java

Release Notes for JDK 8 and JDK 8 Update Releases

This page contains all of the release notes for General Availability (GA) releases and Bundled Patch Release (BPR) builds of JDK 8.

Consolidated Release Notes for JDK 8 and JDK 8 Update Releases

BPR builds are available only as commercial offerings to Oracle customers. They include fixes critical to customers that could not wait until the next scheduled release. Fixes introduced on BPRs are added to later GA releases.

  • JDK 8u231 (GA and BPR builds)
  • JDK 8u221 (GA and BPR builds)
  • JDK 8u212 (GA and BPR builds)
  • JDK 8u211 (GA)
  • JDK 8u202 (GA and BPR builds)
  • JDK 8u201 (GA)
  • JDK 8u192 (GA and BPR builds)
  • JDK 8u191 (GA)
  • JDK 8u181 (GA and BPR builds)
  • JDK 8u172 (GA and BPR builds)
  • JDK 8u171 (GA)
  • JDK 8u162 (GA and BPR builds)
  • JDK 8u161 (GA)
  • JDK 8u152 (GA and BPR builds)
  • JDK 8u151 (GA)
  • JDK 8u144 (GA and BPR builds)
  • JDK 8u141 (GA and BPR builds)
  • JDK 8u131 (GA and BPR builds)
  • JDK 8u121 (GA and BPR builds)
  • JDK 8u112 (GA and BPR builds)
  • JDK 8u111 (GA)
  • JDK 8u102 (GA and BPR builds)
  • JDK 8u101 (GA)
  • JDK 8u92 (GA and BPR builds)
  • JDK 8u91 (GA)
  • JDK 8u77 (GA and BPR builds)
  • JDK 8u74 (GA and BPR builds)
  • JDK 8u72 (GA and BPR builds)
  • JDK 8u73 (GA)
  • JDK 8u71 (GA)
  • JDK 8u66 (GA and BPR builds)
  • JDK 8u65 (GA)
  • JDK 8u60 (GA and BPR builds)
  • JDK 8u51 (GA and BPR builds)
  • JDK 8u45 (GA and BPR builds)
  • JDK 8u40 (GA and BPR builds)
  • JDK 8u31 (GA and BPR builds)
  • JDK 8u25 (GA and BPR builds
  • JDK 8u20 (GA and BPR builds)
  • JDK 8u11 (GA and BPR builds)
  • JDK 8u5 (GA and BPR builds)
  • JDK 8 (GA)

Java™ SE Development Kit 8, Update 441 Enterprise Performance Pack (JDK 8u441-PERF)

Release date: January 21, 2025

The full version string for this update release is 1.8.0_441-perf-b09 (where "b" means "build"). The version number is 1.8.0_441-perf.

 

IANA TZ Data 2024b

JDK 8u441 contains IANA time zone data 2024b which contains the following changes since the previous update.

  • Improve historical data for Mexico, Mongolia, and Portugal.
  • System V names are now obsolescent.
  • The main data form now uses %z.
  • The code now conforms to RFC 8536 for early timestamps.
  • Support POSIX.1-2024, which removes asctime_r and ctime_r.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u441 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
81.8.0_441-perf-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u441) be used after the next critical patch update scheduled for April 15, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u441) on 2025-05-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

Other Notes

core-svc/java.lang.management
 The ClassLoadingMXBean and MemoryMXBean isVerbose Methods Are Now Consistent with Their setVerbose Methods (JDK-8338139)

The ClassLoadingMXBean::setVerbose(boolean enabled) method will set class+load* logging on log output stdout to level info if enabled is true, and to level off otherwise. In contrast, the isVerbose method would check if exactly class+load logging was enabled at the info level on _any_ log output. This could result in counter-intuitive behavior when logging class+load=info to a file via the command-line, as it caused isVerbose to return true, even after a call to setVerbose(false) had been made. A similar problem existed for the MemoryMXBean::isVerbose method. Starting with this release, the behavior is as follows:

  • ClassLoadingMXBean::isVerbose will return true only if class+load* logging (note the wildcard use) has been enabled at the `info` level (or above) on the stdout log output.
  • MemoryMXBean::isVerbose will return true only if gc logging has been enabled at the info level (or above) on the stdout log output.

 

Changes in Java SE 8u441-Perf

Bug Fixes

JDK 8u441 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8337066hotspot/compilerRepeated call of StringBuffer.reverse with double byte string returns wrong result
2JDK-8335709hotspot/compilerC2: assert(!loop->is_member(get_loop(useblock))) failed: must be outside loop
3JDK-8315988hotspot/gcParallel: Make TestAggressiveHeap use createTestJvm
4JDK-8338389hotspot/jfr[JFR] Long strings should be added to the string pool
5JDK-8319818hotspot/runtimeAddress GCC 13.2.0 warnings (stringop-overflow and dangling-pointer)
6JDK-8340387hotspot/runtimeUpdate OS detection code to recognize Windows Server 2025
7JDK-8337410hotspot/testThe makefiles should set problemlist and adjust timeout basing on the given VM flags

Java™ SE Development Kit 8, Update 441 (JDK 8u441)

Release date: January 21, 2025

The full version string for this update release is 1.8.0_441-b07 (where "b" means "build"). The version number is 8u441. This JDK conforms to version 8.6 of the Java SE Specification (JSR 337 MR 6 2024-07-02).

 

IANA TZ Data 2024b

JDK 8u441 contains IANA time zone data 2024b which contains the following changes since the previous update.

  • Improve historical data for Mexico, Mongolia, and Portugal.
  • System V names are now obsolescent.
  • The main data form now uses %z.
  • The code now conforms to RFC 8536 for early timestamps.
  • Support POSIX.1-2024, which removes asctime_r and ctime_r.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u441 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
81.8.0_441-b07

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u441) be used after the next critical patch update scheduled for April 15, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u441) on 2025-05-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

JavaFX Will No Longer Be Included in JDK/JRE 8

This release, JDK and JRE 8 update 441, is the last release to bundle JavaFX. As announced in 2020, support for JavaFX on JDK 8, the last commercially supported version of JavaFX from Oracle, will end in March 2025. Accordingly, JDK 8 update 441 is the last upgrade of JDK/JRE 8 with JavaFX. Oracle continues to develop and release JavaFX as stand-alone modules via the OpenJFX project for the latest versions of Java only. For more details see the Java SE Spring 2024 Roadmap Update. Please contact Oracle Sales if you have any additional needs.

 

Other Notes

core-libs/java.lang
 ProcessBuilder on Windows Quotes Argument Strings Containing Any Space Character (JDK-8335428 (not public))

On Windows, the ProcessBuilder has expanded the quoting of argument strings when starting a process to ensure they are recognized by the application as a single command argument. The set of space characters has been expanded from space (0x20) to include all space characters as defined by java.lang.Character.isSpaceChar, which includes all Unicode space separator characters, such as EN-SPACE (0x2002), and line separator and paragraph separator characters.

core-libs/java.time
 Support for Time Zone Database 2024b (JDK-8339637)

IANA Time Zone Database has been upgraded to 2024b. This version mainly includes changes to improve historical data for Mexico, Mongolia, and Portugal. It also changes one timestamp abbreviation, for the time zone 'MET'. Also Asia/Choibalsan is now an alias for Asia/Ulaanbaatar.

The new tzdata changes also impact some legacy time zone IDs. As per 2024b changes "EST" links to "America/Panama", "HST" links to "Pacific/Honolulu" and "MST" links to "America/Phoenix". To maintain compatibility with the Java SE specification, the java.time.ZoneId.SHORT_IDS Map has not changed. Further details are available at JDK-8342331

 

Updates to Third Party Libraries

Library New Version Module JBS
Pipewire 0.3.68 java.desktop JDK-8280982
Sparkle 2.6.4 JDK-8342000 (not public)
GStreamer 1.24.6 javafx.media JDK-8336940
Glib 2.80.4 javafx.media JDK-8336939
libFFI 3.4.6 javafx.media JDK-8336938
libxslt 1.1.42 javafx.web JDK-8336941

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u441 release:

# BugId Component Summary
1JDK-8280993client-libs/java.awt[XWayland] Popup is not closed on click outside of area controlled by XWayland
2JDK-8309756client-libs/java.awt Occasional crashes with pipewire screen capture on Wayland
3JDK-8313697client-libs/java.awt[XWayland][Screencast] consequent getPixelColor calls are slow
4JDK-8331011client-libs/java.awt[XWayland] TokenStorage fails under Security Manager
5JDK-8321176client-libs/java.awt[Screencast] make a second attempt on screencast failure
6JDK-8280994client-libs/java.awt[XWayland] Drag and Drop does not work in java -> wayland app direction
7JDK-8158380client-libs/java.awt[macosx] Regression: java/awt/List/ActionEventTest/ActionEventTest.java
8JDK-8215921client-libs/java.awtThere is no change when select different Foreground and Background by mouse.
9JDK-8014503client-libs/java.awtAWT Choice implementation should be made consistent across platforms.
10JDK-8280982client-libs/java.awt[Wayland] [XWayland] java.awt.Robot taking screenshots
11JDK-8329667client-libs/javax.accessibility[macos] Issue with JTree related fix for JDK-8317771
12JDK-8319103client-libs/javax.swingPopups that request focus are not shown on Linux with Wayland
13JDK-8079841core-libs/java.util.jarBuffer underflow with empty zip entry names
14JDK-8219448hotspot/compilersplit-if update_uses accesses stale idom data
15JDK-8340387hotspot/runtimeUpdate OS detection code to recognize Windows Server 2025
16JDK-8338701javafx/mediaProvide media support for libavcodec version 61
17JDK-8337481javafx/webFile API: file.name contains path instead of name
18JDK-8340208javafx/webAdditional WebKit 619.1 fixes from WebKitGTK 2.44.4
19JDK-8334124javafx/webRendering issues with CSS "text-shadow" in WebView
20JDK-8328723security-libs/java.securityIP Address error when client enables HTTPS endpoint check on server socket

Java SE 8u431 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u431 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u431 b31

Bug Fixes

Release date: October 15, 2024
BugId Category Subcategory Summary
JDK-8215757 hotspot compiler C2: PhaseIdealLoop::create_new_if_for_predicate() computes wrong IDOM
JDK-8219448 hotspot compiler split-if update_uses accesses stale idom data

Java™ SE Development Kit 8, Update 431 Enterprise Performance Pack (JDK 8u431-PERF)

Release date: October 15, 2024

The full version string for this update release is 1.8.0_431-perf-b11 (where "b" means "build"). The version number is 1.8.0_431-perf.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u431 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
81.8.0_431-perf-b11

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u431) be used after the next critical patch update scheduled for January 21, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u431) on 2025-02-21. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/java.security
 Thread and Timestamp Options for java.security.debug System Property (JDK-8051959)

The java.security.debug system property now accepts arguments which add thread ID, thread name, caller information, and timestamp information to debug statements for all components or a specific component.

+timestamp can be appended to debug options to print a timestamp for that debug option. +thread can be appended to debug options to print thread and caller information for that debug option.

Examples: -Djava.security.debug=all+timestamp+thread adds timestamp and thread information to every debug statement generated.

-Djava.security.debug=properties+timestamp adds timestamp information to every debug statement generated for the properties component.

You can also specify -Djava.security.debug=help which will display a complete list of supported components and arguments.

See Printing Thread and Timestamp Information for more information.

 

Notable Issues Fixed

install/install
 JDK RPM Upgrade Leaves Orphan Alternatives Entry (JDK-8336107 (not public))

Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.

Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}), results in the older Java entries in the "java" and "javac" groups not being deleted.

The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java or keytool without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.

Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.

 

Other Notes

security-libs/java.security
 Added SSL.com TLS Root CA Certificates Issued in 2022 (JDK-8341057)

The following root certificates have been added to the cacerts truststore:

+ SSL.com

  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

client-libs
 Relax the java.awt.Robot Specification (JDK-8307779)

This JDK release relaxes the specification of java.awt.Robot to account for possible platform and desktop environment access restrictions or limitations.

core-libs/java.text
 MessageFormat ArgumentIndex Now Has a Limit (JDK-8331446 (not public))

In the JDK, java.text.MessageFormat now has an implementation limit for the ArgumentIndex pattern element. The hard limit for the value is 10,000.

If an ArgumentIndex value is equal to or exceeds the upper limit, an IllegalArgumentException will now be thrown by

  • MessageFormats constructors
  • applyPattern(String pattern) instance method
  • format(String pattern, Object... arguments) static method

De-serializing a MessageFormat object with an ArgumentIndex value at or over the limit will throw an InvalidObjectException.

tools/launcher
 Available Locales Information Now Listed with -XshowSettings:locale Option (JDK-8310201)

The showSettings launcher option no longer prints available locales information by default, when -XshowSettings is used. The -XshowSettings:locale option will continue to print all settings related to available locales.

core-libs/java.net
 New Default Limits in the JDK HTTP Implementations (JDK-8328286 (not public))

New, default limits have been added to HTTP in the JDK.

The JDK built-in implementation of the URL protocol handler for HTTP (HttpURLConnection) now has a default limit on the maximum response headers size that will be accepted from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.

The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize system property on the command line, or in the conf/net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The JDK built-in implementation of the com.sun.net.httpserver.HttpServer implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.

 

Changes in Java SE 8u431-Perf

Bug Fixes

JDK 8u431 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8005885hotspot/compilerenhance PrintCodeCache to print more data
2JDK-8329126hotspot/compilerNo native wrappers generated anymore with -XX:-TieredCompilation after JDK-8251462

Java™ SE Development Kit 8, Update 431 (JDK 8u431)

Release date: October 15, 2024

The full version string for this update release is 1.8.0_431-b10 (where "b" means "build"). The version number is 8u431.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u431 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
81.8.0_431-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u431) be used after the next critical patch update scheduled for January 21, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u431) on 2025-02-21. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

Notable Issues Resolved

install/install
 JDK RPM Upgrade Leaves Orphan Alternatives Entry (JDK-8336107 (not public))

Fixed the issue with entries in the "java" and "javac" groups not being properly managed during an RPM upgrade.

Upgrading from an older Java RPM installed into a shared directory (/usr/lib/jvm/jdk-${FEATURE}-oracle-${ARCH}) to a Java RPM installing into a version-specific directory (/usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}), results in the older Java entries in the "java" and "javac" groups not being deleted.

The issue does not manifest until the new Java is uninstalled. When it is uninstalled and Java from the lower release is installed, running Java commands like java or keytool without the full path specified will result in the "command not found" error. For example, install 21.0.3; upgrade it to 21.0.4; uninstall 21.0.4; install any Java update of 17 or 11 or 8 release; run "java" from the command line. The command will fail with the "command not found" error.

Manually delete orphan Java entries in the "java" and "javac" groups to workaround the issue.

 

Other Notes

core-libs/java.net
 New Default Limits in the JDK HTTP Implementations (JDK-8328286 (not public))

New, default limits have been added to HTTP in the JDK.

The JDK built-in implementation of the URL protocol handler for HTTP (HttpURLConnection) now has a default limit on the maximum response headers size that will be accepted from a remote party. The limit is set by default at 384kB (393216 bytes) and is computed as the cumulative size of all header names and header values plus an overhead of 32 bytes per header name value pair.

The default value of the limit can be changed by specifying a positive value with the jdk.http.maxHeaderSize system property on the command line, or in the conf/net.properties file. A negative or zero value is interpreted as no limit. If the limit is exceeded, the request will fail with a protocol exception.

The JDK built-in implementation of the com.sun.net.httpserver.HttpServer implements a similar limit for the maximum request header size the server is prepared to accept. The HttpServer limit can be changed by specifying a positive value with the sun.net.httpserver.maxReqHeaderSize system property on the command line. A negative or zero value is interpreted as no limit. The limit is set by default at 384kB (393216 bytes) and the size is computed in the same way as explained above. If the limit is exceeded, the connection is closed.

security-libs/java.security
 Added SSL.com TLS Root CA Certificates Issued in 2022 (JDK-8341057)

The following root certificates have been added to the cacerts truststore:

+ SSL.com

  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US

security-libs/javax.net.ssl
 Disabled TLS_ECDH Cipher Suites (JDK-8279164)

The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLS_ECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLS_ECDH_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.

Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.

security-libs/javax.net.ssl
 Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024 (JDK-8337664)

The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048),

OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11
Distinguished Name SHA-256 Fingerprint
CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US

73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C

CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5

CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39

CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US

DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88

CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net

6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77

CN=AffirmTrust Commercial, O=AffirmTrust, C=US

03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7

CN=AffirmTrust Networking, O=AffirmTrust, C=US

0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0B4:1B

CN=AffirmTrust Premium, O=AffirmTrust, C=US

70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A

CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US

BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server.

client-libs
 Relax the java.awt.Robot Specification (JDK-8307779)

This JDK release relaxes the specification of java.awt.Robot to account for possible platform and desktop environment access restrictions or limitations.

core-libs/java.lang
 System Property for Java SE Specification Maintenance Version (JDK-8335224)

This JDK implements Maintenance Release 6 of the Java SE 8 specification JSR 337. This is indicated by the system property java.specification.maintenance.version having the value of "6".

core-libs/java.text
 MessageFormat ArgumentIndex Now Has a Limit (JDK-8331446 (not public))

In the JDK, java.text.MessageFormat now has an implementation limit for the ArgumentIndex pattern element. The hard limit for the value is 10,000.

If an ArgumentIndex value is equal to or exceeds the upper limit, an IllegalArgumentException will now be thrown by

  • MessageFormats constructors
  • applyPattern(String pattern) instance method
  • format(String pattern, Object... arguments) static method

De-serializing a MessageFormat object with an ArgumentIndex value at or over the limit will throw an InvalidObjectException.

install/uninstall
 The Java Uninstall Tool will repair the Windows registry (JDK-8343761 (not public))

There are some scenarios where upgrading from a JRE version 8u361 or below to a newer JRE version of Java 8 may break some of the Windows registry keys for the Java Runtime Environment. The Java Uninstall Tool will repair such situations, regardless if a JRE is selected for uninstall or not.

 

Updates to Third Party Libraries

Library New Version Module JBS
GIFlib 5.2.2 JDK-8328999
Libpng 1.6.43 JDK-8329004
Libxml2 2.12.17 JDK-8332539
WebKit 619.1 JDK-8328994

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u431 release:

# BugId Component Summary
1JDK-8325179client-libs/javax.swingRace in BasicDirectoryModel.validateFileCache
2JDK-8328953client-libs/javax.swingJEditorPane.read throws ChangedCharSetException
3JDK-8330415core-libs/java.langUpdate system property for Java SE specification maintenance version
4JDK-8267938core-libs/java.net(sctp) SCTP channel factory methods should check platform support
5JDK-8299058core-libs/java.netAssertionError in sun.net.httpserver.ServerImpl when connection is idle
6JDK-8332424core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-05-16
7JDK-8334418core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-06-14
8JDK-8334653core-libs/java.util:i18nISO 4217 Amendment 177 Update
9JDK-8337230docs/guidesUpdate JSSE security and system properties in Customizing JSSE
10JDK-8202948hotspot/compilerC2: assert(init_offset >= 0) failed: positive offset from object start
11JDK-8330462javafx/accessibilityStringIndexOutOfBoundException when typing anything into TextField
12JDK-8331881javafx/webWebView: Update Public Suffix List to 1cbd6e7
13JDK-8329011javafx/webUpdate SQLite to 3.45.3
14JDK-8338306javafx/webWebView Drag and Drop fails with WebKit 619.1
15JDK-8338307javafx/webAdditional WebKit 619.1 fixes from WebKitGTK 2.44.3
16JDK-8331765javafx/webWebsocket callbacks are not executed after WebKit 617.1 update
17JDK-8261433security-libs/javax.crypto:pkcs11Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit
18JDK-8219991security-libs/javax.net.sslNew fix of the deadlock in sun.security.ssl.SSLSocketImpl
19JDK-8341059security-libs/javax.net.sslChange Entrust TLS distrust date to November 12, 2024

Java SE 8u421 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u421 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u421 b34

Bug Fixes

Release date: August 23, 2024
BugId Category Subcategory Summary
JDK-8336952 (not public) install jre msi installer can fail if run after using MSI Advertise option

 

Changes in Java SE 8u421 b33

Bug Fixes

Release date: August 12, 2024
BugId Category Subcategory Summary
JDK-8336107 (not public) install JDK rpm upgrade from 11.0.23 to 11.0.25 leaves "orphan" alternatives entry

 

Changes in Java SE 8u421 b32

Bug Fixes

Release date: July 16, 2024
BugId Category Subcategory Summary
JDK-8331765 javafx web Websocket callbacks are not executed after WebKit 617.1 update
JDK-8333859 core-libs java.util.jar Pack200.newUnpacker().unpack() throws IOException
JDK-8333447 (not public) install install "alternatives" uninstallation results into intermittent “Java not available” issues

Java SE 8u421 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u421 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u421-Perf b31

Bug Fixes

Release date: July 16, 2024
BugId Category Subcategory Summary
JDK-8333859 core-libs java.util.jar Pack200.newUnpacker().unpack() throws IOException

Java™ SE Development Kit 8, Update 421 Enterprise Performance Pack (JDK 8u421-PERF)

Release date: July 16, 2024

The full version string for this update release is 8u421-perf-b07 (where "b" means "build"). The version number is 8u421-perf.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u421 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u421-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u421) be used after the next critical patch update scheduled for October 15, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u421) on 2024-11-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

Other Notes

security-libs/java.security
 Added GlobalSign R46 and E46 Root CA Certificates (JDK-8316138)

The following root certificates have been added to the cacerts truststore:

+ GlobalSign

  + globalsignr46
    DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE

+ GlobalSign
  + globalsigne46
    DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE

security-libs/javax.net.ssl
 Disabled DTLS 1.0 (JDK-8256660)

DTLS 1.0 has been disabled by default, by adding "DTLSv1.0" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. DTLS 1.0 has weakened over time and lacks support for stronger cipher suites. Any attempts to use DTLSv1.0 will fail with an SSLHandshakeException. Users can, at their own risk, re-enable the version by removing "DTLSv1.0" from the jdk.tls.disabledAlgorithms security property.

 

Changes in Java SE 8u421-Perf

Bug Fixes

JDK 8u421 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8321599hotspot/compilerData loss in AVX3 Base64 decoding
2JDK-8310844hotspot/compiler[AArch64] C1 compilation fails because monitor offset in OSR buffer is too large for immediate
3JDK-8324050hotspot/compilerIssue store-store barrier after re-materializing objects during deoptimization
4JDK-8326638hotspot/compilerCrash in PhaseIdealLoop::remix_address_expressions due to unexpected Region instead of Loop
5JDK-8319372hotspot/compilerC2 compilation fails with "Bad immediate dominator info"
6JDK-8282414hotspot/compilerx86: Enhance the assembler to generate more compact instructions
7JDK-8298129hotspot/jfrLet checkpoint event sizes grow beyond u4 limit
8JDK-8298649hotspot/jfrJFR: RemoteRecordingStream support for checkpoint event sizes beyond u4
9JDK-8286740hotspot/jfrJFR: Active Setting event emitted incorrectly
10JDK-8326106hotspot/jfrWrite and clear stack trace table outside of safepoint
11JDK-8298472hotspot/runtimeAArch64: Detect Ampere-1 and Ampere-1A CPUs and set default options
12JDK-8278241hotspot/runtimeImplement JVM SpinPause on linux-aarch64
13JDK-8296437hotspot/runtimeNMT incurs costs if disabled
14JDK-8327036hotspot/runtime[macosx-aarch64] SIGBUS in MarkActivationClosure::do_code_blob reached from Unsafe_CopySwapMemory0
15JDK-8319048hotspot/runtimeMonitor deflation unlink phase prolongs time to safepoint
16JDK-8324933hotspot/runtimeConcurrentHashTable::statistics_calculate synchronization is expensive

Java™ SE Development Kit 8, Update 421 (JDK 8u421)

Release date: July 16, 2024

The full version string for this update release is 8u421-b09 (where "b" means "build"). The version number is 8u421.

 

IANA TZ Data 2024a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u421 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u421-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u421) be used after the next critical patch update scheduled for October 15, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u421) on 2024-11-15. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

install/install
 Adding Debug Log Files in macOS for Java Updater and JCP (JDK-8319745 (not public))

Debug log files for Java Updater and JCP have been added to the directory $HOME/Library/Application Support/Oracle/Java/Java Updater/ for macOS x64 and aarch64. Logs for Java Updater and JCP are separated into two log files: JavaUpdaterLog.txt and JCPUpdateLog.txt.

JavaUpdaterLog.txt is generated and logs debug lines if it does not already exist when Java Updater is run. Likewise, JCPUpdateLog.txt is generated and logs debug lines if it does not already exist when Java Control Panel is run.

If a log file already exists for Java Updater or JCP, the newly logged debug lines are appended at the end of the log file. Each log session has a header with a timestamp of when the application was run.

security-libs/java.security
 New Security Category for -XshowSettings Launcher Option (JDK-8281658)

The -XshowSettings launcher has a new security category. Settings from security properties, security providers and TLS related settings are displayed with this option. A security sub-category can be passed as an argument to the security category option. See the output from java -X:

   -XshowSettings:security

       show all security settings and continue
   -XshowSettings:security:*sub-category*
       show settings for the specified security sub-category and continue. Possible *sub-category* arguments for this option include:
       all: show all security settings and continue
       properties: show security properties and continue
       providers: show static security provider settings and continue
       tls: show TLS related security settings and continue

Third party security provider details will be reported if they are included in the application class path or module path and such providers are configured in the java.security file.

 

Known Issues

deploy/webstart
 Browser Keystore Usage on Windows (JDK-8330728 (not public))

On Windows, once the feature “Use certificates and keys in browser keystore” is enabled (which it is by default), Java WebStart and Java Plugin can access the certificates that are currently trusted by the local machine. There is no guarantee that the full list of trusted certificates is available, since the certificates are dynamically loaded. As a result, Java applets and Java WebStart applications might experience signature validation and secure connection issues caused by a lack of relevant certificates since the Deployment framework can only access the certificates that are 'active' at the time of an application's launch.

 

Notable Issues fixed

install
 No Default Java after 8u371 32-bit Upgrade (JDK-8306784)

To allow the java, javaw, and javaws executables to be run from any location, the JRE 8 Windows installers copy java.exe, javaw.exe, and javaws.exe helper files into the following directory:

C:\Program Files (x86)\Common Files\Oracle\Java\java8path

Also, the system PATH variable is updated to include this location.

These helper files are lightweight executables that launch the latest version installed. They pass any commandline arguments along to the real executables in the bin directory. They are not specificially tied to a version other than the FileVersion of the exe. The installers will leave the latest versions of the shims in this location until the last Java 8 is uninstalled.

Note: In 8u411 and later releases, the directory name was changed from "javapath" to "java8path" to ensure compatibility with newer JDK family versions.

 

Removed Features and Options

install/install
 Remove Obsolete Desktop Integration from Linux Installers (JDK-8322234 (not public))

Delete nonfunctional desktop integration functionality from Linux installers. The installers will stop depositing files in /usr/share/icons, /usr/share/mime, and /usr/share/applications subtrees.

 

Other Notes

install/install
 Adding the STATIC=1 Argument to the JRE Installer (JDK-8313223 (not public))

This fix will add the STATIC=1 installer argument and deprecating the RETAIN_ALL_VERSIONS=1 installer argument. Passing STATIC=1 will protect older JRE 8 versions from being uninstalled during a manual upgrade or an auto-update.

install/install
 Provide Transition RPM with Old Package Name "jdk1.8" (JDK-8323482 (not public))

The "Obsoletes" tag has been removed from "jdk-1.8" and "jre-1.8" RPM packages.

New stub "jdk1.8" and "jre1.8" RPM packages have been provided. These are the pre-8u371 names without a dash. These packages do not install any files, but require corresponding update releases for "jdk-1.8" and "jre-1.8" packages, the post-8u371 name with the dash, respectively.

Users who only have 8u371 or newer RPM packages installed do not need to use the new stub "jdk1.8" or "jre1.8" RPM packages, and will not be affected by this change.

Users who install the new stub "jdk1.8" package and would like to downgrade it to 8u361 or an older version, will need to first manually uninstall the "jdk-1.8" package before the downgrade to prevent the side-by-side installation of older and newer Java 8 JDK RPM packages. The same applies to the "jre1.8" and "jre-1.8" packages.

If the "jdk-1.8" package is stored in an RPM repository, maintainers of the repository need to place an additional stub "jdk1.8" package next to "jdk-1.8" in that RPM repository. The same applies to the "jre1.8" and "jre-1.8" packages.

Users who install the "jdk-1.8" package from something other than an RPM repository need to specify paths to the RPM files with "jdk1.8" and "jdk-1.8" packages in a single update command if they would like to upgrade from 8u361 or older "jdk1.8" package. The same applies to the "jre1.8" and "jre-1.8" packages.

security-libs/java.security
 Added GlobalSign R46 and E46 Root CA Certificates (JDK-8316138)

The following root certificates have been added to the cacerts truststore:

+ GlobalSign

  + globalsignr46
    DN: CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE

+ GlobalSign
  + globalsigne46
    DN: CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE

infrastructure/build
 Native Executables and Libraries on Linux Use RPATH Instead of RUNPATH (JDK-8326891)

Native executables and libraries on Linux have switched to using RPATH instead of RUNPATH in this release.

JDK native executables and libraries use embedded runtime search paths to locate other internal JDK native libraries. On Linux these can be defined as either RPATH or RUNPATH. The main difference is that the dynamic linker considers RPATH before the LD_LIBRARY_PATH environment variable, while RUNPATH is only considered after LD_LIBRARY_PATH.

By making the change to using RPATH, it is no longer possible to replace JDK internal native libraries using LD_LIBRARY_PATH.

install/install
 Install DEB and RPM Java Packages in Version Directory (JDK-8325265 (not public))

The installation directory name of the Oracle JDK in RPM and DEB packages has changed from /usr/lib/jvm/jdk-1.8-oracle-${ARCH} to /usr/lib/jvm/jdk-${VERSION}-oracle-${ARCH}.

The installation directory name of the Oracle JRE in RPM and DEB packages has changed from /usr/lib/jvm/jre-1.8-oracle-${ARCH} to /usr/lib/jvm/jre-${VERSION}-oracle-${ARCH}.

Every update release will be installed in a separate directory on Linux platforms.

Installers will create a /usr/java/jdk-1.8-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JDK8 version.

Installers will create a /usr/java/jre-1.8-oracle-${ARCH} link pointing to the installation directory to allow programs to find the latest JRE8 version.

install/install
 Installer Will Create a Junction Directory in a New Location (JDK-8329700 (not public))

The JRE will be installed in the following location, C:\Program Files\Java\jre$fullversion, where $fullversion is the technical version of the JRE. For instance, 8u421 will install into C:\Program Files\Java\jre1.8.0_421.

"C:\Program Files" will be adjusted to "C:\Program Files (x86)" for 32-bit Java.

For 64-bit installs, a junction will be created at C:\Program Files\Java\latest\jre-1.8. It will point to the latest 64-bit JRE of the Java 8 family.

For 32-bit installs, a junction will be created at C:\Program Files (x86)\Java\latest\jre-1.8. It will point to the latest 32-bit JRE of the Java 8 family.

This change of the JRE installation directories will also be reflected in the public JRE that is shipped with the JDK installer. Such changes were part of STATIC support implementation introduced in the 8u421 release.

 

Updates to Third Party Libraries

Library New Version Module JBS
ICU4C 74.2 javafx JDK-8324326
LCMS 2.16 java.desktop JDK-8321489
JPEG Image Decoding Software 9f java.desktop JDK-8324233
Zlib Data Compression Library 1.3.1 java.base JDK-8324632

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u421 release:

# BugId Component Summary
1JDK-8317771client-libs/javax.accessibility[macos14] Expand/collapse a JTree using keyboard freezes the application in macOS 14 Sonoma
2JDK-8296878client-libs/javax.swingDocument Filter attached to JPasswordField and setText("") is not cleared instead inserted characters replaced with unicode null characters
3JDK-8218917client-libs/javax.swingKeyEvent.getModifiers() returns inconsistent values for ALT keys
4JDK-8322239client-libs/javax.swing[macos] a11y : java.lang.NullPointerException is thrown when focus is moved on the JTabbedPane
5JDK-8318599core-libs/java.netHttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809
6JDK-8180310core-libs/java.rmi[testlibrary] TestSocketFactory null pointer when updating match bytes
7JDK-8324632core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.3.1
8JDK-8315117core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.3
9JDK-8318322core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-10-16
10JDK-8304761core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-03-22
11JDK-8302512core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-02-14
12JDK-8306031core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-04-13
13JDK-8308021core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-05-11
14JDK-8327631core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-03-07
15JDK-8313702core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2023-08-02
16JDK-8325029core-libs/javax.namingConnection.java now requires custom socket factories to implement javax.net.SocketFactory
17JDK-8285835hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work
18JDK-8287432hotspot/compilerC2: assert(tn->in(0) != __null) failed: must have live top node
19JDK-8197901hotspot/runtimeCrash during GC when logging level is debug
20JDK-8059924hotspot/runtimecom/sun/management/DiagnosticCommandMBean/DcmdMBeanPermissionsTest.java: assert(Universe::verify_in_progress() || !SafepointSynchronize::is_at_safepoint()) failed: invariant
21JDK-8329705javafx/accessibilityAdd missing Application thread checks to platform specific a11y methods
22JDK-8309374javafx/accessibilityAccessibility Focus Rectangle on ListItem is not drawn when ListView is shown for first time
23JDK-8311492javafx/graphicsFontSmoothingType LCD produces wrong color when transparency is used
24JDK-8324233javafx/graphicsUpdate JPEG Image Decoding Software to 9f
25JDK-8324326javafx/webUpdate ICU4C to 74.2
26JDK-8327177javafx/window-toolkitmacOS: wrong GlobalRef deleted in GlassMenu
27JDK-8326643security-libs/java.securityJDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message
28JDK-8312383security-libs/javax.net.sslLog X509ExtendedKeyManager implementation class name in TLS/SSL connection
29JDK-8247907security-libs/javax.xml.cryptoXMLDsig logging does not work
30JDK-8303809security-libs/org.ietf.jgssDispose context in SPNEGO NegotiatorImpl

Java SE 8u411 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u411 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u411 b32

Bug Fixes

Release date: June 10, 2024

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 8, Update 411 Enterprise Performance Pack (JDK 8u411-PERF)

Release date: April 16, 2024

The full version string for this update release is 8u411-perf-b08 (where "b" means "build"). The version number is 8u411-perf.

 

IANA TZ Data 2024a

JDK 8u411 contains IANA time zone data 2024a which contains the following changes:

  • Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
  • Vostok, Antarctica changed time zones on 2023-12-18.
  • Casey, Antarctica changed time zones five times since 2020.
  • Code and data fixes for Palestine timestamps starting in 2072.
  • A new data file zonenow.tab for timestamps starting now.
  • Kazakhstan unifies on UTC+5 beginning 2024-03-01.
  • Palestine springs forward a week later after Ramadan.
  • zic no longer pretends to support indefinite-past DST.
  • localtime no longer mishandles Ciudad Juárez in 2422.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u411 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u411-perf-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u411) be used after the next critical patch update scheduled for July 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider Java Management Service (JMS).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u411-perf) on 2024-08-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

security-libs/javax.crypto
 Update XML Security for Java to 3.0.3 (JDK-8319124)

The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1, SHA3_256_RSA_MGF1, SHA3_384_RSA_MGF1, and SHA3_512_RSA_MGF1. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.

Additionally, support for the following EdDSA signatures has been added: ED25519 and ED448. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here() function by default. However, we recommend avoiding the use of the here() function in new signatures and replacing existing signatures that use the here() function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here() function by setting the security property jdk.xml.dsig.hereFunctionSupported to "false".

 

Other Notes

java-libs/java.awt
 AWT SystemTray API Is Not Supported on Most Linux Desktops (JDK-8322750)

The java.awt.SystemTray API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.

Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported() will return false where ever the JDK determines the platform bug is likely to be present.

The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.

security-libs/java.security
 Added Certainly R1 and E1 Root Certificates (JDK-8321408)

The following root certificates have been added to the cacerts truststore:

+ Certainly

  + certainlyrootr1
    DN: CN=Certainly Root R1, O=Certainly, C=US

+ Certainly
  + certainlyroote1
    DN: CN=Certainly Root E1, O=Certainly, C=US

 

Changes in Java SE 8u411-Perf

Bug Fixes

JDK 8u411 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8271118hotspot/compilerC2: StressGCM should have higher priority than frequency-based policy
2JDK-8316679hotspot/compilerC2 SuperWord: wrong result, load should not be moved before store if not comparable
3JDK-8274060hotspot/compilerC2: Incorrect computation after JDK-8273454
4JDK-8273454hotspot/compilerC2: Transform (-a)*(-b) into a*b
5JDK-8315920hotspot/compilerC2: "control input must dominate current control" assert failure
6JDK-8297968hotspot/compilerCrash in PrintOptoAssembly
7JDK-8321215hotspot/compilerIncorrect x86 instruction encoding for VSIB addressing mode
8JDK-8316414hotspot/compilerC2: large byte array clone triggers "failed: malformed control flow" assertion failure on linux-x86
9JDK-8320209hotspot/compilerVectorMaskGen clobbers rflags on x86_64
10JDK-8318889hotspot/compilerC2: add bailout after assert Bad graph detected in build_loop_late
11JDK-8317507hotspot/compilerC2 compilation fails with "Exceeded _node_regs array"
12JDK-8277919hotspot/jfrOldObjectSample event causing bloat in the class constant pool in JFR recording
13JDK-8287113hotspot/jfrJFR: Periodic task thread uses period for method sampling events
14JDK-8322321hotspot/runtimeAdd man page doc for -XX:+VerifySharedSpaces
15JDK-8312585hotspot/runtimeRename DisableTHPStackMitigation flag to THPStackMitigation
16JDK-8312182hotspot/runtimeTHPs cause huge RSS due to thread start timing issue
17JDK-8312620hotspot/runtimeWSL Linux build crashes after JDK-8310233
18JDK-8312394hotspot/runtime[linux] SIGSEGV if kernel was built without hugepage support
19JDK-8323243hotspot/runtimeJNI invocation of an abstract instance method corrupts the stack

Java™ SE Development Kit 8, Update 411 (JDK 8u411)

Release date: April 16, 2024

The full version string for this update release is 8u411-b09 (where "b" means "build"). The version number is 8u411.

 

IANA TZ Data 2024a

JDK 8u411 contains IANA time zone data 2024a which contains the following changes:

  • Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
  • Vostok, Antarctica changed time zones on 2023-12-18.
  • Casey, Antarctica changed time zones five times since 2020.
  • Code and data fixes for Palestine timestamps starting in 2072.
  • A new data file zonenow.tab for timestamps starting now.
  • Kazakhstan unifies on UTC+5 beginning 2024-03-01.
  • Palestine springs forward a week later after Ramadan.
  • zic no longer pretends to support indefinite-past DST.
  • localtime no longer mishandles Ciudad Juárez in 2422.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u411 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u411-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u411) be used after the next critical patch update scheduled for July 16, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u411) on 2024-08-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.crypto
 Update XML Security for Java to 3.0.3 (JDK-8319124)

The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods have been added: SHA3_224_RSA_MGF1, SHA3_256_RSA_MGF1, SHA3_384_RSA_MGF1, and SHA3_512_RSA_MGF1. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.

Additionally, support for the following EdDSA signatures has been added: ED25519 and ED448. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK Update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use 3rd party security providers. One other difference is that the JDK still supports the here() function by default. However, we recommend avoiding the use of the here() function in new signatures and replacing existing signatures that use the here() function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here() function by setting the security property jdk.xml.dsig.hereFunctionSupported to "false".

 

Other Notes

client-libs/java.awt
 AWT SystemTray API Is Not Supported on Most Linux Desktops (JDK-8322750)

The java.awt.SystemTray API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.

Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported() will return false where ever the JDK determines the platform bug is likely to be present.

The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.

security-libs/java.security
 Added Certainly R1 and E1 Root Certificates (JDK-8321408)

The following root certificates have been added to the cacerts truststore:

+ Certainly

  + certainlyrootr1
    DN: CN=Certainly Root R1, O=Certainly, C=US

+ Certainly
  + certainlyroote1
    DN: CN=Certainly Root E1, O=Certainly, C=US

security-libs/javax.xml.crypto
 Enable XML Signature Secure Validation Mode by Default (JDK-8259801)

The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures are subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property.

If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation property to Boolean.FALSE with the DOMValidateContext.setProperty() API.

