JDK 8u401 Release Notes

Java SE 8u401 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u401 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.


Changes in Java SE 8u401 b35

Bug Fixes

Release date: April 3, 2024
BugId Category Subcategory Summary
JDK-8326643 security-libs JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message


Changes in Java SE 8u401 b34

Bug Fixes

Release date: March 14, 2024
BugId Category Subcategory Summary
JDK-8325580 (not public) install install Remove "alternatives --remove" call from Java rpm installer


Changes in Java SE 8u401 b33

Bug Fixes

Release date: February 22, 2024
BugId Category Subcategory Summary
JDK-8309374 javafx accessibility Accessibility Focus Rectangle on ListItem is not drawn when ListView is shown for first time
JDK-8311492 javafx graphics FontSmoothingType LCD produces wrong color when transparency is used
JDK-8325150 core-libs java.time (tz) Update Timezone Data to 2024a


Changes in Java SE 8u401 b32

Bug Fixes

Release date: February 5, 2024
BugId Category Subcategory Summary
JDK-8227277 hotspot jvmti HeapInspection::find_instances_at_safepoint walks dead objects
JDK-8322725 core-libs java.time (tz) Update Timezone Data to 2023d


Changes in Java SE 8u401 b31

Bug Fixes

Release date: January 16, 2024
BugId Category Subcategory Summary
JDK-8284544 javafx accessibility [Win] Name-Property of Spinner cannot be changed
JDK-8319727 other-libs corba:idl Harden BufferManagerReadStream underflow logic

Java™ SE Development Kit 8, Update 401 (JDK 8u401)

January 16, 2024

The full version string for this update release is 8u401-b10 (where "b" means "build"). The version number is 8u401.


IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.


Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u401 are specified in the following table:

Java Family Version Security Baseline (Full Version String)


Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u401) be used after the next critical patch update scheduled for April 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider using Java Management Service (JMS).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u401) on 2024-05-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

 New System Property to Toggle XML Signature Secure Validation Mode (JDK-8301260)

A new system property named has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.

Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.

 JDK Flight Recorder Event for Deserialization (JDK-8261160)

A new JDK Flight Recorder (JFR) event has been added to monitor deserialization of objects. When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named java/deserialization, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object.

The new Deserialization Event captures:

  • Whether a serialization filter is configured or not.
  • The serialization filter status, if one is configured.
  • The class of the object being deserialized.
  • The number of array elements when deserializing an array.
  • The current graph depth.
  • The current number of object references.
  • The current number of bytes in the stream that have been consumed.
  • The exception type and message, if thrown by the serialization filter.

Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.


Known Issues

 Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))

When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].


Other Notes

 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).

 Added Four Root Certificates from DigiCert, Inc. (JDK-8318759)

The following root certificates have been added to the cacerts truststore:

+ DigiCert, Inc.

  + digicertcseccrootg5
    DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicertcsrsarootg5
    DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlseccrootg5
    DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlsrsarootg5
    DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

 Added Three Root Certificates from eMudhra Technologies Limited (JDK-8319187)

The following root certificates have been added to the cacerts truststore:

+ eMudhra Technologies Limited

  + emsignrootcag1
    DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsigneccrootcag3
    DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsignrootcag2
    DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

 Added Telia Root CA v2 Certificate (JDK-8317373)

The following root certificate has been added to the cacerts truststore:

+ Telia Root CA v2

  + teliarootcav2
    DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI

 Added ISRG Root X2 CA Certificate from Let's Encrypt (JDK-8317374)

The following root certificate has been added to the cacerts truststore:

+ Let's Encrypt

  + letsencryptisrgx2
    DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US

 Call X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)

The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .


Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u401 release:

# BugId Component Summary
1JDK-8286481client-libs/java.awtException printed to stdout on Windows when storing transparent image in clipboard
2JDK-6176679client-libs/java.awtApplication freezes when copying an animated gif image to the system clipboard
3JDK-8153090client-libs/javax.swingTAB key cannot change input focus after the radio button in the Color Selection dialog
4JDK-8313657core-libs/javax.namingcom.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors
5JDK-8314063core-libs/javax.namingThe socket is not closed in Connection::createSocket when the handshake failed for LDAP connection
6JDK-8302577docs/guidesUpdate JSSE Guide for JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit
7JDK-8283441hotspot/compilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
8JDK-8059735hotspot/compilermake_not_entrant_or_zombie sees zombies
9JDK-8075922hotspot/compilerassert(t == t_no_spec) fails in phaseX.cpp
10JDK-8067247hotspot/compilerCrash: assert(method_holder->data() == 0 ...) failed: a) MT-unsafe modification of inline cache
11JDK-8086053hotspot/compilerAddress inconsistencies regarding ZeroTLAB
12JDK-8169177hotspot/gcaarch64: SIGSEGV when "-XX:+ZeroTLAB" is specified along with GC options
13JDK-8149343hotspot/gcassert(rp->num_q() == no_of_gc_workers) failed: sanity
14JDK-8316906hotspot/gcClarify TLABWasteTargetPercent flag
15JDK-8032223hotspot/jvmtinsk/regression/b4663146 gets assert(SafepointSynchronize::is_at_safepoint() || JvmtiEnv::is_thread_fully_suspended(get_thread(), false, &debug_bits))
16JDK-8165496hotspot/jvmtiassert(_exception_caught == false) failed: _exception_caught is out of phase
17JDK-8193386hotspot/runtimeCompressedClassSize too large with MaxMetaspace
18JDK-8194246hotspot/runtimeJVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class
19JDK-8163146hotspot/runtimeRemove os::check_heap on Windows
20JDK-8227815hotspot/svcMinimal VM: set_state is not a member of AttachListener
21JDK-8313856javafx/graphicsReplace VLA with malloc in pango
22JDK-8317508javafx/mediaProvide media support for libavcodec version 60
23JDK-8313900javafx/mediaPossible NULL pointer access in NativeAudioSpectrum and NativeVideoBuffer
24JDK-8311097javafx/webSynchron XMLHttpRequest not receiving data
25JDK-8315074javafx/window-toolkitPossible null pointer access in native glass
26JDK-8315958javafx/window-toolkitMissing range checks in GlassPasteboard
27JDK-8315657javafx/window-toolkitApplication window not activated in macOS 14 Sonoma
28JDK-8319066javafx/window-toolkitApplication window not always activated in macOS 14 Sonoma
29JDK-8320597security-libs/java.securityRSA signature verification fails on signed data that does not encode params correctly
30JDK-8302017security-libs/java.securityAllocate BadPaddingException only if it will be thrown
31JDK-8284910security-libs/javax.securityBuffer clean in PasswordCallback