The following sections summarize changes made in all Java SE 8u51 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
|8067422||tools||javac||Lambda method names are unnecessarily unstable|
The full version string for this update release is 1.8.0_51-b16 (where "b" means "build"). The version number is 8u51.
This update release contains several enhancements and changes including the following:
JDK 8u51 contains IANA time zone data version 2015d. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u51 are specified in the following table:
|JRE Family Version||JRE Security Baseline (Full Version String)|
For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u51) will expire with the release of the next critical patch update scheduled for October 20, 2015.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u51) on November 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
Ephemeral DH keys less than 768 bits deactivated
Ephemeral DH keys less than 768 bits are deactivated in JDK. New algorithm restriction
DH keySize < 768 is added to Security Property
JDK-8076328 (not public).
Operating system's restricted environment (Native Sandbox)
JDK 8u51 introduced the following changes to Native Sandbox:
Native sandbox is available on Windows platform only.
Native sandbox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system's restricted environment (native sandbox) or by setting
deployment.security.use.native.sandbox property to true in
Native sandbox is disabled by default.
When native sandbox is enabled, the sandbox applets or web-start applications will run in a restricted environment, that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.
Native sandbox will be disabled for applications included the in Exception Site List (ESL) or when Deployment Rule Set (DRS) is used.
Sandbox applets deployed with HTML applet tag which includes all-permissions JAR files from the
Class-Path manifest attribute, will run in native sandbox.
In such cases, a special warning dialog will display, informing the user that the applet may not work properly, when such an applet tries to access the all-permission JAR files.
Custom preloader will be disabled in certain cases when native sandbox is enabled:
This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.
The following are some of the notable bug fixes included in this release:
Synopsis: Add new Comodo roots to root CAs
Four new root certificates have been added for Commodo:
1. COMODO ECC Certification Authority alias: comodoeccca DN: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 2. COMODO RSA Certification Authority alias: comodorsaca DN: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB 3. USERTrust ECC Certification Authority alias: usertrusteccca DN: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US 4. USERTrust RSA Certification Authority alias: usertrustrsaca DN: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
JDK-8077652 (not public)
Synopsis: Add new GlobalSign roots to root CAs
Two root certificates have been added for GlobalSign:
1. GlobalSign ECC Root CA - R4 alias: globalsigneccrootcar4 DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4 2. GlobalSign ECC Root CA - R5 alias: globalsigneccrootcar5 DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5
JDK-8077653 (not public)
Synopsis: Add Actalis to root CAs
Added one new root certificate:
Actalis Authentication Root CA alias: actalisauthenticationrootca DN: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT
JDK-8077651 (not public)
Synopsis: Add new Entrust ECC root
Added one new root certificate:
Entrust Root Certification Authority - EC1 alias: entrustrootcaec1 DN: CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
JDK-8072961 (not public)
Synopsis: Remove old Valicert Class 1 and 2 Policy roots
Removed two root certificates with 1024-bit keys:
1. ValiCert Class 1 Policy Validation Authority alias: secomvalicertclass1ca DN: EMAILADDRESSfirstname.lastname@example.org, CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network 2. ValiCert Class 2 Policy Validation Authority alias: valicertclass2ca DN: EMAILADDRESSemail@example.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network
JDK-8077354 (not public)
Synopsis: Remove old Thawte roots
Removed two root certificates with 1024-bit keys:
1. Thawte Server CA alias: thawteserverca DN: EMAILADDRESSfirstname.lastname@example.org, CN=Thawte Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA 2. Thawte Personal Freemail CA alias: thawtepersonalfreemailca DN: EMAILADDRESSemail@example.com, CN=Thawte Personal Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA
JDK-8073271 (not public)
Synopsis: Remove more old Verisign, Equifax, and Thawte roots
Removed five root certificates with 1024-bit keys:
1. Verisign Class 3 Public Primary Certification Authority - G2 alias: verisignclass3g2ca DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US 2. Thawte Premium Server CA alias: thawtepremiumserverca DN: EMAILADDRESSfirstname.lastname@example.org, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA 3. Equifax Secure Certificate Authority alias: equifaxsecureca DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US 4. Equifax Secure eBusiness CA-1 alias: equifaxsecureebusinessca1 DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US 5. Equifax Secure Global eBusiness CA-1, alias: equifaxsecureglobalebusinessca1 DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
JDK-8075091 (not public)
Synopsis: Remove TrustCenter CA roots from cacerts
Removed three root certificates:
1. TC TrustCenter Universal CA I alias: trustcenteruniversalcai DN: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, O=TC TrustCenter GmbH, C=DE 2. TC TrustCenter Class 2 CA II alias: trustcenterclass2caii DN: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC TrustCenter GmbH, C=DE 3. TC TrustCenter Class 4 CA II alias: trustcenterclass4caii DN: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC TrustCenter GmbH, C=DE
JDK-8071699 (not public)
Synopsis: Deprecate RC4 in SunJSSE provider
RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property,
jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list.
JDK-8043201 (not public)
Synopsis: Prohibit RC4 cipher suites
RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods.
JDK-8043202 (not public)
Synopsis: Improved certification checking
With this fix, JSSE endpoint identification does not perform reverse name lookup for IP addresses by default in JDK.
If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounter endpoint identification compatibility issue, System property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks.
JDK-8067694 (not public)
|JDK-8071668||client-libs||java.awt||[macosx] Clipboard does not work with 3rd parties Clipboard Managers|
|JDK-8077685||core-libs||java.util:i18n||(tz) Support tzdata2015d|
|JDK-8075602||deploy||Applet throws java.security AccessControlException in java console when playing it|
|JDK-8079223||deploy||unnecessary performance degradation caused by fix to JDK-8052111|
|JDK-8069161||deploy||plugin||Slow cache performance since JRE 7u06|
|JDK-8076343||deploy||plugin||JNLP property apple.laf.useScreenMenuBar no longer treated as secure for Mac OS|
|JDK-8071897||deploy||webstart||JRE 8U25 and 8u31 b32 cannot launch Java Web Start with proxy pac but works fine for 7u67|
|JDK-8078815||deploy||webstart||Launching of jnlp app fails with JNLPException|
|JDK-8035938||hotspot||jvmti||Memory leak in JvmtiEnv::GetConstantPool|
|JDK-8064546||security-libs||javax.crypto||CipherInputStream throws BadPaddingException if stream is not fully read|
|JDK-8078439||security-libs||org.ietf.jgss||SPNEGO auth fails if client proposes MS krb5 OID|
|JDK-8073357||xml||jaxb||schema1.xsd has wrong content. Sequence of the enum values has been changed|
|JDK-8073385||xml||jaxp||Bad error message on parsing illegal character in XML attribute|
|JDK-8074297||xml||jaxp||substring in XSLT returns wrong character if string contains supplementary chars|
Synopsis: Java issue with Firefox 38, long delay with MyD loading
Java Plugin is unable to obtain proxy settings from Firefox 38 due to a bug in Mozilla framework. It may cause a long delay during RIA start up or can even cause start up failures. See the related issue:
According to Mozilla, Firefox 39 will contain a fix for this problem.
JDK-8081459 (not public)
Synopsis: JNLP files won't launch from IE11 on Windows 10 Creators Update
Web-start applications cannot be launched when clicking JNLP link from IE 11 on Windows 10 Creators Update when 64-bit JRE is installed. Workaround is to uninstall 64-bit JRE and use only 32-bit JRE.