 

Updates to Third Party Libraries

Library New Version Module JBS
Libxslt 1.1.39 javafx JDK-8318388
WebKit 617.1 javafx JDK-8318614
Glib 2.78.1 javafx JDK-8318386
GStreamer 1.22.6 javafx JDK-8318387
libpng 1.6.40 java.desktop JDK-8316030
Joni 2.2.1 jdk.scripting.nashorn JDK-8322094
Xalan Java 2.7.3 java.xml JDK-8305814
XML Security for Java 3.0.3 java.xml.crypto JDK-8319124

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u411 release:

# BugId Component Summary
1JDK-8318951client-libs/2dAdditional negative value check in JPEG decoding
2JDK-8152924core-libs/java.util.concurrentImprove scalability of CompletableFuture with large number of dependents
3JDK-8186464core-libs/java.util.jarZipFile cannot read some InfoZip ZIP64 zip files
4JDK-8321480core-libs/java.util:i18nISO 4217 Amendment 176 Update
5JDK-8260556docs/guidesUpdate Security Guide for Enable XML Signature secure validation mode by default
6JDK-8244207hotspot/compilerSimplify usage of Compile::print_method() when debugging with gdb and enable its use with rr
7JDK-8144856hotspot/compilerfix assert in CompiledStaticCall::set_to_interpreted
8JDK-8236772hotspot/compilerFix build for windows 32-bit after 8212160 and 8234331.
9JDK-8231430hotspot/compilerC2: Memory stomp in max_array_length() for T_ILLEGAL type
10JDK-8318889hotspot/compilerC2: add bailout after assert Bad graph detected in build_loop_late
11JDK-8317507hotspot/compilerC2 compilation fails with "Exceeded _node_regs array"
12JDK-8147611hotspot/gcG1 - Missing memory barrier in start_cset_region_for_worker
13JDK-8061467hotspot/gcBad page size passed to setup_large_pages() on Solaris
14JDK-8212160hotspot/jvmtiJVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value"
15JDK-8227277hotspot/jvmtiHeapInspection::find_instances_at_safepoint walks dead objects
16JDK-8236124hotspot/jvmtiMinimal VM slowdebug build failed after JDK-8212160
17JDK-8322321hotspot/runtimeAdd man page doc for -XX:+VerifySharedSpaces
18JDK-8059586hotspot/runtimehs_err report should treat redirected core pattern.
19JDK-8323243hotspot/runtimeJNI invocation of an abstract instance method corrupts the stack
20JDK-8067447hotspot/svcFactor out the shared implementation of the VM flags manipulation code
21JDK-8284544javafx/accessibility[Win] Name-Property of Spinner cannot be changed
22JDK-8319079javafx/graphicsMissing range checks in decora
23JDK-8320267javafx/webWebView crashes on macOS 11 with WebKit 616.1
24JDK-8320260javafx/webWebView: Update Public Suffix List to b5bf572
25JDK-8323879javafx/webconstructor Path(Path) which takes another Path object fail to draw on canvas html
26JDK-8324337javafx/webCherry-pick WebKit 617.1 stabilization fixes
27JDK-8322703javafx/webIntermittent crash in WebView in a JFXPanel from IME calls on macOS
28JDK-8325258javafx/webAdditional WebKit 617.1 fixes from WebKitGTK 2.42.5
29JDK-8323880javafx/webCaret rendered at wrong position in case of a click event on RTL text
30JDK-8326989javafx/webText selection issues on WebView after WebKit 617.1
31JDK-8221261javafx/window-toolkitDeadlock on macOS in JFXPanel app when handling IME calls
32JDK-8319669javafx/window-toolkit[macos14] Running any JavaFX app prints Secure coding warning
33JDK-8319727other-libs/corba:idlHarden BufferManagerReadStream underflow logic
34JDK-8307185security-libs/javax.crypto:pkcs11pkcs11 native libraries make JNI calls into java code while holding GC lock
35JDK-8255867security-libs/javax.net.sslSignatureScheme JSSE property does not preserve ordering in handshake messages
36JDK-8308245tools/javacAdd -proc:full to describe current default annotation processing policy
37JDK-8317815xml/jaxpXerces-J - Version.java did not get updated in JDK-8282280

Java SE 8u401 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u401 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u401 b35

Bug Fixes

Release date: April 3, 2024
BugId Category Subcategory Summary
JDK-8326643 security-libs java.security JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message

 

Changes in Java SE 8u401 b34

Bug Fixes

Release date: March 14, 2024
BugId Category Subcategory Summary
JDK-8325580 (not public) install install Remove "alternatives --remove" call from Java rpm installer

 

Changes in Java SE 8u401 b33

Bug Fixes

Release date: February 22, 2024
BugId Category Subcategory Summary
JDK-8309374 javafx accessibility Accessibility Focus Rectangle on ListItem is not drawn when ListView is shown for first time
JDK-8311492 javafx graphics FontSmoothingType LCD produces wrong color when transparency is used
JDK-8325150 core-libs java.time (tz) Update Timezone Data to 2024a

 

Changes in Java SE 8u401 b32

Bug Fixes

Release date: February 5, 2024
BugId Category Subcategory Summary
JDK-8227277 hotspot jvmti HeapInspection::find_instances_at_safepoint walks dead objects
JDK-8322725 core-libs java.time (tz) Update Timezone Data to 2023d

 

Changes in Java SE 8u401 b31

Bug Fixes

Release date: January 16, 2024
BugId Category Subcategory Summary
JDK-8284544 javafx accessibility [Win] Name-Property of Spinner cannot be changed
JDK-8319727 other-libs corba:idl Harden BufferManagerReadStream underflow logic

Java SE 8u401 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u401 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u401-Perf b31

Bug Fixes

January 16, 2024

This BPR contains all of the fixes included in the previous JDK 8 Enterprise Performance Pack BPR.


Java™ SE Development Kit 8, Update 401 Enterprise Performance Pack (JDK 8u401-PERF)

January 16, 2024

The full version string for this update release is 8u401-perf-b10 (where "b" means "build"). The version number is 8u401-perf.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u401 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u401-perf-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u401) be used after the next critical patch update scheduled for April 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider Java Management Service (JMS).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u401-perf) on 2024-05-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


New Features

security-libs/javax.xml.crypto
 New System Property to Toggle XML Signature Secure Validation Mode (JDK-8301260)

A new system property named org.jcp.xml.dsig.secureValidation has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.

Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.

 

Known Issues

hotspot/compiler
 Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))

When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].

 

Other Notes

security-libs/java.security
 Added Four Root Certificates from DigiCert, Inc. (JDK-8318759)

The following root certificates have been added to the cacerts truststore:

+ DigiCert, Inc.

  + digicertcseccrootg5
    DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicertcsrsarootg5
    DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlseccrootg5
    DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlsrsarootg5
    DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

security-libs/java.security
 Added Three Root Certificates from eMudhra Technologies Limited (JDK-8319187)

The following root certificates have been added to the cacerts truststore:

+ eMudhra Technologies Limited

  + emsignrootcag1
    DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsigneccrootcag3
    DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsignrootcag2
    DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

security-libs/java.security
 Added ISRG Root X2 CA Certificate from Let's Encrypt (JDK-8317374)

The following root certificate has been added to the cacerts truststore:

+ Let's Encrypt

  + letsencryptisrgx2
    DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US

security-libs/javax.net.ssl
 Call X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)

The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .

 

Changes in Java SE 8u401-Perf

Bug Fixes

JDK 8u401 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Summary
1JDK-8299658hotspot/compilerC1 compilation crashes in LinearScan::resolve_exception_edge
2JDK-8301489hotspot/compilerC1: ShortLoopOptimizer might lift instructions before their inputs
3JDK-8313626hotspot/compilerC2 crash due to unexpected exception control flow
4JDK-8313402hotspot/compilerC1: Incorrect LoadIndexed value numbering
5JDK-8312909hotspot/compilerC1 should not inline through interface calls with non-subtype receiver
6JDK-8303279hotspot/compilerC2: crash in SubTypeCheckNode::sub() at IGVN split if
7JDK-8304954hotspot/compilerSegmentedCodeCache fails when using large pages
8JDK-8316178hotspot/compilerBetter diagnostic header for CodeBlobs
9JDK-8315377hotspot/compilerC2: assert(u->find_out_with(Op_AddP) == nullptr) failed: more than 2 chained AddP nodes?
10JDK-8316514hotspot/compilerBetter diagnostic header for VtableStub
11JDK-8314024hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work due to bad immediate dominator info
12JDK-8313262hotspot/compilerC2: Sinking node may cause required cast to be dropped
13JDK-8312440hotspot/compilerassert(cast != nullptr) failed: must have added a cast to pin the node
14JDK-8313756hotspot/compiler[BACKOUT] 8308682: Enhance AES performance
15JDK-8313760hotspot/compiler[REDO] Enhance AES performance
16JDK-8308103hotspot/compilerMassive (up to ~30x) increase in C2 compilation time since JDK 17
17JDK-8307683hotspot/compilerLoop Predication should not hoist range checks with trap on success projection by negating their condition
18JDK-8309119hotspot/compiler[17u/11u] Redo JDK-8297951: C2: Create skeleton predicates for all If nodes in loop predication
19JDK-8275333hotspot/gcPrint count in "Too many recored phases?" assert
20JDK-8316906hotspot/gcClarify TLABWasteTargetPercent flag
21JDK-8270894hotspot/runtimeUse acquire semantics in ObjectSynchronizer::read_stable_mark()
22JDK-8305994hotspot/runtimeGuarantee eventual async monitor deflation
23JDK-8309228hotspot/runtimeClarify EXPERIMENTAL flags comment in hotspot/share/runtime/globals.hpp
24JDK-8306825hotspot/runtimeMonitor deflation might be accidentally disabled by zero intervals
25JDK-8279545hotspot/runtimeBuffer overrun in reverse_words of sharedRuntime_x86_64.cpp:3517
26JDK-8283326hotspot/runtimeImplement SafeFetch statically
27JDK-8314679hotspot/svc-agentSA fails to properly attach to JVM after having just detached from a different JVM

Java™ SE Development Kit 8, Update 401 (JDK 8u401)

January 16, 2024

The full version string for this update release is 8u401-b10 (where "b" means "build"). The version number is 8u401.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u401 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
88u401-b10

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u401) be used after the next critical patch update scheduled for April 16, 2024.

Java SE Subscription products customers managing JRE updates/installs for large number of desktops should consider using Java Management Service (JMS).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u401) on 2024-05-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.xml.crypto
 New System Property to Toggle XML Signature Secure Validation Mode (JDK-8301260)

A new system property named org.jcp.xml.dsig.secureValidation has been added. It can be used to enable or disable the XML Signature secure validation mode. The system property should be set to "true" to enable, or "false" to disable. Any other value for the system property is treated as "false". If the system property is set, it supersedes the XMLCryptoContext property value.

Secure validation mode is enabled by default if you are running the code with a SecurityManager, otherwise it is disabled by default.

core-libs/java.io:serialization
 JDK Flight Recorder Event for Deserialization (JDK-8261160)

A new JDK Flight Recorder (JFR) event has been added to monitor deserialization of objects. When JFR is enabled and the JFR configuration includes deserialization events, JFR will emit an event whenever the running program attempts to deserialize an object. The deserialization event is named java/deserialization, and it is disabled by default. The deserialization event contains information that is used by the serialization filter mechanism. Additionally, if a filter is enabled, the JFR event indicates whether the filter accepted or rejected deserialization of the object.

The new Deserialization Event captures:

  • Whether a serialization filter is configured or not.
  • The serialization filter status, if one is configured.
  • The class of the object being deserialized.
  • The number of array elements when deserializing an array.
  • The current graph depth.
  • The current number of object references.
  • The current number of bytes in the stream that have been consumed.
  • The exception type and message, if thrown by the serialization filter.

Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.

 

Known Issues

hotspot/compiler
 Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))

When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VM's running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].

hotspot/compiler
 High CPU on C2 After Updating to JDK 8u401 (JDK-8334725 (not public))

In a rare case, the C2 compiler attempts to apply the split-if loop optimization indefinitely. This regression manifests as continued high CPU use by C2 compiler threads.

The issue is fixed in 8u431. If the issue is encountered in 8u401, 8u411 or 8u421, the VM flag ``-XX:-SplitIfBlocks``, which disables this optimization, can be used as a workaround.

 

Other Notes

security-libs/java.security
 Increase Default Value of the System Property jdk.jar.maxSignatureFileSize (JDK-8312489)

The system property, jdk.jar.maxSignatureFileSize, allows applications to control the maximum size of signature files in a signed JAR. Its default value has been increased from 8000000 bytes (8 MB) to 16000000 bytes (16 MB).

security-libs/java.security
 Added Four Root Certificates from DigiCert, Inc. (JDK-8318759)

The following root certificates have been added to the cacerts truststore:

+ DigiCert, Inc.

  + digicertcseccrootg5
    DN: CN=CN=DigiCert CS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicertcsrsarootg5
    DN: CN=DigiCert CS RSA4096 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlseccrootg5
    DN: DigiCert TLS ECC P384 Root G5, O="DigiCert, Inc.", C=US

+ DigiCert, Inc.
  + digicerttlsrsarootg5
    DN: DigiCert TLS RSA4096 Root G5, O="DigiCert, Inc.", C=US

security-libs/java.security
 Added Three Root Certificates from eMudhra Technologies Limited (JDK-8319187)

The following root certificates have been added to the cacerts truststore:

+ eMudhra Technologies Limited

  + emsignrootcag1
    DN: CN=emSign Root CA - G1, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsigneccrootcag3
    DN: CN=emSign ECC Root CA - G3, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

+ eMudhra Technologies Limited
  + emsignrootcag2
    DN: CN=emSign Root CA - G2, O=eMudhra Technologies Limited, OU=emSign PKI, C=IN

security-libs/java.security
 Added Telia Root CA v2 Certificate (JDK-8317373)

The following root certificate has been added to the cacerts truststore:

+ Telia Root CA v2

  + teliarootcav2
    DN: CN=Telia Root CA v2, O=Telia Finland Oyj, C=FI

security-libs/java.security
 Added ISRG Root X2 CA Certificate from Let's Encrypt (JDK-8317374)

The following root certificate has been added to the cacerts truststore:

+ Let's Encrypt

  + letsencryptisrgx2
    DN: CN=ISRG Root X2, O=Internet Security Research Group, C=US

security-libs/javax.net.ssl
 Call X509KeyManager.chooseClientAlias Once for All Key Types (JDK-8262186)

The (D)TLS implementation in JDK now calls X509KeyManager.chooseClientAlias() only once during handshaking for client authentication, even if there are multiple algorithms requested .

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u401 release:

# BugId Component Summary
1JDK-8286481client-libs/java.awtException printed to stdout on Windows when storing transparent image in clipboard
2JDK-6176679client-libs/java.awtApplication freezes when copying an animated gif image to the system clipboard
3JDK-8153090client-libs/javax.swingTAB key cannot change input focus after the radio button in the Color Selection dialog
4JDK-8313657core-libs/javax.namingcom.sun.jndi.ldap.Connection.cleanup does not close connections on SocketTimeoutErrors
5JDK-8314063core-libs/javax.namingThe socket is not closed in Connection::createSocket when the handshake failed for LDAP connection
6JDK-8302577docs/guidesUpdate JSSE Guide for JDK-8301700: Increase the default TLS Diffie-Hellman group size from 1024-bit to 2048-bit
7JDK-8283441hotspot/compilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
8JDK-8059735hotspot/compilermake_not_entrant_or_zombie sees zombies
9JDK-8075922hotspot/compilerassert(t == t_no_spec) fails in phaseX.cpp
10JDK-8067247hotspot/compilerCrash: assert(method_holder->data() == 0 ...) failed: a) MT-unsafe modification of inline cache
11JDK-8086053hotspot/compilerAddress inconsistencies regarding ZeroTLAB
12JDK-8169177hotspot/gcaarch64: SIGSEGV when "-XX:+ZeroTLAB" is specified along with GC options
13JDK-8149343hotspot/gcassert(rp->num_q() == no_of_gc_workers) failed: sanity
14JDK-8316906hotspot/gcClarify TLABWasteTargetPercent flag
15JDK-8032223hotspot/jvmtinsk/regression/b4663146 gets assert(SafepointSynchronize::is_at_safepoint() || JvmtiEnv::is_thread_fully_suspended(get_thread(), false, &debug_bits))
16JDK-8165496hotspot/jvmtiassert(_exception_caught == false) failed: _exception_caught is out of phase
17JDK-8193386hotspot/runtimeCompressedClassSize too large with MaxMetaspace
18JDK-8194246hotspot/runtimeJVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class
19JDK-8163146hotspot/runtimeRemove os::check_heap on Windows
20JDK-8227815hotspot/svcMinimal VM: set_state is not a member of AttachListener
21JDK-8313856javafx/graphicsReplace VLA with malloc in pango
22JDK-8317508javafx/mediaProvide media support for libavcodec version 60
23JDK-8313900javafx/mediaPossible NULL pointer access in NativeAudioSpectrum and NativeVideoBuffer
24JDK-8311097javafx/webSynchron XMLHttpRequest not receiving data
25JDK-8315074javafx/window-toolkitPossible null pointer access in native glass
26JDK-8315958javafx/window-toolkitMissing range checks in GlassPasteboard
27JDK-8315657javafx/window-toolkitApplication window not activated in macOS 14 Sonoma
28JDK-8319066javafx/window-toolkitApplication window not always activated in macOS 14 Sonoma
29JDK-8320597security-libs/java.securityRSA signature verification fails on signed data that does not encode params correctly
30JDK-8302017security-libs/java.securityAllocate BadPaddingException only if it will be thrown
31JDK-8284910security-libs/javax.securityBuffer clean in PasswordCallback

Java SE 8u391 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u391 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u391 b33

Bug Fixes

December 14, 2023
BugId Category Subcategory Summary
JDK-8054022 core-libs java.net HttpURLConnection timeouts with Expect: 100-Continue and no chunking
JDK-8306784 install install No default java after 8u371 upgrade

 

Changes in Java SE 8u391 b32

Bug Fixes

November 6, 2023
BugId Category Subcategory Summary
JDK-8312489 security-libs java.security Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

 

Changes in Java SE 8u391 b31

Bug Fixes

Fixes from the prior BPR are included in this version.


Java SE 8u391 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u391 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u391-Perf b33

Bug Fixes

October 19, 2023

This BPR contains all of the fixes included in the previous JDK 8 Enterprise Performance Pack BPR.


Java™ SE Development Kit 8, Update 391 Enterprise Performance Pack (JDK 8u391-PERF)

October 17, 2023

The full version string for this update release is 8u391-perf-b13 (where "b" means "build"). The version number is 8u391-perf.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u391-perf-b13

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.


Other Notes

hotspot/compiler
 GregorianCalender.computeTime() JVM Crash (JDK-8308884)

A virtual machine crash was observed in JDK 11.0.19 and 17.0.7 when executing the GregorianCalender.computeTime() method (JDK-8307683). It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. To mitigate this, the fix has been reverted in JDK 11.0.20 and 17.0.8 and will be reapplied once JDK-8307683 is resolved.

 

Changes in Java SE 8u391-Perf

Bug Fixes

JDK 8u391 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Subcomponent Summary
1JDK-8274243hotspotcompilerImplement fast-path for ASCII-compatible CharsetEncoders on aarch64
2JDK-8299544hotspotcompilerImprove performance of CRC32C intrinsics (non-AVX-512) for small inputs
3JDK-8153837hotspotcompilerAArch64: Handle special cases for MaxINode & MinINode
4JDK-8272586hotspotcompileremit abstract machine code in hs-err logs
5JDK-8308192hotspotcompilerError in parsing replay file when staticfield is an array of single dimension
6JDK-8309266hotspotcompilerC2: assert(final_con == (jlong)final_int) failed: final value should be integer
7JDK-8300584hotspotcompilerAccelerate AVX-512 CRC32C for small buffers
8JDK-8274986hotspotcompilermax code printed in hs-err logs should be configurable
9JDK-8310126hotspotcompilerC1: Missing receiver null check in Reference::get intrinsic
10JDK-8284760hotspotcompilerCorrect type/array element offset in LibraryCallKit::get_state_from_digest_object()
11JDK-8299158hotspotcompilerImprove MD5 intrinsic on AArch64
12JDK-8303154hotspotcompilerInvestigate and improve instruction cache flushing during compilation
13JDK-8252990hotspotcompilerIntrinsify Unsafe.storeStoreFence
14JDK-8305088hotspotcompilerSIGSEGV in Method::is_method_handle_intrinsic
15JDK-8296545hotspotcompilerC2 Blackholes should allow load optimizations
16JDK-8292713hotspotcompilerUnsafe.allocateInstance should be intrinsified without UseUnalignedAccesses
17JDK-8302736hotspotcompilerMajor performance regression in Math.log on aarch64
18JDK-8307572hotspotcompilerAArch64: Vector registers are clobbered by some macroassemblers
19JDK-8280396hotspotgcG1: Full gc mark stack draining should prefer to make work available to other threads
20JDK-8308643hotspotgcIncorrect value of 'used' jvmstat counter
21JDK-8284532hotspotjfrMemory leak in BitSet::BitMapFragmentTable in JFR leak profiler
22JDK-8283520hotspotjfrJFR: Memory leak in dcmd_arena
23JDK-8307526hotspotjfr[JFR] Better handling of tampered JFR repository
24JDK-8309862hotspotjfrUnsafe list operations in JfrStringPool
25JDK-8307331hotspotjvmtiCorrectly update line maps when class redefine rewrites bytecodes
26JDK-8306428hotspotruntimeRunThese30M.java crashed with assert(early->flag() == current->flag() || early->flag() == mtNone)
27JDK-8297887hotspotruntimeUpdate Siphash
28JDK-8305425hotspotruntimeThread.isAlive0 doesn't need to call into the VM
29JDK-8269466hotspotruntimeFactor out the common code for initializing and starting internal VM JavaThreads
30JDK-8287854hotspotruntimeDangling reference in ClassVerifier::verify_class
31JDK-8303215hotspotruntimeMake thread stacks not use huge pages
32JDK-8290067hotspotruntimeShow stack dimensions in UL logging when attaching threads
33JDK-8283849hotspotsvcAsyncGetCallTrace may crash JVM on guarantee
34JDK-8301170hotspotsvcperfMemory_windows.cpp add free_security_attr to early returns
35JDK-8295657hotspotsvc-agentSA: Allow larger object alignments

Java™ SE Development Kit 8, Update 391 (JDK 8u391)

October 17, 2023

The full version string for this update release is 8u391-b13 (where "b" means "build"). The version number is 8u391.

 

IANA TZ Data 2023c

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u391 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u391-b13

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u391) be used after the next critical patch update scheduled for January 16, 2024.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u391) on 2024-02-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/java.security
 New JFR Event: jdk.SecurityProviderService (JDK-8254711)

A new Java Flight Recorder (JFR) event has been added to record details of java.security.Provider.getService(String type, String algorithm) calls.

The new event name is jdk.SecurityProviderService and contains the following fields:

Field name Field Description
type Type of Service
algorithm Algorithm Name
provider Security Provider

This event is disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

tools/launcher
 -XshowSettings:locale Output Now Includes Tzdata Version (JDK-8305950)

The -XshowSettings launcher option has been enhanced to print the tzdata version configured with the JDK. The tzdata version is displayed as part of the locale showSettings option.

Example output using -X:showSettings:locale:

.....

Locale settings:
    default locale = English
    default display locale = English
    default format locale = English
    tzdata version = 2023c
    .....

 

Known Issues

javafx/media
 Media Playback Does Not Work on Ubuntu 23.10 (JDK-8317508)

Media playback does not work on Ubuntu 23.10. This affects most media formats such as MP4 with H.264/H.265, MP3, AAC, and HTTP Live Streaming. This is because JavaFX Media does not support libavcodec version 60. Support for libavcodec version 60 will be added with JDK-8317508. As a workaround, install libavcodec version 59 compiled with support for at least the following:

  • decoder: aac, mp3, mp3float, h264, hevc
  • parser: aac, h264, hevc
  • demuxer: aac, h264, hevc, mpegts, mpegtsraw

 

Removed Features and Options

security-libs/java.security
 Removed SECOM Trust System's RootCA1 Root Certificate (JDK-8295894)

The following root certificate from SECOM Trust System has been removed from the cacerts keystore:

+ alias name "secomscrootca1 [jdk]"

  Distinguished Name: OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP

infrastructure/build
 Removal of Linux ARM32 Support for JDK 8 (JDK-8305927 (not public))

Platform support for Linux ARM32 in JDK 8 has been removed. As a result, the ARM32 Hard Float ABI download will not be available. Operating Systems that supported ARM32 have reached their End of Life, thus there is no known OS support available.

 

Other Notes

security-libs/java.security
 Added Certigna Root CA Certificate (JDK-8314960)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)

  + certignarootca
    DN: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR

security-libs/java.security
 Ignore Allow and Disallow Options for java.security.manager System Property (JDK-8301118)

In JDK 12, two new token options for the java.security.manager system property, "allow" and "disallow", were introduced.

Many applications and frameworks are designed to run on multiple JDKs. For those that enable the SecurityManager at runtime via System.setSecurityManager, they have to specify the "allow" option as of JDK 18 (see JDK-8203316). However, these applications would also prefer to use the same command line across multiple versions of the JDK, especially if it is not known what JDK version a user will use.

Currently, if these options are specified in JDK 12 or earlier, the runtime attempts to load a SecurityManager implementation with the classname "allow" or "disallow", which results in a Could not create SecurityManager Error and the application will not start up.

From this release onward, the "allow" and "disallow" options for the java.security.manager system property will be ignored.

security-libs/javax.net.ssl
 The Default TLS Diffie-Hellman Group Size Has Been Increased from 1024-bit to 2048-bit (JDK-8301700)

The JDK implementation of TLS 1.2 now uses a default Diffie Hellman keysize of 2048 bits when a TLS_DHE cipher suite is negotiated and either the client or server does not support FFDHE, which can negotiate a stronger keysize. The JDK TLS implementation supports FFDHE and it is enabled by default.

As a workaround, users can revert to the previous size by setting the jdk.tls.ephemeralDHKeySize system property to 1024 (at their own risk).

This change does not affect TLS 1.3 as the minimum DH group size is already 2048 bits.

install/install
 Allow JDK 8 Installed by MSI to Install Side-by-Side with Other JRE 8 Installations (JDK-8306899 (not public))

In 8u371, the behavior of the JRE installer was changed from installing the JRE in a full-version-specific directory to installing the JRE into a common shared directory. It also removed all older JRE versions in that same family.

In JDK 8u391, a new argument, RETAIN_ALL_VERSIONS=1, was introduced for the MSI installer. If the argument is used, the JRE will install into a jre$fullversion directory. Other JREs of the Java SE 8 family will not be automatically removed. More information can be found in the MSI Enterprise JRE Installer Guide for Windows.

other-libs/corba:idl
 CORBA _DynAnyStub and Associated Subclasses readObject Accepts Only Stringified IORs in IOR: URI format (JDK-8303384 (not public))

The readObject method changes made to _DynAnyFactoryStub in JDK-8285021, have been extended to a set of stub classes that have been categoriezed as pseudo IDL interfaces. These include:

org.omg.DynamicAny._DynArrayStub,

org.omg.DynamicAny._DynEnumStub,
org.omg.DynamicAny._DynFixedStub, 
org.omg.DynamicAny._DynSequenceStub, 
org.omg.DynamicAny._DynStructStub, 
org.omg.DynamicAny._DynUnionStub, 
org.omg.DynamicAny._DynValueStub,
org.omg.DynamicAny._DynAnyStub, 

For each of these stub classes, the readObject method has been amended such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format only. As the above stub classes are termed, locally or as ORB constrained types, it is not useful that serialized data should contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to an IOR of these stub classes. As such, using a corbaname to reference an instance of these locally constrained stub classes is not meaningful.

A system property is introduced, com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR, which when set to true, will revert the readObject method to its current behavior and disable the additional IOR checks. The default value of this system property is false. This system property can also be used to disable the IOR check performed in the org.omg.DynamicAny._DynAnyFactoryStub readObject method. As such, with respect to _DynAnyFactory, it complements the system property org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck introduced in JDK-8285021.

Additionally, the readObject method of the remote CORBA service stub classes:

org.omg.CosNaming._NamingContextStub.java,

org.omg.CosNaming._BindingIteratorStub.java,
org.omg.CosNaming._NamingContextExtStub.java,
org.omg.PortableServer._ServantActivatorStub.java,
org.omg.PortableServer._ServantLocatorStub.java,
com.sun.corba.se.spi.activation._ServerManagerStub.java,
com.sun.corba.se.spi.activation._ActivatorStub.java,
com.sun.corba.se.spi.activation._RepositoryStub.java,
com.sun.corba.se.spi.activation._InitialNameServiceStub.java,
com.sun.corba.se.spi.activation._LocatorStub.java,
com.sun.corba.se.spi.activation._ServerStub.java,

included in the JDK, have been similarly amended to include an IOR check when reading a stringified IOR from serialised data. To enable the IOR check, and prohibit corbaname or corbaloc URLs in a stringified IOR, the setting of the com.sun.CORBA.DynamicAny.Stubs.allowCorbanameInIOR system property to true is required.

A system property is introduced, com.sun.CORBA.IDL.Stubs.allowCorbanameInIOR, which when set to false, will activate an IOR check when reading a stringified IOR from serialised data and constrain a stringified IOR to that of IOR: URI format. Thus, prohibiting corbaname or corbaloc as a valid stringified IOR format. The default value of this system property is true. That is, corbaname or corbaloc are allowed in stringified IORs.

security-libs/javax.net.ssl
 Use Server Cipher Suites Preference by Default (JDK-8168261)

For TLS connections, the cipher suite selection, by default, is updated to use the server cipher suites preference. Applications can configure the behavior by using the SSLParameters.setUseCipherSuitesOrder​() method.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u391 release:

# BugId Component Summary
1JDK-8311689client-libs/java.awtWrong visible amount in Adjustable of ScrollPane
2JDK-8310054client-libs/java.awtScrollPane insets are incorrect
3JDK-8297923client-libs/java.awtjava.awt.ScrollPane broken after multiple scroll up/down
4JDK-8305815client-libs/java.awtUpdate Libpng to 1.6.39
5JDK-8305517core-libs/java.netMemory leak in Java Solaris native code when calling NetworkInterface.getHardwareAddress()
6JDK-8300098core-libs/java.util.concurrentjava/util/concurrent/ConcurrentHashMap/ConcurrentAssociateTest.java fails with internal timeout when executed with TieredCompilation1/3
7JDK-8234808core-svc/debuggerjdb quoted option parsing broken
8JDK-8290451hotspot/compilerIncorrect result when switching to C2 OSR compilation from C1
9JDK-8213419hotspot/compilerC2 may hang in MulLNode::Ideal()/MulINode::Ideal() with gcc 8.2.1
10JDK-8183910hotspot/gcgc/arguments/TestAggressiveHeap.java fails intermittently
11JDK-8257239hotspot/gc[8u] G1: guarantee(!obj->is_forwarded()) failed: Object must not be forwarded
12JDK-8182703hotspot/gcCorrect G1 barrier queue lock orderings
13JDK-8207011hotspot/runtimeRemove uses of the register storage class specifier
14JDK-8297887hotspot/runtimeUpdate Siphash
15JDK-8284542javafx/accessibility[Accessibility] [Win] Missing attribute for toggle state of CheckBox in CheckBoxTreeItem
16JDK-8309508javafx/graphicsPossible memory leak in JPEG image loader
17JDK-8306328javafx/mediaUpdate libFFI to 3.4.4
18JDK-8306918javafx/webWebView: Update Public Suffix List to 88467c9
19JDK-8303748javafx/webWebKit build fails with Visual Studio 2022 17.5.0
20JDK-8306329javafx/webUpdate ICU4C to 73.1
21JDK-8310681javafx/webUpdate WebKit to 616.1
22JDK-8313177javafx/webWeb Workers timeout with Webkit 616.1
23JDK-8314212javafx/webCrash when loading cnn.com in WebView
24JDK-8313711javafx/webCherry-pick WebKit 616.1 stabilization fixes
25JDK-8313181javafx/webEnabling modern media controls on webkit 616.1 does not load button images on HTML5 video Element
26JDK-8144781javafx/window-toolkitAssertion failure in debug build running any JavaFX program on Mac
27JDK-8296452security-libs/javax.cryptoSolaris Ucrypto context memory leak on CRYPTO_BUFFER_TOO_SMALL error
28JDK-8236671security-libs/javax.cryptoNullPointerException in JKS keystore
29JDK-8232950security-libs/javax.crypto:pkcs11SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
30JDK-8183107security-libs/javax.crypto:pkcs11PKCS11 regression regarding checkKeySize

Java SE 8u381 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u381 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u381 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-6176679 client-libs java.awt Application freezes when copying an animated gif image to the system clipboard
JDK-8286481 client-libs java.awt Exception printed to stdout on Windows when storing transparent image in clipboard
JDK-8314188 (not public) install install [macOS] Installation complete confirmation message not displayed

 

Changes in Java SE 8u381 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8306899 (not public) install install JRE 8u371 MSI unable to install side-by-side JREs
JDK-8311244 (not public) hotspot gc frequent crashes at g1CollectedHeap.cpp:5923 after updating to JDK8u371

 

Changes in Java SE 8u381 b31

Bug Fixes

BugId Category Subcategory Summary
JDK-8284542 jfx accessibility Missing attribute for toggle state of CheckBox in CheckBoxTreeItem
JDK-8309557 (not public) install Update the JRE 8 Description in RPM packages

Java SE 8u381 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u381 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u381-Perf b31

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.


Other Notes

hotspot/runtime
 ASLR Support for CDS Archive (JDK-8294323 (not public))

Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.

This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.

In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.

 

Changes in Java SE 8u381-Perf

Bug Fixes

JDK 8u381 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Subcomponent Summary
1JDK-8280007hotspotcompilerEnable Neoverse N1 optimizations for Arm Neoverse V1 & N2
2JDK-8299179hotspotcompilerArrayFill with store on backedge needs to reduce length by 1
3JDK-8302595hotspotcompileruse-after-free related to GraphKit::clone_map
4JDK-8299959hotspotcompilerC2: CmpU::Value must filter overflow computation against local sub computation
5JDK-8303564hotspotcompilerC2: "Bad graph detected in build_loop_late" after a CMove is wrongly split thru phi
6JDK-8303508hotspotcompilerVector.lane() gets wrong value on x86
7JDK-8299570hotspotcompiler[JVMCI] Insufficient error handling when CodeBuffer is exhausted
8JDK-8300079hotspotcompilerSIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
9JDK-8299259hotspotcompilerC2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
10JDK-8296318hotspotcompileruse-def assert: special case undetected loops nested in infinite loops
11JDK-8296412hotspotcompilerSpecial case infinite loops with unmerged backedges in IdealLoopTree::check_safepts
12JDK-8297730hotspotcompilerC2: Arraycopy intrinsic throws incorrect exception
13JDK-8301491hotspotcompilerC2: java.lang.StringUTF16::indexOfChar intrinsic called with negative character argument
14JDK-8303588hotspotcompiler[JVMCI] make JVMCI source directories conform with standard layout
15JDK-8201516hotspotcompilerDebugNonSafepoints generates incorrect information
16JDK-8302508hotspotcompilerAdd timestamp to the output TraceCompilerThreads
17JDK-8289748hotspotcompilerC2 compiled code crashes with SIGFPE with -XX:+StressLCM and -XX:+StressGCM
18JDK-8308884hotspotcompiler[17u/11u] Backout JDK-8297951
19JDK-8303511hotspotcompilerC2: assert(get_ctrl(n) == cle_out) during unrolling
20JDK-8291456hotspotjvmticom/sun/jdi/ClassUnloadEventTest.java failed with: Wrong number of class unload events: expected 10 got 4
21JDK-8280784hotspotruntimeVM_Cleanup unnecessarily processes all thread oops
22JDK-8294677hotspotruntimechunklevel::MAX_CHUNK_WORD_SIZE too small for some applications
23JDK-8277946hotspotruntimeNMT: Remove VM.native_memory shutdown jcmd command option
24JDK-8301123hotspotruntimeEnable Symbol refcounting underflow checks in PRODUCT
25JDK-8295974hotspotruntimejni_FatalError and Xcheck:jni warnings should print the native stack when there are no Java frames
26JDK-8287007hotspotruntime[cgroups] Consistently use stringStream throughout parsing code
27JDK-8278965hotspotruntimecrash in SymbolTable::do_lookup
28JDK-8301749hotspotruntimeTracking malloc pooled memory size

Java™ SE Development Kit 8, Update 381 (JDK 8u381)

July 18, 2023

The full version string for this update release is 8u381-b09 (where "b" means "build"). The version number is 8u381.

 

IANA TZ Data 2023c

JDK 8u381 contains IANA time zone data 2023c which contains the following changes since the previous update.

  • Egypt now uses DST again, from April through October.
  • This year Morocco springs forward April 23, not April 30.
  • Palestine delays the start of DST this year.
  • Much of Greenland still uses DST from 2024 on.
  • America/Yellowknife now links to America/Edmonton.
  • tzselect can now use current time to help infer timezone.
  • The code now defaults to C99 or later.
  • Fix use of C23 attributes.
  • This release's code and data are identical to 2023a.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u381 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u381-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u381) be used after the next critical patch update scheduled for October 17, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u381) on 2023-11-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

core-libs/java.lang
 Allow Additional Characters for GB18030-2022 Support (JDK-8301400)

The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 35 code points (U+9FCD - U+9FEF) from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 1 requirements.

core-libs/java.nio.charsets
 Support for GB18030-2022 (JDK-8307229)

The China National Standard body (CESI) has recently published GB18030-2022, which is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The Charset implementation for this new standard has now replaced the prior 2000 standard. However, this new standard has some incompatible changes from the prior implementation. For those who need to use the old mappings, a new system property, jdk.charset.GB18030, is introduced. By setting its value to 2000, the previous JDK releases' mappings for the GB18030 Charset are used, which are based on the 2000 standard.

core-libs/java.lang
 Allow Additional Characters for GB18030-2022 (Level 2) Support (JDK-8305681)

The China National Standard body (CESI) has recently published GB18030-2022. This is an updated version of the GB18030 standard and brings GB18030 in sync with Unicode version 11.0. The purpose of this enhancement is to incorporate 108 code points from CJK Unified Ideographs Extension E block from Unicode 11.0 into Java SE 8 to allow implementations to comply with their Implementation Level 2 requirements.

security-libs/javax.crypto
 JDK Now Accepts RSA Keys in PKCS#1 Format (JDK-8023980)

RSA private and public keys in PKCS#1 format can now be accepted by JDK providers, such as the RSA KeyFactory.impl from the SunRsaSign provider. The RSA private or public key object should have the PKCS#1 format and an encoding matching the ASN.1 syntax for a PKCS#1 RSA private key and public key.

 

Known Issues

install
 Problem Upgrading JDK on Windows if System User Is Using Shared Files (JDK-8310932 (not public))

Installing into the same, shared jdk-(family) directory is the default behavior for the JDK starting with the July 2023 CPU. It could lead to FilesInUse issues if JDK files are locked by the "System User". We recommend shutting down any apps using the JDK as the "System User" before upgrading.

hotspot/gc
 JVM Crashes with Internal Error (g1CollectedHeap.cpp:5923) after Upgrading to JDK 8u371 or JDK 8u381 (JDK-8311244 (not public))

There is the possibility of an application crash with the following error:

# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx
# guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be

 

This affects JDK 8u371 and JDK 8u381 runtimes using G1 GC on all supported platforms.

The failure is now corrected in the JDK 8u381 b32 Bundle Patch Release available via My Oracle Support.

install
 No Default Java after 8u371 32-bit Upgrade (JDK-8306784 (not public))

Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe command to not be found. For example:

  1. Install 32-bit 8u361
  2. Install 64-bit 8u371 (or later)
  3. Install 32-bit 8u371 (or later)

java.exe will now not work from all places. It will only work directly from the bin directory.

java.exe will not work unless you specify the full path to the bin directory of your JRE.

There are 2 workarounds:

  • Workaround 1: uninstall and reinstall the latest version of 64-bit 8u371 (or later)
  • Workaround 2: specify the full path to java.exe in the \bin directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe

 

Other Notes

hotspot/runtime
 Cgroup v2 Support and Improvements in 8u381 (JDK-8307634)

JDK 8u381 includes several enhancements and fixes to improve the cgroup v1 and v2 support for containers. The improvements include accurately detecting the resource limits of containers, correctly reporting the collected container metrics, printing additional container information, and improving application stability in containerized environments.

Some of the notable stability enhancements are:

JDK-8292083: Java applications may experience out-of-memory errors and run the risk of being killed by the OOM killer when running in a containerized environment where the container is configured with a higher memory limit than the available physical memory on the host system. JDK 8u381 addresses this stability issue. In the previous release, this situation can be avoided by using either -XX:-UseContainerSupport, or -XX:MaxRAM=<physical memory>, or by setting a memory limit for your container that is lower than the physical memory.

JDK-8286030: This release addresses an issue where Java applications may encounter a fatal error when the same /tmp directory is shared across multiple containers. In earlier releases, this crash can be avoided by mounting /tmp to different locations for different containers. Alternatively, the '-XX:-UsePerfData' JVM option can be used to prevent JVMs running within different containers from writing performance data to the shared /tmp folder and thus avoid this issue.

install/install
 Starting in 8u371, the New RPM Package Obsoletes Older JDK 8 Packages and Disallows Downgrades (JDK-8307400)

Added an "Obsoletes" tag to JDK 8 RPM packages to allow automatic upgrades from older JDK 8 RPM packages.

  • jdk-1.8 package obsoletes jdk1.8 package.
  • jre-1.8 package obsoletes jre1.8 package.
  • jdk-1.8-headful package obsoletes jdk1.8 package.
  • jre-1.8-headful package obsoletes jre1.8 package.

No "Obsoletes" tag was added to the jdk-1.8-headless package to prevent upgrading from the full to headless JDK.

The changes allow automatic upgrades for JDK 8 RPM packages starting from the 8u151 update when jdk1.8 and jre1.8 package names were first introduced. Older JDK 8 updates will not be eligible for automatic upgrades to 8u381 and newer updates.

Due to the limitations of "Obsoletes" tag downgrades from 8u381 to older versions are not supported.

install/install
 Missing /usr/java/default Symlink on Linux Restored (JDK-8306690)

A regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms has been fixed. Installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.

install/install
 Installation of JDK RPM Corrupts Alternatives (JDK-8308244)

The JDK RPM installer will remove incorrectly constructed entries of "java" and "javac" groups registered by older Oracle JDK RPM installers from the alternatives before registering new "java" and "javac" entries.

An incorrectly constructed entry of the "java" group contains commands that are supposed to belong to the "javac" group.

An incorrectly constructed entry of the "javac" group contains commands that are supposed to belong to the "java" group.

All incorrectly constructed entries belonging to Oracle JDK RPM packages will be removed from the alternatives to avoid corruption of the alternatives internal data.

The removal has a potential side effect for users who have installed multiple JDK versions that are not updated to the latest release. Commands from a removed "java" or "javac" group are now unavailable for system Java switch, which potentially changes the current system Java without a warning. For example, if there is an out-of-date JDK RPM from an 11+ release, say 11.0.17, with an incorrectly constructed single "java" group installed and 8u381 RPM with this patch is installed, it will remove an entry from the "java" group belonging to the 11.0.17 RPM and thus will switch the current system Java from 11.0.17 to 8u381. The side effect will only happen when you install a lower JDK family with the fix, such as 8u381, and there is an out-of-date JDK from a higher family, such as 11.0.17, installed on the system. In that case, 8u381 will replace the older 11.0.17 as the latest. The remedy for the user is to install the latest JDK 11.

security-libs/java.security
 Added TWCA Root CA Certificate (JDK-8305975)

The following root certificate has been added to the cacerts truststore:

+ TWCA

  + twcaglobalrootca
    DN: CN=TWCA Global Root CA, OU=Root CA, O=TAIWAN-CA, C=TW

security-libs/java.security
 Added 4 GTS Root CA Certificates (JDK-8307134)

The following root certificates have been added to the cacerts truststore:

+ Google Trust Services LLC

 + gtsrootcar1
  DN: CN=GTS Root R1, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootcar2
  DN: CN=GTS Root R2, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar3
  DN: CN=GTS Root R3, O=Google Trust Services LLC, C=US

+ Google Trust Services LLC
 + gtsrootecccar4
  DN: CN=GTS Root R4, O=Google Trust Services LLC, C=US

security-libs/java.security
 Added Microsoft Corporation's 2 TLS Root CA Certificates (JDK-8304760)

The following root certificates have been added to the cacerts truststore:

+ Microsoft Corporation

  + microsoftecc2017
    DN: CN=Microsoft ECC Root Certificate Authority 2017, O=Microsoft Corporation, C=US

+ Microsoft Corporation
  + microsoftrsa2017
    DN: CN=Microsoft RSA Root Certificate Authority 2017, O=Microsoft Corporation, C=US

core-libs/java.lang
 System Property java.specification.maintenance.version Set to 5 (JDK-8303028)

This JDK implements Maintenance Release 5 of the Java SE 8 specification (JSR 337). This is indicated by the system property java.specification.maintenance.version having the value of "5".

hotspot/runtime
 ASLR Support for CDS Archive (JDK-8294323 (not public))

Starting with the July 2023 CPU, on operating systems where ASLR (Address Space Layout Randomization) is enabled, the CDS archive will be placed at a random address picked by the operating system.

