | JDK-8296452 | security-libs/javax.crypto | Solaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error |
28 | JDK-8236671 | security-libs/javax.crypto | NullPointerException in JKS keystore |
29 | JDK-8232950 | security-libs/javax.crypto:pkcs11 | SUNPKCS11 Provider incorrectly check key length for PSS Signatures. |
30 | JDK-8183107 | security-libs/javax.crypto:pkcs11 | PKCS11 regression regarding checkKeySize |