October 16, 2018
The full version string for this update release is 1.8.0_191-b12 (where "b" means "build"). The version number is 8u191.
JDK 8u191 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u191 are specified in the following table:
|JRE Family Version||JRE Security Baseline |
(Full Version String)
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u191) will expire with the release of the next critical patch update scheduled for January 15, 2019.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u191) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.
On x86/x64 Linux, the toolchain used to build the JDK has been upgraded from GCC 4.3 to GCC 7.3.
Manually linking the Java plugin libraries to the Mozilla plugins directory may cause the Firefox browser to crash on Linux during startup, due to incompatibilities with
glibc versions in JDK 8u191 and later. The crash can also occur if the link was manually created for an earlier JRE and a user updates to JDK 8u191 or later.
The error might be similar to the following:
/usr/lib64/firefox/firefox: symbol lookup error: /etc/alternatives/jre-1.8.0_64/jre1.8.0_221-amd64/lib/amd64/libnpjp2.so:
To work around this issue, remove any symbolic link to
libnpjp2.so present in the following directories:
Note that Firefox no longer supports the interface, NPAPI, which is required to run Java applets. The symbolic link is not required to run Java.
The file system location in Windows for the
usagetracker.properties file has been moved from
There is no change in the file path for Linux, Solaris, or macOS.
DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the
jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the
jdk.tls.disabledAlgorithms security property in the
java.security file or by dynamically calling the
Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the
Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the
jdk.tls.disabledAlgorithms security property.
The following Symantec root certificates are no longer in use and have been removed:
DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
DN: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DN: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
DN: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
The following Baltimore CyberTrust Code Signing root certificate is no longer in use and has been removed:
DN: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE
The following SECOM root certificate is no longer in use and has been removed:
DN: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP
The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:
The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:
In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:
This count overrides any other automatic CPU detection logic in the JVM.
Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:
These options replace the deprecated Fraction forms (
This bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.
The specification of
javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.
The following are some of the notable bug fixes included in this release:
Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ) may encounter an exception when establishing the connection.
The top most frames from Exception stack traces of applications encountering such issues might resemble the following:
javax.naming.ServiceUnavailableException: <server:port>; socket closed
at com.sun.jndi.ldap.Connection.readReply(Unknown Source)
at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
In this release, the behavior of methods which application code uses to set request properties in
java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling
HttpURLConnection.setInstanceFollowRedirects(false) for the original request.
This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. For a more complete list of the bug fixes included in this release, see the JDK 8u191 Bug Fixes page.