This change may have a minor performance impact: (a) Start-up time may increase because the JVM needs to patch pointers inside the CDS archive; (b) Memory usage may increase because the memory used by the CDS archive is no longer shareable across processes. We expect the impact to be small because such increases should be only a small fraction of the overall application usage.

In the unlikely event that you must disable ASLR for CDS, you can use the JVM flags -XX:+UnlockDiagnosticVMOptions -XX:ArchiveRelocationMode=0. The usage of such flags is not recommended.

security-libs/java.security
 Throw Error If Default java.security File Fails to Load (JDK-8155246)

A behavioral change has been made when the default conf/security/java.security security configuration file fails to load. In such a scenario, the JDK will now throw an InternalError.

Such a scenario should never occur. The default security file should always be present. Prior to this change, a static security configuration was loaded.

security-libs/java.security
 New System Property to Control the Maximum Size of Signature Files (JDK-8300596 (not public))

A new system property, jdk.jar.maxSignatureFileSize, has been added to allow applications to control the maximum size of signature files in a signed JAR. The value of the system property is the desired size in bytes. The default value is 8000000 bytes.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u381 release:

# BugId Component Summary
1JDK-8304636client-libs/java.awtjava/awt/Mouse/EnterExitEvents/DragWindowTest.java fails with Compilation Error on JDK 8u
2JDK-8189604client-libs/java.awtpossible hang in sun.awt.shell.Win32ShellFolder2$KnownFolderDefinition::<clinit>
3JDK-8159956client-libs/java.awtEXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins
4JDK-8302151client-libs/javax.imageioBMPImageReader throws an exception reading BMP images
5JDK-8003399client-libs/javax.swingJFileChooser gives wrong path to selected file when saving to Libraries folder on Windows 7
6JDK-8017487client-libs/javax.swingfilechooser in Windows-Libraries folder: columns are mixed up
7JDK-8284756core-libs[11u] Remove unused isUseContainerSupport in CgroupV1Subsystem
8JDK-8212528core-libsWrong cgroup subsystem being used for some CPU Container Metrics
9JDK-8275735core-libs[linux] Remove deprecated Metrics api (kernel memory limit)
10JDK-8305681core-libs/java.langAllow additional characters for GB18030-2022 (Level 2) support
11JDK-8241786core-libs/java.netImprove heuristic to determine default network interface on macOS
12JDK-8211382core-libs/java.nio.charsetsISO2022JP and GB18030 NIO converter issues
13JDK-8301119core-libs/java.nio.charsetsSupport for GB18030-2022
14JDK-8172347core-libs/java.rmiRefactoring src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java to improve testability of rmiregistry
15JDK-8212970core-libs/java.timeTZ database in "vanguard" format support
16JDK-8305400core-libs/java.util:i18nISO 4217 Amendment 175 Update
17JDK-8254001core-svc[Metrics] Enhance parsing of cgroup interface files for version detection
18JDK-8293540core-svc[Metrics] Incorrectly detected resource limits with additional cgroup fs mounts
19JDK-8292541core-svc/java.lang.management[Metrics] Reported memory limit may exceed physical machine memory
20JDK-8301282docs/guidesJMX simple and delegation security samples don't work because of missing access control entries
21JDK-8293821docs/guidesJDK LTS backports for Doc Tasks for JEP C206/C208: Modernize Oracle JDK Linux RPMs and installers on Windows and macOS
22JDK-8233023hotspot/compilerassert(Opcode() == mem->Opcode() || phase->C->get_alias_index(adr_type()) == Compile::AliasIdxRaw) failed: no mismatched stores, except on raw memory
23JDK-8210389hotspot/compilerC2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
24JDK-8217230hotspot/compilerassert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
25JDK-8062258hotspot/compilercompiler/debug/TraceIterativeGVN.java segfaults in trace_PhaseIterGVN
26JDK-8281297hotspot/gcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
27JDK-8167196hotspot/gcWhiteBox methods should throw an exception if used with inappropriate collector.
28JDK-8264593hotspot/runtimedebug.cpp utilities should be available in product builds.
29JDK-8281274hotspot/runtimedeal with ActiveProcessorCount in os::Linux::print_container_info
30JDK-8266490hotspot/runtimeExtend the OSContainer API to support the pids controller of cgroups
31JDK-8273526hotspot/runtimeExtend the OSContainer API pids controller with pids.current
32JDK-8231610hotspot/runtimeRelocate the CDS archive if it cannot be mapped to the requested address
33JDK-8287741hotspot/runtimeFix of JDK-8287107 (unused cgv1 freezer controller) was incomplete
34JDK-8287107hotspot/runtimeCgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
35JDK-8286030hotspot/runtimeAvoid JVM crash when containers share the same /tmp dir
36JDK-8287011hotspot/runtimeImprove container information
37JDK-8293472hotspot/runtimeIncorrect container resource limit detection if manual cgroup fs mounts present
38JDK-8292083hotspot/runtimeDetected container memory limit may exceed physical machine memory
39JDK-8272124hotspot/runtimeCgroup v1 initialization causes NullPointerException when cgroup path contains colon
40JDK-8281517install/installImprove the error message shown when a user tries to install the aarch64 bundle on an intel mac
41JDK-8284662javafx/accessibility[Win][Accessibility][ListCell] Screen reader fails to read ListView/ComboBox item count if > 100
42JDK-8251862javafx/graphicsWrong position of Popup windows at the intersection of 2 screens
43JDK-8301009javafx/webUpdate libxml2 to 2.10.3
44JDK-8306115javafx/webUpdate libxml2 to 2.10.4
45JDK-8304441javafx/window-toolkit[macos] Crash when putting invalid unicode char on clipboard
46JDK-8296654javafx/window-toolkit[macos] Crash when launching JavaFX app with JDK that targets SDK 13
47JDK-8292297security-libs/java.securityFix up loading of override java.security properties file
48JDK-8173181security-libs/java.securityEmpty string alias in KeyStore throws StringIndexOutOfBoundsException for getEntry()
49JDK-8293858security-libs/java.securityChange PKCS7 code to use default SecureRandom impl instead of SHA1PRNG
50JDK-8294906security-libs/javax.crypto:pkcs11Memory leak in PKCS11 NSS TLS server
51JDK-8274205security-libs/org.ietf.jgss:krb5Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
52JDK-8301269xml/jaxpUpdate Commons BCEL to Version 6.7.0

Java SE 8u371 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u371 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u371 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8307400 (not public) install install The new Java 8u371 RPMs break the standard RHEL OS update mechanism
JDK-8307777 (not public) install install JDK rpm packages have wrong license
JDK-8307831 (not public) install install Move dependency on libfreetype.so.6 from JDK8 headless to headful jdk

 

Changes in Java SE 8u371 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8159956 client-libs java.awt EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins
JDK-8305113 core-libs java.time (tz) Update Timezone Data to 2023c
JDK-8212970 core-libs java.time TZ database in "vanguard" format support
JDK-8306690 install install Restore missing /usr/java/default symlink on Linux
JDK-8305976 install install Installation of OL-specific x64 jdk rpms pulls in i686 dependencies
JDK-8305177 (not public) infrastructure build Perf and milestone suffix missing in rpm bundle names
JDK-8302112 (not public) hotspot test remove windows 2012 from task definitions

 

Changes in Java SE 8u371 b31

Bug Fixes

Fixes from the prior BPR are included in this version.


Java SE 8u371 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u371 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u371-Perf b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8159956 client-libs java.awt EXCEPTION_ACCESS_VIOLATION in sun.awt.windows.ThemeReader.getThemeMargins
JDK-8305113 core-libs java.time (tz) Update Timezone Data to 2023c
JDK-8212970 core-libs java.time TZ database in "vanguard" format support
JDK-8306690 install install Restore missing /usr/java/default symlink on Linux
JDK-8305976 install install Installation of OL-specific x64 jdk rpms pulls in i686 dependencies
JDK-8305177 (not public) infrastructure build Perf and milestone suffix missing in rpm bundle names
JDK-8302112 (not public) hotspot test remove windows 2012 from task definitions

 

Changes in Java SE 8u371-Perf b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8303452 (not public) hotspot jfr [JFR] Larger strings arent added to string pool

 

Changes in Java SE 8u371-Perf

Bug Fixes

JDK 8u371 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component/Subcomponent Summary
1JDK-8297656performance/hotspotAArch64: Enable AES/GCM Intrinsics
2JDK-8268276hotspot/compilerBase64 Decoding optimization for x86 using AVX-512
3JDK-8269404hotspot/compilerBase64 Encoding optimization enhancements for x86 using AVX-512
4JDK-8273108hotspot/compilerRunThese24H crashes with SEGV in markWord::displaced_mark_helper() after JDK-8268276
5JDK-8273459hotspot/compilerUpdate code segment alignment to 64 bytes
6JDK-8296958hotspot/compiler[JVMCI] add API for retrieving ConstantValue attributes
7JDK-8296961hotspot/compiler[JVMCI] Access to j.l.r.Method/Constructor/Field for ResolvedJavaMethod/ResolvedJavaField
8JDK-8296960hotspot/compiler[JVMCI] list HotSpotConstantPool.loadReferencedType to ConstantPool
9JDK-8296967hotspot/compiler[JVMCI] rationalize relationship between getCodeSize and getCode in ResolvedJavaMethod
10JDK-8282528hotspot/compilerAArch64: Incorrect replicate2L_zero rule
11JDK-8277137hotspot/compilerSet OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1
12JDK-8294902hotspot/compilerUndefined Behavior in C2 regalloc with null references
13JDK-8290322hotspot/compilerOptimize Vector.rearrange over byte vectors for AVX512BW targets.
14JDK-8295066hotspot/compilerFolding of loads is broken in C2 after JDK-8242115
15JDK-8296912hotspot/compilerC2: CreateExNode::Identity fails with assert(i < _max) failed: oob: i=1, _max=1
16JDK-8294538hotspot/compilermissing is_unloading() check in SharedRuntime::fixup_callers_callsite()
17JDK-8292602hotspot/compilerZGC: C2 late barrier analysis uses invalid dominator information
18JDK-8292660hotspot/compilerC2: blocks made unreachable by NeverBranch-to-Goto conversion are removed incorrectly
19JDK-8292285hotspot/compilerC2: remove unreachable block after NeverBranch-to-Goto conversion
20JDK-8290964hotspot/compilerC2 compilation fails with assert "non-reduction loop contains reduction nodes"
21JDK-8281122hotspot/compiler[IR Framework] Cleanup IR matching code in preparation for JDK-8280378
22JDK-8276064hotspot/compilerCheckCastPP with raw oop input floats below a safepoint
23JDK-8296924hotspot/compilerC2: assert(is_valid_AArch64_address(dest.target())) failed: bad address
24JDK-8290850hotspot/compilerC2: create_new_if_for_predicate() does not clone pinned phi input nodes resulting in a broken graph
25JDK-8297431hotspot/compiler[JVMCI] HotSpotJVMCIRuntime.encodeThrowable should not throw an exception
26JDK-8296136hotspot/compilerUse correct register in aarch64_enc_fast_unlock()
27JDK-8285835hotspot/compilerSIGSEGV in PhaseIdealLoop::build_loop_late_post_work
28JDK-8295788hotspot/compilerC2 compilation hits "assert((mode == ControlAroundStripMined && use == sfpt) || !use->is_reachable_from_root()) failed: missed a node"
29JDK-8297951hotspot/compilerC2: Create skeleton predicates for all If nodes in loop predication
30JDK-8297264hotspot/compilerC2: Cast node is not processed again in CCP and keeps a wrong too narrow type which is later replaced by top
31JDK-8295116hotspot/compilerC2: assert(dead->outcnt() == 0 && !dead->is_top()) failed: node must be dead
32JDK-8296389hotspot/compilerC2: PhaseCFG::convert_NeverBranch_to_Goto must handle both orders of successors
33JDK-8242115hotspot/compilerC2 SATB barriers are not safepoint-safe
34JDK-8292301hotspot/compiler[REDO v2] C2 crash when allocating array of size too large
35JDK-8272985hotspot/gcReference discovery is confused about atomicity and degree of parallelism
36JDK-8296733hotspot/jfrJFR: File Read event for RandomAccessFile::write(byte[]) is incorrect
37JDK-8283199hotspot/runtimeLinux os::cpu_microcode_revision() stalls cold startup
38JDK-8287011hotspot/runtimeImprove container information
39JDK-8271506hotspot/runtimeAdd ResourceHashtable support for deleting selected entries
40JDK-8294160hotspot/runtimemisc crash dump improvements
41JDK-8286030hotspot/runtimeAvoid JVM crash when containers share the same /tmp dir
42JDK-8048190hotspot/runtimeNoClassDefFoundError omits original ExceptionInInitializerError
43JDK-8293472hotspot/runtimeIncorrect container resource limit detection if manual cgroup fs mounts present
44JDK-8262386hotspot/svc-agentresourcehogs/serviceability/sa/TestHeapDumpForLargeArray.java timed out

Java™ SE Development Kit 8, Update 371 (JDK 8u371)

April 18, 2023

The full version string for this update release is 8u371-b11 (where "b" means "build"). The version number is 8u371.

 

IANA TZ Data 2022g

JDK 8u371 contains IANA time zone data 2022g which contains the following changes since the previous update.

  • The northern edge of Chihuahua changes to US timekeeping.
  • Much of Greenland stops changing clocks after March 2023.
  • Fix some pre-1996 timestamps in northern Canada.
  • C89 is now deprecated; please use C99 or later.
  • Portability fixes for AIX, libintl, MS-Windows, musl, z/OS.
  • In C code, use more C23 features if available.
  • C23 timegm now supported by default.
  • Fixes for unlikely integer overflows.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u371 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u371-b11

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. Use the Security Baseline page to determine the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u371) after the next critical patch update release, scheduled for July 18, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u371) on 2023-08-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/org.ietf.jgss
 Added a Default Native GSS-API Library on Windows (JDK-6722928)

A native GSS-API library named sspi_bridge.dll has been added to the JDK on the Windows platform. The library is client-side only and uses the default credentials. It will be loaded when the sun.security.jgss.native system property is set to "true". A user can still load a third-party native GSS-API library by setting the sun.security.jgss.lib system property to its path.

Native GSS automatically uses cached credentials from operating systems, thus the javax.security.auth.useSubjectCredsOnly system property should be set to false.

com.sun.security.auth.module.Krb5LoginModule does not call native JGSS. Avoid using com.sun.security.auth.module.Krb5LoginModule from JAAS config.

 

Removed Features and Options

other-libs
 javax.script Engine Implementation and com.apple.concurrent.Dispatch Are Removed for macOS AArch64 (DK-8297475 (Not Public))

The AppleScript engine implementing the javax.script engine API has been removed without replacement. The AppleScript engine has worked inconsistently. The services configuration (META-INF/services) file was missing and only worked by accident when installing JDK 7 or JDK 8 on systems that had Apple's version of AppleScriptEngine.jar already on the system.

The com.apple.concurrent.Dispatch API was a Mac-only API. It was carried into JDK 7u4 with the port of Apple's JDK 6 code. Developers are encouraged to use the standard java.util.concurrent.Executor and java.util.concurrent.ExecutorService APIs instead.

 

Known Issues

install/install
 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8305976 (Not Public))

This issue prevents yum from automatically installing the correct packages required by Oracle Linux specific x86_64 headless and headful JDK packages. Instead of x86_64 packages, it will install i686 packages. To workaround the issue, you may manually install packages with the same names as indicated by yum but with the x86_64 architecture.

After you have the x86_64 headless and/or headful jdk packages installed, you can get the list of required x86_64 packages by running the following script:

rpm -qa | grep -E -e '^jdk-.*-headful-.*\.x86_64$' -e '^jdk-.*-headless-.*\.x86_64$' | xargs -r rpm -q --requires | sort -u | cut -d ' ' -f 1 | grep -v '^rpmlib' | xargs -r rpm -q --whatprovides | sort -u | grep -e '.i[3456]86$' | xargs -r rpm -q --queryformat '%{name}.x86_64\n' | xargs -r echo

It will output a space-separated list of names of required x86_64 packages to stdout. You can pass this list to a sudo yum install command to ensure the installation of the required packages.

install/install
 Installation of Oracle Linux Specific x64 JDK RPMs Pulls in i686 Dependencies (JDK-8306690 (Not Public))

Fixed a regression where the /usr/java/default symlink is not created by RPM installers on Linux platforms. Now, installers will create the /usr/java/default symlink if it doesn't exist, targeting the /usr/java/latest symlink.

hotspot
 JVM Crashes with `Internal Error (g1CollectedHeap.cpp:5923)` after Upgrading to JDK 8u371 (JDK-8311244 (not public))

After upgrading to JDK 8u371 or later, there is the possibility of an application crash. The error log has a stack trace that starts with the following:

# Internal Error (g1CollectedHeap.cpp:5923), pid=xxxxx, tid=xxxxxx
# guarantee(!dcqs.completed_buffers_exist_dirty()) failed: must be

 

The above error may impact applications using G1 GC on all supported platforms.

Those who encounter the above error are encouraged to create a Service Request through My Oracle Support so that we can provide an interim solution to resolve the error.

 

Other Notes

client-libs/javax.swing
 System Property to Handle HTML ObjectView Creation (JDK-8296832 (Not Public))

Some Swing components, such as JLabels and JButtons, which display application text, will try to interpret that text as HTML, principally to enable styled text. The HTML processing of the text for these components will no longer recognize the <object> tag which allows for subclasses of java.awt.Component to be rendered on the component. To re-enable this, applications must specify -Dswing.html.object=true.

install/install
 RPM JDK Installer Changes (JDK-8292838 (Not Public))

The installation directory name of the Oracle JRE in an RPM package has changed from /usr/java/jre-1.8.0_${UPDATE}-${ARCH} to /usr/lib/jvm/jre-1.8-oracle-${ARCH}. The installation directory name of the Oracle JDK in an RPM package has changed from /usr/java/jdk-1.8.0_${UPDATE}-${ARCH} to /usr/lib/jvm/jdk-1.8-oracle-${ARCH}. Thus the 8u371 and 8u381 releases of JDK for x64 will both be installed in the /usr/lib/jvm/jdk-1.8-oracle-x64 directory and the JRE for x64 will both be installed in the /usr/lib/jvm/jre-1.8-oracle-x64 directory. Both JDK and JRE RPM packages will create /usr/java/jdk-1.8.0-${ARCH} and /usr/java/jre-1.8.0-${ARCH} links respectively pointing to the installation directories for backward compatibility.

For the x86_64 platform, the value of the ${ARCH} suffix has changed from amd64 to x64. For the x86_32 platform, the value of the ${ARCH} has changed from i586 to x86.

The JRE RPM package name has changed from jre1.8 to jre-1.8 to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JRE and then install the new JRE. For example, sudo rpm -e jre1.8; sudo rpm -i jre-8u371-linux-x64.rpm. The JDK RPM package name has changed from jdk1.8 to jdk-1.8 to make it consistent with other release families. To prevent confusion between the old and new naming patterns, the new package cannot be upgraded using a single "rpm -i ..." or "rpm -U ..." command. Please uninstall the old JDK and then install the new JDK. For example, sudo rpm -e jdk1.8; sudo rpm -i jdk-8u371-linux-x64.rpm.

Communication with the alternatives framework for the JDK RPM package has changed. JDK RPM packages of prior versions registered a single java group of commands with the alternatives framework. The JDK 1.8 RPM package registers java and javac groups with the alternatives framework. The java group is for commands used to run applications: java, javaws, jcontrol, jjs, keytool, orbd, pack200, policytool, rmic, rmid, rmiregistry, servertool, tnameserv, unpack200. The javac group is used for all other commands. The set of commands registered by the package has not changed.

Three new Oracle Linux (OL)-specific JDK RPM packages have been added: jdk-1.8-headless, jdk-1.8-headful, and jre-1.8-headful. These packages are available in OL7, OL8, and OL9 repositories. They are not available for download from oracle.com.

  • jdk-1.8-headless is a Headless Java Runtime for running non-GUI applications.
  • jdk-1.8-headful is a Headful Java Runtime with Development Tools for developing and running applications of all types.
  • jre-1.8-headful is a Headful Java Runtime for running applications of all types.

The combination of the OL-specific jdk-1.8-headless and jdk-1.8-headful packages provides the same JDK image and the same capabilities as the jdk-1.8 oracle.com package. The jre-1.8-headful package provides the same JRE image and the same capabilities as the jre-1.8 oracle.com package. OL-specific JDK and JRE RPM packages specify required capabilities, and the "Release" property of these packages has a %{dist} suffix. The value of the Release property of all RPM packages contains the value of the build number instead of the milestone.

install/install
 Disable Side-by-Side Installations of Multiple JDK Updates in Windows JDK Installers (JDK-8292824 (Not Public))

Windows JDK installers must install the Oracle JDK in %Program Files%\Java\jdk-%FEATURE% instead of %Program Files%\Java\jdk-%VNUM%. That is, all updates of the same release must share one installation directory. It will not be possible to install older versions of a family if there is a newer JRE of that family already installed.

Thus the JDK 8u371 and JDK 8u381 releases will both install into %Program Files%\Java\jdk-1.8 by default, and they both cannot be installed at the same time.

Note: The Java 8u371 feature JDK-8293762 will now only allow one JRE of each family to be installed at one time. The REMOVEOLDERJRES=1 feature will no longer be supported with the standalone MSI. This is by design, as we only allow one JRE of each family of Java. The newer JREs will auto-upgrade older JREs of the same family.

install/install
 All JDK Update Releases Are Installed into the Same Directory on macOS (JDK-8292832 (Not Public))

The Oracle JDK installation directory name will be changed from /Library/Java/JavaVirtualMachines/jdk1.8.0_${UPDATE}.jdk to /Library/Java/JavaVirtualMachines/jdk-1.8.jdk. Thus the 8u371 and 8u381 releases will both install into the /Library/Java/JavaVirtualMachines/jdk-1.8.jdk installation directory. Installing an older JDK update release will log an error, and not install the JDK, if a newer version of the same feature release already exists. An error dialog will be shown except in the case of a silent installation. JDK 8 update releases shipped prior to this release, JDK 8u371, will not be uninstalled during installation of JDK 8u371 or later.

security-libs/java.security
 Added Certigna(Dhimyotis) CA Certificate (JDK-8245654)

The following root certificate has been added to the cacerts truststore:

+ Certigna (Dhimyotis)
   + certignaca
      DN: CN=Certigna, O=Dhimyotis, C=FR

security-libs/javax.net.ssl
 Removed SSLv2Hello and SSLv3 From Default Enabled TLS Protocols (JDK-8190492)

SSLv2Hello and SSLv3 have been removed from the default enabled TLS protocols.

After this update, if SSLv3 is removed from the jdk.tls.disabledAlgorithms security property, the SSLSocket.getEnabledProtocols(), SSLServerSocket.getEnabledProtocols(), SSLEngine.getEnabledProtocols() and SSLParameters.getProtocols() APIs will return "TLSv1.3, TLSv1.2, TLSv1.1, TLSv1". "SSLv3" will not be returned in this list.

If a client or server still needs to use the SSLv3 protocol they can do so by enabling it through the jdk.tls.client.protocols or jdk.tls.server.protocols system properties or with the SSLSocket.setEnabledProtocols(), SSLServerSocket.setEnabledProtocols() and SSLEngine.setEnabledProtocols() APIs.

hotspot/runtime
 JVM May Fail to Initialize on Some cgroups v1 Systems (JDK-8302716)

After updating to JDK 8u361, applications failed to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem.

The JVM sometimes failed to initialize on Linux systems where /proc/self/mountinfo does not contain any mounted filesystem or controllers for cgroup.

For background information, see also My Oracle Support see KM Doc ID 2923131.1.

infrastructure
 Toolchain Upgrade to Visual Studio 2022 (JDK-8283723)

As part of ongoing maintenance, the JDK for Windows is built using the Microsoft Visual Studio 2022 toolchain starting with this release.

If you have issues with a Java application and if you have native or JNI libraries that are compiled with a different release of the compiler, then you must consider compatibility issues between the runtimes. Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes. More information can be found in “C++ binary compatibility between Visual Studio versions”.

security-libs/java.security
 Crypto-J Exception for Diffie-Hellman and DSA AlgorithmParameters Requests (JDK-8278027)

Applications using the Dell BSAFE Crypto-J 3rd party security provider may encounter an IOException if decoding DH or DSA algorithm parameters with the following exception:

Exception in thread "main" java.io.IOException: Could not decode parameters. at com.rsa.cryptoj.o.ms.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293)

Dell BSAFE Crypto-J version 6.2.6.2 has been released to address this issue. Applications using this provider should upgrade to that version or later. For applications on older versions of this provider, an interoperability fix has been added to this release of the JDK.

install
 No Default Java after 8u371 32-bit Upgrade (JDK-8306784 (not public))

Upgrading from an 8u361 (or earlier) 32-bit JRE to an 8u371 (or later) 32-bit JRE when an 8u371 (or later) 64-bit JRE is already installed will cause the java.exe command to not be found. For example:

  1. Install 32-bit 8u361
  2. Install 64-bit 8u371 (or later)
  3. Install 32-bit 8u371 (or later)

java.exe will now not work from all places. It will only work directly from the bin directory.

java.exe will not work unless you specify the full path to the bin directory of your JRE.

There are 2 workarounds:

  • Workaround 1: uninstall and reinstall the latest version of 64-bit 8u371 (or later)
  • Workaround 2: specify the full path to java.exe in the \bin directory of the JRE, for example: C:\Program Files\Java\jre-1.8\bin\java.exe

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u371 release:

# BugId Component Summary
1JDK-8285399client-libs/2dJNI exception pending in awt_GraphicsEnv.c:1432
2JDK-8284023client-libs/java.awtjava.sun.awt.X11GraphicsDevice.getDoubleBufferVisuals() leaks XdbeScreenVisualInfo
3JDK-8296496client-libs/java.awtOverzealous check in sizecalc.h prevents large memory allocation
4JDK-8295685client-libs/java.awtUpdate Libpng to 1.6.38
5JDK-8294378core-libs/java.netURLPermission constructor exception when using tr locale
6JDK-8297569core-libs/java.netURLPermission constructor throws IllegalArgumentException: Invalid characters in hostname after JDK-8294378
7JDK-8299439core-libs/java.textjava/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
8JDK-8295530core-libs/java.util.jarUpdate Zlib Data Compression Library to Version 1.2.13
9JDK-8287180core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-08-08
10JDK-8267038core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2022-03-02
11JDK-8296239core-libs/java.util:i18nISO 4217 Amendment 174 Update
12JDK-8241900hotspot/compilerLoop unswitching may cause dependence on null check to be lost
13JDK-8179954hotspot/compilerAArch64: C1 and C2 volatile accesses are not sequentially consistent
14JDK-8210387hotspot/compilerC2 compilation fails with "assert(node->_last_del == _last) failed: must have deleted the edge just produced"
15JDK-8248552hotspot/compilerC2 crashes with SIGFPE due to division by zero
16JDK-8069191hotspot/compilermoving predicate out of loops may cause array accesses to bypass null check
17JDK-8250825hotspot/compilerC2 crashes with assert(field != __null) failed: missing field
18JDK-8255466hotspot/compilerC2 crashes at ciObject::get_oop() const+0x0
19JDK-8272985hotspot/gcReference discovery is confused about atomicity and degree of parallelism
20JDK-8005165hotspot/runtimeRemove CPU-dependent code in self-patching vtables
21JDK-8271506hotspot/runtimeAdd ResourceHashtable support for deleting selected entries
22JDK-8253797hotspot/runtime[cgroups v2] Account for the fact that swap accounting is disabled on some systems
23JDK-8239785hotspot/runtimeCgroups: Incorrect detection logic on old systems in hotspot
24JDK-8239559hotspot/runtimeCgroups: Incorrect detection logic on some systems
25JDK-8048190hotspot/runtimeNoClassDefFoundError omits original ExceptionInInitializerError
26JDK-8197859hotspot/runtimeVS2017 Complains about UINTPTR_MAX definition in globalDefinitions_VisCPP.hpp
27JDK-8254997hotspot/runtimeRemove unimplemented OSContainer::read_memory_limit_in_bytes
28JDK-8252359hotspot/runtimeHotSpot Not Identifying it is Running in a Container
29JDK-8253435hotspot/runtimeCgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist
30JDK-8284633hotspot/runtimeCompressedClassPointers.java fails on macos-aarch64
31JDK-8220658hotspot/runtimeImprove the readability of container information in the error log
32JDK-8291763hotspot/runtimeInclude virtualization information in hs_err crash log on Solaris
33JDK-8289424hotspot/runtimeInclude LD_HWCAP in hs_err log output
34JDK-8298349install/install/usr/java/latest points to wrong JDK
35JDK-8298330install/install/usr/java/latest is missing after one of JDK rpms is uninstalled
36JDK-8149508javafx/controlsPerformance issue when scrolling ListView due to excess CSS processing
37JDK-8294400javafx/mediaProvide media support for libavcodec version 59
38JDK-8257895javafx/mediaAllow building of JavaFX media libs for Apple Silicon
39JDK-8298167javafx/webOpacity in WebView not working anymore
40JDK-8295755javafx/webUpdate SQLite to 3.39.4
41JDK-8303217javafx/webWebview loaded webpage is not showing play, volume related buttons for embeded Audio/Video elements
42JDK-8301022javafx/webVideo distortion is observed while playing youtube video
43JDK-8300954javafx/webHTML default Range input control not rendered
44JDK-8301712javafx/web[linux] Crash on exit from WebKit 615.1
45JDK-8302684javafx/webCherry-pick WebKit 615.1 stabilization fixes (2)
46JDK-8302294javafx/webCherry-pick WebKit 615.1 stabilization fixes
47JDK-8299977javafx/webUpdate WebKit to 615.1
48JDK-8242151security-libs/java.securityImprove OID mapping and reuse among JDK security providers for aliases registration
49JDK-8242897security-libs/java.securityKeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException
50JDK-8280890security-libs/java.securityCannot use '-Djava.system.class.loader' with class loader in signed JAR
51JDK-8200468security-libs/org.ietf.jgssPort the native GSS-API bridge to Windows
52JDK-8253829security-libs/org.ietf.jgssWrong length compared in SSPI bridge
53JDK-8225687security-libs/org.ietf.jgssNewly added sspi.cpp in JDK-6722928 still contains some small errors
54JDK-8175000tools/launcherjexec fails to execute simple helloworld.jar

Java SE 8u361 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u361 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u361 b35

Bug Fixes

BugId Category Subcategory Summary
JDK-8299439 core-libs java.text java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR
JDK-8017487 client-libs javax.swing filechooser in Windows-Libraries folder: columns are mixed up
JDK-8301318 (Confidential) deploy webstart Few JVM arguments are not supported in JAVAWS/JNLP

 

Changes in Java SE 8u361 b34

Bug Fixes

BugId Category Subcategory Summary
JDK-8274205 security-libs org.ietf.jgss:krb5 Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
JDK-8284662 javafx accessibility Screen reader fails to read ListView/ComboBox item count if > 100

 

Changes in Java SE 8u361 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8251862 javafx graphics Wrong position of Popup windows at the intersection of 2 screens
JDK-8149508 javafx controls Performance issue when scrolling ListView due to excess CSS processing
JDK-8299741 install autoupdate A temporary file is left in 'locallow' temp directory after Java Update

 

Changes in Java SE 8u361 b32

hotspot/runtime
 JVM Will Fail to Initialize on Some cgroups v1 Systems (JDK-8302716)

The JVM will fail to initialize on Linux systems where /proc/self/mountinfo does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.

A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).

Bug Fixes

BugId Category Subcategory Summary
JDK-8089986 javafx controls Menu beeps when mnemonics is used
JDK-7131823 client-libs javax.imageio bug in GIFImageReader
JDK-6357887 client-libs 2d selected printertray is ignored under linux
JDK-8239559 hotspot runtime Cgroups: Incorrect detection logic on some systems
JDK-8239785 hotspot runtime Cgroups: Incorrect detection logic on old systems in hotspot
JDK-8048190 hotspot runtime NoClassDefFoundError omits original ExceptionInInitializerError
JDK-8271506 hotspot runtime Add ResourceHashtable support for deleting selected entries

 

Changes in Java SE 8u361 b31

Bug Fixes

BugId Category Subcategory Summary
JDK-8205959 core-libs java.net Do not restart close if errno is EINTR
JDK-8280890 security-libs java.security Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8299628 (Confidential) javafx graphics BMP top-down images fail to load after JDK-8289336
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

Java SE 8u361 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u361 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u361-Perf b35

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.

 

Changes in Java SE 8u361-Perf b34

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.

 

Changes in Java SE 8u361-Perf b33

Bug Fixes

This BPR contains all of the fixes included in the corresponding JDK 8 BPR.

 

Changes in Java SE 8u361-Perf b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-6357887 client-libs 2d selected printertray is ignored under linux
JDK-7131823 client-libs javax.imageio bug in GIFImageReader

 

Changes in Java SE 8u361-Perf b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8205959 core-libs java.net Do not restart close if errno is EINTR
JDK-8280890 security-libs java.security Cannot use '-Djava.system.class.loader' with class loader in signed JAR
JDK-8297804 core-libs java.time (tz) Update Timezone Data to 2022g

 

Changes in Java SE 8u361-Perf

Bug Fixes

JDK 8u361 Enterprise Performance Pack includes the following fixes from JDK 17:
# BugId Component Subcomponent Summary
1JDK-8293319hotspotcompiler[C2 cleanup] Remove unused other_path arg in Parse::adjust_map_after_if
2JDK-8280511hotspotcompilerAArch64: Combine shift and negate to a single instruction
3JDK-8276108hotspotcompilerWrong instruction generation in aarch64 backend
4JDK-8251216hotspotcompilerImplement MD5 intrinsics on AArch64
5JDK-8186670hotspotcompilerImplement _onSpinWait() intrinsic for AArch64
6JDK-8290781hotspotcompilerSegfault at PhaseIdealLoop::clone_loop_handle_data_uses
7JDK-8282347hotspotcompilerAARCH64: Untaken branch in has_negatives stub
8JDK-8282049hotspotcompilerAArch64: Use ZR for integer zero immediate volatile stores
9JDK-8291775hotspotcompilerC2: assert(r != __null && r->is_Region()) failed: this phi must have a region
10JDK-8290711hotspotcompilerassert(false) failed: infinite loop in PhaseIterGVN::optimize
11JDK-8287349hotspotcompilerAArch64: Merge LDR instructions to improve C1 OSR performance
12JDK-8277411hotspotcompilerC2 fast_unlock intrinsic on AArch64 has unnecessary ownership check
13JDK-8277358hotspotcompilerAccelerate CRC32-C
14JDK-8291599hotspotcompilerAssertion in PhaseIdealLoop::skeleton_predicate_has_opaque after JDK-8289127
15JDK-8290705hotspotcompilerStringConcat::validate_mem_flow asserts with "unexpected user: StoreI"
16JDK-8290529hotspotcompilerC2: assert(BoolTest(btest).is_canonical()) failure
17JDK-8288445hotspotcompilerAArch64: C2 compilation fails with guarantee(!true || (true && (shift != 0))) failed: impossible encoding
18JDK-8280872hotspotcompilerReorder code cache segments to improve code density
19JDK-8272094hotspotcompilercompiler/codecache/TestStressCodeBuffers.java crashes with "failed to allocate space for trampoline"
20JDK-8293816hotspotcompilerCI: ciBytecodeStream::get_klass() is not consistent
21JDK-8293044hotspotcompilerC1: Missing access check on non-accessible class
22JDK-8292158hotspotcompilerAES-CTR cipher state corruption with AVX-512
23JDK-8270947hotspotcompilerAArch64: C1: use zero_words to initialize all objects
24JDK-8287425hotspotcompilerRemove unnecessary register push for MacroAssembler::check_klass_subtype_slow_path
25JDK-8290451hotspotcompilerIncorrect result when switching to C2 OSR compilation from C1
26JDK-8268779hotspotgcZGC: runtime/InternalApi/ThreadCpuTimesDeadlock.java#id1 failed with "OutOfMemoryError: Java heap space"
27JDK-8278389hotspotgcSuspendibleThreadSet::_suspend_all should be volatile/atomic
28JDK-8288754hotspotgcGCC 12 fails to build zReferenceProcessor.cpp
29JDK-8279398hotspotjfrjdk/jfr/api/recording/time/TestTimeMultiple.java failed with "RuntimeException: getStopTime() > afterStop"
30JDK-8268297hotspotjfrjdk/jfr/api/consumer/streaming/TestLatestEvent.java times out
31JDK-8291459hotspotruntimeJVM crash with GenerateOopMap::error_work(char const*, __va_list_tag*)
32JDK-8292083hotspotruntimeDetected container memory limit may exceed physical machine memory
33JDK-8293156hotspotsvcDcmd VM.classloaders fails to print the full hierarchy

Java™ SE Development Kit 8, Update 361 (JDK 8u361)

January 17, 2023

The full version string for this update release is 8u361-b09 (where "b" means "build"). The version number is 8u361.

 

IANA TZ Data 2022d, 2022e, 2022f

JDK 8u361 contains IANA time zone data 2022d, 2022e, 2022f.
  • Palestine transitions are now Saturdays at 02:00.
  • Simplify three Ukraine zones into one.
  • Jordan and Syria switch from +02/+03 with DST to year-round +03.
  • Mexico will no longer observe DST except near the US border.
  • Chihuahua moves to year-round -06 on 2022-10-30.
  • Fiji no longer observes DST.
  • Move links to 'backward'.
  • In vanguard form, GMT is now a Zone and Etc/GMT a link.
  • zic now supports links to links, and vanguard form uses this.
  • Simplify four Ontario zones.
  • Fix a Y2438 bug when reading TZif data.
  • Enable 64-bit time_t on 32-bit glibc platforms.
  • Omit large-file support when no longer needed.
  • In C code, use some C23 features if available.
  • Remove no-longer-needed workaround for Qt bug 53071.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u361 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
88u361-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u361) be used after the next critical patch update scheduled for April 18, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u361) on 2023-05-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/java.security
 Support for RSASSA-PSS in OCSP Response (JDK-8274471)

An OCSP response signed with the RSASSA-PSS algorithm is now supported.

 

Known Issues

hotspot/runtime
 JVM Will Fail to Initialize on Some cgroups v1 Systems (JDK-8302716)

After updating to JDK 8u361, applications may fail to start, with multiple Exceptions being thrown, ultimately identified by a java.lang.ArrayIndexOutOfBoundsException occurring at jdk.internal.platform.cgroupv2.CgroupV2Subsystem.initSubsystem.

The JVM will fail to initialize on Linux systems where /proc/self/mountinfo does not contain any mounted filesystem or controllers for cgroups. This failure occurs due to faulty detection logic where it incorrectly detects a cgroup v1 system, having no mounted controllers, as a cgroup v2 system.

A fix is available via the 8u361 b32 BPR available on My Oracle Support (see KM Doc ID 2923131.1).

 

Other Notes

hotspot/runtime
 CPU Shares Ignored When Computing Active Processor Count (JDK-8281181)

Previous JDK releases used an incorrect interpretation of the Linux cgroups parameter "cpu.shares". This might cause the JVM to use fewer CPUs than available, leading to an under utilization of CPU resources when the JVM is used inside a container.

Starting from this JDK release, by default, the JVM no longer considers "cpu.shares" when deciding the number of threads to be used by the various thread pools. The -XX:+UseContainerCpuShares command-line option can be used to revert to the previous behavior. This option is deprecated and may be removed in a future JDK release.

javafx/fxml
 FXML JavaScript Engine Disabled by Default (JDK-8294779 (not public))

The “JavaScript script engine” for FXML is now disabled by default. Any .fxml file that has a "javascript" Processing Instruction (PI) will no longer load by default, and an exception will be thrown.

It can be enabled by setting the system property: -Djavafx.allowjs=true

core-libs/java.lang
 Incorrect Handling of Quoted Arguments in ProcessBuilder (JDK-8282008)

ProcessBuilder on Windows is restored to address a regression caused by JDK-8250568. Previously, an argument to ProcessBuilder that started with a double-quote and ended with a backslash followed by a double-quote was passed to a command incorrectly and may cause the command to fail. For example the argument "C:\\Program Files\", would be seen by the command with extra double-quotes. This update restores the long standing behavior that does not treat the backslash before the final double-quote specially.

core-libs/java.net
 Make HttpURLConnection Default Keep Alive Timeout Configurable (JDK-8278067)

Two system properties have been added which control the keep alive behavior of HttpURLConnection in the case where the server does not specify a keep alive time. Two properties are defined for controlling connections to servers and proxies separately. They are http.keepAlive.time.server and http.keepAlive.time.proxy respectively. More information about them can be found in Networking Properties.

tools/visualvm
 VisualVM tool no longer bundled (JDK-8294184)

This version of the JDK no longer includes a copy of Java VisualVM. VisualVM is now available as a separate download from https://visualvm.github.io.

other-libs/corba
 CORBA _DynAnyFactoryStub readObject Accepts Only Stringified ior in IOR: URI format (JDK-8285021 (not public))

The readObject method of _DynAnyFactoryStub has been amended, such that, when reading the stringified IOR from serialized data, it will, by default, accept stringified IORs in IOR: URI format, only. As DynAnyFactory is a locally or ORB constrained type, it is not useful that serialized data should contain corbaname or corbaloc URIs. Furthermore, an ORB will prohibit the binding of a name in the INS to a DynAnyFactory IOR, as such, using a corbaname to reference an instance of DynAnyFactory is not meaningful.

A system property is introduced, org.omg.DynamicAny.DynAnyFactoryStub.disableIORCheck, which when set to true, will revert the _DynAnyFactoryStub::readObject to its current behavior and bypass the additional IOR checks.

security-libs/javax.net.ssl
 Change in SSLEngine.closeInbound() Behavior (JDK-8273553)

The SunJSSE close notification checks for SSLEngine to have been made less strict to conform to changes in the Transport Layer Security (TLS) RFCs. See also JDK-8253368.

Specifically, if an application tries to close its SSLEngine inbound side using SSLEngine.closeInbound() without having received a close notification message from its peer, the SSLEngine will no longer:

  1. trigger the transmission of a TLS fatal-level alert to the peer, and
  2. invalidate the current TLS session

The new behavior will still consider this condition an error and will throw a local javax.net.ssl.SSLException. But a fatal-level alert will no longer be generated to be sent to the peer, and the underlying session will remain valid.

In addition, the internal transport context for the SSLEngine will also now be closed. This may result in a different SSLEngineResult.HandshakeStatus value on the SSLEngine. Any outstanding outbound data must still be obtained (SSLEngine.wrap()) and sent in order to gracefully close the connection.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u361 release:

# BugId Component Summary
1JDK-8240756client-libs/2d[macos] SwingSet2:TableDemo:Printed Japanese characters were garbled
2JDK-8212677client-libs/java.awtX11 default visual support for IM status window on VNC
3JDK-8231445client-libs/java.awtcheck ZALLOC return values in awt coding
4JDK-8284033client-libs/java.awtLeak XVisualInfo in getAllConfigs in awt_GraphicsEnv.c
5JDK-8277497client-libs/javax.accessibilityLast column cell in the JTable row is read as empty cell
6JDK-8280950core-libs/java.utilRandomGenerator:NextDouble() default behavior non conformant after JDK-8280550 fix
7JDK-8281183core-libs/java.utilRandomGenerator:NextDouble() default behavior partially fixed by JDK-8280950
8JDK-8294307core-libs/java.util:i18nISO 4217 Amendment 173 Update
9JDK-8215571core-svc/debuggerjdb does not include jdk.* in the default class filter
10JDK-8197387core-svc/toolsjcmd started by "root" must be allowed to access all VM processes
11JDK-8294294docs/guidesDocument jdk.xml.xpathExprGrpLimit, jdk.xml.xpathExprOpLimit, and jdk.xml.xpathTotalOpLimit in the JAXP Security Guide
12JDK-8145458docs/hotspotJDK 8 man page incorrectly states -XX:ThreadStackSize=size sets the thread stack size (in bytes).
13JDK-8217359hotspot/compilerC2 compiler triggers SIGSEGV after transformation in ConvI2LNode::Ideal
14JDK-8255058hotspot/compilerC1: assert(is_virtual()) failed: type check
15JDK-8253816hotspot/compilerSupport macOS W^X
16JDK-8253795hotspot/compilerImplementation of JEP 391: macOS/AArch64 Port
17JDK-8168712hotspot/compiler[AOT] assert(false) failed: DEBUG MESSAGE: InterpreterMacroAssembler::call_VM_base: last_sp != NULL
18JDK-8261336hotspot/compilerIGV: enhance default filters
19JDK-8253817hotspot/runtimeSupport macOS Aarch64 ABI in Interpreter
20JDK-8200109hotspot/runtimeNMT: diff_malloc_site assert(early->flags() == current->flags(), "Must be the same memory type")
21JDK-8238676hotspot/runtimejni crashes on accessing it from process exit hook
22JDK-8230305hotspot/runtimeCgroups v2: Container awareness
23JDK-8027429hotspot/runtimeAdd diagnostic command VM.info to get hs_err print-out
24JDK-8253714hotspot/runtime[cgroups v2] Soft memory limit incorrectly using memory.high
25JDK-8253727hotspot/runtime[cgroups v2] Memory and swap limits reported incorrectly
26JDK-8255716hotspot/runtimeAArch64: Regression: JVM crashes if manually offline a core
27JDK-8191846hotspot/svcjstat prints debug message when debugging is disabled
28JDK-8038392hotspot/svcGenerating prelink cache breaks JAVA 'jinfo' utility normal behaviour
29JDK-8087557javafx/accessibility[Win] [Accessibility, Dialogs] Alert Dialog content is not fully read by Screen Reader
30JDK-8284281javafx/accessibility[Accessibility] [Win] [Narrator] Exceptions with TextArea & TextField when deleted last char
31JDK-8291087javafx/accessibilityWrong position of focus of screen reader on Windows with screen scale > 1
32JDK-8293795javafx/accessibility[Accessibility] [Win] [Narrator] Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField
33JDK-8289542javafx/graphicsUpdate JPEG Image Decoding Software to 9e
34JDK-8293971javafx/mediaLoading new Media from resources can sometimes fail when loading from FXML
35JDK-8289541javafx/webUpdate ICU4C to 71.1
36JDK-8257722security-libs/java.securityImprove "keytool -printcert -jarfile" output
37JDK-8273553security-libs/javax.net.sslsun.security.ssl.SSLEngineImpl.closeInbound also has similar error of JDK-8253368

Java SE 8u351 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u351 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u351 b34

Bug Fixes

BugId Category Subcategory Summary
JDK-8294307 core-libs java.util:i18n ISO 4217 Amendment 173 Update
JDK-8296239 core-libs java.util:i18n ISO 4217 Amendment 174 Update
JDK-8295173 core-libs java.time (tz) Update Timezone Data to 2022e
JDK-8296108 core-libs java.time (tz) Update Timezone Data to 2022f

 

Changes in Java SE 8u351 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8278027 security-libs javax.crypto X509Key.decode exception while using JSafeJCE FIPS provider

 

Changes in Java SE 8u351 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8224671 hotspot compiler AArch64: mauve System.arraycopy test failure
JDK-8292695 hotspot runtime SIGQUIT and jcmd attaching mechanism does not work with signal chaining library
JDK-8202014 hotspot runtime Possible to receive signal before signal semaphore created

 

Changes in Java SE 8u351 b31

Bug Fixes

BugId Category Subcategory Summary
JDK-8291973 install install Java RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d
JDK-8293795 javafx accessibility Exceptions When Deleting Text with Continuous Key Press in TextArea and TextField

Java SE 8u351 Enterprise Performance Pack - Bug Fixes and Updates

The following sections summarize changes made in Java SE 8u351 Enterprise Performance Pack. Bug fixes and any other changes are listed below in date order, most current update first. Note that bug fixes in the previous BPR are also included in the current update release.

 

Changes in Java SE 8u351 Perf b34

Bug Fixes

JBS Component Subcomponent Summary
JDK-8294307 core-libs java.util:i18n ISO 4217 Amendment 173 Update
JDK-8296239 core-libs java.util:i18n ISO 4217 Amendment 174 Update
JDK-8294357 core-libs java.time (tz) Update Timezone Data to 2022d
JDK-8295173 core-libs java.time (tz) Update Timezone Data to 2022e
JDK-8296108 core-libs java.time (tz) Update Timezone Data to 2022f

 

Changes in Java SE 8u351 Perf b33

Bug Fixes

JBS Component Subcomponent Summary
JDK-8278027 security-libs javax.crypto X509Key.decode exception while using JSafeJCE FIPS provider

 

Other Notes

JDK Flight Recorder

Enterprise Performance Pack supports JDK Flight Recorder (JFR).

JFR is a low-overhead data collection framework for troubleshooting Java applications and the HotSpot JVM in production. Recorded data can be opened in JDK Mission Control (JMC). To start recordings from within JMC, a new version of JMC is required. Currently, it is not released as part of the JDK but is available as a downloadable patch from Supported Java SE Downloads on MOS or from JDK Mission Control 8 Downloads. JFR comes with a supported API to produce and consume data programmatically.

Relevant Changes for JFR include JEP 328: Flight Recorder, JEP 349: JFR Event Streaming

 

Changes in Java SE 8u351 Perf

Bug Fixes

JDK 8u351 Enterprise Performance Pack includes the following fixes from JDK 17:
# JBS Component Subcomponent Summary
1 JDK-8282467 hotspot compiler add extra diagnostics for JDK-8268184
2 JDK-8284883 hotspot compiler JVM crash: guarantee(sect->end() <= sect->limit()) failed: sanity on AVX512
3 JDK-8285923 hotspot compiler [REDO] JDK-8285802 AArch64: Consistently handle offsets in MacroAssembler as 64-bit quantities
4 JDK-8282555 hotspot compiler Missing memory edge when spilling MoveF2I, MoveD2L etc
5 JDK-8286638 hotspot compiler C2: CmpU needs to do more precise over/underflow analysis
6JDK-8288303hotspotcompilerC1: Miscompilation due to broken Class.getModifiers intrinsic
7JDK-8270090hotspotcompilerC2: LCM may prioritize CheckCastPP nodes over projections
8JDK-8280696hotspotcompilerC2 compilation hits assert(is_dominator(c, n_ctrl)) failed
9JDK-8285820hotspotcompilerC2: LCM prioritizes locally dependent CreateEx nodes over projections after 8270090
10JDK-8287091hotspotcompileraarch64 : guarantee(val < (1ULL << nbits)) failed: Field too big for insn
11JDK-8287396hotspotcompilerLIR_Opr::vreg_number() and data() can return negative number
12JDK-8286625hotspotcompilerC2 fails with assert(!n->is_Store() && !n->is_LoadStore()) failed: no node with a side effect
13JDK-8288467hotspotcompilerremove memory_operand assert for spilled instructions
14JDK-8276546hotspotcompiler[IR Framework] Whitelist and ignore CompileThreshold
15JDK-8279622hotspotcompilerC2: miscompilation of map pattern as a vector reduction
16JDK-8286177hotspotcompilerC2: "failed: non-reduction loop contains reduction nodes" assert failure
17JDK-8284944hotspotcompilerassert(cnt++ < 40) failed: infinite cycle in loop optimization
18JDK-8287223hotspotcompilerC1: Inlining attempt through MH::invokeBasic() with null receiver
19JDK-8272736hotspotcompiler[JVMCI] Add API for reading and writing JVMCI thread locals
20JDK-8284358hotspotcompilerUnreachable loop is not removed from C2 IR, leading to a broken graph
21JDK-8288360hotspotcompilerCI: ciInstanceKlass::implementor() is not consistent for well-known classes
22JDK-8286314hotspotcompilerTrampoline not created for far runtime targets outside small CodeCache
23JDK-8288781hotspotcompilerC1: LIR_OpVisitState::maxNumberOfOperands too small
24JDK-8289127hotspotcompilerApache Lucene triggers: DEBUG MESSAGE: duplicated predicate failed which is impossible
25JDK-8283441hotspotcompilerC2: segmentation fault in ciMethodBlocks::make_block_at(int)
26JDK-8287432hotspotcompilerC2: assert(tn->in(0) != __null) failed: must have live top node
27JDK-8281297hotspotgcTestStressG1Humongous fails with guarantee(is_range_uncommitted)
28JDK-8283597hotspotjvmti[REDO] Invalid generic signature for redefined classes
29JDK-8278753hotspotruntimeRuntime crashes with access violation during JNI_CreateJavaVM call
30JDK-8283469hotspotruntimeDon't use memset to initialize members in FileMapInfo and fix memory leak
31JDK-8268773hotspotruntimeImprovements related to: Failed to start thread - pthread_create failed (EAGAIN)
32JDK-8289477hotspotruntimeMemory corruption with CPU_ALLOC, CPU_FREE on muslc
33JDK-8289799hotspotruntimeBuild warning in methodData.cpp memset zero-length parameter
34JDK-8290417hotspotruntimeCDS cannot archive lamda proxy with useImplMethodHandle
35JDK-8287107hotspotruntimeCgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller
36JDK-8287741hotspotruntimeFix of JDK-8287107 (unused cgv1 freezer controller) was incomplete

Java™ SE Development Kit 8, Update 351 (JDK 8u351)

October 18, 2022

The full version string for this update release is 8u351-b10 (where "b" means "build"). The version number is 8u351.

 

IANA TZ Data 2022b, 2022c

JDK 8u351 contains IANA time zone data 2022b, 2022c.

  • Chile's DST is delayed by a week in September 2022.
  • Iran no longer observes DST after 2022.
  • Rename Europe/Kiev to Europe/Kyiv.
  • New zic -R option
  • Vanguard form now uses %z.
  • Finish moving duplicate-since-1970 zones to 'backzone'.
  • New build option PACKRATLIST.
  • New tailored_tarballs target, replacing rearguard_tarballs.
  • Work around awk bug in FreeBSD, macOS, etc.
  • Improve tzselect on intercontinental Zones.
For more information, refer to Timezone Data Versions in the Java Runtime.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u351 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u351-b10
7 7u361-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u351) be used after the next critical patch update scheduled for January 17, 2023.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u351) on 2023-02-17. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/java.security
 Upgrade the Default PKCS12 MAC Algorithm (JDK-8267880)

The default MAC algorithm used in a PKCS #12 keystore has been updated. The new algorithm is based on SHA-256 and is stronger than the old one based on SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

The new SHA-256 based MAC algorithms were introduced in the 11.0.12, 8u301, and 7u311 JDK versions. Keystores created using this newer, stronger, MAC algorithm cannot be opened in JDK versions earlier than 11.0.12, 8u301, and 7u311. A 'java.security.NoSuchAlgorithmException' exception will be thrown in such circumstances.

For compatibility, use the keystore.pkcs12.legacy system property, which will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

hotspot/runtime
 os::set_native_thread_name() cleanups (JDK-7102541)

On platforms that support the concept of a thread name on their native threads, the java.lang.Thread.setName() method will also set that native thread name. However, this will only occur when called by the current thread, and only for threads started through the java.lang.Thread class (not for native threads that have attached via JNI). The presence of a native thread name can be useful for debugging and monitoring purposes. Some platforms may limit the native thread name to a length much shorter than that used by the java.lang.Thread, which may result in some threads having the same native name.

 

Other Notes

install/install
 Enable Java Access Bridge Check Box Option in Control Panel Is Not Available with JDK 11 Installer (JDK-8208637)

The Java Access Bridge checkbox in the Windows Control Panel is not available in JDK11. This registration was part of the public JRE installation.

However, Java Access Bridge can still be enabled and disabled by following these steps:

  1. Copy %JAVAHOME%\bin\windowsaccessbridge-64.dll to %WINDOWSHOME%\SYSTEM32. A reboot might be required after this step.
  2. Run %JAVAHOME%\bin\jabswitch /enable and %JAVAHOME%\bin\jabswitch /disable.

Note: %WINDOWSHOME% is the directory where Microsoft Windows is installed (for example, C:\WINDOWS) %JAVAHOME% is the directory where your JDK is installed (for example, C:\Program Files\Java\jdk-11)

security-libs/java.security
 Disabled SHA-1 Signed JARs (JDK-8269039)

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked. These restrictions also apply to signed JCE providers.

To reduce the compatibility risk for JARs that have been previously timestamped, there is one exception to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.

This exception may be removed in a future JDK release. To determine if your signed JARs are affected by this change, run jarsigner -verify -verbose -certs on the signed JAR, and look for instances of "SHA1" or "SHA-1" and "disabled" and a warning that the JAR will be treated as unsigned in the output.

For example:

-  Signed by "CN="Signer""

     Digest algorithm: SHA-1 (disabled)
     Signature algorithm: SHA1withRSA (disabled), 2048-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01

JARs affected by these new restrictions should be replaced or re-signed with stronger algorithms.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or override it by using the java.security.properties system property) and removing "SHA1 usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

security-libs/org.ietf.jgss:krb5
 Deprecate 3DES and RC4 in Kerberos (JDK-8139348)

The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default. Users can set allow_weak_crypto = true in the krb5.conf configuration file to re-enable them (along with other weak etypes including des-cbc-crc and des-cbc-md5) at their own risk. To disable a subset of the weak etypes, users can list preferred etypes explicitly in any of the default_tkt_enctypes, default_tgs_enctypes, or permitted_enctypes settings.

core-libs/java.lang
 Phantom references are automatically cleared as soft and weak references (JDK-8071507)

This enhancement changes phantom references to be automatically cleared by the garbage collector as soft and weak references.

An object becomes phantom reachable after it has been finalized. This change may cause the phantom reachable objects to be GC'ed earlier - previously the referent is kept alive until PhantomReference objects are GC'ed or cleared by the application. This potential behavioral change might only impact existing code that would depend on PhantomReference being enqueued rather than when the referent be freed from the heap.

core-libs/java.lang
 java.lang.ref.Reference.enqueue method clears the reference object before enqueuing (JDK-8175797)

java.lang.ref.Reference.enqueue method clears the reference object before it is added to the registered queue. When the enqueue method is called, the reference object is cleared and get() method will return null in JDK 9.

Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear method to avoid memory leak because its referent is no longer referenced. In other words the get method is expected not to be called in common cases once the enqueuemethod is called. In the case when the get method from an enqueued reference object and existing code attempts to access members of the referent, NullPointerException may be thrown. Such code will need to be updated.

core-libs/java.lang
 java.lang.ref.Reference Does Not Support Cloning (JDK-8201793)

java.lang.ref.Reference::clone method always throws CloneNotSupportedException. Reference objects cannot be meaningfully cloned. To create a new Reference object, call the constructor to create a Reference object with the same referent and reference queue instead.

core-libs/java.time
 Update Timezone Data to 2022c (JDK-8294042)

This version includes changes from 2022b that merged multiple regions that have the same timestamp data post-1970 into a single time zone data. All time zone IDs remain the same but the merged time zones will point to a shared zone data.

As a result, pre-1970 data may not be compatible with earlier JDK versions. The affected zones are Antarctica/Vostok, Asia/Brunei, Asia/Kuala_Lumpur, Atlantic/Reykjavik, Europe/Amsterdam, Europe/Copenhagen, Europe/Luxembourg, Europe/Monaco, Europe/Oslo, Europe/Stockholm, Indian/Christmas, Indian/Cocos, Indian/Kerguelen, Indian/Mahe, Indian/Reunion, Pacific/Chuuk, Pacific/Funafuti, Pacific/Majuro, Pacific/Pohnpei, Pacific/Wake, Pacific/Wallis, Arctic/Longyearbyen, Atlantic/Jan_Mayen, Iceland, Pacific/Ponape, Pacific/Truk, and Pacific/Yap.

For more details, refer to the announcement of 2022b.

core-libs/java.lang
 System Property java.specification.maintenance.version Set to 4 (JDK-8290849)

This JDK implements Maintenance Release 4 of the Java SE 8 specification (JSR 337). Implementing this maintenance release is indicated by the new system property java.specification.maintenance.version having the value of "4".

core-libs/java.net
 New System Property to Limit the Number of Open Connections to com.sun.net.httpserver.HttpServer (JDK-8286918 (not public))

A new system property named jdk.httpserver.maxConnections has been introduced to allow users to configure the com.sun.net.httpserver.HttpServer to limit the maximum number of open connections to the server at any given time. This system property takes an integer value and can be configured to be a positive integer. If the property is absent, set to 0, or a negative value, the server will not limit the number of open connections. By default, this system property is not set.

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u351 release:

# BugId Component Subcomponent Summary
1JDK-8260616client-libsRemoving remaining JNF dependencies in the java.desktop module
2JDK-8270216client-libsjava.awt[macOS] Update named used for Java run loop mode
3JDK-8272602client-libsjava.awt[macOS] not all KEY_PRESSED events sent when control modifier is used
4JDK-8261352client-libsjavax.accessibilityCreate implementation for component peer for all the components who should be ignored in a11y interactions
5JDK-8263420client-libsjavax.accessibilityIncorrect function name in NSAccessibilityStaticText native peer implementation
6JDK-8261198client-libsjavax.accessibility[macOS] Incorrect JNI parameters in number conversion in A11Y code
7JDK-8262981client-libsjavax.accessibilityCreate implementation for NSAccessibilitySlider protocol
8JDK-8287740client-libsjavax.accessibilityNSAccessibilityShowMenuAction not working for text editors
9JDK-8275071client-libsjavax.accessibility[macos] A11y cursor gets stuck when combobox is closed
10JDK-8274383client-libsjavax.accessibilityJNI call of getAccessibleSelection on a wrong thread
11JDK-8267387client-libsjavax.accessibilityCreate implementation for NSAccessibilityOutline protocol
12JDK-8267388client-libsjavax.accessibilityCreate implementation for NSAccessibilityTable protocol
13JDK-8262031client-libsjavax.accessibilityCreate implementation for NSAccessibilityNavigableStaticText protocol
14JDK-8275809client-libsjavax.accessibilitycrash in [CommonComponentAccessibility getCAccessible:withEnv:]
15JDK-8273678client-libsjavax.accessibilityTableAccessibility and TableRowAccessibility miss autorelease
16JDK-8271071client-libsjavax.accessibilityaccessibility of a table on macOS lacks cell navigation
17JDK-8267066client-libsjavax.accessibilityNew NSAccessibility peers should return they roles and subroles directly
18JDK-8275720client-libsjavax.accessibilityCommonComponentAccessibility.createWithParent isWrapped causes mem leak
19JDK-8267385client-libsjavax.accessibilityCreate NSAccessibilityElement implementation for JavaComponentAccessibility
20JDK-8275819client-libsjavax.accessibility[TableRowAccessibility accessibilityChildren] method is ineffective
21JDK-8284690client-libsjavax.accessibility[macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox
22JDK-8286266client-libsjavax.accessibility[macos] Voice over moving JTable column to be the first column JVM crashes
23JDK-8284014client-libsjavax.accessibilityMenu items with submenus in JPopupMenu are not spoken on macOS
24JDK-8283383client-libsjavax.accessibility[macos] a11y : Screen magnifier shows extra characters (0) at the end JButton accessibility name
25JDK-8278609client-libsjavax.accessibility[macos] accessibility frame is misplaced on a secondary monitor on macOS
26JDK-8274735client-libsjavax.imageiojavax.imageio.IIOException: Unsupported Image Type while processing a valid JPEG image
27JDK-8256109client-libsjavax.swingCreate implementation for NSAccessibilityButton protocol
28JDK-8256108client-libsjavax.swingCreate implementation for NSAccessibilityElement protocol peer
29JDK-8256126client-libsjavax.swingCreate implementation for NSAccessibilityImage protocol peer
30JDK-8256110client-libsjavax.swingCreate implementation for NSAccessibilityStepper protocol
31JDK-8256111client-libsjavax.swingCreate implementation for NSAccessibilityStaticText protocol
32JDK-8261350client-libsjavax.swingCreate implementation for NSAccessibilityCheckBox protocol peer
33JDK-8261351client-libsjavax.swingCreate implementation for NSAccessibilityRadioButton protocol
34JDK-8264299client-libsjavax.swingCreate implementation of native accessibility peer for ScrollPane and ScrollBar Java Accessibility roles
35JDK-8264300client-libsjavax.swingCreate implementation for NSAccessibilityScrollBar protocol peer
36JDK-8264290client-libsjavax.swingCreate implementation for NSAccessibilityComponentGroup protocol peer
37JDK-8264304client-libsjavax.swingCreate implementation for NSAccessibilityToolbar protocol peer
38JDK-8264302client-libsjavax.swingCreate implementation for Accessibility native peer for Splitpane java role
39JDK-8264305client-libsjavax.swingCreate implementation for native accessibility peer for Statusbar java role
40JDK-8264287client-libsjavax.swingCreate implementation for NSAccessibilityComboBox protocol peer
41JDK-8264303client-libsjavax.swingCreate implementation for NSAccessibilityTabGroup protocol peer
42JDK-8264297client-libsjavax.swingCreate implementation for NSAccessibilityProgressIndicator protocol peer
43JDK-8264294client-libsjavax.swingCreate implementation for NSAccessibilityMenuBar protocol peer
44JDK-8264298client-libsjavax.swingCreate implementation for NSAccessibilityRow protocol peer
45JDK-8264286client-libsjavax.swingCreate implementation for NSAccessibilityColumn protocol peer
46JDK-8264291client-libsjavax.swingCreate implementation for NSAccessibilityCell protocol peer
47JDK-8264292client-libsjavax.swingCreate implementation for NSAccessibilityList protocol peer
48JDK-8264293client-libsjavax.swingCreate implementation for NSAccessibilityMenu protocol peer
49JDK-8264295client-libsjavax.swingCreate implementation for NSAccessibilityMenuItem protocol peer
50JDK-8264296client-libsjavax.swingCreate implementation for NSAccessibilityPopUpButton protocol peer
51JDK-8257620core-libsDo not use objc_msgSend_stret to get macOS version
52JDK-8071507core-libsjava.lang(ref) Clear phantom reference as soft and weak references do
53JDK-8287132core-libsjava.langRetire Runtime.runFinalizersOnExit so that it always throws UOE
54JDK-8178832core-libsjava.lang(ref) jdk.lang.ref.disableClearBeforeEnqueue property is ignored
55JDK-8175797core-libsjava.lang(ref) Reference::enqueue method should clear the reference object before enqueuing
56JDK-8193780core-libsjava.lang(ref) Remove the undocumented "jdk.lang.ref.disableClearBeforeEnqueue" system property
57JDK-8285497core-libsjava.langAdd system property for Java SE specification maintenance version
58JDK-8201793core-libsjava.lang(ref) Reference object should not support cloning
59JDK-8287917core-libsjava.lang:class_loadingSystem.loadLibrary does not work on Big Sur if JDK is built with macOS SDK 10.15 and earlier
60JDK-8288769core-libsjava.util.jarRevert unintentional change to deflate.c
61JDK-8283277core-libsjava.util:i18nISO 4217 Amendment 171 Update
62JDK-8289549core-libsjava.util:i18nISO 4217 Amendment 172 Update
63JDK-8277368core-libsjavax.scriptMetaspace OOM thrown due to the leak of Nashorn ScriptEngine
64JDK-6447817docsAdd additional Service Attributes to Standard Algorithm Names guide
65JDK-8291414docsguidesFix the incorrect wording about delayed provider selection in the PKCS11 documentation
66JDK-8261071hotspotcompilerAArch64: Refactor interpreter native wrappers
67JDK-8234930hotspotcompilerUse MAP_JIT when allocating pages for code cache on macOS
68JDK-8253015hotspotcompilerAarch64: Move linux code out from generic CPU feature detection
69JDK-8188066hotspotgc(ref) Examine the reachability of JNI WeakGlobalRef and interaction with phantom refs
70JDK-8143847hotspotgcRemove REF_CLEANER reference category
71JDK-8285621hotspotjfrXcheck:jni warnings during JFR initialization
72JDK-6885993hotspotruntimeNamed Thread: introduce print() and print_on(outputStream* st) methods
73JDK-7102541hotspotruntimeRFE: os::set_native_thread_name() cleanups
74JDK-8261075hotspotruntimeCreate stubRoutines.inline.hpp with SafeFetch implementation
75JDK-8151322hotspotruntimeImplement os::set_native_thread_name() on Solaris
76JDK-8061999hotspotruntimeEnhance VM option parsing to allow options to be specified in a file
77JDK-8078521hotspotsvcAARCH64: Add AArch64 SA support
78JDK-8289587javafxwebIllegalArgumentException: Color.rgb's red parameter (-16776961) expects color values 0-255
79JDK-8088420javafxwebJavaFX WebView memory leak via EventListener
80JDK-8285881javafxwebUpdate WebKit to 614.1
81JDK-8292609javafxwebCherry-pick WebKit 614.1 stabilization fixes
82JDK-8268427security-libsjava.securityImprove AlgorithmConstraints:checkAlgorithm performance
83JDK-8186143security-libsjava.securitykeytool -ext option doesn't accept wildcards for DNS subject alternative names
84JDK-8267880security-libsjava.securityUpgrade the default PKCS12 MAC algorithm
85JDK-8263404security-libsjava.securityRsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
86JDK-8269039security-libsjava.securityDisable SHA-1 Signed JARs
87JDK-8275887security-libsjava.securityjarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled
88JDK-8270317security-libsjavax.net.sslLarge Allocation in CipherSuite
89JDK-8284694security-libsjavax.net.sslAvoid evaluating SSLAlgorithmConstraints twice
90JDK-8286211security-libsjavax.smartcardioUpdate PCSC-Lite for Suse Linux to 1.9.5
91JDK-8285398security-libsjdk.securityCache the results of constraint checks
92JDK-8074835security-libsorg.ietf.jgssResolve disabled warnings for libj2gss
93JDK-8074836security-libsorg.ietf.jgss:krb5Resolve disabled warnings for libosxkrb5
94JDK-8139348security-libsorg.ietf.jgss:krb5Deprecate 3DES and RC4 in Kerberos
95JDK-8289486xmljaxpImprove XSLT XPath operators count efficiency


Enterprise Performance Pack - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Enterprise Performance Pack BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

 

Changes in 8u345-PERF-b31

Bug Fixes

BugId Category Subcategory Description
JDK-8292260 hotspot compiler C2 Compilation Errors Unpredictably Crashes

Java SE Subscription Enterprise Performance Pack Release Notes

The Java SE Subscription Enterprise Performance Pack (EPP) is a commercial feature release of the Java SE platform. It contains new features and enhancements in many functional areas. It is currently available only through My Oracle Support. It is available as part of an Oracle Java SE Subscription and Oracle Cloud Infrastructure (OCI) Subscription. The Release Notes below describe the features, important changes, enhancements, and other information about the Enterprise Performance Pack.

Enterprise Performance Pack runtime brings improved performance, new features, and enhancements from the Java Virtual Machine from JDK 17 to JDK 8. It reduces the memory footprint for Java SE 8 workloads. It is ideal if you want or need to use Java SE 8 and you are running those workloads at scale. If you need to develop applications, Oracle recommends that you use the full JDK.

Enterprise Performance Pack is for server-side, headless systems (systems that operate without a graphical user interface or peripheral devices like a keyboard or a mouse) running 64-bit Linux on Intel or ARM.

Links to other sources of information about the Enterprise Performance Pack are also provided below:

 

The full version string for this update release is 1.8.0_345-perf-97-b06 (where "b" means "build"). The version number is 8u345.

 

IANA Data 2022a

The Enterprise Performance Pack contains IANA time zone data version 2022a. For more information, refer to Timezone Data Versions in the JRE Software.

TOP


New Features and Information

This section describes Enterprise Performance Pack features and important information. In some cases, the descriptions provide links to additional detailed information about an issue or a change.

New Garbage Collector

Enterprise Performance Pack supports the latest garbage collector, ZGC.

The Z Garbage Collector, also known as ZGC, is a scalable low latency garbage collector (JEP 333). At its core, ZGC is a concurrent garbage collector, meaning that all heavy lifting work (marking, compaction, reference processing, string table cleaning, etc) is done while Java threads continue to execute. This greatly limits the negative impact that garbage collection has on application response times.

Applications moving from Parallel GC, CMS GC, or G1 GC to ZGC might observe higher CPU utilization and might require an increase in Java heap space. The tuning options for ZGC in the presence of observing allocation stalls are: increasing the max Java heap size (-Xmx), or setting -XX:SoftMaxHeapSize to a value less than -Xmx, or increasing the number of concurrent GC threads and disabling dynamic GC threads (-XX:ConcGCThreads=n -XX:-UseDynamicGCThreads), or some combination of those three.

See Enterprise Performance Pack documentation for more information about JVM options and Enterprise Performance Pack configuration.

Unified Logging

Enterprise Performance Pack supports a common logging system for all components of the JVM. This provides line-at-a-time, human readable log messages enabled at the command line through the -Xlog flag. See Printing JVM Information in the Enterprise Performance Pack User's Guide for more details.

Relevant Changes for Unified Logging:  Use Unified Logging for GC logging (JDK-8145092)     print_tracing_info Uses Unified Logging (JDK-8184286)     Deprecated Tracing Flags Are Obsolete and Must Be Replaced With Unified Logging Equivalents (JDK-8256718)

Compact Strings

This is a space-efficient internal representation of strings, which reduces memory footprint and garbage collection activity. See Compact Strings in the Java Virtual Machine Guide of JDK 17 for more details.

Relevant Changes for Compact Strings:  JEP 254: Compact Strings (JDK-8054307)

 

 New Class Hierarchy Analysis Implementation in the HotSpot JVM (JDK-8266074)

A new Class Hierarchy Analysis implementation is introduced in the HotSpot JVM. It features enhanced handling of abstract and default methods which improves inlining decisions made by the JIT-compilers. The new implementation supersedes the original one and is turned on by default.

To help diagnose possible issues related to the new implementation, the original implementation can be turned on by specifying the -XX:+UnlockDiagnosticVMOptions -XX:-UseVtableBasedCHA command-line flags.

The original implementation may be removed in a future release.

 

TOP


Important Enhancements

This section describes Enterprise Performance Pack enhancements. In some cases, the descriptions provide links to additional detailed information about an issue or a change.

Garbage Collectors

Enterprise Performance Pack's Garbage First (G1) collector should not require additional tuning or re-tuning; it's the default garbage collector. Moving from CMS GC to G1 should follow the guidance suggested in the Enterprise Performance Pack User's Guide. Only G1 supports String Deduplication. This feature continuously checks for duplicate String objects during garbage collection thus reducing overall heap size.

Since Enterprise Performance Pack has the Compact Strings feature which reduces the amount of Java heap space occupied by Java Strings, improved performance with Parallel GC may be realized by re-tuning Java heap sizes.

Relevant Changes for Garbage Collectors:  Parallel GC Enables Adaptive Parallel Reference Processing by Default (JDK-8204686)     G1 Enables Adaptive Parallel Reference Processing by Default (JDK-8205043)     JEP 345: NUMA-Aware Memory Allocation for G1 (JDK-8210473)     Parallel GC Improvements (JDK-8224666)     Improvements in Serial GC Young pause time report (JDK-8215221)     JEP 307: Parallel Full GC for G1 (JDK-8172890)     Concurrently Uncommit Memory in G1 (JDK-8236926)     Improved Ergonomics for G1 Heap Region Size (JDK-8241670)     Improve Ergonomics for Sparse PRT Entry Size (JDK-8223162)     New PerfCounters for STW Phases on Concurrent GC Are Available (JDK-8153333)     G1 May Uncommit Memory During Marking Cycle (JDK-6490394)     Garbage Collectors Adaptively Scale the Number of Threads by Default (JDK-8198510)     JEP 363: Remove the Concurrent Mark and Sweep (CMS) Garbage Collector (JDK-8229049)     Various GC combinations have now been removed (JDK-8044022)     JEP 366: Deprecate the ParallelScavenge + SerialOld GC Combination (JDK-8233301)     UseAutoGCSelectPolicy has been deprecated (JDK-8166461)

The java Command

Enterprise Performance Pack includes several runtime options from JDK 17. However, some options from JDK 8 are not available in Enterprise Performance Pack. For example, Enterprise Performance Pack uses Unified JVM Logging, which replaces options that print details about the JVM with -Xlog:gc options. See the Enterprise Performance Pack documentation for more information about the changes made to the JVM options.

Runtime Options

A number of runtime options have been added or removed from the Enterprise Performance Pack. See the Changes to JVM Runtime Options section of the Enterprise Performance Pack User's Guide.

Relevant Changes for Runtime Options:  Flags Controlling C1 Inlining Have New Names (JDK-8235673)     Improved CompileCommand Flag (JDK-8256508)     Improve the Behavior of MaxRAM Settings and UseCompressedOops (JDK-8222252)     VM Options AdaptiveSizePausePolicy and ParallelGCRetainPLAB are obsolete (JDK-8073861)     Added -XX:+AdjustStackSizeForTLS Flag (JDK-8225035)     Obsolete -XX:UseAdaptiveGCBoundary (JDK-8228991)     Removal of Obsolete -X Options (JDK-8179018)     Obsolete Support for Commercial Features (JDK-8202331)     Obsoleted -XX:+/-MonitorInUseLists (JDK-8211384)     Deprecated Java Options -Xverify:none and -noverify (JDK-8214719)     Command-Line Flag -XX:+ExtensiveErrorReports (JDK-8211845)

Class Data Sharing

This feature helps reduce the startup time and memory footprint between multiple Java Virtual Machines. See the Class Data Sharing section of the Java Virtual Machine Guide of JDK 17 for more information.

Relevant Changes for Class Data Sharing:  CDS Behavior Change With Non-existent Files During Archive Creation (JDK-8227370)

 

 Phantom References Are Now Automatically Cleared Just as Soft and Weak References (JDK-8071507)

This enhancement causes phantom references to be automatically cleared by the garbage collector just as soft and weak references are.

An object becomes phantom reachable after it has been finalized. This change may cause phantom reachable objects to be garbage collected earlier. Previously, the referent was kept alive until the associated PhantomReference objects were collected or cleared by the application. This behavioral change should only impact existing code that depends on a PhantomReference being enqueued rather than when the referent is freed from the heap.

 The java.lang.ref.Reference.enqueue Method Clears the Reference Object before Enqueuing (JDK-8175797)

The java.lang.ref.Reference.enqueue method clears the reference object before it is added to the registered queue. When the enqueue method is called, the reference object is cleared and the get() method will return null in Enterprise Performance Pack and later releases.

Typically when a reference object is enqueued, it is expected that the reference object is cleared explicitly via the clear method to avoid a memory leak because its referent is no longer referenced. In other words, the get method is not expected to be called in common cases once the enqueue method has been called. In the case when the get method from an enqueued reference object and existing code attempts to access members of the referent, a NullPointerException may be thrown. Such code will need to be updated.

 java.lang.ref.Reference Does Not Support Cloning (JDK-8201793)

The java.lang.ref.Reference::clone method always throws a CloneNotSupportedException. Therefore, Reference objects cannot be meaningfully cloned. To copy a Reference object, call the constructor to create a new Reference object with the same referent and reference queue instead.

 sun.misc.Unsafe.defineAnonymousClass No Longer Supports Constant-pool Patching (JDK-8288640, not public)

In Java SE Subscription Enterprise Performance Pack, constant pool patching of classes created by calling the unsupported sun.misc.Unsafe.defineAnonymousClass method is not enabled and could cause your application to crash. The cpPatches argument to defineAnonymousClass should be null.

 Removal of Rarely Used sun.misc.Unsafe Methods (JDK-8054494)

In Java SE Subscription Enterprise Performance Pack, the methods monitorEnter, monitorExit, and tryMonitorEnter have been removed from the unsupported sun.misc.Unsafe class. These methods are not used within the JDK itself and are very rarely used outside of the JDK.

 The sun.misc.Version VM Version API Reports 25.x (JDK-8285776, not public)

The Java SE 8 Enterprise Performance Pack follows the versioning format defined by JEP 322, and reports the actual VM version of 17.x, when, for example, java -version is invoked. However, for compatibility purposes, the sun.misc.Version methods jvmMajorVersion() and jvmMinorVersion() instead report the same VM version as Java SE 8 i.e. 25.x. This ensures that application code checking for a Java 8 runtime by looking for a major version greater than, or equal to, 25, will work correctly even though the actual VM version is 17.

 

TOP


Other Changes

The following notes describe additional changes and information about this release. In some cases, the following descriptions provide links to additional detailed information about an issue or a change.

Monitoring Tools

  • jcmd: JFR diagnostic commands are not available
  • JDK Mission Control (JMC): Although JMC extensively uses JFR (which is not available in Enterprise Performance Pack), you can still use JMC for other purposes such as real-time JMX monitoring
  • jvisualvm: jvisualvm is not included in Enterprise Performance Pack

See Running Tools and Using Libraries on Enterprise Performance Pack for more information.

Application Class Data Sharing (AppCDS)

Application Class Data Sharing (AppCDS) extends class data sharing (CDS) to enable application classes to be placed in a shared archive. See the Application Class Data Sharing section of the java command page.

Relevant Changes for AppCDS:  JEP 310: Application Class-Data Sharing (JEP 310)

 

 Stack Overflow Can Cause Segfaults on Linux (JDK-8182777)

Some linux kernel versions (including, but not limited to 3.13.0-121-generic and 4.4.0-81-generic) are known to contain an incorrect fix for a linux kernel stack overflow issue (See CVE-2017-1000364). The incorrect fix can trigger crashes in the Java Virtual Machine. Upgrading the kernel to a version that includes the corrected fix addresses the problem.

 Enforce Format Checks for NameAndType Strings (JDK-8161224)

This change enforces the unqualified name format checks for NameAndType strings as outlined in the JVM specification sections 4.4.6 and 4.2.2, meaning that some illegal names and descriptors that users may be utilizing in their classfiles will now be caught with a Class Format Error. This includes format checking for all strings under non-referenced NameAndType's. Users will see a change if they (A) are using Java classfile version 6 or below and have an illegal NameAndType descriptor with no Methodref or Fieldref reference to it; or (B) are using any Java classfile version and have an illegal NameAndType name with no Methodref or Fieldref reference to it.

In both (A) and (B) the users will now receive a ClassFormatError for those illegal strings, which is an enforcement of unqualified name formats as delineated in JVMS 4.2.2.

 Binary Format for HPROF Updated (JDK-8144732)

When dumping the heap in binary format, HPROF format 1.0.2 is always used now. Previously, format 1.0.1 was used for heaps smaller than 2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the serviceability agent.

 More Registers Available When Running Without Compressed References on x86_64 (JDK-8217909)

When running with compressed references on x86_64, one of the CPU registers holds the heap base pointer to be used for references encoding/decoding. This register is not available for register allocation.

Simple implementations before this release made this register unavailable (and thus unused) even if compressed references were disabled. In this release, the implementation was revised to put this unused register back into the available registers pool. Configurations with large heaps and/or -XX:-UseCompressedOops benefit from this improvement.

 NotifyFramePop Request Is Not Cleared If JVMTI_EVENT_FRAME_POP Is Disabled (JDK-8187289)

In the previous release, a NotifyFramePop request was only cleared when the JVMTI_EVENT_FRAME_POP was enabled. Now it is always cleared when the corresponding frame is popped, regardless of whether the JVMTI_EVENT_FRAME_POP is enabled or not.

 Make JVMTI Table Concurrent (JDK-8212879)

For improved performance, JVM/TI ObjectFree events are no longer posted within GC pauses. The events are still posted as requested, and will be posted before ObjectFree events are enabled or disabled with SetNotificationMode. SetNotificationMode can be used to explicitly flush ObjectFree events, if needed.

 Change to Default Value for BiasedLockingStartupDelay (JDK-8180421)

The default value for BiasedLockingStartupDelay has been changed to 0. The flag BiasedLockingStartupDelay previously had the default value 4000 which delayed the use of biased locking with 4 s (4000 ms). The reason for this delay was performance but recent performance runs show no difference between the 4000 ms delay and no delay. Since having the delay will cause other parts of the VM to do extra work, having the default set to 0 makes more sense.

 The JNI function DetachCurrentThread Must Tolerate Pending Exceptions (JDK-8155881)

The JNI function DetachCurrentThread has been added to the list of JNI functions that can safely be called with an exception pending. The HotSpot Virtual Machine has always supported this as it reports that the exception occurred in a similar manner to the default handling of uncaught exceptions at the Java level. Other implementations are not obligated to do anything with the pending exception.

 JNIDetachReleasesMonitors Is Obsolete (JDK-8131045)

The -XX:-JNIDetachReleasesMonitors flag requested that the VM run in a pre-JDK 6 compatibility mode with regard to not releasing monitors when a JNI attached thread detaches. This option is obsolete in JDK 9, and is ignored, as the VM always conforms to the JNI Specification and releases monitors. Use of this option will result in a warning being issued in JDK 9 and it may be removed completely in a future release.

 Object Monitors No Longer Keep Strong References to Their Associated Object (JDK-8247281)

When synchronization is performed on an object, an association is established between the object and the object monitor that implements the synchronization. In the past, the reference from a monitor to its associated object was a strong reference. These strong references would be observable through JVM TI functions that walk the heap (reported as JVMTI_HEAP_ROOT_MONITOR or JVMTI_HEAP_REFERENCE_MONITOR) and in heap dumps (reported as HPROF_GC_ROOT_MONITOR_USED). As of this release, a weak reference is used. These are not observable to JVM TI or heap dumps. Consequently, JVMTI_HEAP_ROOT_MONITOR, JVMTI_HEAP_REFERENCE_MONITOR and HPROF_GC_ROOT_MONITOR_USED are longer reported.

 Removal of FlatProfiler (JDK-8173715)

The FlatProfiler, deprecated in JDK 9, has been made obsolete by removing the implementation code. The FlatProfiler was enabled by setting the -Xprof VM argument. The -Xprof flag remains recognized in this release; however, setting it will print out a warning message.

 Parts of the Signal-Chaining API Are Deprecated (JDK-8257572)

The signal-chaining facility was introduced in JDK 1.4 and supported three different Linux signal-handling API's: sigset, signal and sigaction. Only sigaction is a cross-platform, supported, API for multi-threaded processes. Both signal and sigset are considered obsolete on those platforms that still define them. Consequently, the use of signal and sigset with the signal-chaining facility are now deprecated, and support for their use will be removed in a future release.


Java SE 8u341 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u341 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u341 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8291973 install install JavaSE 8 RPMs Are Built with Older RPM and Thus Do Not Contain Some Necessary Hash

 

Changes in Java SE 8u341 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8197387 core-svc tools jcmd Started by "root" Must Be Allowed to Access All VM Processes
JDK-8072439 hotspot runtime Further refinement of the fix JDK-8047720 - Xprof hangs on Solaris
JDK-8087557 javafx accessibility Alert Dialog Content Is Not Fully Read by Screen Reader
JDK-8291087 javafx accessibility Wrong Position of Focus of Screen Reader on Windows with Screen Scale > 1
JDK-8197387 javafx accessibility Exceptions with TextArea & TextField when Deleted Last Char

 

Changes in Java SE 8u341 b31

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 8, Update 341 (JDK 8u341)

July 19, 2022

The full version string for this update release is 8u341-b10 (where "b" means "build"). The version number is 8u341.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u341 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u341-b10
7 7u351-b07

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u341) be used after the next critical patch update scheduled for October 18, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u341) on 2022-11-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.net.ssl
 Enable TLSv1.3 by Default on JDK 8u for Client Roles

The TLSv1.3 implementation is available in JDK 8u from 8u261 and enabled by default for server roles but disabled by default for client roles. From this release onwards, TLSv1.3 is now also enabled by default for client roles. You can find more details in the Additional Information section of the Oracle JRE and JDK Cryptographic Roadmap.

Note that TLS 1.3 is not directly compatible with previous versions. Enabling it on the client may introduce compatibility issues on either the server or the client side. Here are some more details on potential compatibility issues that you should be aware of:

  • TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there may be compatibility issues when upgrading to TLS 1.3.
  • The signature_algorithms_cert extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application may use non-supported signature algorithms.
  • The DSA signature algorithm is not supported in TLS 1.3. If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.
  • The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions. If an application hard-codes cipher suites which are no longer supported, it may not be able to use TLS 1.3 without modifying the application code, for example TLS_AES_128_GCM_SHA256 (1.3 and later) versus TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (1.2 and earlier).
  • The TLS 1.3 session resumption and key update behaviors are different from TLS 1.2 and prior versions. The compatibility should be minimal, but it could be a risk if an application depends on the handshake details of the TLS protocols.
  • TLS 1.3 requires that the implementation support new cryptographic algorithms which previous versions of TLS did not, such as RSASSA-PSS. If your application is configured to use 3rd party JCE provider(s) which do not support the required algorithms, you may get handshake failures.
See JDK-8245263

core-libs/java.net
 HTTPS Channel Binding Support for Java GSS/Kerberos

Support has been added for TLS channel binding tokens for Negotiate/Kerberos authentication over HTTPS through javax.net.HttpsURLConnection.

Channel binding tokens are increasingly required as an enhanced form of security. They work by communicating from a client to a server the client's understanding of the binding between connection security (as represented by a TLS server cert) and higher level authentication credentials (such as a username and password). The server can then detect if the client has been fooled by a MITM and shutdown the session/connection.

The feature is controlled through a new system property `jdk.https.negotiate.cbt` which is described fully as below:

jdk.https.negotiate.cbt (default: "never")

This controls the generation and sending of TLS channel binding tokens (CBT) when Kerberos or the Negotiate authentication scheme using Kerberos are employed over HTTPS with HttpsURLConnection. There are three possible settings:

  • "never". This is also the default value if the property is not set. In this case, CBTs are never sent.
  • "always". CBTs are sent for all Kerberos authentication attempts over HTTPS.
  • "domain:" Each domain in the list specifies destination host or hosts for which a CBT is sent. Domains can be single hosts like foo, or foo.com, or literal IP addresses as specified in RFC 2732, or wildcards like *.foo.com which matches all hosts under foo.com and its sub-domains. CBTs are not sent to any destinations that don't match one of the list entries

The channel binding tokens generated are of the type "tls-server-end-point" as defined in RFC 5929.

See JDK-8279842

Other Notes

core-libs/java.net
 Update java.net.InetAddress to Detect Ambiguous IPv4 Address Literals

The java.net.InetAddress class has been updated to strictly accept IPv4 address literals in decimal quad notation. The InetAddress class methods are updated to throw an java.net.UnknownHostException for invalid IPv4 address literals. To disable this check, the new "jdk.net.allowAmbiguousIPAddressLiterals" system property can be set to "true".

See JDK-8277608 (not public)
 JDK Bundle Extensions Truncated When Downloading Using Firefox 102

On oracle.com and java.com, certain JDK bundle extensions are getting truncated on download when using Firefox version 102. The downloaded bundles have no file extension like ".exe", ".rpm", ".deb". If you are not able to upgrade to Firefox ESR 102.0.1 or Firefox 103 when it is released, then as a workaround you can:

  • manually add a file extension to the file name after download.
  • use a different browser

See JDK-8277093
core-libs/java.io:serialization
 Vector Should Throw ClassNotFoundException for a Missing Class of an Element

java.util.Vector is updated to correctly report ClassNotFoundException that occurs during deserialization using java.io.ObjectInputStream.GetField.get(name, object) when the class of an element of the Vector is not found. Without this fix, a StreamCorruptedException is thrown that does not provide information about the missing class.

See JDK-8277093

core-libs/java.util.jar
 Default JDK Compressor Will Be Closed when IOException Is Encountered

DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. ZIPOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.

See JDK-8193682
hotspot/runtime
 OperatingSystemMXBean.getProcessCpuLoad Is Now Container Aware

For JVMs running in a container, OperatingSystemMXBean.getProcessCpuLoad now considers only the CPU resources available to the container when calculating CPU load. Prior to this change, the calculation included all CPUs on a host. After this change, management agents may report higher CPU usage by JVMs in containers that are constrained to a limited set of CPUs.

See JDK-8269851

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update. The following table lists the bug fixes included in the JDK 8u341 release:

# BugId Component Subcomponent Summary
1JDK-8259869client-libs[macOS] Remove desktop module dependencies on JNF Reference APIs
2JDK-8274751client-libsjava.awtDrag And Drop hangs on Windows
3JDK-8272806client-libsjava.awt[macOS] "Apple AWT Internal Exception" when input method is changed
4JDK-8133713client-libsjavax.accessibility[macosx] Accessible JTables always reported as empty
5JDK-8277922client-libsjavax.accessibilityUnable to click JCheckBox in JTable through Java Access Bridge
6JDK-7124301client-libsjavax.accessibility[macosx] When in a tab group if you arrow between tabs there are no VoiceOver announcements.
7JDK-7124298client-libsjavax.accessibility[macosx] Nothing heard from VoiceOver when tabbing between a nested tab group and a parent tab group
8JDK-7124293client-libsjavax.accessibility[macosx] VoiceOver reads percentages rather than the actual values for sliders.
9JDK-8277093core-libsjava.io:serializationVector should throw ClassNotFoundException for a missing class of an element
10JDK-8279842core-libsjava.netHTTPS Channel Binding support for Java GSS/Kerberos
11JDK-8282293core-libsjava.netDomain value for system property jdk.https.negotiate.cbt should be case-insensitive
12JDK-8288033core-libsjava.nio(dc) DatagramChannel.disconnect uses disconnectx which is not supported on macOS 10.8.3
13JDK-8285515core-libsjava.nio(dc) DatagramChannel.disconnect fails with "Invalid argument" on macOS 12.4
14JDK-8258795core-libsjava.util:i18nUpdate IANA Language Subtag Registry to Version 2021-05-11
15JDK-8247469core-svcjavax.managementgetSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
16JDK-8273747deploywebstartGrant JWS JavaFX apps access to Windows trust store
17JDK-8283886docsguidesFix broken links in the security guide of JDK 8u docs
18JDK-6584403docsguidesRequest to add a CA/CSR certificate cookbook to JSSE Reference Guide
19JDK-8173625installinstallJRE 8u121 fails to install with blank dialog box (username with character #)
20JDK-8090477javafxcontrolsCustomizable visibility timing for Tooltip
21JDK-8205915javafxcontrols[macOS] Accelerator assigned to button in dialog fires menuItem in owning stage
22JDK-8222211javafxgraphicsCreating animated gif image from non FX App thread causes exception
23JDK-8280840javafxmediaUpdate libFFI to 3.4.2
24JDK-8283403javafxmediaUpdate Glib to 2.72.0
25JDK-8283218javafxmediaUpdate GStreamer to 1.20.1
26JDK-8282054javafxmediaMediaplayer not working with HTTP Live Stream link with query parameter appended with file extension m3u8
27JDK-8286256javafxwebUpdate libxml2 to 2.9.14
28JDK-8283328javafxwebUpdate libxml2 to 2.9.13
29JDK-8286257javafxwebUpdate libxslt to 1.1.35
30JDK-8282134javafxwebCertain regex can cause a JS trap in WebView
31JDK-8281459javafxwebWebKit 613.1 build broken on M1
32JDK-8280841javafxwebUpdate SQLite to 3.37.2
33JDK-8284184javafxwebCrash in GraphicsContextJava::drawLinesForText on https://us.yahoo.com/
34JDK-8278759javafxwebPointerEvent: buttons property set to 0 when mouse down
35JDK-8277734javafxwebWebView: Update Public Suffix List to 3c213aa
36JDK-8278851security-libsjava.securityCorrect signer logic for jars signed with multiple digest algorithms
37JDK-8245263security-libsjavax.net.sslEnable TLSv1.3 by default on JDK 8u for Client roles
38JDK-8274524security-libsjavax.net.sslSSLSocket.close() hangs if it is called during the ssl handshake
39JDK-8275082security-libsjavax.xml.cryptoUpdate XML Security for Java to 2.3.0
40JDK-8279520security-libsorg.ietf.jgssSPNEGO has not passed channel binding info into the underlying mechanism
41JDK-8157391toolsjdeps left JarFile open
42JDK-8284132toolsFXLauncherTest.java fails on headless macos


Java SE 8u333 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u333 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u333 b33

Bug Fixes

BugId Category Subcategory Summary
JDK-8288212 core-libs java.net WLS12.2.1.3/JDK8u281 high throughput servlet performance

 

Changes in Java SE 8u333 b32

Bug Fixes

BugId Category Subcategory Summary
JDK-8279842 core-libs java.net HTTPS Channel Binding support for Java GSS/Kerberos
JDK-8088420 javafx web JavaFX WebView memory leak via EventListener

 

Changes in Java SE 8u333 b31

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 8, Patch 8u333 (JDK 8u333)

May 2, 2022

The full version string for this update release is 8u333-b02 (where "b" means "build"). The version number is 8u333.

 

IANA TZ Data 2022a

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines are unchanged from the release of JDK 8u331.

JRE Family Version JRE Security Baseline (Full Version String)
8 8u331-b09
7 7u341-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u333) be used after the next critical patch update scheduled for July 19, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u333) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

Changes

core-libs/java.io
 New System Property to Disable Windows Alternate Data Stream Support in java.io.File

The Windows implementation of java.io.File allows access to NTFS Alternate Data Streams (ADS) by default. Such streams have a structure like “filename:streamname”. A system property jdk.io.File.enableADS has been added to control this behavior. To disable ADS support in java.io.File, the system property jdk.io.File.enableADS should be set to false (case ignored). Stricter path checking however prevents the use of special devices such as NUL:

See JDK-8285445

 

 

Bug Fixes

This release is based on the previous CPU and does not contain any additional security fixes. The following issues have also been resolved:

BugId Category Subcategory Summary
JDK-8284920 xml javax.xml.path Incorrect Token type causes XPath expression to return incorrect results
JDK-8284548 xml jaxp Invalid XPath expression causes StringIndexOutOfBoundsException


Java SE 8u331 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u331 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u331 b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8277922 client-libs javax.accessibility Unable to click JCheckBox in JTable through Java Access Bridge
JDK-8282583 xml jaxp Update BCEL md to include the copyright notice
JDK-8283350 core-libs java.time (tz) Update Timezone Data to 2022a

Java™ SE Development Kit 8, Update 331 (JDK 8u331)

April 19, 2022

The full version string for this update release is 8u331-b09 (where "b" means "build"). The version number is 8u331.

 

IANA TZ Data 2021e

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u331 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u331-b09
7 7u341-b08

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u331) be used after the next critical patch update scheduled for July 19, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u331) on 2022-08-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

xml/jaxp
 New XML Processing Limits

Three processing limits have been added. These are:

  • jdk.xml.xpathExprGrpLimit

Description: Limits the number of groups an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10.

  • jdk.xml.xpathExprOpLimit

Description: Limits the number of operators an XPath expression can contain.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 100.

  • jdk.xml.xpathTotalOpLimit

Description: Limits the total number of XPath operators in an XSL Stylesheet.

Type: integer

Value: A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumberFormatException is thrown. Default 10000.

Supported processors

  • jdk.xml.xpathExprGrpLimit and jdk.xml.xpathExprOpLimit are supported by the XPath processor.

  • All three limits are supported by the XSLT processor.

Setting properties

For the XSLT processor, the properties can be changed through the TransformerFactory. For example,

        TransformerFactory factory = TransformerFactory.newInstance();

        factory.setAttribute("jdk.xml.xpathTotalOpLimit", "1000");

For both the XPath and XSLT processors, the properties can be set through the system property and jaxp.properties configuration file located in the conf directory of the Java installation. For example,

        System.setProperty("jdk.xml.xpathExprGrpLimit", "20");

or in the jaxp.properties file,

        jdk.xml.xpathExprGrpLimit=20

 

There are two known issues:

  1. An XPath expression that contains a short form of the parent axis ".." can return incorrect results. See JDK-8284920 for details.
  2. An invalid XPath expression that ends with a relational operator such as ‘<’ ‘>’ and ‘=’ will cause the processor to erroneously throw StringIndexOutOfBoundsException instead of XPathExpressionException. See JDK-8284548 for details.
JDK-8270504 (not public)

Other Notes

security-libs/java.security
 Only Expose Certificates With Proper Trust Settings as Trusted Certificate Entries in macOS KeychainStore

On macOS, only certificates with proper trust settings in the user keychain will be exposed as trusted certificate entries in the KeychainStore type of keystore. Also, calling the KeyStore::setCertificateEntry method or the keytool -importcert command on a KeychainStore keystore now fails with a KeyStoreException. Instead, call the macOS "security add-trusted-cert" command to add a trusted certificate into the user keychain.

JDK-8278449 (not public)

security-libs/java.security
 Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280

The gencert command of the keytool utility has been updated to create AKID from the SKID of the issuing certificate as specified by RFC 5280.

See JDK-8257497

core-libs/javax.naming
 Parsing of URL Strings in Built-in JNDI Providers Is More Strict

The parsing of URLs in the LDAP, DNS, and RMI built-in JNDI providers has been made more strict. The strength of the parsing can be controlled by system properties:

  -Dcom.sun.jndi.ldapURLParsing="legacy" | "compat" | "strict"    (to control "ldap:" URLs)

  -Dcom.sun.jndi.dnsURLParsing="legacy" | "compat" | "strict"     (to control "dns:" URLs)
  -Dcom.sun.jndi.rmiURLParsing="legacy" | "compat" | "strict"     (to control "rmi:" URLs)
  -Dcom.sun.jndi.corbaURLParsing="legacy" | "compat" | "strict"   (to control "iiop:" and "iiopname:" URLs) 

 

The default value is "compat" for all of the three providers.

  • The "legacy" mode turns the new validation off.
  • The "compat" mode limits incompatibilities.
  • The "strict" mode is stricter and may cause regression by rejecting URLs that an application might consider as valid.

In "compat" and "strict" mode, more validation is performed. As an example, in the URL authority component, the new parsing only accepts brackets around IPv6 literal addresses. Developers are encouraged to use java.net.URI constructors or its factory method to build URLs rather than handcrafting URL strings.

If an illegal URL string is found, a java.lang.IllegalArgumentException or a javax.naming.NamingException (or a subclass of it) is raised.

JDK-8278972 (not public)

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8259343 client-libs [macOS] Update JNI error handling in Cocoa code.
2 JDK-8251840 client-libs java.awt Java_sun_awt_X11_XToolkit_getDefaultScreenData should not be in make/mapfiles/libawt_xawt/mapfile-vers
3 JDK-8259237 client-libs javax.swing Demo selection changes with left/right arrow key. No need to press space for selection.
4 JDK-8074883 client-libs javax.swing Tab key should move to focused button in a button group
5 JDK-8258554 client-libs javax.swing javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
6 JDK-8272105 client-libs javax.swing TestButtonGroupFocusTraversal.java fails in 8u
7 JDK-8275703 core-libs java.lang System.loadLibrary fails on Big Sur for libraries hidden from filesystem
8 JDK-8274779 core-libs java.net HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
9 JDK-8209178 core-libs java.net Proxied HttpsURLConnection doesn't send BODY when retrying POST request
10 JDK-8272473 core-libs java.time Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
11 JDK-8279618 core-libs java.util Deserializing HashMap throws access denied suppressAccessChecks
12 JDK-8274658 core-libs java.util:i18n ISO 4217 Amendment 170 Update
13 JDK-8277795 core-libs javax.naming ldap connection timeout not honoured under contention
14 JDK-8266187 core-svc java.lang.instrument Memory leak in appendBootClassPath()
15 JDK-8273575 core-svc java.lang.instrument memory leak in appendBootClassPath(), paths must be deallocated
16 JDK-8276957 docs guides Fix broken JDK8 documentation links
17 JDK-8166140 hotspot compiler C1: Possible integer overflow in LIRGenerator::generate_address on several platforms
18 JDK-8183543 hotspot compiler Aarch64: C2 compilation often fails with "failed spill-split-recycle sanity check"
19 JDK-8132306 hotspot gc java/lang/ref/ReferenceEnqueue.java fails with "RuntimeException: Error: poll() returned null; expected ref object"
20 JDK-8273341 hotspot runtime Update Siphash to version 1.0
21 JDK-8189641 javafx accessibility [Accessibility, windows] NPE when navigating to ComboBox with empty string
22 JDK-8151974 javafx accessibility Invisible controls are still accessible by screen readers.
23 JDK-8089884 javafx controls TextInputControls capturing function key events
24 JDK-8274022 javafx controls Additional Memory Leak in ControlAcceleratorSupport
25 JDK-8244075 javafx controls Accelerator of ContextMenu's MenuItem is not removed when ContextMenu is removed from Scene
26 JDK-8276847 javafx web JSException: ReferenceError: Can't find variable: IntersectionObserver
27 JDK-8278980 javafx web Update WebKit to 613.1
28 JDK-8281711 javafx web Cherry-pick WebKit 613.1 stabilization fixes
29 JDK-8282099 javafx web Cherry-pick WebKit 613.1 stabilization fixes (2)
30 JDK-8242544 javafx window-toolkit CMD+ENTER key event crashes the application when invoked on dialog
31 JDK-8257497 security-libs java.security Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
32 JDK-8274736 security-libs java.security Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
33 JDK-8241248 security-libs javax.net.ssl NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
34 JDK-8275811 security-libs javax.net.ssl Incorrect instance to dispose
35 JDK-8141508 tools javac java.lang.invoke.LambdaConversionException: Invalid receiver type ...
36 JDK-8255035 xml jaxp Update BCEL to Version 6.5.0
37 JDK-8276141 xml jaxp XPathFactory set/getProperty method


Java SE 8u321 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u321 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u321 b35

Bug Fixes

BugId Component Subcomponent Summary
JDK-8278472 client-libs java.awt:i18n Invalid value set to CANDIDATEFORM structure
JDK-8278186 security-libs javax.xml.crypto org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
JDK-8255199 security-libs javax.xml.crypto Catching a few NumberFormatExceptions in xmldsig
JDK-8275082 security-libs javax.xml.crypto Update XML Security for Java to 2.3.0
JDK-8090477 javafx controls Customizable visibility timing for Tooltip

 

Changes in Java SE 8u321 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8247469 core-svc javax.management getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
JDK-8265836 core-svc java.lang.management OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
JDK-8268103 core-svc java.lang.management JNI functions incorrectly return a double after JDK-8265836

 

Changes in Java SE 8u321 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8141508 tools javac java.lang.invoke.LambdaConversionException: Invalid receiver type
JDK-8209178 core-libs java.net Proxied HttpsURLConnection doesn't send BODY when retrying POST request
JDK-8279618 core-libs java.util Deserializing HashMap throws access denied suppressAccessChecks
JDK-8273747 deploy webstart Grant JWS JavaFX apps access to Windows trust store

 

 

Changes in Java SE 8u321 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8279118 core-libs java.net ServerSocket.close bind exception with ResourceManagement
JDK-8151974 javafx accessibility Invisible controls are still accessible by screen readers.

 


Java™ SE Development Kit 8, Update 321 (JDK 8u321)

January 18, 2022

The full version string for this update release is 8u321-b07 (where "b" means "build"). The version number is 8u321.

 

IANA TZ Data 2021b, 2021c, 2021d, 2021e

JDK 8u321 contains IANA time zone data 2021b, 2021c, 2021d, 2021e.
  • Jordan now starts DST on February's last Thursday.
  • Samoa no longer observes DST.
  • Merge more location-based Zones whose timestamps agree since 1970.
  • Move some backward-compatibility links to 'backward'.
  • Rename Pacific/Enderbury to Pacific/Kanton.
  • Correct many pre-1993 transitions in Malawi, Portugal, etc.
  • zic now creates each output file or link atomically.
  • zic -L no longer omits the POSIX TZ string in its output.
  • zic fixes for truncation and leap second table expiration.
  • zic now follows POSIX for TZ strings using all-year DST.
  • Fix some localtime crashes and bugs in obscure cases.
  • zdump -v now outputs more-useful boundary cases.
  • tzfile.5 better matches a draft successor to RFC 8536.
  • A new file SECURITY.
  • Revert most 2021b changes to 'backward'.
  • Fix 'zic -b fat' bug in pre-1970 32-bit data.
  • Fix two Link line typos.
  • Distribute SECURITY file.

This release is intended as a bugfix release, to fix compatibility problems and typos reported since 2021b was released.

  • Fiji suspends DST for the 2021/2022 season.
  • 'zic -r' marks unspecified timestamps with "-00".
  • Palestine will fall back 10-29 (not 10-30) at 01:00.
For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u321 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u321-b07
7 7u331-b06

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u321) be used after the next critical patch update scheduled for April 19, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u321) on 2022-05-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.crypto:pkcs11
 New SunPKCS11 Configuration Properties

SunPKCS11 provider adds new provider configuration attributes to better control native resources usage. The SunPKCS11 provider consumes native resources in order to work with native PKCS11 libraries. To manage and better control the native resources, additional configuration attributes are added to control the frequency of clearing native references as well as whether to destroy the underlying PKCS11 Token after logout.

The 3 new attributes for SunPKCS11 provider configuration file are:

  1. destroyTokenAfterLogout (boolean, defaults to false)

    If set to true, when java.security.AuthProvider.logout() is called upon the SunPKCS11 provider instance, the underlying Token object will be destroyed and resources will be freed. This essentially renders the SunPKCS11 provider instance unusable after logout() calls. Note that a PKCS11 provider with this attribute set to true should not be added to the system provider list since the provider object is not usable after a logout() method call.

  2. cleaner.shortInterval (integer, defaults to 2000, in milliseconds)

    This defines the frequency for clearing native references during busy period (such as, how often should the cleaner thread processes the no-longer-needed native references in the queue to free up native memory). Note that the cleaner thread will switch to the 'longInterval' frequency after 200 failed tries (such as, when no references are found in the queue).

  3. cleaner.longInterval (integer, defaults to 60000, in milliseconds)

    This defines the frequency for checking native reference during non-busy period (such as, how often should the cleaner thread check the queue for native references). Note that the cleaner thread will switch back to the 'shortInterval' value if native PKCS11 references for cleaning are detected.

See JDK-8240256

security-libs/javax.net.ssl
 Configurable Extensions With System Properties

Two new system properties have been added. The system property, jdk.tls.client.disableExtensions, is used to disable TLS extensions used in the client. The system property, jdk.tls.server.disableExtensions, is used to disable TLS extensions used in the server. If an extension is disabled, it will be neither produced nor processed in the handshake messages.

The property string is a list of comma separated standard TLS extension names, as registered in the IANA documentation (for example, server_name, status_request, and signature_algorithms_cert). Note that the extension names are case sensitive. Unknown, unsupported, misspelled and duplicated TLS extension name tokens will be ignored.

Please note that the impact of blocking TLS extensions is complicated. For example, a TLS connection may not be able to be established if a mandatory extension is disabled. Please do not disable mandatory extensions, and do not use this feature unless you clearly understand the impact.

See JDK-8217633

 

Removed Features and Options

security-libs/java.security
 Removed Google's GlobalSign Root Certificate

The following root certificate from Google has been removed from the cacerts keystore:

+ alias name "globalsignr2ca [jdk]"

  Distinguished Name: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2

See JDK-8225083

 

 

Other Notes

core-libs/java.time
 Update Timezone Data to 2021c

IANA Time Zone Database, on which JDK's Date/Time libraries are based, has made a tweak to some time zone rules since 2021c. Note that since this update, some of the time zone rules prior to the year 1970 have been modified according to the changes which were introduced with 2021b. For more detail, refer to the announcement of 2021b

See JDK-8274407

security-libs/javax.net.ssl
 SocketExceptions Are Not Wrapped Into SSLExceptions in SSLSocketImpl

This release reverts the behavior of SSLSocketImpl and SSLTransport introduced by JDK-8196584. SocketException will now be thrown as is instead of being suppressed into an SSLException.

See JDK-8259662

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8263846 client-libs Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
2 JDK-8155742 client-libs [Windows] robot.keyPress(KeyEvent.VK_ALT_GRAPH) throws java.lang.IllegalArgumentException in windows
3 JDK-8249548 client-libs backward focus traversal gets stuck in button group
4 JDK-8259232 client-libs 2d Bad JNI lookup during printing
5 JDK-6801613 client-libs 2d Cross-platform pageDialog and printDialog top margin entry broken
6 JDK-8042713 client-libs 2d [macosx] Print dialog does not update attribute set with page range
7 JDK-8257853 client-libs java.awt Remove dependencies on JNF's JNI utility functions in AWT and 2D code
8 JDK-8259585 client-libs java.awt [macOS] Bad JNI lookup error : Accessible actions do not work on macOS
9 JDK-8038631 client-libs java.awt Create wrapper for awt.Robot with additional functionality
10 JDK-6722236 client-libs java.awt 3 Choice regression testcases are failing from 6u10_b26 build onwards
11 JDK-8041928 client-libs java.awt MouseEvent.getModifiersEx gives wrong result
12 JDK-8275131 client-libs java.awt Exceptions after a touchpad gesture on macOS
13 JDK-8263490 client-libs java.awt:i18n [macos] Crash occurs on JPasswordField with activated InputMethod
14 JDK-8274326 client-libs javax.accessibility [macos] Ensure initialisation of sun/lwawt/macosx/CAccessibility in JavaComponentAccessibility.m
15 JDK-8274056 client-libs javax.accessibility JavaAccessibilityUtilities leaks JNI objects
16 JDK-8274381 client-libs javax.accessibility missing CAccessibility definitions in JNI code
17 JDK-8259729 client-libs javax.accessibility Missed JNFInstanceOf -> IsInstanceOf conversion
18 JDK-8208640 client-libs javax.accessibility [a11y] [macos] Unable to navigate between Radiobuttons in Radio group using keyboard.
19 JDK-8208747 client-libs javax.accessibility [a11y] [macos] In Optionpane Demo, inside ComponentDialog Example, unable to navigate to all items, with VO on
20 JDK-8194873 client-libs javax.swing right ALT key hotkeys no longer work in Swing components
21 JDK-8182577 client-libs javax.swing Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel
22 JDK-8269850 core-libs Most JDK releases report macOS version 12 as 10.16 instead of 12.0
23 JDK-8190482 core-libs InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride
24 JDK-8143317 core-libs jdk/lambda/vm/InterfaceAccessFlagsTest.java fails with IncompatibleClassChangeError
25 JDK-8253702 core-libs java.lang BigSur version number reported as 10.16, should be 11.nn
26 JDK-8202788 core-libs java.nio Explicitly reclaim cached thread-local direct buffers at thread exit
27 JDK-8276536 core-libs java.time Update TimeZoneNames files to follow the changes made by JDK-8275766
28 JDK-8273924 core-libs java.util:i18n ArrayIndexOutOfBoundsException thrown in java.util.JapaneseImperialCalendar.add()
29 JDK-8187649 core-libs java.util:i18n ArrayIndexOutOfBoundsException in java.util.JapaneseImperialCalendar
30 JDK-8273819 docs guides Update JSSE Reference Guide with new properties to disable TLS extensions
31 JDK-8139247 hotspot compiler Improper locking of MethodData::_extra_data_lock
32 JDK-8057038 hotspot compiler Speculative traps not robust when compilation and class unloading are concurrent
33 JDK-8253353 hotspot compiler Crash in C2: guarantee(n != NULL) failed: No Node
34 JDK-8069034 hotspot gc gc/g1/TestEagerReclaimHumongousRegionsClearMarkBits.java nightly failure
35 JDK-8071530 hotspot runtime Update OS detection code to reflect Windows 10 version change
36 JDK-8273229 hotspot runtime Update OS detection code to recognize Windows Server 2022
37 JDK-8274840 hotspot runtime Update OS detection code to recognize Windows 11
38 JDK-8273342 hotspot runtime Null pointer dereference in classFileParser.cpp:2817
39 JDK-8266404 hotspot runtime Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report
40 JDK-8219562 hotspot runtime Line of code in osContainer_linux.cpp#L102 appears unreachable
41 JDK-8186902 hotspot svc jcmd GC.run should not be blocked by DisableExplicitGC
42 JDK-8263807 javafx controls Button types of a DialogPane are set twice, returns a wrong button
43 JDK-8261460 javafx controls Incorrect CSS applied to ContextMenu on DialogPane
44 JDK-8178297 javafx controls TableView scrolls slightly when adding new elements
45 JDK-8269538 javafx controls StackOverflowError when pressing F10 within SpinnerSkin
46 JDK-8208088 javafx controls Memory Leak in ControlAcceleratorSupport
47 JDK-8275138 javafx web WebView: UserAgent string is empty for first request
48 JDK-8274929 javafx window-toolkit Crash while reading specific clipboard content
49 JDK-8275723 javafx window-toolkit Crash on macOS 12 in GlassRunnable::dealloc
50 JDK-8192988 security-libs java.security keytool should support -storepasswd for pkcs12 keystores
51 JDK-8225083 security-libs java.security Remove Google certificate that is expiring in December 2021
52 JDK-8273826 security-libs java.security Correct Manifest file name and NPE checks
53 JDK-8277224 security-libs java.security sun.security.pkcs.PKCS9Attributes.toString() throws NPE
54 JDK-8269034 security-libs javax.crypto:pkcs11 AccessControlException for SunPKCS11 daemon threads
55 JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
56 JDK-8098580 security-libs javax.crypto:pkcs11 drainRefQueueBounds() puts pressure on pool.size()
57 JDK-8270344 security-libs javax.net.ssl Session resumption errors
58 JDK-8217633 security-libs javax.net.ssl Configurable extensions with system properties
59 JDK-8268965 security-libs javax.net.ssl TCP Connection Reset when connecting simple socket to SSL server
60 JDK-8259662 security-libs javax.net.ssl Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
61 JDK-8169416 security-libs javax.net.ssl SSLSessionImpl finalize overhead
62 JDK-8147051 xml javax.xml.stream StaxEntityResolverWrapper should create StaxXMLInputSource with a resolver indicator


Java SE 8u311 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u311 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

Changes in Java SE 8u311 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8182577 client-libs javax.swing Exception when Tab key moves focus to a JCheckbox with a custom ButtonModel
JDK-8241248 security-libs javax.net.ssl NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)

 

Changes in Java SE 8u311 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8274929 javafx window-toolkit Crash while reading specific clipboard content
JDK-8089884 javafx controls TextInputControls capturing function key events
JDK-8253353 hotspot compiler Crash in C2: guarantee(n != NULL) failed: No Node
JDK-8275766 core-libs java.time (tz) Update Timezone Data to 2021e

 

Changes in Java SE 8u311 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8275138 javafx web WebView: UserAgent string is empty for first request
JDK-8274779 core-libs java.net HttpURLConnection: HttpClient and HttpsClient incorrectly check request method when set to POST
JDK-8273229 hotspot runtime Update OS detection code to recognize Windows Server 2022
JDK-8274840 hotspot runtime Update OS detection code to recognize Windows 11
JDK-8041928 client-libs java.awt MouseEvent.getModifiersEx gives wrong result
JDK-8275723 javafx window-toolkit Crash on macOS 12 in GlassRunnable::dealloc
JDK-8274407 core-libs java.time (tz) Update Timezone Data to 2021c

 

Changes in Java SE 8u311 b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8269538 javafx controls StackOverflowError when pressing F10 within SpinnerSkin
JDK-8240256 security-libs javax.crypto:pkcs11 Better resource cleaning for SunPKCS11 Provider
JDK-8098580 security-libs javax.crypto:pkcs11 drainRefQueueBounds() puts pressure on pool.size()
JDK-8190482 core-libs InnocuousThread creation should not require the caller to possess enableContextClassLoaderOverride
JDK-8169416 security-libs javax.net.ssl SSLSessionImpl finalize overhead

Java™ SE Development Kit 8, Update 311 (JDK 8u311)

October 19, 2021

The full version string for this update release is 8u311-b11 (where "b" means "build"). The version number is 8u311.

IANA TZ Data 2021a

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u311 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u311-b11
7 7u321-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u311) be used after the next critical patch update scheduled for January 18, 2022.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u311) on 2022-02-18. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

client-libs/2d
 Marlin Renderer in JDK 8u

Starting from version 8u311, the Marlin graphics rasterizer and its artifacts will be built and distributed as a part of the JDK/JRE bundles. It is not the default rendering engine, however there is an option to enable it by setting the following system property:

sun.java2d.renderer=sun.java2d.marlin.MarlinRenderingEngine

See JDK-8143849

core-libs/java.io:serialization
 Context-specific Deserialization Filter Subset

Allow applications to configure context-specific and dynamically-selected deserialization filters via a JVM-wide filter factory that is invoked to select a filter for each deserialization stream. The behavior is a strict subset of JEP 415: Context-Specific Deserialization Filters to allow a filter factory to be configured using a property configured on the command line or in the security properties file.

The behavior is opt-in based on the presence of the jdk.serialFilterFactory system property on the command line or the jdk.serialFilterFactory security property. If set, the JVM-wide filter factory selects the filter for each stream when the stream is constructed and when a stream-specific filter is set.

The JVM-wide filter factory is a java.util.function.BinaryOperator<sun.misc.ObjectInputFilter> function invoked when each ObjectInputStream is constructed and when the stream-specific filter is set using sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter). The parameters are the current filter and a requested filter and the function returns the filter to be used for the stream. When invoked from the ObjectInputStream constructors, the first parameter is null and the second parameter is the static JVM-wide filter. When invoked from sun.misc.ObjectInputFilter.Config.setObjectInputFilter(sun.misc.ObjectInputFilter), the first parameter is the filter currently set on the stream (which was set in the constructor), and the second parameter is the filter requested.

A typical filter factory should use or merge the static JVM-wide filter with other application and context specific filters and the stream-specific filter, if one is set on the stream. The filter factory implementation can also use any contextual information at its disposal, for example, extracted from the application thread context, or its call stack, to compose and combine a new filter. It is not restricted to only use its two parameters.

Refer to Context-Specific Deserialization Filter and Serialization Filtering Guide for details.

JDK-8268680 (not public)

Removed Features and Options

security-libs/java.security
 Removed IdenTrust Root Certificate

The following root certificate from IdenTrust has been removed from the cacerts keystore:

+ alias name "identrustdstx3 [jdk]"

  Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
See JDK-8225082

Other Notes

core-libs/java.lang
 Release Doesn't Correctly Recognize Windows 11

This release doesn't correctly identify Windows 11. The property os.name is set to Windows 10 on Windows 11. In HotSpot error logs, the OS is identified as Windows 10; however, the HotSpot error log does show the Build number. Windows 11 has Build 22000.194 or above.

See JDK-8274840

security-libs/javax.net.ssl
 Updated the Default Enabled Cipher Suites Preference

The default priority order of the cipher suites for TLS 1.0 to TLS 1.3 has been adjusted.

For TLS 1.3, TLS_AES_256_GCM_SHA384 is now preferred over TLS_AES_128_GCM_SHA256.

For TLS 1.0 to TLS 1.2, some of the intermediate suites have been lowered in priority as follows:

  • Cipher suites that do not preserve forward secrecy have been moved lower in priority than those that do support forward secrecy.
  • Cipher suites that use SHA-1 have been moved lower in priority.

core-libs/java.net
 Modified HttpURLConnection Behavior When a Suitable Proxy Is Not Found

The behavior of HttpURLConnection when using ProxySelector has been modified in this JDK release. HttpURLConnection used to fall back to a direct connection attempt if the configured proxy(s) failed to make a connection. Beginning with this release, the default behavior has been changed to no longer use a direct connection when the first proxy connection attempt fails.

A new system property, sun.net.http.fallbackToDirect, can be set to a value of "true" should an application need to fall back to the old behavior (fall back to a direct connection when the first proxy connection attempt fails).

See JDK-8161016

core-libs/javax.naming
 System Property to Control Reconstruction of Reference Address Objects by JDK's Built-in JNDI LDAP Implementation

The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to control the deserialization of java objects from the javaReferenceAddress LDAP attribute. This system property now controls the deserialization of java objects from the javaSerializedData and javaReferenceAddress LDAP attributes.

To prevent deserialization of java objects from these attributes, the system property can be set to false. By default, the deserialization of java objects from javaSerializedData and javaReferenceAddress attributes is allowed.

JDK-8267712 (not public)

hotspot/runtime
 Release Doesn't Correctly Recognize Windows Server

This release doesn't correctly identify Windows Server. The property os.name is set to Windows 2019 on Windows Server 2022. In HotSpot error logs, the OS is identified as Windows 10.0 for Windows Server releases 2016, 2019, and 2022; however, the HotSpot error log does show the Build number. Windows Server 2016 has Build 14393 or above, Windows Server 2019 has Build 17763 or above, and Windows Server 2022 has Build 20348 or above.

See JDK-8273229

security-libs/javax.crypto:pkcs11
 SunPKCS11 Initialization With NSS When External FIPS Modules Are in Security Modules Database

The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, when such a library was configured for NSS in non-FIPS mode, the SunPKCS11 provider would throw a RuntimeException with the message "FIPS flag set for non-internal module".

This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.

See JDK-8238555

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8148886 client-libs SEGV in sun.java2d.marlin.Renderer._endRendering
2 JDK-8149338 client-libs 2d JVM Crash caused by Marlin renderer not handling NaN coordinates
3 JDK-8144938 client-libs 2d Handle properly coordinate overflow in Marlin Renderer
4 JDK-8180055 client-libs 2d Upgrade the Marlin renderer in Java2D
5 JDK-8202580 client-libs 2d Dashed BasicStroke randomly painted incorrectly, may freeze application
6 JDK-8210335 client-libs 2d Clipping problems with complex affine transforms: negative scaling factors or small scaling factors
7 JDK-8228711 client-libs 2d Path rendered incorrectly when it goes outside the clipping region
8 JDK-8230728 client-libs 2d Thin stroked shapes are not rendered if affine transform has flip bit
9 JDK-8145055 client-libs 2d Marlin renderer causes unaligned write accesses
10 JDK-8244088 client-libs 2d [Regression] Switch of Gnome theme ends up in deadlocked UI
11 JDK-8262392 client-libs 2d Update Mesa 3-D Headers to version 21.0.3
12 JDK-8262731 client-libs 2d [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
13 JDK-8198885 client-libs 2d Upgrade Marlin (java2d) to 0.9.1
14 JDK-8273358 client-libs 2d macOS Monterey does not have the font Times needed by Serif
15 JDK-8269984 client-libs java.awt [macos] JTabbedPane title looks like disabled
16 JDK-8129940 client-libs javax.swing JRadioButton does not honor non-standard FocusTraversalKeys
17 JDK-8251377 client-libs javax.swing [macos11] JTabbedPane selected tab text is barely legible
18 JDK-8269931 client-libs javax.swing ButtonGroupLayoutTraversalTest.java fails on macOS
19 JDK-8268518 client-libs javax.swing Add headful keyword to LayoutFocusTraversalPolicy.java
20 JDK-8154043 client-libs javax.swing Fields not reachable anymore by tab-key, because of new tabbing behaviour of radio button groups.
21 JDK-8035424 core-libs java.lang:reflect Performance problem in sun.reflect.generics.parser.SignatureParser
22 JDK-8161016 core-libs java.net Strange behavior of URLConnection with proxy
23 JDK-8183369 core-libs java.net RFC unconformity of HttpURLConnection with proxy
24 JDK-8067744 hotspot compiler XMM/SSE float register values corrupted by JNI_CreateVM call in JRE 8 (Windows)
25 JDK-8268366 hotspot compiler Incorrect calculation of has_fpu_registers in C1 linear scan
26 JDK-8268347 hotspot compiler C2: nested locks optimization may create unbalanced monitor enter/exit code
27 JDK-8269304 hotspot compiler Regression ~5% in spec2005 in b27
28 JDK-8065895 hotspot runtime Synchronous signals during error reporting may terminate or hang VM process
29 JDK-8261397 hotspot runtime try catch Method failing to work when dividing an integer by 0
30 JDK-8262396 javafx graphics Update Mesa 3-D Headers to version 21.0.3
31 JDK-8266860 javafx media [macos] Incorrect duration reported for HLS live streams
32 JDK-8264737 javafx media JavaFX media stream stops playing after reconnecting via Remote Desktop
33 JDK-8267819 javafx media CoInitialize/CoUninitialize should be called on same thread
34 JDK-8268219 javafx media hlsprogressbuffer should provide PTS after GStreamer update
35 JDK-8269147 javafx media Update GStreamer to version 1.18.4
36 JDK-8268718 javafx media [macos] Video stops, but audio continues to play when stopTime is reached
37 JDK-8269131 javafx web Update libxml2 to version 2.9.12
38 JDK-8270479 javafx web WebKit 612.1 build fails with Visual Studio 2017
39 JDK-8272329 javafx web Cherry pick GTK WebKit 2.32.3 changes
40 JDK-8268849 javafx web Update to 612.1 version of WebKit
41 JDK-8274107 javafx web Cherry pick GTK WebKit 2.32.4 changes
42 JDK-8231558 javafx window-toolkit [macos] Platform.exit causes assertion error on macOS 10.15 or later
43 JDK-8268158 security-libs Partial backport of JDK-8214074
44 JDK-8156584 security-libs java.security Initialization race in sun.security.x509.AlgorithmId.get
45 JDK-8268128 security-libs java.security ProviderConfig deadlock in JDK 8u291
46 JDK-8225082 security-libs java.security Remove IdenTrust certificate that is expiring in September 2021
47 JDK-8238555 security-libs javax.crypto:pkcs11 Allow initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB
48 JDK-8163326 security-libs javax.net.ssl Update the default enabled cipher suites preference
49 JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability
50 JDK-8255255 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.2.1
51 JDK-8260690 tools jconsole JConsole User Guide Link from the Help menu is not accessible by keyboard
52 JDK-8268213 xml jax-ws Racecondition at ContextClassloaderLocal.java:45


Java SE 8u301 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u301 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u301 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-6801613 client-libs 2d Cross-platform pageDialog and printDialog top margin entry broken
JDK-8268965 security-libs javax.net.ssl TCP Connection Reset when connecting simple socket to SSL server

 

Changes in Java SE 8u301 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8261287 (Confidential) client-libs 2d Ductus renderer does not work properly on aarch64, all graphics primitives appear broken
JDK-8271206 (Confidential) deploy webstart Passing system property jnlp.sis.session requires multi-clicks
JDK-8271087 (Confidential) install install [macos] postinstall script should provide verbose output
JDK-8271854 core-libs java.nio Explicitly reclaim cached thread-local direct buffers at thread exit
JDK-8205540 core-svc debugger test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 commands

 

Changes in Java SE 8u301 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8268213 xml jax-ws Racecondition at ContextClassloaderLocal.java:45

Java™ SE Development Kit 8, Update 301 (JDK 8u301)

July 20, 2021

The full version string for this update release is 8u301-b09 (where "b" means "build"). The version number is 8u301.

IANA TZ Data 2021a

JDK 8u301 contains IANA time zone data 2021a.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u301 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 8u301-b09
7 7u311-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u301) be used after the next critical patch update scheduled for October 19, 2021.

Java SE Subscription customers managing JRE updates/installs for large numbers of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u301) on 2021-11-19. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/org.ietf.jgss:krb5
 Support cross-realm MSSFU

The support for the Kerberos MSSFU extensions [1] is now extended to cross-realm environments.

By leveraging the Kerberos cross-realm referrals enhancement introduced in the context of JDK-8215032, the 'S4U2Self' and 'S4U2Proxy' extensions may be used to impersonate user and service principals located on different realms.

[1] - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/3bff5864-8135-400e-bdd9-33b552051d94

See JDK-8005819

security-libs/java.security
 Customizing PKCS12 keystore Generation

New system and security properties have been added to enable users to customize the generation of PKCS #12 keystores. This includes algorithms and parameters for key protection, certificate protection, and MacData. The detailed explanation and possible values for these properties can be found in the "PKCS12 KeyStore properties" section of the java.security file.

Also, support for the following SHA-2 based HmacPBE algorithms has been added to the SunJCE provider: HmacPBESHA224, HmacPBESHA256, HmacPBESHA384, HmacPBESHA512, HmacPBESHA512/224, HmacPBESHA512/256

See JDK-8076190

Removed Features and Options

security-libs/java.security
 Removed Root Certificates with 1024-bit Keys

The following root certificates with weak 1024-bit RSA public keys have been removed from the cacerts keystore:

+ alias name "thawtepremiumserverca [jdk]"

  Distinguished Name: EMAILADDRESS=premium-server@thawte.com, 
  CN=Thawte Premium Server CA, OU=Certification Services Division, 
  O=Thawte Consulting cc, 
  L=Cape Town, ST=Western Cape, C=ZA

+ alias name "verisignclass2g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, 
  OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
  OU=Class 2 Public Primary Certification Authority - G2, 
  O="VeriSign, Inc.", C=US

+ alias name "verisignclass3ca [jdk]"
  Distinguished Name: OU=Class 3 Public Primary Certification Authority, 
  O="VeriSign, Inc.", C=US

+ alias name "verisignclass3g2ca [jdk]"
  Distinguished Name: OU=VeriSign Trust Network, 
  OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
  OU=Class 3 Public Primary Certification Authority - G2, 
  O="VeriSign, Inc.", C=US

+ alias name "verisigntsaca [jdk]"
  Distinguished Name: CN=Thawte Timestamping CA, 
  OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA

+ alias name "gtecybertrustglobalca [jdk]"
  Distinguished Name:CN=GTE CyberTrust Global Root, 
  OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US 


See JDK-8243559

security-libs/java.security
 Removed Telia Company's Sonera Class2 CA certificate

The following root certificate has been removed from the cacerts truststore:

+ Telia Company

  + soneraclass2ca
    DN: CN=Sonera Class2 CA, O=Sonera, C=FI
See JDK-8225081

Other Notes

security-libs/java.security
 JarFile Treats Signed JARs with Multiple Manifests as Unsigned

The JarFile class now treats a signed JAR as unsigned if it detects a second manifest in the JAR file. A warning message, "WARNING: Multiple MANIFEST.MF found. Treat JAR file as unsigned.", is logged if the system property -Djava.security.debug=jar is set.

JDK-8260967 (not public)

install/install
 Updated List of Capabilities Provided by JDK RPMs

The following capabilities have been removed from the list of what OracleJDK/OracleJRE RPMs provide: xml-commons-api, jaxp_parser_impl, and java-fonts. This clean-up of the list resolves existing and potential conflicts with modular RPMs.

There are other rpms providing these capabilities, so there should be no impact on packages that depend on them. Package managers can use other RPMs to satisfy the dependencies provided by the OracleJDK/OracleJRE RPMs before this change.

JDK-8263575 (not public)

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, now referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

deploy/webstart
 Java WebStart Protocol Registration After macOS Upgrade

On the macOS platform, custom URL protocol handlers such as Java WebStart (jnlp and jnlps URI schemes) are deregistered after an OS upgrade. If the Java WebStart application uses jnlp or jnlps URI scheme(s), it is recommended that you check their registration status after the OS upgrade. The registration status of the custom URL protocol handlers can be obtained via the 'lsregister' command.

For example:

lsregister -dump URLSchemeBinding | sort | grep 'jnlp|java|jar'

The Java WebStart protocol handler is registered and no-further action is required if the output of the above command contains the following lines:

jnlp: Java Network Launch Protocol (0x4680) (0x4682)
jnlps: Secure Java Network Launch Protocol (0x4684) (0x4686)

Otherwise, it is necessary to upgrade or reinstall the JRE in order to register the Java WebStart protocol.

JDK-8273858 (not public)

security-libs/java.security
 Upgraded the Default PKCS12 Encryption Algorithms

The default encryption algorithms used in a PKCS #12 keystore have been updated. The new algorithms are based on AES-256 and SHA-256 and are stronger than the old algorithms that were based on RC2, DESede, and SHA-1. See the security properties starting with keystore.pkcs12 in the java.security file for detailed information.

For compatibility, a new system property named keystore.pkcs12.legacy is defined that will revert the algorithms to use the older, weaker algorithms. There is no value defined for this property.

See JDK-8153005

security-libs/java.security
 Disable SHA-1 JARs

JARs signed with SHA-1 algorithms are now restricted by default and treated as if they were unsigned. This applies to the algorithms used to digest, sign, and optionally timestamp the JAR. It also applies to the signature and digest algorithms of the certificates in the certificate chain of the code signer and the Timestamp Authority, and any CRLs or OCSP responses that are used to verify if those certificates have been revoked.

In order to reduce the compatibility risk for applications that have been previously timestamped or use private CAs, there are two exceptions to this policy:

  • Any JAR signed with SHA-1 algorithms and timestamped prior to January 01, 2019 will not be restricted.
  • Any JAR signed with a SHA-1 certificate that does not chain back to a Root CA included by default in the JDK cacerts keystore will not be restricted.

These exceptions may be removed in a future JDK release.

Users can, at their own risk, remove these restrictions by modifying the java.security configuration file (or overriding it using the java.security.properties system property) and removing "SHA1 jdkCA & usage SignedJAR & denyAfter 2019-01-01" from the jdk.certpath.disabledAlgorithms security property and "SHA1 jdkCA & denyAfter 2019-01-01" from the jdk.jar.disabledAlgorithms security property.

See JDK-8196415

security-libs/javax.net.ssl
 Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values

Certain TLS ALPN values couldn't be properly read or written by the SunJSSE provider. This is due to the choice of Strings as the API interface and the undocumented internal use of the UTF-8 character set which converts characters larger than U+00007F (7-bit ASCII) into multi-byte arrays that may not be expected by a peer.

SunJSSE now encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 characters. This means applications that used characters above U+000007F that were previously encoded using UTF-8 may need to either be modified to perform the UTF-8 conversion, or set the Java security property jdk.tls.alpnCharset to "UTF-8" revert the behavior.

See the updated guide at https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html for more information.

See JDK-8254631

core-libs/java.net
 URL FTP Protocol Handler: IPv4 Address Validation in Passive Mode

Client-side FTP support in the Java platform is available through the FTP URL stream protocol handler, henceforth referred to as the FTP Client.

The following system property has been added for validation of server addresses in FTP passive mode.

  • jdk.net.ftp.trustPasvAddress.

In this release, the FTP Client has been enhanced to reject an address sent by a server, in response to a PASV command from the FTP Client, when that address differs from the address which the FTP Client initially connected.

To revert to the prior behavior, the jdk.net.ftp.trustPasvAddress system property can be set to true. The affect of setting this property is that the FTP Client accepts and uses the address value returned in reply to a PASV command

JDK-8258432 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8249142 client-libs java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
2 JDK-8166673 client-libs The new implementation of Robot.waitForIdle() may hang
3 JDK-8263311 client-libs 2d Watch registry changes for remote printers update instead of polling
4 JDK-8262829 client-libs 2d Native crash in Win32PrintServiceLookup.getAllPrinterNames()
5 JDK-8260380 client-libs 2d Upgrade to LittleCMS 2.12
6 JDK-6847157 client-libs 2d java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
7 JDK-8225105 client-libs java.awt java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10
8 JDK-8198335 client-libs java.awt java/awt/FullScreen/UninitializedDisplayModeChangeTest/UninitializedDisplayModeChangeTest.java fails in headless mode
9 JDK-6544871 client-libs java.awt java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.
10 JDK-8196019 client-libs java.awt java/awt/Window/Grab/GrabTest.java fails on Windows
11 JDK-8224821 client-libs java.awt java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64
12 JDK-8215105 client-libs java.awt java/awt/Robot/HiDPIScreenCapture/ScreenCaptureTest.java: Wrong Pixel Color
13 JDK-8261231 client-libs java.awt Windows IME was disabled after DnD operation
14 JDK-7185258 client-libs java.awt [macOS] Deadlock in SunToolKit.realSync()
15 JDK-8240518 client-libs java.awt Incorrect JNU_ReleaseStringPlatformChars in Windows Print
16 JDK-8004148 client-libs java.awt NPE in sun.awt.SunToolkit.getWindowDeactivationTime
17 JDK-8262446 client-libs java.awt DragAndDrop hangs on Windows
18 JDK-8159898 client-libs java.beans Negative array size in java/beans/Introspector/Test8027905.java
19 JDK-8178403 client-libs javax.sound DirectAudio in JavaSound may hang and leak
20 JDK-8159135 client-libs javax.swing [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail
21 JDK-8264328 client-libs javax.swing Broken license in javax/swing/JComboBox/8072767/bug8072767.java
22 JDK-8240690 client-libs javax.swing Race condition between EDT and BasicDirectoryModel.FilesLoader.run0()
23 JDK-8239312 client-libs javax.swing [macOS] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
24 JDK-8196100 client-libs javax.swing javax/swing/text/JTextComponent/5074573/bug5074573.java fails
25 JDK-8177809 core-libs java.io File.lastModified() is losing milliseconds (always ends in 000)
26 JDK-8178161 core-libs java.net Default multicast interface on Mac
27 JDK-8263917 core-libs java.rmi Backout of 8049202 in 8u
28 JDK-8252883 core-libs java.util.logging AccessDeniedException caused by delayed file deletion on Windows
29 JDK-8262110 core-libs java.util:i18n DST starts from incorrect time in 2038
30 JDK-8255086 core-libs java.util:i18n Update the root locale display names
31 JDK-8247432 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-09-29
32 JDK-8241082 core-libs java.util:i18n Upgrade IANA Language Subtag Registry data to 03-16-2020 version
33 JDK-8242010 core-libs java.util:i18n Update IANA Language Subtag Registry to Version 2020-04-01
34 JDK-8073446 core-libs java.util:i18n TimeZone getOffset API does not return a DST offset between years 2038-2137
35 JDK-8258753 core-libs javax.naming StartTlsResponse.close() hangs due to synchronization issues
36 JDK-8247707 deploy plugin UAC prompt of unknown publisher after upgrading java 8u241
37 JDK-7123987 docs Request Documentation on JNLP/JNI with in 32-bit and 64-bit windows
38 JDK-8216154 hotspot compiler C4819 warnings at HotSpot sources on Windows
39 JDK-8211233 hotspot compiler MemBarNode::trailing_membar() and MemBarNode::leading_membar() need to handle dying subgraphs better
40 JDK-8209420 hotspot compiler Track membars for volatile accesses so they can be properly optimized
41 JDK-8132148 hotspot gc G1 hs_err region dump legend out of sync with region values
42 JDK-8166607 hotspot gc G1 needs klass_or_null_acquire
43 JDK-8166862 hotspot gc CMS needs klass_or_null_acquire
44 JDK-8166229 hotspot gc Eliminate ParNew's use of klass_or_null()
45 JDK-8166663 hotspot gc Simplify oops_on_card_seq_iterate_careful
46 JDK-8166583 hotspot gc Add oopDesc::klass_or_null_acquire()
47 JDK-8165808 hotspot gc Add release barriers when allocating objects with concurrent collection
48 JDK-8260704 hotspot gc ParallelGC: oldgen expansion needs release-store for _end
49 JDK-8259271 hotspot gc gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
50 JDK-8257746 hotspot runtime Regression introduced with JDK-8250984 - memory might be null in some machines
51 JDK-8203345 javafx accessibility Memory leak in VirtualFlow when screen reader is enabled
52 JDK-8160554 javafx controls Wrong unit measure in CornerRadiiConverter
53 JDK-8185854 javafx controls NPE on non-editable ComboBox in TabPane with custom Skin
54 JDK-8266966 javafx controls Wrong CSS properties are applied to other nodes after fix for JDK-8204568
55 JDK-8204568 javafx controls Relative CSS-Attributes don't work all time
56 JDK-8239589 javafx graphics JavaFX UI will not repaint after reconnecting via Remote Desktop
57 JDK-8259046 javafx graphics ViewPainter.ROOT_PATHS holds reference to Scene causing memory leak
58 JDK-8258986 javafx graphics getColor throws IOOBE when PixelReader reads the same pixel twice
59 JDK-8259356 javafx media MediaPlayer's seek freezes video
60 JDK-8262365 javafx media Update GStreamer to version 1.18.3
61 JDK-8262366 javafx media Update glib to version 2.66.7
62 JDK-8268152 javafx media gstmpegaudioparse does not provides timestamps for HLS MP3 streams
63 JDK-8260246 javafx samples Ensemble: Update version of Lucene to 7.7.3
64 JDK-8259680 javafx scenegraph Need API to query states of CAPS LOCK and NUM LOCK keys
65 JDK-8264990 javafx web WebEngine crashes with segfault when not loaded through system classloader
66 JDK-8259555 javafx web Webkit crashes on Apple Silicon
67 JDK-8263788 javafx web JavaFX application freezes completely after some time when using the WebView
68 JDK-8261927 javafx web WebKit build fails with Visual Studio 2017
69 JDK-8260245 javafx web Update ICU4C to version 68.2
70 JDK-8251555 javafx window-toolkit Remove unused focusedWindow field in glass Window to avoid leak
71 JDK-8263169 javafx window-toolkit [macOS] JavaFX windows open as tabs when system preference for documents is set
72 JDK-8266293 security-libs Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
73 JDK-8263817 security-libs java.security java.util.MissingResourceException if add cert with GOST key in cacerts
74 JDK-8218553 security-libs java.security Enhance keystore load debug output
75 JDK-8243559 security-libs java.security Remove root certificates with 1024-bit keys
76 JDK-8225081 security-libs java.security Remove Telia Company CA certificate expiring in April 2021
77 JDK-8153005 security-libs java.security Upgrade the default PKCS12 encryption/MAC algorithms
78 JDK-8267599 security-libs java.security Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
79 JDK-8214513 security-libs java.security A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11
80 JDK-8202837 security-libs java.security PBES2 AlgorithmId encoding error in PKCS12 KeyStore
81 JDK-8267100 security-libs java.security [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs
82 JDK-8196415 security-libs java.security Disable SHA-1 Signed JARs
83 JDK-8076190 security-libs java.security Customizing the generation of a PKCS12 keystore
84 JDK-8260300 security-libs javax.net.ssl Restrict TLS signature schemes in 8u
85 JDK-8254631 security-libs javax.net.ssl Better support ALPN byte wire values in SunJSSE
86 JDK-8005819 security-libs org.ietf.jgss:krb5 Support cross-realm MSSFU
87 JDK-8180478 tools tools/launcher/MultipleJRE.sh fails on Windows because of extra-''
88 JDK-8260568 xml Xerces version string output does not match actual version in JDK
89 JDK-8235368 xml jaxp Update BCEL to Version 6.4.1
90 JDK-8213734 xml org.xml.sax SAXParser.parse(File, ..) does not close resources when Exception occurs.


Java SE 8u291 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u291 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u291 b35

Bug Fixes

BugId Component Subcomponent Summary
JDK-8268128 security-libs java.security ProviderConfig deadlock in JDK 8u291

 

 

Changes in Java SE 8u291 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259886 security-libs javax.net.ssl Improve SSL session cache performance and scalability
JDK-8266943 (Confidential) install install Request to reinstate MacOS JRE pkg.dmg binary bundle
JDK-8267429 (Confidential) infrastructure release_eng MacOS JRE pkg.dmg binary bundle reinstated

 

 

Changes in Java SE 8u291 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8258753 core-libs javax.naming StartTlsResponse.close() hangs due to synchronization issues
JDK-8263788 javafx web JavaFX application freezes completely after some time when using the WebView
JDK-8185854 javafx controls NPE on non-editable ComboBox in TabPane with custom Skin
JDK-8260300 security-libs javax.net.ssl Restrict TLS signature schemes in 8u

 

 

Changes in Java SE 8u291 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8239589 javafx graphics JavaFX UI will not repaint after reconnecting via Remote Desktop

Java™ SE Development Kit 8, Update 291 (JDK 8u291)

April 20, 2021

The full version string for this update release is 1.8.0_291-b10 (where "b" means "build"). The version number is 8u291.

IANA TZ Data 2020e, 2020f, 2021a

JDK 8u291 contains IANA time zone data 2020e, 2020f, 2021a.

  • * Volgograd switches to Moscow time on 2020-12-27 at 02:00.
  • * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u291 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_291-b10
7 1.7.0_301-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u291) be used after the next critical patch update scheduled for July 20, 2021.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u291) on 2021-08-20. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Other Notes

core-libs/javax.naming
 New System and Security Properties to Control Reconstruction of Remote Objects by JDK's Built-in JNDI RMI and LDAP Implementations

jdk.jndi.object.factoriesFilter: This system and security property allows a serial filter to be specified that controls the set of object factory classes permitted to instantiate objects from object references returned by naming/directory systems. The factory class named by the reference instance is matched against this filter during remote reference reconstruction. The filter property supports pattern-based filter syntax with the format specified by JEP 290. This property applies both to the JNDI/RMI and the JNDI/LDAP built-in provider implementations. The default value allows any object factory class specified in the reference to recreate the referenced object.

com.sun.jndi.ldap.object.trustSerialData: This system property allows control of the deserialization of java objects from the javaSerializedData LDAP attribute. To prevent deserialization of java objects from the attribute, the system property can be set to false value. By default, deserialization of java objects from the javaSerializedData attribute is allowed.

JDK-8244473 (not public)

security-libs/java.security
 Added 2 HARICA Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ HARICA

  + haricarootca2015
    DN: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR

  + haricaeccrootca2015
    DN: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
See JDK-8256421

install/install
 Default java Version Is Not Updated for Double Click jar Execution

Oracle JRE installers will update the PATH environment variable with their directory behind any already put in place by other Oracle JDK installers.

See JDK-8259215

security-libs/javax.net.ssl
 Disable TLS 1.0 and 1.1

TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been superseded by more secure and modern versions (TLS 1.2 and 1.3).

These versions have now been disabled by default. If you encounter issues, you can, at your own risk, re-enable the versions by removing "TLSv1" and/or "TLSv1.1" from the jdk.tls.disabledAlgorithms security property in the java.security configuration file.

See JDK-8202343

deploy
 Disable TLS 1.0 and 1.1 for Java Plugin Applets and Java Web Start Applications

TLS 1.0 and 1.1 have been disabled. These protocols are NOT used by Java Plugin applets and Java Web Start applications by default. In case of any issues there is an option to re-enable the protocols via Java Control Panel.

JDK-8255892 (not public)

core-libs/java.lang
 Less Ambiguous Processing of ProcessBuilder Quotes on Windows

In the java.lang.ProcessBuilder implementation on Windows, the system property jdk.lang.Process.allowAmbiguousCommands=false ensures, for each argument, that double-quotes are properly encoded in the command string passed to Windows CreateProcess. An argument with a final trailing double-quote preceded by a backslash is encoded as a literal double-quote; previously, the argument including the double-quote would be joined with the next argument. An empty argument is encoded as a pair of double-quotes ("") resulting in a zero length string passed for the argument to the process; previously, it was silently ignored. An argument containing double-quotes, other than first and last, is encoded to preserve the double-quotes when passed to the process; previously, the embedded double-quotes would be dropped and not passed to the process. If a security manager is set, such as in WebStart applications, double-quotes are encoded as described. When there is no security manager, there is no change to existing behavior; the jdk.lang.Process.allowAmbiguousCommands property can be set to true: jdk.lang.Process.allowAmbiguousCommands=true or false. If left unset, it is the same as setting it to true.

JDK-8250568 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8244621 client-libs 2d [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11
2 JDK-8258805 client-libs java.awt Japanese characters not entered by mouse click on Windows 10
3 JDK-8212678 client-libs java.awt Windows IME related patch
4 JDK-8239137 client-libs javax.accessibility JAWS does not always announce the value of JSliders in JColorChooser
5 JDK-8249588 client-libs javax.accessibility libwindowsaccessbridge issues on 64bit Windows
6 JDK-8255880 client-libs javax.swing UI of Swing components is not redrawn after their internal state changed
7 JDK-8250627 core-libs Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
8 JDK-8251397 core-libs java.lang NPE on ClassValue.ClassValueMap.cacheArray
9 JDK-7146776 core-libs java.net Deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
10 JDK-8247766 hotspot compiler AArch64: guarantee(val < (1U << nbits)) failed: Field too big for insn
11JDK-8252482hotspotcompilerdisable cbcond instructions on SPARC64
12 JDK-8243290 hotspot runtime Improve diagnostic messages for class verification and redefinition failures
13 JDK-8257168 hotspot runtime Use SkippedException instead of RuntimeException for docker not able to pull the repository
14 JDK-8260159 install install Typo in Javapath.cpp
15 JDK-8260190 install install Incomplete JDK-8259215 fix
16 JDK-8259215 install install Default Java version is not updated for double click jar execution
17 JDK-8242565 security-libs java.security Policy initialization issues when the denyAfter constraint is enabled
18 JDK-8244154 security-libs javax.crypto:pkcs11 Update SunPKCS11 provider with PKCS11 v3.0 header files
19 JDK-8240871 security-libs javax.net.ssl SSLEngine handshake status immediately after the handshake can be NOT_HANDSHAKING rather than FINISHED with TLSv1.3
20 JDK-8257997 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
21 JDK-8253368 security-libs javax.net.ssl TLS connection always receives close_notify exception
22 JDK-8202343 security-libs javax.net.ssl Disable TLS 1.0 and 1.1
23 JDK-8256818 security-libs javax.net.ssl SSLSocket that is never bound or connected leaks socket resources
24 JDK-8257670 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
25 JDK-8255559 security-libs javax.xml.crypto Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
26 JDK-8261970 xml reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271
27 JDK-8256685 xml jaxp Behavior change in XML since JDK 8u271
28 JDK-8249867 xml jaxp XML declaration is not followed by a newline


Java SE 8u281 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u281 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u281 b35

Bug Fixes

BugId Component Subcomponent Summary
JDK-8204568 javafx controls Relative CSS-Attributes don't work all time
JDK-8262829 client-libs 2d Native crash in Win32PrintServiceLookup.getAllPrinterNames()
JDK-8262940 (Confidential) install [macOS] Java Webstart protocol schemes not registered by JRE installer on macOS
JDK-8247707 deploy plugin UAC prompt of unknown publisher after upgrading java 8u241
JDK-8263575 (Confidential) install install Conflict between JDK rpms and OL8 Modularity prevents dnf install/updates
JDK-8263842 (Confidential) install install Clean up "Provides" tag of OracleJDK/JRE rpms

 

Changes in Java SE 8u281 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8261970 xml reutilization of org.w3c.dom.ls.LSSerializer,produces unexpected result in 8u271

 

Changes in Java SE 8u281 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259680 javafx scenegraph Need API to query states of CAPS LOCK and NUM LOCK keys
JDK-8258803 xml WLS/Tuxedo error in encoding post JDK upgrade
JDK-8261209 xml jaxp isStandalone property: remove dependency on pretty-print
JDK-8249867 xml jaxp xml declaration is not followed by a newline

 

Changes in Java SE 8u281 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8259048 core-libs java.time (tz) Upgrade time-zone data to tzdata2020f
JDK-8259215 install install default java version is not updated for double click jar execution

 

Changes in Java SE 8u281 b31

Bug Fixes

BugId Component Subcomponent Summary
JDK-8256925 (Confidential) security-libs java.security Regression with JDK-8236464 in Oracle 8u271
JDK-8256818 security-libs javax.net.ssl SSLSocket that is never bound or connected leaks socket resources
JDK-8257670 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
JDK-8257884 security-libs javax.net.ssl Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test
JDK-8257997 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
JDK-8256004 (Confidential) deploy plugin DRS: Can not run applet in DRS with java 6 after 8u261 upgrade
JDK-8258373 client-libs javax.swing Update the text handling in the JPasswordField
JDK-8253368 security-libs javax.net.ssl TLS connection always receives close_notify exception

Java™ SE Development Kit 8, Update 281 (JDK 8u281)

January 19, 2021

The full version string for this update release is 1.8.0_281-b09 (where "b" means "build"). The version number is 8u281.

IANA Data 2020d

JDK 8u281 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u281 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_281-b09
7 1.7.0_291-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u281) be used after the next critical patch update scheduled for April 20, 2021.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u281) on May 15, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/java.security
 -groupname Option Added to keytool Key Pair Generation

A new -groupname option has been added to keytool -genkeypair so that a user can specify a named group when generating a key pair. For example, keytool -genkeypair -keyalg EC -groupname secp384r1 will generate an EC key pair by using the secp384r1 curve. Because there might be multiple curves with the same size, using the -groupname option is preferred over the -keysize option.

See JDK-8213400

security-libs/javax.xml.crypto
 Apache Santuario Library Updated to Version 2.1.4

The Apache Santuario library has been upgraded to version 2.1.4. As a result, a new system property com.sun.org.apache.xml.internal.security.parser.pool-size has been introduced.

This new system property sets the pool size of the internal DocumentBuilder cache used when processing XML Signatures. The function is equivalent to the org.apache.xml.security.parser.pool-size system property used in Apache Santuario and has the same default value of 20.

See JDK-8231507

security-libs/javax.net.ssl
 Support for certificate_authorities Extension

The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. It is used to indicate the certificate authorities (CAs) that an endpoint supports and should be used by the receiving endpoint to guide certificate selection.

With this JDK release, the "certificate_authorities" extension is supported for TLS 1.3 in both the client and the server sides. This extension is always present for client certificate selection, while it is optional for server certificate selection.

Applications can enable this extension for server certificate selection by setting the jdk.tls.client.enableCAExtension system property to true. The default value of the property is false.

Note that if the client trusts more CAs than the size limit of the extension (less than 2^16 bytes), the extension is not enabled. Also, some server implementations do not allow handshake messages to exceed 2^14 bytes. Consequently, there may be interoperability issues when jdk.tls.client.enableCAExtension is set to true and the client trusts more CAs than the server implementation limit.

See JDK-8206925

Other Notes

 

deploy/deployment_toolkit
 Disk Access From Java Control Panel on macOS

Starting from macOS Catalina 10.15, applications do not have access to the Desktop, Documents and Downloads folders. So, if you use JavaControlPanel app to access files at the locations specified above, (such as load certificates from the Downloads folder) you must either move the files to another location or grant the required permissions to the JavaControlPanel app.

The steps to required to grant the permissions to JavaControlPanel are provided below:

1. On your Mac, open the Apple menu, click System Preferences, click Security & Privacy, then click Privacy.

2. Select Full Disk Access and click +.

3. In Applications, navigate to the System Preferences app (Applications > System Preferences), and click Open.

Note: You must grant permissions to the System Preferences app because the JavaControlPanel app is a part of that application on macOS.

JDK-8265416 (not public)

core-libs/java.time
 JDK time-zone data upgraded to tzdata2020d

The JDK update incorporates tzdata2020d. The main change is

  • Palestine ends DST earlier than predicted, on 2020-10-24.

Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000062.html for more information.

See JDK-8255226

core-libs/java.time
 JDK time-zone data upgraded to tzdata2020c

The JDK update incorporates tzdata2020c. The main change is

  • Fiji starts DST later than usual, on 2020-12-20.

Please refer to https://mm.icann.org/pipermail/tz-announce/2020-October/000060.html for more information.

See JDK-8254982

core-libs/java.time
 US/Pacific-New Zone Name Removed as Part of tzdata2020b

Following the JDK's update to tzdata2020b, the long-obsolete files named pacificnew and systemv have been removed. As a result, the "US/Pacific-New" Zone name declared in the pacificnew data file is no longer available for use.

Information regarding this update can be viewed at https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html

See JDK-8254177

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8209113 client-libs 2d Use WeakReference for lastFontStrike for created Fonts
2 JDK-8245400 client-libs 2d Upgrade to LittleCMS 2.11
3 JDK-8198334 client-libs java.awt java/awt/FileDialog/8003399/bug8003399.java fails in headless mode
4 JDK-8232114 client-libs java.awt JVM crashed at imjpapi.dll in native code
5 JDK-8252470 client-libs java.awt java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
6 JDK-8240633 client-libs javax.swing Memory leaks in the implementations of FileChooserUI
7 JDK-8253072 core-libs XERCES version is displayed incorrect
8 JDK-8069211 core-libs java.nio (zipfs) ZipFileSystem creates corrupted zip if entry output stream gets closed more than once
9 JDK-8242480 core-svc java.lang.management Negative value may be returned by getFreeSwapSpaceSize() in the docker
10 JDK-8252789 deploy deployment_toolkit Empty client certificate issue during TLS handshake
11 JDK-8253695 docs guides JDK 8 Install Guide - 8u RPM Installer Failed to Install on SUSE When Updating Alternatives
12 JDK-8255558 docs guides InstallGuide: Update documentation of JDK RPM installation steps
13 JDK-8250665 globalization locale-data Wrong translation for the month of May in ar_JO, ar_LB and ar_SY
14 JDK-8146612 hotspot compiler C2: Precedence edges specification violated
15 JDK-8160006 hotspot compiler Fix AArch64 after changes made by 8151661
16 JDK-8214862 hotspot compiler assert(proj != __null) at compile.cpp:3251
17 JDK-8248214 hotspot gc Add paddings for TaskQueueSuper to reduce false-sharing cache contention
18 JDK-8185348 hotspot jvmti Major performance regression in GetMethodDeclaringClass and other JVMTI Method functions
19 JDK-8140091 hotspot runtime remove VMStructs cast_uint64_t workaround for GCC 4.1.1 bug
20 JDK-8148854 hotspot runtime Class names "SomeClass" and "LSomeClass;" treated by JVM as an equivalent
21 JDK-8217338 hotspot runtime [Containers] Improve systemd slice memory limit support
22 JDK-8217766 hotspot runtime Container Support doesn't work for some Join Controllers combinations
23 JDK-8221408 hotspot runtime Windows 32bit build build errors/warnings in hotspot
24 JDK-8221725 hotspot runtime AArch64 build failures after JDK-8221408 (Windows 32bit build build errors/warnings in hotspot)
25 JDK-8227006 hotspot runtime [linux] Runtime.availableProcessors execution time increased by factor of 100
26 JDK-8246648 hotspot runtime issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480
27 JDK-8247839 javafx graphics Wrong position of GUI elements using multiple HiDPI displays in JavaFX 8
28 JDK-8252060 javafx media gstreamer fails to build with gcc 10
29 JDK-8254100 javafx other FX: Update copyright year in docs, readme files to 2021
30 JDK-8181775 javafx web JavaFX WebView does not calculate border-radius properly
31 JDK-8234471 javafx web Canvas in webview displayed with wrong scale on Windows
32 JDK-8251241 javafx window-toolkit macOS: iconify property doesn't change after minimize when resizable is false
33 JDK-8244151 security-libs javax.smartcardio Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26

Java SE 8u271 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u271 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u271 b37

Bug Fixes

BugId Component Subcomponent Summary
JDK-8256818 security-libs javax.net.ssl SSLSocket that is never bound or connected leaks socket resources
JDK-8257670 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
JDK-8257997 security-libs javax.net.ssl sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
JDK-8255908 core-libs ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem
JDK-8250627 core-libs Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
JDK-8256685 xml jaxp Behavior change in XML since jdk1.8.0_271
JDK-8238579 core-libs java.net HttpsURLConnection drops the timeout and hangs forever in read
JDK-8254982 core-libs java.time (tz) Upgrade time-zone data to tzdata2020c
JDK-8255226 core-libs java.time (tz) Upgrade time-zone data to tzdata2020d
JDK-8250984 hotspot runtime Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities

 

 

Changes in Java SE 8u271 b34

Bug Fixes

BugId Component Subcomponent Summary
JDK-8255559 security-libs javax.xml.crypto Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()

 

Changes in Java SE 8u271 b33

Bug Fixes

BugId Component Subcomponent Summary
JDK-8253502 (Confidential) hotspot svc No certificates in "Request Authentication" dialog after upgrading to 8u261
JDK-8252455 (Confidential) core-libs java.net Performance issue caused by 8232854
JDK-8206925 security-libs javax.net.ssl Support the certificate_authorities extension
JDK-8250676 (Confidential) hotspot svc JFR recording MonitorEnter events - Stack trace caching

 

Changes in Java SE 8u271 b32

Bug Fixes

BugId Component Subcomponent Summary
JDK-8254177 core-libs java.time (tz) Upgrade time-zone data to tzdata2020b.

Java™ SE Development Kit 8, Update 271 (JDK 8u271)

October 20, 2020

The full version string for this update release is 1.8.0_271-b09 (where "b" means "build"). The version number is 8u271.

IANA Data 2020a

JDK 8u271 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u271 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_271-b09
7 1.7.0_281-b06

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u271) be used after the next critical patch update scheduled for January 19, 2021.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u271) on February 20, 2021. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/java.security
 Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default

Weak named curves are disabled by default by adding them to the following disabledAlgorithms security properties: jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms, and jdk.jar.disabledAlgorithms. The named curves are listed below.

With 47 weak named curves to be disabled, adding individual named curves to each disabledAlgorithms property would be overwhelming. To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all of the disabledAlgorithms properties. To use the new property in the disabledAlgorithms properties, precede the full property name with the keyword include. Users can still add individual named curves to disabledAlgorithms properties separate from this new property. No other properties can be included in the disabledAlgorithms properties.

To restore the named curves, remove the include jdk.disabled.namedCurves either from specific or from all disabledAlgorithms security properties. To restore one or more curves, remove the specific named curve(s) from the jdk.disabled.namedCurves property.

Curves that are disabled through jdk.disabled.namedCurves include the following: secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1

Curves that remain enabled are: secp256r1, secp384r1, secp521r1, X25519, X448

See JDK-8233228

security-libs/org.ietf.jgss:krb5
 Support for Kerberos Cross-Realm Referrals (RFC 6806)

The Kerberos client has been enhanced with the support of principal name canonicalization and cross-realm referrals, as defined by the RFC 6806 protocol extension.

As a result of this new feature, the Kerberos client can take advantage of more dynamic environment configurations and does not necessarily need to know (in advance) how to reach the realm of a target principal (user or service).

Support is enabled by default and 5 is the maximum number of referral hops allowed. To turn it off, set the sun.security.krb5.disableReferrals security or system property to false. To configure a custom maximum number of referral hops, set the sun.security.krb5.maxReferrals security or system property to any positive value.

See further information in JDK-8223172.

See JDK-8215032

security-libs/javax.net.ssl
 Improve Certificate Chain Handling

A new system property, jdk.tls.maxHandshakeMessageSize, has been added to set the maximum allowed size for the handshake message in TLS/DTLS handshaking. The default value of the system property is 32768 (32 kilobytes).

A new system property, jdk.tls.maxCertificateChainLength, has been added to set the maximum allowed length of the certificate chain in TLS/DTLS handshaking. The default value of the system property is 10.

JDK-8245417 (not public)

security-libs/java.security
 Tools Warn If Weak Algorithms Are Used

The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file. In this release, the tools issue warnings for the SHA-1 hash algorithm and 1024-bit RSA/DSA keys.

See JDK-8172404

security-libs/org.ietf.jgss:krb5
 Support for canonicalize in krb5.conf

The 'canonicalize' flag in the krb5.conf file is now supported by the JDK Kerberos implementation. When set to true, RFC 6806 name canonicalization is requested by clients in TGT requests to KDC services (AS protocol). Otherwise, and by default, it is not requested.

The new default behavior is different from JDK 14 and previous releases where name canonicalization was always requested by clients in TGT requests to KDC services (provided that support for RFC 6806 was not explicitly disabled with the sun.security.krb5.disableReferrals system or security properties).

See JDK-8239385

Removed Features and Options

deploy/plugin
 Java Plugin is Removed from JDK 8u for Linux, Solaris, and MacOS Platforms

NPAPI is considered to be a vulnerable plugin and has been disabled in many browsers. No browsers currently support Java Plugin, which is NPAPI-based, on Linux, Solaris, and MacOS platforms.

Starting from 8u271, the part of Java Plugin responsible for integration and interaction with a browser (in particular libnpjp2 library) and an associated artifact will not be built and is not part of the JRE distribution on Linux, Solaris, and MacOS platforms.

JDK-8240210 (not public)

Other notes

core-libs/javax.naming
 Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections

A new environment property, jdk.jndi.ldap.mechsAllowedToSendCredentials, has been added to control which LDAP authentication mechanisms are allowed to send credentials over clear LDAP connections - a connection not secured with TLS. An encrypted LDAP connection is a connection opened by using ldaps scheme, or a connection opened by using ldap scheme and then upgraded to TLS with a STARTTLS extended operation.

The value of the property, which is by default not set, is a comma separated list of the mechanism names that are permitted to authenticate over a clear connection. If a value is not specified for the property, then all mechanisms are allowed. If the specified value is an empty list, then no mechanisms are allowed (except for none and anonymous). The default value for this property is 'null' ( i.e. System.getProperty("jdk.jndi.ldap.mechsAllowedToSendCredentials") returns 'null'). To explicitly permit all mechanisms to authenticate over a clear connection, the property value can be set to "all". If a connection is downgraded from encrypted to clear, then only the mechanisms that are explicitly permitted are allowed.

The property can be supplied to the LDAP context environment map, or set globally as a system property. When both are supplied, the environment map takes precedence.

Note: none and anonymous authentication mechanisms are exempted from these rules and are always allowed regardless of the property value.

JDK-8237990 (not public)

security-libs/java.security
 Added 3 SSL Corporation Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ SSL Corporation

  + sslrootrsaca
    DN: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrootevrsaca
    DN: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US

  + sslrooteccca
    DN: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
See JDK-8243320

security-libs/java.security
 Added Entrust Root Certification Authority - G4 certificate

The following root certificate has been added to the cacerts truststore:

+ Entrust

  + entrustrootcag4
    DN: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", 
        OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
See JDK-8243321

install
 8u RPM Installer Failed to Install on SUSE When Updating Alternatives

Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java and javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac group with alternatives framework. All links unique to the javac group have been moved into the java group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.

The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command:

/usr/sbin/alternatives --auto java

JDK-8240919 (not public)

install
 [macos] Invisible (or Hidden) Text in the Installer Window Using Mac's Dark Mode

Some text in the Installer window is hidden/invisible when using Dark mode on macOS. To workaround this issue, switch to Light mode when running the installer. This issue should be resolved by JDK-8249683.

See JDK-8249683

core-libs/java.io:serialization
 Enhanced Support of Proxy Class

The deserialization of java.lang.reflect.Proxy objects can be limited by setting the system property jdk.serialProxyInterfaceLimit. The limit is the maximum number of interfaces allowed per Proxy in the stream. Setting the limit to zero prevents any Proxies from being deserialized including Annotations, a limit of less than 2 might interfere with RMI operations.

JDK-8236862 (not public)

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8198406 client-libs 2d Test TestAATMorxFont is unstable
2 JDK-8220150 client-libs 2d [macos] macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
3 JDK-8236996 client-libs 2d Incorrect Roboto font rendering on Windows with subpixel antialiasing
4 JDK-8244818 client-libs 2d [macos] Java2D Queue Flusher crash while moving application window to external monitor
5 JDK-6966205 client-libs java.awt closed/sun/awt/font/DeriveFont.java failed with compilation error
6 JDK-8183286 client-libs java.awt Some java/awt and javax/swing tests miss headful jtreg keyword
7 JDK-8198612 client-libs java.awt Headful closed tests should not be run in headless mode
8 JDK-8030123 client-libs java.beans java/beans/Introspector/Test8027648.java fails
9 JDK-8060027 client-libs java.beans Tests java/beans/XMLEncoder/Test4903007.java and java/beans/XMLEncoder/java_awt_GridBagLayout.java
10 JDK-8156579 client-libs java.beans Two JavaBeans tests failed
11 JDK-8156581 client-libs java.beans Cleanup of ProblemList.txt
12 JDK-8249278 client-libs javax.accessibility Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
13 JDK-8183341 client-libs javax.imageio Better cleanup for javax/imageio/AllowSearch.java
14 JDK-8183349 client-libs javax.imageio Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java and WriteAfterAbort.java
15 JDK-8183351 client-libs javax.imageio Better cleanup for jdk/test/javax/imageio/spi/AppletContextTest/BadPluginConfigurationTest.sh
16 JDK-7109623 client-libs javax.sound javax/sound/sampled/DirectAudio/bug6372428.java failed
17 JDK-8047222 client-libs javax.sound Test closed/javax/sound/sampled/Clip/bug6251460.java fails if run with 32-bit java on Windows 64-bit host
18 JDK-8148983 client-libs javax.sound Fix extra comma in changes for JDK-8148916
19 JDK-8153725 client-libs javax.sound Problem list javax/sound/sampled/DirectAudio/bug6400879.java for Linux
20 JDK-8156169 client-libs javax.sound Some sound tests rarely hangs because of incorrect synchronization
21 JDK-8160217 client-libs javax.sound JavaSound should clean up resources better
22 JDK-6962725 client-libs javax.swing Regtest javax/swing/JFileChooser/6738668/bug6738668.java fails under Linux
23 JDK-8198004 client-libs javax.swing javax/swing/JFileChooser/6868611/bug6868611.java throws error
24 JDK-8198321 client-libs javax.swing javax/swing/JEditorPane/5076514/bug5076514.java fails
25 JDK-8249251 client-libs javax.swing [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
26 JDK-8168517 core-libs java.lang java/lang/ProcessBuilder/Basic.java failed with "java.lang.AssertionError: Some tests failed"
27 JDK-8151788 core-libs java.net NullPointerException from ntlm.Client.type3
28 JDK-8192953 core-svc java.lang.management sun/management/jmxremote/bootstrap/*.sh tests fail with error : revokeall.exe: Permission denied
29 JDK-8242884 deploy plugin 8u241 32 bit SSV Helper causes long load time and page load on IE11
30 JDK-8145096 hotspot compiler Undefined behaviour in HotSpot
31 JDK-8215265 hotspot compiler C2: range check elimination may allow illegal out of bound access
32 JDK-8023697 hotspot runtime failed class resolution reports different class name in detail message for the first and subsequent times
33 JDK-8048933 hotspot runtime -XX:+TraceExceptions output should include the message
34 JDK-8064319 hotspot runtime Need to enable -XX:+TraceExceptions in release builds
35 JDK-8235243 hotspot runtime handle VS2017 15.9 and VS2019 in abstract_vm_version
36 JDK-8240295 hotspot runtime hs_err elapsed time in seconds is not accurate enough
37 JDK-8193800 javafx controls TreeTableView selection changes on sorting
38 JDK-8129582 javafx graphics Controls slow considerably when displaying RTL-languages text on Linux
39 JDK-8246204 javafx graphics No 3D support for newer Intel graphics drivers on Linux
40 JDK-8246348 javafx graphics Crash in libpango on Ubuntu 20.04 with some unicode chars
41 JDK-8239095 javafx media Upgrade libFFI to the latest 3.3 version
42 JDK-8248365 javafx media Debug build crashes on Windows when playing media file
43 JDK-8252107 javafx media Media pipeline initialization can crash if audio or video bin state change fails
44 JDK-8191758 javafx web Match WebKit's font weight rendering with JavaFX
45 JDK-8208169 javafx web can not print selected pages of web page
46 JDK-8245284 javafx web Update to 610.1 version of WebKit
47 JDK-8246357 javafx web Allow static build of webkit library on linux
48 JDK-8247963 javafx web Update SQLite to version 3.32.3
49 JDK-8249839 javafx web Cherry pick GTK WebKit 2.28.3 changes
50 JDK-8252381 javafx web Cherry pick GTK WebKit 2.28.4 changes
51 JDK-8248490 javafx window-toolkit [macOS] Undecorated stage does not minimize
52 JDK-8141457 security-libs java.security keytool default cert fingerprint algorithm should be SHA-256
53 JDK-8211049 security-libs java.security Second parameter of "initialize" method is not used
54 JDK-8242556 security-libs java.security Cannot load RSASSA-PSS public key with non-null params from byte array
55 JDK-8245151 security-libs java.security jarsigner should not raise duplicate warnings on verification
56 JDK-8205111 security-libs javax.net.ssl Develop new Test to verify different key types for supported TLS protocols.
57 JDK-8215443 security-libs javax.net.ssl The use of TransportContext.fatal() leads to bad coding style
58 JDK-8236464 security-libs javax.net.ssl SO_LINGER option is ignored by SSLSocket in JDK 11
59 JDK-8226719 security-libs org.ietf.jgss Kerberos login to Windows 2000 failed with "Inappropriate type of checksum in message"
60 JDK-8227381 security-libs org.ietf.jgss GSS login fails with PREAUTH_FAILED
61 JDK-8227437 security-libs org.ietf.jgss:krb5 S4U2proxy cannot continue because server's TGT cannot be found
62 JDK-8246193 security-libs org.ietf.jgss:krb5 Possible NPE in ENC-PA-REP search in AS-REQ
63 JDK-8250582 security-libs org.ietf.jgss:krb5 Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
64 JDK-8249717 tools javac langtools tests are failing on Windows in jdk8u-cpu
65 JDK-8248348 xml jaxp Regression caused by the update to BCEL 6.0

Java SE 8u261 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u261 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u261 b36

Bug Fixes

BugId Component Subcomponent Summary
8252789 deploy deployment_toolkit Empty client certificate issue during TLS handshake
8249183 client-libs java.awt JVM crash in "AwtFrame::WmSize" method
8249846 core-libs java.util.concurrent Change of behavior after JDK-8237117: Better ForkJoinPool behavior
8252861 deploy Disable TLSv1.3 by default on deploy configurations

Changes in Java SE 8u261 b34

Bug Fixes

BugId Component Subcomponent Summary
8247839 javafx graphics Wrong position of GUI elements using multiple HiDPI displays in JavaFX 8
8193800 javafx controls TreeTableView selection changes on sorting

Changes in Java SE 8u261 b33

Bug Fixes

BugId Component Subcomponent Summary
8248505 security-libs java.security Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
8248990 (Confidential) docs guides Remove link to old license page from JDK 8 troubleshooting guide
8248523 (Confidential) docs guides In TLS overview page, change JDK 11 to JDK 8
8235932 (Confidential) docs guides Backport TLS 1.3 documentation for JDK 8u MR3
8245624 (Confidential) embedded hotspot Arm support missing for JDK-8176100
8062947 core-libs javax.naming Fix exception message to correctly represent LDAP connection failure
8217606 core-libs javax.naming LdapContext#reconnect always opens a new connection
8151678 core-libs javax.naming com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
8243138 core-libs javax.naming Enhance BaseLdapServer to support starttls extended request
8247925 (Confidential) xml jaxp JDK8u251- XSL transformer fails with TransformerConfigurationException

Java™ SE Development Kit 8, Update 261 (JDK 8u261)

July 14, 2020

The full version string for this update release is 1.8.0_261-b12 (where "b" means "build"). The version number is 8u261.

IANA Data 2020a

JDK 8u261 contains IANA time zone data version 2020a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u261 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_261-b12
7 1.7.0_271-b10

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u261) be used after the next critical patch update scheduled for October 20, 2020.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u261) on November 17, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

hotspot/runtime
 JDK/JRE Runtime Windows Visual Studio Library (DLL) Dependency Changes

As part of ongoing maintenance, the Microsoft Visual Studio 2017 tool chain will be used to build JDK 7 and JDK 8 for Windows. JDK 8u261, in the July 2020 CPU, was built with Visual Studio 2017. With the release of the January 2021 CPU, JDK 7u291 will move to Visual Studio 2017.

Moving to Visual Studio 2017 for JDK 7 and JDK 8 requires changing the runtime library that the JDK/JRE depends on. Before this change, JDK/JRE implementations used and shipped the Microsoft Visual C++ 2010 SP1 Redistributable Package (x86/x64) that included MSVCR100.dll [a][b]. Microsoft Visual Studio 2017 uses a different set of libraries/DLLs.

Native applications (including JNI) that have depended on and assumed the presence of MSCVR100.dll in the JDK/JRE directory will fail to run. When this happens, users will see an error such as:

"The code execution cannot proceed because MSVCR100.dll was not found. Reinstalling the program may fix this problem."

These applications should be rebuilt and shipped with modern C++ runtime dependencies that use a later instance of Visual Studio. Applications should not depend on DLLs included with the JDK/JRE that are not documented in the product as offering support for the specification or other functionality in Java SE.

[a] http://support.microsoft.com/kb/2019667

[b] https://docs.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2020

JDK-8246783 (not public)

security-libs/javax.net.ssl
 TLS Support for RSASSA-PSS Signature Algorithms

Added support for RSASSA-PSS signature algorithms in JSSE implementation.

See JDK-8166595

security-libs/javax.net.ssl
 JEP 332: Transport Layer Security (TLS) 1.3

JDK 8u261 includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). For more details including a list of the features that are supported, refer to the Java Secure Socket Extension (JSSE) Reference Guide documentation and JEP 332.

For TLS 1.3, the following new standard algorithm names are defined:

  1. TLS protocol version name: TLSv1.3
  2. SSLContext algorithm name: TLSv1.3
  3. TLS cipher suite names for TLS 1.3: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384

TLS 1.3 is disabled for default SSLContext("SSL" or "TLS") for client end-point.

The TLS 1.3 protocol can be enabled using several mechanisms already available in the JDK. For example, TLS 1.3 protocol can be enabled on SSL/TLS connections using SSLSocket/SSLEngine/SSLServerSocket APIs and system properties by the following:

  1. sslSocket.setEnabledProtocols(new String[] { "TLSv1.3", "TLSv1.2"});
  2. Setting up and using a TLSv1.3 based SSLContext : SSLContext ctx = SSLContext.getInstance("TLSv1.3");
  3. Using the SSLParameters API: sslParameters.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
  4. The jdk.tls.client.protocols system property can also be used to control the protocols in use for a TLS connection. One may launch their application with this property. For example, java -Djdk.tls.client.protocols="TLSv1.3,TLSv1.2" enables TLSv1.3 and TLSv1.2 on client SSLSockets.
  5. The https.protocols system property can also be used to control the protocols on connection obtained through use of the HttpsURLConnection class or URL.openStream() operations. For example, -Dhttps.protocols=TLSv1.3,TLSv1.2.

A new system property, jdk.tls.server.protocols, has been added to configure the default enabled protocol suite in the server side of the SunJSSE provider.

A new security property, jdk.tls.keyLimits, has been added for TLS 1.3. When the specified amount of data of a specific algorithm has been processed, a post-handshake Key and IV Update is triggered to derive new keys.

Note that TLS 1.3 is not directly compatible with previous versions. Although TLS 1.3 can be implemented with a backward-compatibility mode, there are still several compatibility risks to take into account when upgrading to TLS 1.3:

  1. TLS 1.3 uses a half-close policy, while TLS 1.2 and prior versions use a duplex-close policy. For applications that depend on the duplex-close policy, there might be compatibility issues when upgrading to TLS 1.3. A new system property, jdk.tls.acknowledgeCloseNotify, is added. The default value of the system property is "false". If the system property is set to "true", a corresponding close_notify alert will be sent when receiving a close_notify alert, and the connection will be duplex closed.
  2. The signature_algorithms_cert extension requires that pre-defined signature algorithms are used for certificate authentication. In practice, however, an application can use unsupported signature algorithms.
  3. The DSA signature algorithm is not supported in TLS 1.3. If a server is configured to only use DSA certificates, it cannot upgrade to TLS 1.3.
  4. The supported cipher suites for TLS 1.3 are not the same as TLS 1.2 and prior versions. If an application hard-codes cipher suites that are no longer supported, it cannot use TLS 1.3 without modifying the application code.
  5. The TLS 1.3 session resumption and key update behaviors are different from TLS 1.2 and prior versions. The compatibility impact should be minimal; however, there could be a risk if an application depends on the handshake details of the TLS protocols.
  6. The legacy com.sun.net.ssl.dhKeyExchangeFix system property has been removed from the new TLS implementation.

Improved JSSE debug logging format has been introduced to record the logger name, the logger level, the thread ID, the thread name, the time and the caller for each log item. Use the javax.net.debug=all system property to get full debug logs.

See JDK-8145252

security-libs/javax.crypto
 JCE Jurisdiction Policy Files updated

Since January 2018 (8u161, 7u171) unlimited Java Cryptography Extension (JCE) Jurisdiction Policy files have been bundled with the JDK and enabled by default (see JDK Cryptographic Roadmap).

The certificate for the old stand alone jar has expired, and if used the following exception will be seen:

Caused By: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.) at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:336) at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378) at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323) at javax.crypto.JceSecurity.access$000(JceSecurity.java:50) at javax.crypto.JceSecurity$1.run(JceSecurity.java:85) at java.security.AccessController.doPrivileged(Native Method) at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)

If still required for older releases the re-signed files can be found at https://www.oracle.com/java/technologies/oracle-java-archive-downloads.html

JDK-8245319 (not public)

security-libs/javax.net.ssl
 New System Properties to Configure the TLS Signature Schemes

Two new system properties have been added to customize the TLS signature schemes in JDK. jdk.tls.client.SignatureSchemes has been added for the TLS client side, and jdk.tls.server.SignatureSchemes has been added for the server side.

Each system property contains a comma-separated list of supported signature scheme names specifying the signature schemes that could be used for the TLS connections.

The names are described in the "Signature Schemes" section of the Java Security Standard Algorithm Names Specification.

See JDK-8242141

security-libs/javax.net.ssl
 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS

The JDK SunJSSE implementation now supports the TLS FFDHE mechanisms defined in RFC 7919. If a server cannot process the supported_groups TLS extension or the named groups in the extension, applications can either customize the supported group names with jdk.tls.namedGroups, or turn off the FFDHE mechanisms by setting the System Property jsse.enableFFDHE to false.

See JDK-8140436

infrastructure
 Toolchain Upgrade to Xcode 10.1

Build Environment Update for macOS Moved to Xcode 10.1 On macOS, the toolchain used to build the JDK has been upgraded from Xcode 4.5 to Xcode 10.1.

JDK-8232007 (not public)

Removed Features and Options

security-libs/java.security
Removal of DocuSign Root CA Certificate
The following expired DocuSign root CA certificate was removed from the cacerts keystore:

  • alias name "keynectisrootca [jdk]"

    Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

See JDK-8225068

Other Notes

javafx/media
 Media Playback Does Not Work on Ubuntu 20.04

Media playback does not work on Ubuntu 20.04. This affects all media formats (such as, mp4, mp3, wav, etc.). In some cases, an error will be thrown. In other cases, the media player will switch to the ready state, but playback will not start. There is no workaround for this issue. This issue should be resolved by JDK-8239095.

JDK-8245501 (not public)

core-libs/java.util:collections
 Better Listing of Arrays

The preferred way to copy a collection is to use a "copy constructor." For example, to copy a collection into a new ArrayList, one would write new ArrayList<>(collection). In certain circumstances, an additional, temporary copy of the collection's contents might be made in order to improve robustness. If the collection being copied is exceptionally large, then the application should be (aware of/monitor) the significant resources required involved in making the copy.

JDK-8231800 (not public)

security-libs/javax.net.ssl
 Problem looking up Client Certificates in keystore

Prior to JDK 8u261, the JSSE framework passed an array of Strings of all keytypes in one call to the (delegate) javax.net.ssl.X509KeyManager.chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) implementation when client authentication is present in an application. Since JDK 8u261, the internal JDK libraries may call the delegate javax.net.ssl.X509KeyManager.chooseClientAlias method in multiple iterations while performing client authentication. One key type per call. https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias-java.lang.String:A-java.security.Principal:A-java.net.Socket-

If application code implements javax.net.ssl.X509KeyManager, ensure that the code logic in that implementation does not assume that all keytypes are passed in the keyType String array in the first call to chooseClientAlias: String chooseClientAlias​(String[] keyType, Principal[] issuers, Socket socket)

See JDK-8261624

install/install
 Java Mission Control Is No Longer Bundled With the JDK

This version of the JDK no longer includes Java Mission Control (JMC). The jmc launcher has been removed from the JDK bin directory, and the missioncontrol directory has been removed from the JDK lib directory. The .jfr file association is not registered by JDK installers. JMC is now available as a separate download. Please visit https://www.oracle.com/javase/jmc for more information.

JDK-8244662 (not public)

docs/release_notes
 SSL Handshake Issues Encountered Post Upgrade to 8u261

JDK 8u261 release includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). The following are descriptions of "Known Issues" which an application might encounter during a SSL handshake, post upgrade to Oracle JDK/JRE 8u261:

  1. SSL handshake fails on client side with an exception message "Received fatal alert: handshake_failure"
javax.net.ssl|SEVERE|C8|....|TransportContext.java:319|Fatal (HANDSHAKE_FAILURE): Received fatal

alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert:
handshake_failure
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.Alert.createSSLException(Alert.java:117)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:187)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1198)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1107)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
       at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:372)

Cause: One possible cause is old server intolerance to FFDHE arguments. As per TLS RFC 7919 on server behavior If a compatible TLS server receives a Supported Groups extension from a client that includes any FFDHE group (i.e., any codepoint between 256 and 511, inclusive, even if unknown to the server), and if none of the client-proposed FFDHE groups are known and acceptable to the server, then the server MUST NOT select an FFDHE cipher suite. In this case, the server SHOULD select an acceptable non-FFDHE cipher suite from the client's offered list. If the extension is present with FFDHE groups, none of the client's offered groups are acceptable by the server, and none of the client's proposed non-FFDHE cipher suites are acceptable to the server, the server MUST end the connection with a fatal TLS alert of type insufficient_security(71).

Solution: In Oracle JDK 8u261, Finite Field Diffie-Hellman Ephemeral (FFDHE) is enabled by default. User can disable FFDHE via security property "-Djsse.enableFFDHE=false on the server (See JDK-8252716)

  1. Post upgrade to 8u261 client application encounters close_notify exception during a ClientHello SSL handshake.
javax.net.ssl.SSLProtocolException: Received close_notify during handshake


       at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.Alert.createSSLException(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.TransportContext.fatal(Unknown Source)
        at sun.security.ssl.Alert$AlertConsumer.consume(Unknown Source)
        at sun.security.ssl.TransportContext.dispatch(Unknown Source)
        at sun.security.ssl.SSLTransport.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown

Cause: In case of an SSL abbreviated handshake (session resumption) SSL client is adding extra extensions than the agreed protocol's supported extensions. While it is TLS RFC complaint, some old non-compliant server implementations may reject this ClientHello.

Solution: As a work around specify System property -Djdk.tls.client.protocols= or use setEnabledProtocols API to set on the client end to mitigate the issue.

  1. On upgrade to 8u261, under certain conditions user application may observe higher CPU utilization and slower response time.

Following method reference count would increase in memory profilers

   HashMap$Node[] java.util.HashMap.resize()

   void sun.security.ssl.SSLSessionContextImpl.put(SSLSessionImpl)
   void sun.security.util.MemoryCache.put(Object, Object)
   Object java.util.HashMap.put(Object, Object)
   Object java.util.HashMap.putVal(int, Object, Object, boolean, boolean)
   HashMap$Node[] java.util.HashMap.resize()

Cause: In 8u261, System Property SSLSessionContext.getSessionCacheSize default value was changed from 0 to 20480 ( see JDK-8210985 ) The change was made since with larger heaps, applications are running into situations where the cache ends up with several million entries at the 24 hour mark, at which time many of them are invalidated at almost the same time, which can result in multi-minute pauses, which are effectively service failures.

Solution: Revert back to JDK 8u251 behaviour by setting System Property "-Djavax.net.ssl.sessionCacheSize=0" (set number of entries in the SSL session cache to infinite)

  1. TLS connection issues with applications using javax.net.ssl.SSLEngine

Cause: The internal implementation of the SSLEngine and associated classes has been reworked with the introduction of TLS v1.3 support. Buffer usage has been improved in the SSLEngine area.

Solution: If an SSLEngine application encounters issues after upgrading to JDK 8u261 or later, refer to the Java 8 API to ensure application code is correct. In particular, applications using SSLEngine should not just depend on SSLEngineResult.Status.BUFFER_UNDERFLOW or SSLEngineResult.Status.BUFFER_OVERFLOW results in order to flush pending data. Buffers should always be flushed after an SSLEngine wrap operation if such a call produces data (where SSLEngineResult.Status.OK may be returned).

  1. Post upgrading client machine with 8u261, during a SSL handshake, the "Request Authentication" popup dialog does not display any certificates if user has set deployment System Property deployment.security.clientauth.keystore.auto=false

Cause: If deployment.security.clientauth.keystore.auto=false in the deployment.properties file Java Plugin and Java Web Start show “Request Authentication” dialog regardless the number of available certificates. However due to some modifications introduced by TLS 1.3 framework sometimes the list of available certificates might be empty.

Solution: There are two possible ways to resolve the issue:

  1. Set deployment System Property deployment.security.clientauth.keystore.auto=true

  2. Upgrade to new version 8u281 of Oracle JDK contained the fix for the issue

(see JDK-8253502 )

  1. Post upgrade to 8u261, during a SSL handshake, user may observe the following "Warning" message in the log
javax.net.ssl|WARNING|03|Finalizer|2020-08-31 09:42:20.203 EDT|null:-1|SSLSocket duplex close failed (

"throwable" : {
java.net.SocketException: Socket is not connected
at java.net.Socket.shutdownOutput(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.shutdownOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.duplexCloseOutput(Unknown Source)
at sun.security.ssl.SSLSocketImpl.close(Unknown Source)
at sun.security.ssl.BaseSSLSocketImpl.finalize(Unknown Source)
at java.lang.System$2.invokeFinalize(Unknown Source)
at java.lang.ref.Finalizer.runFinalizer(Unknown Source)
at java.lang.ref.Finalizer.access$100(Unknown Source)
at java.lang.ref.Finalizer$FinalizerThread.run(Unknown Source)}

Cause: JDK 8u261 introduced a new format for TLS logging. Additional data is now captured per event and logged. Exceptions handled by the JDK TLS library code may print verbose information about the cause of such exceptions when logging is enabled.

Solution: User can safely ignore these Warning messages

  1. Ensure you 3rd party libraries are fully patched. Examples: Bouncy Castle, Apache, OpenSSL, Jetty

Symptoms: New/Unexpected issues from 3rd party library software being used in conjunction with the JDK.

Cause: The new TLS implementation introduces significant changes to the internal, underlying, design of the JDK TLS security libraries. The new design has exposed some bugs in 3rd party software libraries. For the most part, these issues have already been patched in such 3rd party libraries.

Examples include: Apache http-core Bouncy Castle Jetty

Solution: It's good practice to ensure that 3rd party library products being used in conjunction with the JDK TLS API are patched and up to date.

JDK-8258585 (not public)

deploy/plugin
 Possible Hang of Internet Explorer 11 With JDK 8u261 on Windows 7

On Windows 7, the Internet Explorer 11 (IE 11) JavaScript engine does not interact properly with Java Applets because, beginning with 8u261, the JDK/JRE is compiled with VisualStudio 2017. For example, an application that uses the JavaScript methods setTimeout() and setInterval() may cause IE 11 to hang when a modal dialog is shown by a Java Applet.

JDK-8244937 (not public)

install
 8u RPM Installer Failed to Install on SUSE When Updating Alternatives

Communication with the alternatives framework of JDK RPM installer starting from 8u261 has changed. JDK RPM installers of prior versions registered two groups of symbolic links with alternatives framework, java and javac. Some names of links in these groups were duplicated, which resulted in installation failures for some versions of alternatives framework. The JDK RPM installer beginning with 8u261 doesn't register the javac group with alternatives framework. All links unique to the javac group have been moved into the java group, but the set of symbolic links registered by the installer have not changed; only the duplicated links have been dropped.

The implication of this change is that if this version of JDK and 8u251 or older versions of the JDK are installed and the previous version is uninstalled, the symbolic links from the java group that are managed by the alternatives framework will be deleted. To restore deleted links, run the command: /usr/sbin/alternatives --auto java

JDK-8240919 (not public)

core-svc/java.lang.management
 OperatingSystemMXBean Methods Inside a Container Return Container Specific Data

When executing in a container, or other virtualized operating environment, the following OperatingSystemMXBean methods in this release return container specific information, if available. Otherwise, they return host specific data:

  • getFreePhysicalMemorySize()
  • getTotalPhysicalMemorySize()
  • getFreeSwapSpaceSize()
  • getTotalSwapSpaceSize()
  • getSystemCpuLoad()
See JDK-8226575

security-libs
 Default SSL Session Cache Size Updated to 20480

The default SSL session cache size has been updated to 20480 in this JDK release

See JDK-8210985

security-libs/javax.net.ssl
 BoringSSL Rejects JSSE TLS 1.3 HTTPS Connections When status_request Extension Is Disabled

BoringSSL is an SSL library deployed on some popular websites such as those run by Google/YouTube. An interoperability issue with the BoringSSL library can lead to a connection failure if TLSv1.3 is presented as the only enabled protocol in the ClientHello message and the certificate status_request extension is disabled. Enabling the certificate status_request extension by setting the jdk.tls.client.enableStatusRequestExtension system property to true will provide mitigation in such scenarios.

See JDK-8241360

core-libs/java.io:serialization
 Improved Serialization Handling

When setting a serialization filter by using java.io.ObjectInputStream.setObjectInputFilter the method must be called before reading any objects from the stream. If the methods readObject or readUnshared are called, the setObjectInputFilter method throws IllegalStateException.

JDK-8234836 (not public)

security-libs/javax.net.ssl
 Increase the priorities of GCM cipher suites

In TLS, a ciphersuite defines a specific set of cryptography algorithms used in a TLS connection. JSSE maintains a prioritized list of ciphersuites. In this update, GCM-based cipher suites are configured as the most preferable default cipher suites in the SunJSSE provider.

In the SunJSSE provider, the following ciphersuites are now the most preferred by default:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

Note that this is a behavior change of the SunJSSE provider in the JDK, it is not guaranteed to be examined and used by other JSSE providers. There is no guarantee the cipher suites priorities will remain the same in future updates or releases.

See JDK-8028518

client-libs/javax.swing
Deprecated NSWindowStyleMaskTexturedBackground
After an upgrade of the macOS SDK used to build the JDK, the behavior of the apple.awt.brushMetalLook and textured Swing properties has changed. When these properties are set, the title of the frame is still visible. It is recommended that the apple.awt.transparentTitleBar property be set to true to make the title of the frame invisible again. The apple.awt.fullWindowContent property can also be used.

Please note that Textured window support was implemented by using the NSTexturedBackgroundWindowMask value of NSWindowStyleMask. However, this was deprecated in macOS 10.12 along with NSWindowStyleMaskTexturedBackground, which was deprecated in macOS 10.14.

For additional information, refer to the following documentation:

See JDK-8240995

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8130737 client-libs 2d [macosx] AffineTransformOp can't handle child raster with non-zero x-offset
2 JDK-8211301 client-libs java.awt [macos] support full window content options
3 JDK-8214046 client-libs java.awt [macosx] Undecorated Frame does not Iconify when set to
4 JDK-8231438 client-libs java.awt [macOS] Dark mode for the desktop is not supported
5 JDK-8242498 client-libs java.awt Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
6 JDK-8226253 client-libs javax.accessibility JAWS reports wrong number of radio buttons when buttons are hidden
7 JDK-8238842 client-libs javax.imageio AIOOBE in GIFImageReader.initializeStringTable
8 JDK-8194298 core-libs java.net Add support for per Socket configuration of TCP keepalive
9 JDK-8232854 core-libs java.net URLClassLoader.close() doesn't close cached JAR file on Windows when load() fails
10 JDK-8044365 core-libs java.nio (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
11 JDK-8229888 core-libs java.nio (zipfs) Updating an existing zip file does not preserve original permissions
12 JDK-8146356 core-libs java.time java.time.format.TextStyle.FULL_STANDALONE does not work well while formatting months.
13 JDK-8165936 core-libs java.util:i18n Potential Heap buffer overflow when seaching timezone info files
14 JDK-8228477 core-libs java.util:i18n Have calendar revert to default names if no standalone resources exist
15 JDK-8214440 core-libs javax.naming ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
16 JDK-8193137 core-libs jdk.nashorn Nashorn crashes when given an empty script file.
17 JDK-8226575 core-svc java.lang.management OperatingSystemMXBean should be made container aware
18 JDK-8239332 deploy plugin LiveConnect netscape.javascript.JSException: No such property "outerWidthX" on JavaScript object
19 JDK-8170074 docs guides Typos on "How Classes are Found" web page on Oracle site
20 JDK-8240337 docs guides JDK 8 Developer Guides index.html page has incorrect links
21 JDK-8241531 docs guides Update copyright page for JDK 8 docs
22 JDK-8243337 docs guides Java Print Service API User's Guide contains typos and formatting errors
23 JDK-8243584 docs guides Malformed HTML in the Serialization section of the JDK 8 developer guides
24 JDK-8181872 hotspot compiler C1: possible overflow when strength reducing integer multiply by constant
25 JDK-8062808 hotspot gc Turn on the -Wreturn-type warning
26 JDK-8064786 hotspot gc Fix debug build after 8062808: Turn on the -Wreturn-type warning
27 JDK-8141056 hotspot gc Erroneous assignment in HeapRegionSet.cpp
28 JDK-8176100 hotspot gc [REDO][REDO] G1 Needs pre barrier on dereference of weak JNI handles
29 JDK-8191393 hotspot gc Random crashes during cfree+0x1c
30 JDK-8225716 hotspot gc G1 GC: Undefined behaviour in G1BlockOffsetTablePart::block_at_or_preceding
31 JDK-8231779 hotspot gc crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
32 JDK-8041626 hotspot jfr Shutdown tracing event
33 JDK-8213617 hotspot jfr JFR should record the PID of the recorded process
34 JDK-8035493 hotspot jvmti JVMTI PopFrame capability must instruct compilers not to prune locals
35 JDK-8060721 hotspot runtime Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler
36 JDK-8076475 hotspot runtime Misuses of strncpy/strncat
37 JDK-8187667 hotspot runtime Disable deprecation warning for readdir_r
38 JDK-8223671 infrastructure   The latest Java 8 is not ready to use in applications on future macOS versions
39 JDK-8237820 infrastructure build remove clang version check for optimization bug workaround from 8u
40 JDK-8240780 infrastructure build [8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds
41 JDK-8232811 javafx controls Dialog's preferred size no longer accommodates multi-line strings
42 JDK-8189092 javafx graphics ArrayIndexOutOfBoundsException on Linux in getCachedGlyph
43 JDK-8212034 javafx graphics Potential memory leaks in jpegLoader.c in error case
44 JDK-8234916 javafx graphics [macos 10.15] Garbled text running with native-image
45 JDK-8237782 javafx graphics Only read advances up to the minimum of the numHorMetrics or the available font data.
46 JDK-8237833 javafx graphics Check glyph size before adding to glyph texture cache.
47 JDK-8239107 javafx graphics Update libjpeg to version 9d
48 JDK-8241370 javafx graphics Crash in JPEGImageLoader after fix for JDK-8212034
49 JDK-8202393 javafx media App Transport Security blocks http media on macOS with JDK build using new compilers
50 JDK-8236832 javafx media [macos 10.15] JavaFX Application hangs on video play on Catalina
51 JDK-8240694 javafx media [macos 10.15] JavaFX Media hangs on some video files on Catalina
52 JDK-8241629 javafx media [macos10.15] Long startup delay playing media over https on Catalina
53 JDK-8242530 javafx media [macos] Some audio files miss spectrum data when another audio file plays first
54 JDK-8238434 javafx samples Ensemble: Update version of Lucene to 7.7.2
55 JDK-8132880 javafx scenegraph Unpredictable behaviour when trying to set negative scene width or height
56 JDK-8223298 javafx web SVG patterns are drawn wrong
57 JDK-8237889 javafx web Update libxml2 to version 2.9.10
58 JDK-8237944 javafx web webview native cl "-m32" unknown option for windows 32-bit build
59 JDK-8242209 javafx web Increase web native thread stack size for x86 mode
60 JDK-8244579 javafx web Windows "User Objects" leakage with WebView
61 JDK-8181476 javafx window-toolkit [macos] Stages with StageStyle.UTILITY are always on-top when initialized without an owner
62 JDK-8234474 javafx window-toolkit [macos 10.15] Crash in file dialog in sandbox mode
63 JDK-8236685 javafx window-toolkit [macOs] Remove obsolete file dialog subclasses
64 JDK-8236971 javafx window-toolkit [macos] Gestures handled incorrectly due to missing events
65 JDK-7092821 security-libs java.security java.security.Provider.getService() is synchronized and became scalability bottleneck
66 JDK-8028431 security-libs java.security NullPointerException in DerValue.equals(DerValue)
67 JDK-8028591 security-libs java.security NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
68 JDK-8181841 security-libs java.security A TSA server returns timestamp with precision higher than milliseconds
69 JDK-8228613 security-libs java.security java.security.Provider#getServices order is no longer deterministic
70 JDK-8231387 security-libs java.security java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
71 JDK-8238452 security-libs java.security Keytool generates wrong expiration date if validity is set to 2050/01/01
72 JDK-8177784 security-libs javax.crypto Use CounterMode intrinsic for AES/GCM
73 JDK-8179098 security-libs javax.crypto Crypto AES/ECB encryption/decryption performance regression (introduced in jdk9b73)
74 JDK-8201633 security-libs javax.crypto Problems with AES-GCM native acceleration
75 JDK-8220165 security-libs javax.crypto Encryption using GCM results in RuntimeException: input length out of bound
76 JDK-8233954 security-libs javax.crypto UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll
77 JDK-8165275 security-libs javax.crypto:pkcs11 Replace the reflective call to the implUpdate method in HandshakeMessage::digestKey
78 JDK-4919790 security-libs javax.net.ssl Errors in alert ssl message does not reflect the actual certificate status
79 JDK-7013776 security-libs javax.net.ssl Multithreaded JSSE application debug information is hard to read
80 JDK-8028518 security-libs javax.net.ssl Increase the priorities of GCM cipher suites
81 JDK-8145854 security-libs javax.net.ssl SSLContextImpl.statusResponseManager should be generated if required
82 JDK-8166595 security-libs javax.net.ssl TLS Support for RSASSA-PSS Signature Algorithms
83 JDK-8185576 security-libs javax.net.ssl New handshake implementation
84 JDK-8206355 security-libs javax.net.ssl SSLSessionImpl.getLocalPrincipal() throws NPE
85 JDK-8206929 security-libs javax.net.ssl Check session context for TLS 1.3 session resumption
86 JDK-8207009 security-libs javax.net.ssl TLS 1.3 half-close and synchronization issues
87 JDK-8207029 security-libs javax.net.ssl Unable to use custom SSLEngine with default TrustManagerFactory after updating to JDK 11 b21
88 JDK-8207058 security-libs javax.net.ssl Backport System Property jdk.tls.server.protocols
89 JDK-8207223 security-libs javax.net.ssl SSL Handshake failures are reported with more generic SSLException
90 JDK-8207317 security-libs javax.net.ssl SSLEngine negotiation fail exception behavior changed from fail-fast to fail-lazy
91 JDK-8208166 security-libs javax.net.ssl Still unable to use custom SSLEngine with default TrustManagerFactory after JDK-8207029
92 JDK-8209333 security-libs javax.net.ssl Socket reset issue for TLS 1.3 socket close
93 JDK-8209916 security-libs javax.net.ssl NPE in SupportedGroupsExtension
94 JDK-8209965 security-libs javax.net.ssl The "supported_groups" extension in ServerHellos
95 JDK-8210334 security-libs javax.net.ssl TLS 1.3 server fails if ClientHello doesn't have pre_shared_key and psk_key_exchange_modes
96 JDK-8210846 security-libs javax.net.ssl TLSv.1.3 interop problems with OpenSSL 1.1.1 when used on the client side with mutual auth
97 JDK-8210974 security-libs javax.net.ssl No extensions debug log for ClientHello
98 JDK-8210985 security-libs javax.net.ssl Update the default SSL session cache size to 20480
99 JDK-8210989 security-libs javax.net.ssl RSASSA-PSS certificate cannot be selected for client auth on TLSv1.2
100 JDK-8211339 security-libs javax.net.ssl NPE during SSL handshake caused by HostnameChecker
101 JDK-8211806 security-libs javax.net.ssl TLS 1.3 handshake server name indication is missing on a session resume
102 JDK-8211866 security-libs javax.net.ssl TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms
103 JDK-8212738 security-libs javax.net.ssl Incorrectly named signature scheme ecdsa_secp512r1_sha512
104 JDK-8212885 security-libs javax.net.ssl TLS 1.3 resumed session does not retain peer certificate chain
105 JDK-8213202 security-libs javax.net.ssl Possible race condition in TLS 1.3 session resumption
106 JDK-8213782 security-libs javax.net.ssl NullPointerException in sun.security.ssl.OutputRecord.changeWriteCiphers
107 JDK-8214098 security-libs javax.net.ssl sun.security.ssl.HandshakeHash.T12HandshakeHash constructor check backwards.
108 JDK-8214129 security-libs javax.net.ssl SSL session resumption/SNI with TLS1.2 causes StackOverflowError
109 JDK-8214339 security-libs javax.net.ssl SSLSocketImpl erroneously wraps SocketException
110 JDK-8214688 security-libs javax.net.ssl TLS 1.3 session resumption with hello retry request failed with "illegal_parameter"
111 JDK-8215524 security-libs javax.net.ssl Finished message validation failure should be decrypt_error alert
112 JDK-8215711 security-libs javax.net.ssl Missing key_share extension for (EC)DHE key exchange should alert missing_extension
113 JDK-8215790 security-libs javax.net.ssl Delegated task created by SSLEngine throws java.nio.BufferUnderflowException
114 JDK-8216045 security-libs javax.net.ssl The size of key_exchange may be wrong on FFDHE
115 JDK-8216326 security-libs javax.net.ssl SSLSocket stream close() does not close the associated socket
116 JDK-8217610 security-libs javax.net.ssl TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
117 JDK-8219389 security-libs javax.net.ssl Delegated task created by SSLEngine throws BufferUnderflowException
118 JDK-8221253 security-libs javax.net.ssl TLSv1.3 may generate TLSInnerPlainText longer than 2^14+1 bytes
119 JDK-8223482 security-libs javax.net.ssl Unsupported ciphersuites may be offered by a TLS client
120 JDK-8223940 security-libs javax.net.ssl Private key not supported by chosen signature algorithm
121 JDK-8225766 security-libs javax.net.ssl Curve in certificate should not affect signature scheme when using TLSv1.3
122 JDK-8228757 security-libs javax.net.ssl Fail fast if the handshake type is unknown
123 JDK-8235263 security-libs javax.net.ssl Revert TLS 1.3 change that wrapped IOExceptions
124 JDK-8235311 security-libs javax.net.ssl Tag mismatch may alert bad_record_mac
125 JDK-8235874 security-libs javax.net.ssl The ordering of Cipher Suites is not maintained provided through “jdk.tls.client.cipherSuites” and “jdk.tls.server.cipherSuites” system property.
126 JDK-8236039 security-libs javax.net.ssl JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
127 JDK-8237474 security-libs javax.net.ssl Default SSLEngine should create in server role
128 JDK-8239798 security-libs javax.net.ssl SSLSocket closes socket both socket endpoints on a SocketTimeoutException
129 JDK-8242141 security-libs javax.net.ssl New System Properties to configure the TLS signature schemes
130 JDK-8242294 security-libs javax.net.ssl JSSE Client does not throw SSLException when an alert occurs during handshaking
131 JDK-8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
132 JDK-8224157 xml jaxp BCEL: update to version 6.3.1
133 JDK-8238164 xml jaxp Update Apache Xerces to version 2.12.0 in JDK 8u


Java SE 8u251 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u251 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u251 b36

Bug Fixes

BugId Component Subcomponent Summary
8244579 javafx web Windows "User Objects" leakage with WebView

Changes in Java SE 8u251 b35

Bug Fixes

BugId Component Subcomponent Summary
8242884 deploy plugin 8u241 32 bit SSV Helper causes long load time and page load on IE11
8151788 core-libs java.net NullPointerException from ntlm.Client.type3
8210147 core-libs java.net adjust some WSAGetLastError usages in windows network coding

Changes in Java SE 8u251 b34

Bug Fixes

BugId Component Subcomponent Summary
8241966 (Confidential) install Add Oracle copyright to modified Sparkle 1.23.0 files
8241965 (Confidential) install Update THIRD_PARTY_README for Sparkle 1.23.0
8241814 (Confidential) install auto_update [macos] 8u251b60 AU missing "Remind Me" button
8241410 (Confidential) infrastructure 8u251 b60 Mac notarized build is missing the ant-javafx.jar
8241399 (Confidential) client-libs java.awt jdk8 build broken on macOS 10.7 and sdk 10.8
8240780 infrastructure build[8u] update jprt.properties to add Xcode 10.1 / macOS 10.13 builds
8239919 hotspot [8u] enable parentheses-equality warnings in HotSpot
8239808 (Confidential) install auto_update Change URL In <cntry-lookup> Tag In mac-XXX-XX.xml
8239400 hotspot [8u] clean up delete-non-virtual-dtor warnings in HotSpot
8239223 hotspot [8u] enable Wparentheses warnings in HotSpot
8239112 hotspot [8u] clean up empty-body warnings in HotSpot
8239053 hotspot runtime [8u] clean up undefined-var-template warnings
8238852 (Confidential) install install [macos] AU to NEXTVER failed when AU from 8u251 to future
8238700 (Confidential) infrastructure build Signing reliability change not fully working on 8u
8238225 infrastructure build Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary
8237820 infrastructure build remove clang version check for optimization bug workaround from 8u
8236971 javafx window-toolkit [macos] Gestures handled incorrectly due to missing events
8236956 (Confidential) security-libs javax.net.ssl Backport test lib files from JDK-8228967
8235687 infrastructure build Contents/MacOS/libjli.dylib cannot be a symlink
8232580 (Confidential) infrastructure build Sign Macosx binaries with hardened runtime enabled
8232087 (Confidential) security-libs org.ietf.jgss Migrate KDC from sca00jvo/burge0401/sca00kte/sca00lol/adc1140258/sca00joh to new OCI hosts
8231438 client-libs java.awt [macOS] Dark mode for the desktop is not supported
8231092 (Confidential) infrastructure build Implement Apple notarization support in the build
8230555 (Confidential) security-libs javax.net.ssl OCI migration on IIS
8226306 (Confidential) infrastructure build Improve signing reliability
8214046 client-libs java.awt [macosx] Undecorated Frame does not Iconify when set to
8213838 (Confidential) install Upgrade sparkle to 1.23.0
8202393 javafx media App Transport Security blocks http media on macOS with JDK build using new compilers
8200550 hotspot gc Xcode 9.3 produce warning -Wexpansion-to-defined
8196724 infrastructure build Change macosx deployment target to 10.9
8196538 (Confidential) infrastructure build Fix compilation errors when using Xcode 9.2/Macosx 10.13 in deploy and install
8181872 hotspot compiler C1: possible overflow when strength reducing integer multiply by constant
8152856 hotspot runtime Xcode 7.3 -Wshift-negative-value compile failure on Mac OS X
8141056 hotspot gc Erroneous assignment in HeapRegionSet.cpp
8060721 hotspot runtime Test runtime/SharedArchiveFile/LimitSharedSizes.java fails in jdk 9 fcs new platforms/compiler
8043646 client-libs java.awt libosxapp.dylib fails to build on Mac OS 10.9 with clang
8030680 hotspot compiler 292 cleanup from default method code assessment
7188942 (Confidential) client-libs 2d Remove support of pbuffers in OGL Java2d pipeline

Changes in Java SE 8u251 b33

Bug Fixes

BugId Component Subcomponent Summary
8239444 (Confidential) security-libs java.security High contention java.security.Provider.getService()-JDK-7092821
7092821 security-libs java.security java.security.Provider.getService() is synchronized and became scalability bottleneck
8231387 security-libs java.security java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
8228613 security-libs java.security java.security.Provider#getServices order is no longer deterministic
8239946 (Confidential) security-libs javax.crypto Update JarVerifier class with new signing cert details
8240439 (Confidential) core-libs java.net java.net.PlainDatagramSocketImpl.receive0 seems to fail for UDP traffic spontaneously

Changes in Java SE 8u251 b32

Bug Fixes

BugId Component Subcomponent Summary
8240694 javafx media [macos 10.15] JavaFX Media hangs on some video files on Catalina
8241629 javafx media Long startup delay playing media over https on Catalina
8176100 hotspot gc [REDO][REDO] G1 Needs pre barrier on dereference of weak JNI handles

Changes in Java SE 8u251 b31

Bug Fixes

BugId Component Subcomponent Summary
8231779 hotspot gc crash HeapWord*ParallelScavengeHeap::failed_mem_allocate

Java™ SE Development Kit 8, Update 251 (JDK 8u251)

April 14, 2020

The full version string for this update release is 1.8.0_251-b08 (where "b" means "build"). The version number is 8u251. This JDK 8 Update release implements JSR 337 Maintenance Release 3 (approved Feb 2020).

IANA Data 2019c

JDK 8u251 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u251 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_251-b08
7 1.7.0_261-b07

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u251) be used after the next critical patch update scheduled for July 14, 2020.

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u251) on August 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.net.ssl
TLS Application-Layer Protocol Negotiation Extension
JEP 244 has enhanced the Java Secure Socket Extension (JSSE) to provide support for the TLS Application-Layer Protocol Negotiation (ALPN) Extension (RFC 7301). New methods have been added to the javax.net.ssl classes SSLEngine, SSLSocket, and SSLParameters to allow clients and servers to negotiate an application layer value as part of the TLS handshake.

This API change was required by JSR 337 MR 3.

See JDK-8051498

security-libs/javax.crypto
RSASSA-PSS Signature Support Added to SunMSCAPI
The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider.

See JDK-8205445

security-libs/java.security
Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature
The SunRsaSign and SunJCE providers have been enhanced with support for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS signature and OAEP using FIPS 180-4 digest algorithms. New constructors and methods have been added to relevant JCA/JCE classes under the java.security.spec and javax.crypto.spec packages for supporting additional RSASSA-PSS parameters.

This API change was required by JSR 337 MR 3.

See JDK-8146293

 

Other notes

javafx/web
WebEngine Limits JavaScript Method Calls for Certain Classes
JavaScript programs that are run in the context of a web page loaded by WebEngine can communicate with Java objects passed from the application to the JavaScript program. JavaScript programs that reference java.lang.Class objects are now limited to the following methods:

getCanonicalName
getEnumConstants
getFields
getMethods
getName
getPackageName
getSimpleName
getSuperclass
getTypeName
getTypeParameters
isAssignableFrom
isArray
isEnum
isInstance
isInterface
isLocalClass
isMemberClass
isPrimitive
isSynthetic
toGenericString
toString

No methods can be called on the following classes:

java.lang.ClassLoader
java.lang.Module
java.lang.Runtime
java.lang.System

java.lang.invoke.*
java.lang.module.*
java.lang.reflect.*
java.security.*
sun.misc.*

JDK-8236798 (not public)

security-libs/javax.xml.crypto
New Oracle Specific JDK 8 Updates System Property to Fallback to Legacy Base64 Encoding Format
Oracle JDK 8u231 upgraded the Apache Santuario libraries to v2.1.3. This upgrade introduced an issue where XML signature using Base64 encoding resulted in appending &#xd or &#13 to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

Oracle JDK 8u221 using the legacy encoder returns encoded data in a format without &#xd or &#13.

Therefore, a new Oracle JDK 8 Updates only system property, - com.sun.org.apache.xml.internal.security.lineFeedOnly, is made available to fall back to legacy Base64 encoded format.

Users can set this flag in one of two ways:

  1. -Dcom.sun.org.apache.xml.internal.security.lineFeedOnly=true
  2. System.setProperty("com.sun.org.apache.xml.internal.security.lineFeedOnly", "true")

This new system property is disabled by default. It has no effect on default behavior nor when com.sun.org.apache.xml.internal.security.ignoreLineBreaks property is set.

Later JDK family versions might only support the recommended property: com.sun.org.apache.xml.internal.security.ignoreLineBreaks

See JDK-8236645

 

security-libs/javax.crypto
Support for MS Cryptography Next Generation (CNG)
The SunMSCAPI provider now supports reading private keys in Cryptography Next Generation (CNG) format. This means that RSA and EC keys in CNG format are loadable from Windows keystores, such as "Windows-MY". Signature algorithms related to EC (SHA1withECDSA, SHA256withECDSA, etc.) are also supported.

See JDK-8026953

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8232154 client-libs 2d Update Mesa 3-D Headers to version 19.2.1
2 JDK-8214578 client-libs java.awt [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings
3 JDK-8230597 client-libs java.awt Update GIFlib library to the 5.2.1
4 JDK-8230926 client-libs java.awt [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout
5 JDK-4949105 client-libs javax.accessibility Access Bridge lacks html tags parsing
6 JDK-8223158 client-libs javax.swing Docked MacBook cannot start any Java Swing applications
7 JDK-8224475 client-libs javax.swing JTextPane does not show images in HTML rendering
8 JDK-8226892 client-libs javax.swing ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
9 JDK-8230235 client-libs javax.swing Rendering HTML with empty img attribute and documentBaseKey cause Exception
10 JDK-8235744 client-libs javax.swing PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64
11 JDK-8229022 core-libs java.io BufferedReader performance can be improved by using StringBuilder
12 JDK-6996807 core-libs java.io:serialization FieldReflectorKey hash code computation can be improved
13 JDK-8067796 core-libs java.lang (process) Process.waitFor(timeout, unit) doesn't throw NPE if timeout is less than, or equal to zero when unit == null
14 JDK-8208715 core-libs java.lang Conversion of milliseconds to nanoseconds in UNIXProcess contains bug.
15 JDK-8051853 core-libs java.net new URI("x/").resolve("..").getSchemeSpecificPart() returns null!
16 JDK-8230856 core-libs java.net Java_java_net_NetworkInterface_getByName0 on unix misses ReleaseStringUTFChars in early return
17 JDK-8233022 core-libs java.net [test] backout accidental change to SetLoopbackMode.java
18 JDK-8232003 core-libs java.nio (fs) Files.write can leak file descriptor in the exception case
19 JDK-8237368 core-libs java.rmi Problem with NullPointerException in RMI TCPEndpoint.read
20 JDK-8227127 core-libs java.text Era designator not displayed correctly using the COMPAT provider
21 JDK-8234466 core-libs java.util.jar Class loading deadlock involving X509Factory#commitEvent()
22 JDK-8066652 core-libs java.util:i18n Default TimeZone is GMT not local if user.timezone is invalid on Mac OS
23 JDK-8225435 core-libs java.util:i18n Upgrade IANA Language Subtag Registry to the latest for JDK14
24 JDK-8033215 hotspot compiler clang: node.cpp:284 IDX_INIT macro use uninitialized field _out
25 JDK-8146792 hotspot compiler Predicate moved after partial peel may lead to broken graph
26 JDK-8231988 hotspot compiler Unexpected test result caused by C2 IdealLoopTree::do_remove_empty_loop
27 JDK-8222122 hotspot jfr Provision to disable XML validation in .jfc file in JFR
28 JDK-8215355 hotspot runtime Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1)
29 JDK-8229345 hotspot runtime Memory leak due to vtable stubs not being shared on SPARC
30 JDK-8146293 security-libs java.security Add support for RSASSA-PSS Signature algorithm
31 JDK-8175029 security-libs java.security StackOverflowError in X509CRL and X509Certificate.verify(PublicKey, Provider)
32 JDK-8206171 security-libs java.security Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized
33 JDK-8214096 security-libs java.security sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
34 JDK-8215694 security-libs java.security keytool cannot generate RSASSA-PSS certificates
35 JDK-8225180 security-libs java.security SignedObject with invalid Key not throwing the InvalidKeyException in Windows
36 JDK-8225745 security-libs java.security NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support
37 JDK-8236470 security-libs java.security Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId
38 JDK-8193262 security-libs javax.crypto JNI array not released in libsunmscapi convertToLittleEndian
39 JDK-8205445 security-libs javax.crypto Add RSASSA-PSS Signature support to SunMSCAPI
40 JDK-8221407 security-libs javax.crypto Windows 32bit build error in libsunmscapi/security.cpp
41 JDK-8223003 security-libs javax.crypto SunMSCAPI keys are not cleaned up
42 JDK-8145849 security-libs javax.net.ssl ALPN: getHandshakeApplicationProtocol() always return null
43 JDK-8158978 security-libs javax.net.ssl ALPN not working when values are set directly on a SSLServerSocket
44 JDK-8170282 security-libs javax.net.ssl Enable ALPN parameters to be supplied during the TLS handshake
45 JDK-8171443 security-libs javax.net.ssl (spec) An ALPN callback function may also ignore ALPN
46 JDK-8216039 security-libs javax.net.ssl TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
47 JDK-8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
48 JDK-8207760 xml javax.xml.transform SAXException: Invalid UTF-16 surrogate detected: d83c ?
49 JDK-8046274 xml jaxp Removing dependency on jakarta-regexp
50 JDK-8163121 xml jaxp BCEL: update to the latest 6.0 release
51 JDK-8233548 xml jaxp Update CUP to v0.11b

Java SE 8u241 Bundled Patch Release (BPR) - Bug Fixes and Updates

Java SE 8u241 BPRs, are based on the current Java SE 8u241 release and are available for Java SE Subscription customers.

For more information on installation and licensing of Java SE Products, visit Java SE Products Overview.

Find information about Java SE Subscriptions at Oracle Java SE Subscriptions.

The following sections summarize changes made in all Java SE 8u241 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u241 b33

Bug Fixes

BugId Component Subcomponent Summary
8163251 security-libs javax.smartcardio Hard coded loop limit prevents reading of smart card data greater than 8k
8236645 security-libs javax.xml.crypto JDK 8u231 introduces a regression with incompatible handling of XML messages
8239033 (Confidential) security-libs javax.xml.crypto Oracle JDK 8u Base64XmlEncode.java test fails for windows platform
8236832 javafx media [macos 10.15] JavaFX Application hangs on video play on Catalina
8239803 (Confidential) javafx build [macOS 10.15] Wrong SDK recorded in dylib files prevents notarization
8160768 core-libs javax.naming Add capability to custom resolve host/domain names within the default JNDI LDAP provider

Changes in Java SE 8u241 b32

Bug Fixes

BugId Component Subcomponent Summary
8234468 security-libs java.security Application startup failed on JRE 8u231

Changes in Java SE 8u241 b31

Bug Fixes

BugId Component Subcomponent Summary
8193445 javafx controls JavaFX CSS is applied redundantly leading to significant performance degradation

Java™ SE Development Kit 8, Update 241 (JDK 8u241)

January 14, 2020

The full version string for this update release is 1.8.0_241-b07 (where "b" means "build"). The version number is 8u241.

IANA Data 2019c

JDK 8u241 contains IANA time zone data version 2019c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u241 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_241-b07
7 1.7.0_251-b08

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u241) be used after the next critical patch update scheduled for April 14, 2020. 

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u241) on May 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features 

 

security-libs/javax.security
 Allow SASL Mechanisms to Be Restricted

A security property named jdk.sasl.disabledMechanisms has been added that can be used to disable SASL mechanisms. Any disabled mechanism will be ignored if it is specified in the mechanisms argument of Sasl.createSaslClient or the mechanism argument of Sasl.createSaslServer. The default value for this security property is empty, which means that no mechanisms are disabled out-of-the-box.

See JDK-8200400

security-libs/javax.crypto:pkcs11
 SunPKCS11 Provider Upgraded with Support for PKCS#11 v2.40

The SunPKCS11 provider has been updated with support for PKCS#11 v2.40. This version adds support for more algorithms such as the AES/GCM/NoPadding cipher, DSA signatures using SHA-2 family of message digests, and RSASSA-PSS signatures when the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.

See JDK-8080462

 

Other notes

 

security-libs/java.security
 New Checks on Trust Anchor Certificates

New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

A new system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty String or "true" (case-insensitive), trust anchor certificates can be used if they do not have proper CA extensions.

The default value of this property, if not set, is "false".

Note that the property does not apply to X.509 v1 certificates (since they don't support extensions).

This property is currently used by the JDK implementation. It is not guaranteed to be supported by other Java SE implementations.

JDK-8230318 (not public)

security-libs/java.security
 Exact Match Required for Trusted TLS Server Certificate 

A TLS server certificate must be an exact match of a trusted certificate on the client in order for it to be trusted when establishing a TLS connection.

JDK-8227758 (not public)

security-libs/java.security
 Added LuxTrust Global Root 2 Certificate 

The following root certificate has been added to the cacerts truststore:

+ LuxTrust
     + luxtrustglobalroot2ca
 
         DN: CN=LuxTrust Global Root 2, O=LuxTrust S.A., C=LU

See JDK-8232019

security-libs/java.security
 Added 4 Amazon Root CA Certificates

The following root certificates have been added to the cacerts truststore:

+ Amazon
     + amazonrootca1
         DN: CN=Amazon Root CA 1, O=Amazon, C=US
 
     + amazonrootca2
         DN: CN=Amazon Root CA 2, O=Amazon, C=US
 
     + amazonrootca3
         DN: CN=Amazon Root CA 3, O=Amazon, C=US
 
     + amazonrootca4
         DN: CN=Amazon Root CA 4, O=Amazon, C=US

See JDK-8233223

core-libs/java.rmi
 Improve Registry Support

The java.rmi.Remote marker interface identifies interfaces containing methods that can be invoked remotely by using the following specification:

  • Methods declared in interfaces that directly or indirectly extend java.rmi.Remote can be invoked remotely
  • Methods declared in interfaces that do not extend Remote directly or indirectly cannot be invoked remotely

This affects remote objects in the java.rmi.registry.Registry and any other remote object.

JDK-8230967 (not public)

 

Bug Fixes

The following are some of the notable bug fixes included in this release:

 

client-libs/2d
 Support for OpenType CFF Fonts

Previously, Oracle JDK 8 did not include OpenType CFF fonts (.otf fonts) into the standard logical fonts (such as "Dialog" and "SansSerif"). This resulted in missing glyphs when rendering text. In the most extreme cases where only CFF fonts were installed on the system, a Java exception could be thrown.

Several Linux distributions were affected by this issue because they rely on CFF fonts to support some languages, which is common for CJK (Chinese, Japanese, and Korean) languages.

Oracle JDK 8 now uses these CFF fonts, and this issue has been resolved.

See JDK-8209672

core-libs/java.io:serialization
 Better Serial Filter Handling

The jdk.serialFilter system property can only be set on the command line. If the filter has not been set on the command line, it can be set can be set with java.io.ObjectInputFilter.Config.setSerialFilter. Setting the jdk.serialFilter with java.lang.System.setProperty has no effect.

JDK-8231422 (not public)

 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8080465 client-libs   The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel".
2 JDK-8185538 client-libs 2d JDK 9 is really slow initialising some OTF/CFF fonts.
3 JDK-8146238 client-libs 2d [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts
4 JDK-8209672 client-libs 2d Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init
5 JDK-8225101 client-libs java.awt Crash at sun.awt.X11.XlibWrapper.XkbGetUpdatedMap when change keybord map
6 JDK-8230782 client-libs java.awt Robot.createScreenCapture() fails if ???awt.robot.gtk??? is set to false
7 JDK-8221246 client-libs java.awt NullPointerException within Win32ShellFolder2
8 JDK-8213119 client-libs java.awt [macos] java/awt/GraphicsDevice/CheckDisplayModes.java fails
9 JDK-8225505 client-libs javax.swing ctrl-F1 does not show the tooltip of a menu item (JMenuItems)
10 JDK-8134424 core-libs java.io:serialization BlockDataInputStream.readUTFBody: size local StringBuffer with the given length
11 JDK-8185898 core-libs java.net setRequestProperty(key, null) results in HTTP header without colon in request
12 JDK-8230085 core-libs java.nio (fs) FileStore::isReadOnly is always true on macOS Catalina
13 JDK-8223490 core-libs java.util Optimize search algorithm for determining default time zone
14 JDK-8227018 core-libs java.util.concurrent CompletableFuture should not call Runtime.availableProcessors on fast path
15 JDK-8204290 core-libs jdk.nashorn Add check to limit number of capture groups
16 JDK-8232984 core-libs jdk.nashorn Upgrading Joni License version to 2.1.16
17 JDK-8204288 core-libs jdk.nashorn Matching the end of a string followed by an empty greedy regex and a word boundary fails
18 JDK-8230303 core-svc debugger JDB hangs when running monitor command
19 JDK-8179348 deploy webstart User friendly warning when Java WebStart Temporary Internet Files is disabled.
20 JDK-8133949 deploy webstart deploy-test build broken by fix to JDK-6921877
21 JDK-6921877 deploy webstart JCP JNLP Shortcut settings for JDK 9
22 JDK-7024585 deploy webstart enhance the list of secure jnlp vm-args for plugin and web start
23 JDK-8223925 docs   No document covering default property files and system properties of the Preferences API
24 JDK-8060000 docs guides Endpoint identification algorithm is not only in TLS 1.2
25 JDK-8207028 docs guides JSSE TrustManagerFactory ignores custom value of deployment.system.security.cacerts property
26 JDK-8227326 docs guides Broken link to JNLP specifications in Java Web Start documentation
27 JDK-8077316 docs guides JRE Installer Options Page should include JDK
28 JDK-8171356 docs tools providerpath option should be added to all keytool commands which specify provider information's
29 JDK-8143925 hotspot compiler enhancing CounterMode.crypt() for AESCrypt.implEncryptBlock()
30 JDK-8146581 hotspot compiler Minor corrections to the patch submitted for earlier bug id - 8143925
31 JDK-8171974 hotspot compiler Fix for R10 Register clobbering with usage of ExternalAddress
32 JDK-8131778 hotspot compiler java disables UseAES flag when using VIS=2 on sparc
33 JDK-8225141 hotspot compiler Better handling of classes in error state by fast class initialization checks
34 JDK-8229420 hotspot gc [Redo] jstat reports incorrect values for OU for CMS GC
35 JDK-8048556 hotspot gc Unnecessary GCLocker-initiated young GCs
36 JDK-8226798 hotspot runtime JVM crash in klassItable::initialize_itable_for_interface(int, InstanceKlass*, bool, Thread*)
37 JDK-8041620 hotspot runtime Solaris Studio 12.4 C++ 5.13 change in behavior for placing friend declarations within surrounding scope
38 JDK-8231854 javafx other Change Mercurial to git in various README files
39 JDK-8231590 javafx other Update location of jfx repo to GitHub in third-party legal files
40 JDK-8232522 javafx other FX: Update copyright year in docs, readme files to 2020
41 JDK-8231126 javafx web libxslt.md has incorrect version string
42 JDK-8224636 javafx web CSS "pointer-events" property "stroke" is not respected for SVG renderings
43 JDK-8218640 javafx web Update ICU4C to version 64.2
44 JDK-8173956 security-libs java.security KeyStore regression due to default keystore being changed to PKCS12
45 JDK-8195667 security-libs javax.crypto:pkcs11 ProblemList PKCS11 tests Secmod/AddTrustedCert.java and tls/TestKeyMaterial.java due to JDK-8180837
46 JDK-8080462 security-libs javax.crypto:pkcs11 Update SunPKCS11 provider with PKCS11 v2.40 support
47 JDK-8228835 security-libs javax.crypto:pkcs11 Memory leak in PKCS11 provider when using AES GCM
48 JDK-8229243 security-libs javax.crypto:pkcs11 SunPKCS11-Solaris provider tests failing on Solaris 11.4
49 JDK-8225695 security-libs javax.crypto:pkcs11 32-bit build failures after JDK-8080462 (Update SunPKCS11 provider with PKCS11 v2.40 support)
50 JDK-8133489 security-libs javax.net.ssl Better messaging for PKIX path validation matching
51 JDK-8229767 security-libs javax.security Typo in java.security: Sasl.createClient and Sasl.createServer
52 JDK-8200400 security-libs javax.security Allow Sasl mechanisms to be restricted
53 JDK-8226607 security-libs javax.smartcardio Inconsistent info between pcsclite.md and MUSCLE headers
54 JDK-8201627 security-libs org.ietf.jgss:krb5 Kerberos sequence number issues

Java SE 8u231 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u231 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u231 b34

Bug Fixes

BugId Component Subcomponent Summary
8223158 client-libs javax.swing Docked MacBook cannot start any Java Swing applications
8134424 core-libs java.io:serialization BlockDataInputStream.readUTFBody: size local StringBuffer with the given length
8077707
(Confidential)
client-libs javax.accessibility jdk9 b58 cannot run any graphical application on Win 8 with JAWS running

Changes in Java SE 8u231 b33

Bug Fixes

BugId Component Subcomponent Summary
8185538 client-libs 2d JDK 9 is really slow initialising some OTF/CFF fonts.
8223490 core-libs java.util Optimize search algorithm for determining default time zone
8209672
(Confidential)
client-libs 2d Oracle JDK 8 equivalent fix for JDK-8188030: AIOOBE in font manager init
8080465
(Confidential)
client-libs   The underline of the text doesn't display unless resizing the window with the option "-server -d64 -Xmixed -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel".

Changes in Java SE 8u231 b32

Bug Fixes

BugId Component Subcomponent Summary
8230085 core-libs java.nio (fs) FileStore::isReadOnly is always true on macOS Catalina
8146238 client-libs 2d [macosx] Java2D Queue Flusher crash on OSX after switching between user accounts
8230303 core-svc debugger JDB hangs when running monitor command

Java™ SE Development Kit 8, Update 231 (JDK 8u231)

October 15, 2019

The full version string for this update release is 1.8.0_231-b11 (where "b" means "build"). The version number is 8u231.

IANA Data 2019b

JDK 8u231 contains IANA time zone data version 2019b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u231 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_231-b11
7 1.7.0_241-b09

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update (CPU). In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u231) be used after the next critical patch update scheduled for January 14, 2020. 

Java SE Subscription customers managing JRE updates/installs for large number of desktops should consider using Java Advanced Management Console (AMC).

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u231) on February 14, 2020. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

security-libs/javax.crypto
 New jdk.jceks.iterationCount System Property 

A new system property has been introduced to control the iteration count value used for the jceks keystore. The default value remains at 200000 but values between 10000 and 5000000 may be specified. The new system property name is jdk.jceks.iterationCount and the value supplied should be an integer in the accepted range. The default value will be used if a parsing error is encountered.

JDK-8223269 (not public)

security-libs/java.security
 New Java Flight Recorder (JFR) Security Events 

Four new JFR events have been added to the security library area. These events are disabled by default and can be enabled via the JFR configuration files or via standard JFR options.

  • java/security_property

    • Records Security.setProperty(String key, String value) method calls
  • java/tls_handshake

    • Records TLS handshake activity. The event fields include:
      • Peer hostname
      • Peer port
      • TLS protocol version negotiated
      • TLS cipher suite negotiated
      • Certificate id of peer client
  • java/x509_validation

    • Records details of X.509 certificates negotiated in successful X.509 validation (chain of trust)
  • java/x509_certificate

    • Records details of X.509 Certificates. The event fields include:
      • Certificate algorithm
      • Certificate serial number
      • Certificate subject
      • Certificate issuer
      • Key type
      • Key length
      • Certificate id
      • Validity of certificate

See JDK-8148188

Removed Features and Options

javafx/graphics
 Removal of T2K Rasterizer and ICU Layout Engine From JavaFX 

The T2K rasterizer and ICU layout engine have been removed from JavaFX.

See JDK-8187147

Other notes

client-libs
 [client-libs and javaFX] GTK3 Is Now the Default on Linux/Unix 

Newer versions of Linux, Solaris, and other Unix flavor desktop environments use GTK3, while still supporting GTK2.

Previously, the JDK would default to loading the older GTK2 libraries. However, in this release, it defaults to loading GTK3 libraries. Loading is typically triggered by using the Swing GTK Look And Feel.

The old behavior can be restored by using the system property: -Djdk.gtk.version=2.2

See JDK-8222496

docs
 Using the JDK or JRE on macOS Catalina (10.15)

Changes introduced in macOS 10.15 (Catalina) have caused JCK test failures which will prevent Java from being supported on macOS 10.15. If you still want to install and test then please see http:/java/technologies/javase/jdk-jre-macos-catalina.html.

JDK-8230057 (not public)

security-libs/javax.net.ssl
 Remove Obsolete NIST EC Curves from the Default TLS Algorithms

This change removes obsolete NIST EC curves from the default Named Groups used during TLS negotiation. The curves removed are sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, and secp256k1.

To re-enable these curves, use the jdk.tls.namedGroups system property. The property contains a comma-separated list within quotation marks of enabled named groups in preference order. For example:

java -Djdk.tls.namedGroups="secp256r1, secp384r1, secp521r1, sect283k1, 
sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1" ...

JDK-8228825 (not public)

security-libs/javax.xml.crypto
Updated XML Signature Implementation to Apache Santuario 2.1.3
The XML Signature implementation in the java.xml.crypto module has been updated to version 2.1.3 of Apache Santuario. New features include:

  • Added support for embedding elliptic curve public keys in the KeyValue element

See JDK-8219013

security-libs/javax.xml.crypto
 Updated xmldsig Implementation to Apache Santuario 2.1.1

The XMLDSig provider implementation in the java.xml.crypto module has been updated to version 2.1.1 of Apache Santuario. New features include:

  • Support for the SHA-224 and SHA-3 DigestMethod algorithms specified in RFC 6931.
  • Support for the HMAC-SHA224, RSA-SHA224, ECDSA-SHA224, and RSASSA-PSS family of SignatureMethod algorithms specified in RFC 6931.

See JDK-8177334

security-libs/javax.crypto
 System Property jdk.security.useLegacyECC is Turned Off by Default

The system property jdk.security.useLegacyECC, which was introduced in the update releases 7u231 and 8u221, is turned off by default.

This option allows control of which implementation of ECC is in use.

When the system property, jdk.security.useLegacyECC, is explicitly set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line. Setting the option to true or the empty string is not recommended.

If the option is set to "false", or if it is not specified at all, the provider decides which implementation of ECC is used. This is the recommended setting, as the JDK will use modern and timing resistant implementations of the NIST secp256r1, secp384r1, and secp521r1 curves. For more information on which curves are recommended and which are legacy, see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC.

JDK-8224499 (not public)

security-libs/javax.xml.crypto
 com.sun.org.apache.xml.internal.security.ignoreLineBreaks System Property

An Apache Santuario libraries upgrade introduces a behavioral change where Base64 encoded XML signatures may result in &#xd or &#13 being appended to the encoded output. This behavioral change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has adopted a position of keeping their libraries compliant with RFC 2045.

An application may continue working with the encoded output data containing the carriage return character (&#xd or &#13) if the application coding logic allows such output.

The com.sun.org.apache.xml.internal.security.ignoreLineBreaks system property may be set to a value of true if an application is unable to handle encoded output data including the carriage return character (&#xd or &#13).

Additional information can be found at https://issues.apache.org/jira/browse/SANTUARIO-482.

See JDK-8219013

core-libs/java.lang
 Runtime.exec and ProcessBuilder Argument Restrictions 

Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager.

In applications where there is no security manager, there is no change in the default behavior and the new restrictions are opt-in. To enable the restrictions, set the system property jdk.lang.Process.allowAmbiguousCommands to false.

In applications where there is a security manager, the new restrictions are opt-out. To revert to the previous behavior set the system property jdk.lang.Process.allowAmbiguousCommands to true.

Applications using Runtime.exec or ProcessBuilder with a security manager to invoke .bat or .cmd and command names that do not end in ".exe" may be more restrictive in the characters accepted for arguments if they contain double-quote, "&", "|", "<", ">", or "^". The arguments passed to applications may be quoted differently than in previous versions.

For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. In the case where the entire argument has been passed with quotes or must be quoted to encode special characters including space and tab, the encoding ensures they are passed to the application correctly. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is "false" or there is no security manager and property is not "false".

JDK-8221858 (not public)

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8222496 client-libs   [8u] Switch on GTK3 as a default GTK L&F in client-libs
2 JDK-8217676 client-libs   Upgrade libpng to 1.6.37
3 JDK-8219914 client-libs   Change the environment variable for Java Access Bridge logging to have a directory
4 JDK-8222108 client-libs 2d Reduce minRefreshTime for updating remote printer list on Windows
5 JDK-8196681 client-libs javax.accessibility Java Access Bridge logging and debug flags dynamically controlled
6 JDK-8226964 client-libs javax.swing [Yaru] GTK L&F: There is no difference between menu selected and de-selected
7 JDK-8225423 client-libs javax.swing GTK L&F: JSplitPane: There is no divider shown
8 JDK-8214702 client-libs javax.swing Wrong text position for whitespaced string in printing Swing text
9 JDK-8216401 core-libs   Allow "file:" URLs in Class-Path of local JARs
10 JDK-8151486 core-libs java.lang Class.forName causes memory leak
11 JDK-8197930 core-libs java.lang JNI exception pending in initializeEncoding of jni_util.c
12 JDK-8225425 core-libs java.net java.lang.UnsatisfiedLinkError: net.dll: Can't find dependent libraries
13 JDK-8214687 core-libs java.util:collections Optimize Collections.nCopies().hashCode() and equals()
14 JDK-8222980 core-libs java.util:i18n Upgrade IANA Language Subtag Registry to Version 2019-04-03
15 JDK-8219890 core-libs java.util:i18n Calendar.getDisplayName() returns empty string for new Japanese Era on some locales
16 JDK-8203324 core-libs java.util:i18n Use out of scope in getMacOSXLocale of java_props_macosx.c:120
17 JDK-8139965 core-libs javax.naming Hang seen when using com.sun.jndi.ldap.search.replyQueueSize
18 JDK-8217581 docs tools JDK 8 javadoc man page does not list correct values for -source
19 JDK-8206879 globalization locale-data Currency decimal marker incorrect for Peru
20 JDK-8202414 hotspot compiler Unsafe write after primitive array creation may result in array length change
21 JDK-8219807 hotspot compiler C2 crash in IfNode::up_one_dom(Node*, bool)
22 JDK-8218721 hotspot compiler C1's CEE optimization produces safepoint poll with invalid debug information
23 JDK-8130341 hotspot compiler GHASH 32bit intrinsics has AEADBadTagException
24 JDK-8080157 hotspot compiler assert(allocates2(pc)) failed: not in CodeBuffer memory
25 JDK-8187147 javafx graphics Remove T2K from JavaFX in JDK 10
26 JDK-8201539 javafx graphics Crash in DirectWrite CreateBitmap code when running TestFX test suite
27 JDK-8213510 javafx media [Windows] MediaPlayer does not play some mp3 with artwork stream in mjpeg
28 JDK-8222780 javafx media Visual Studio does not open media vs_projects files
29 JDK-8223046 javafx samples AudioClip sample does not work in Ensemble when run via web-start
30 JDK-8230361 javafx web [web] Cookies are not enabled in WebKit v608.1
31 JDK-8229328 javafx web [windows] PlatformFileHandle type should be JGObject rather than void *
32 JDK-8227431 javafx web [Windows] Fix assertion failure on X86 32-bit when enabling CLOOP based JavaScript interpreter
33 JDK-8227079 javafx web Cherry pick GTK WebKit 2.24.3 changes
34 JDK-8222912 javafx web Websocket client doesn't work in WebView
35 JDK-8219362 javafx web Update to 608.1 version of WebKit
36 JDK-8225203 javafx web Update SQLite to version 3.28.0
37 JDK-8222788 javafx web javafx.web build fails on XCode 10.2
38 JDK-8222497 javafx window-toolkit [8u] Switch on GTK3 as a default GTK L&F in javafx
39 JDK-8226537 javafx window-toolkit Multi-level Stage::initOwner can crash gnome-shell or X.org server
40 JDK-8211302 javafx window-toolkit DragAndDrop no longer works with GTK3
41 JDK-8212060 javafx window-toolkit [GTK3] Stage sometimes shown at top-left before moving to correct position
42 JDK-8147502 security-libs java.security Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
43 JDK-8148188 security-libs java.security Enhance the security libraries to record events of interest
44 JDK-8226543 security-libs javax.crypto Reduce GC pressure during message digest calculations in password-based encryption
45 JDK-8073108 security-libs javax.crypto Use x86 and SPARC CPU instructions for GHASH acceleration
46 JDK-8218780 security-libs javax.smartcardio Update MUSCLE PCSC-Lite header files
47 JDK-8229868 security-libs javax.xml.crypto Update Apache Santuario TPRM version
48 JDK-8218629 security-libs javax.xml.crypto XML Digital Signature throws NAMESPACE_ERR exception on OpenJDK 11, works 8/9/10
49 JDK-8217878 security-libs javax.xml.crypto ENVELOPING XML signature no longer works in JDK 11
50 JDK-8219013 security-libs javax.xml.crypto Update Apache Santuario (XML Signature) to version 2.1.3
51 JDK-8177334 security-libs javax.xml.crypto Update xmldsig implementation to Apache Santuario 2.1.1

Java SE 8u221 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u221 BPR releases. The BPR releases are listed below in date order, most current BPR first. Note that bug fixes in previous BPRs are also included in the current BPR.

Changes in Java SE 8u221 b36

Bug Fixes

BugId Component Subcomponent Summary
8221246 client-libs java.awt NullPointerException within Win32ShellFolder2

Changes in Java SE 8u221 b35

Bug Fixes

BugId Component Subcomponent Summary
8080157 hotspot compiler assert(allocates2(pc)) failed: not in CodeBuffer memory
8130341 hotspot compiler GHASH 32bit intrinsics has AEADBadTagException
8073108 security-libs javax.crypto Use x86 and SPARC CPU instructions for GHASH acceleration
8048556 hotspot gc Unnecessary GCLocker-initiated young GCs

Changes in Java SE 8u221 b34

Bug Fixes

BugId Component Subcomponent Summary
8226895
(Confidential)
xml jaxp Problems when validating XML with STax

Changes in Java SE 8u221 b33

Bug Fixes

BugId Component Subcomponent Summary
8226543 security-libs javax.crypto Reduce GC pressure during message digest calculations in password-based encryption
8139965 core-libs javax.naming Hang seen when using com.sun.jndi.ldap.search.replyQueueSize
8225615
(Confidential)
deploy packager Need javapackager to work with Inno Setup 6.x
8223727
(Confidential)
core-libs javax.naming com/sun/jndi/ldap/privconn/RunTest.java failed due to hang in LdapRequest.getReplyBer

Changes in Java SE 8u221 b32

Please note that fixes from prior BPR are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8219914 client-libs   Change the environment variable for Java Access Bridge logging to have a directory
8196681 client-libs javax.accessibility Java Access Bridge logging and debug flags dynamically controlled

Java™ SE Development Kit 8, Update 221 (JDK 8u221)

July 16, 2019

The full version string for this update release is 1.8.0_221-b11 (where "b" means "build"). The version number is 8u221.

IANA Data 2018i

JDK 8u221 contains IANA time zone data version 2018i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u221 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_221-b11
7 1.7.0_231-b08

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u221) will expire with the release of the next critical patch update scheduled for October 15, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u221) on November 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

hotspot/runtime

HotSpot Windows OS Detection Correctly Identifies Windows Server 2019

Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016", which produced incorrect values in the os.name system property and the hs_err_pid file.

See JDK-8211106

Removed Features and Options

security-libs/java.security

Removal of Two DocuSign Root CA Certificates

Two DocuSign root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "certplusclass2primaryca [jdk]"

    Distinguished Name: CN=Class 2 Primary CA, O=Certplus, C=FR

  • alias name "certplusclass3pprimaryca [jdk]"

    Distinguished Name: CN=Class 3P Primary CA, O=Certplus, C=FR

See JDK-8223499

security-libs/java.security

Removal of Two Comodo Root CA Certificates

Two Comodo root CA certificates are expired and have been removed from the cacerts keystore:

  • alias name "utnuserfirstclientauthemailca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Client Authentication and Email, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

  • alias name "utnuserfirsthardwareca [jdk]"

    Distinguished Name: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

See JDK-8222136

security-libs/java.security

Removal of T-Systems Deutsche Telekom Root CA 2 Certificate

The T-Systems Deutsche Telekom Root CA 2 certificate is expired and has been removed from the cacerts keystore:

  • alias name "deutschetelekomrootca2 [jdk]"

    Distinguished Name: CN=Deutsche Telekom Root CA 2, OU=T-TeleSec Trust Center, O=Deutsche Telekom AG, C=DE

See JDK-8222137

Other notes

install

Java Access Bridge Installation Workaround

There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

JDK-8223293 (not public)

security-libs/javax.crypto

System Property to Switch Between Implementations of ECC

A new boolean system property, jdk.security.useLegacyECC, has been introduced that enables switching between implementations of ECC.

When the system property, jdk.security.useLegacyECC, is set to "true" (the value is case-insensitive) the JDK uses the old, native implementation of ECC. If the option is set to an empty string, it is treated as if it were set to "true". This makes it possible to specify -Djdk.security.useLegacyECC in the command line.

If the option is explicitly set to "false", the provider decides which implementation of ECC is used.

The default value of the option is "true". Note that the default value might change in a future update release of the JDK.

JDK-8217763 (not public)

client-libs/2d

Missing Glyphs in AWT/Swing Components Due to Lack of CJK TrueType Fonts in RHEL 8

Red Hat Enterprise Linux 8 no longer includes packages which provided TrueType fonts used by JDK for CJK (Chinese, Japanese, and Korean) languages.

Text display for those languages will therefore result in missing glyphs.

See JDK-8209672 for a resolution to this issue.

See JDK-8230150

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8214252 client-libs   Expanded & Collapsed nodes of a JTree look the same on GTK3
2 JDK-8153732 client-libs 2d Windows remote printer changes do not reflect in lookupPrintServices()
3 JDK-8212202 client-libs 2d [Windows] Exception if no printers are installed.
4 JDK-8218020 client-libs 2d Fix version number in mesa.md 3rd party legal file
5 JDK-8215210 client-libs 2d [macos] Hangul text does not shape to the precomposed form on JDK8u
6 JDK-8218605 client-libs 2d Startup Splash Screen of SwingSet2 flashes in smaller coordinates before appearing in the final size
7 JDK-8214765 client-libs java.awt All TrayIcon MessageType icons does not show up with gtk3 option set
8 JDK-8204142 client-libs java.awt AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts.
9 JDK-8210886 client-libs java.awt Remove references in xwindows.md to non-existent files.
10 JDK-8214109 client-libs java.awt XToolkit is not correctly displayed color on 16-bit high color setting
11 JDK-8213183 client-libs java.awt:i18n InputMethod cannot be used after its restarting
12 JDK-8214253 client-libs javax.swing Tooltip is transparent rather than having a black background
13 JDK-8214112 client-libs javax.swing The whole text in target JPasswordField image are not selected.
14 JDK-8214111 client-libs javax.swing There is no icon in all JOptionPane target image
15 JDK-8220349 client-libs javax.swing The fix done for JDK-8214253 have caused issues in JTree behaviour
16 JDK-8218674 client-libs javax.swing HTML Tooltip with "img src=" on component doesn't show
17 JDK-8196775 core-libs java.net java/net/Socket/asyncClose/Race.java failed intermittently on Windows with ConnectException: Connection refused
18 JDK-8044047 core-libs java.util.stream Missing null pointer checks for streams
19 JDK-8213294 core-libs java.util:i18n Upgrade IANA LSR data
20 JDK-8040211 core-libs java.util:i18n Update LSR datafile for BCP 47
21 JDK-8191404 core-libs java.util:i18n Upgrading JDK with latest available LSR data from IANA.
22 JDK-8203872 core-libs java.util:i18n Upgrading JDK with latest available LSR data from IANA.
23 JDK-8214935 core-libs java.util:i18n Upgrade IANA LSR data
24 JDK-8218781 core-libs java.util:i18n Localized names for Japanese Era Reiwa in COMPAT provider
25 JDK-8209775 core-libs java.util:i18n ISO 4217 Amendment #169 Update
26 JDK-8210153 core-libs java.util:i18n localized currency symbol of VES
27 JDK-8209951 hotspot compiler Problematic sparc intrinsic: com.sun.crypto.provider.CipherBlockChaining
28 JDK-8211106 hotspot runtime [windows] Update OS detection code to recognize Windows Server 2019
29 JDK-8134030 hotspot svc test/serviceability/dcmd/gc/HeapDumpTest fails to verify the dump
30 JDK-8202884 hotspot svc-agent SA: Attach/detach might fail on Linux if debugee application create/destroy threads during attaching
31 JDK-8222812 install install java usage unit tests are failing
32 JDK-8212742 install uninstall More information link at Java Uninstall tool for MAC point to Windows page instructions
33 JDK-8215686 javafx build FX build fails using gradle 5
34 JDK-8217942 javafx build Upgrade to libxslt 1.1.33
35 JDK-8219008 javafx graphics Update OpenGL Headers to version 4.6
36 JDK-8204060 javafx graphics [Canvas] Add API in GraphicsContext to control image smoothing
37 JDK-8215894 javafx media Provide media support for libav version 58
38 JDK-8133841 javafx media Full HD video can not be played on standard 1080p screen in portrait mode
39 JDK-8222217 javafx media FX build fails on 32-bit Windows after fix for JDK-8133841
40 JDK-8218174 javafx other Add missing license file for Mesa header files
41 JDK-8222883 javafx samples Ensemble: Update version of Lucene to 7.7.1
42 JDK-8219734 javafx web [WebView] Get rid of macOS SDK private API usage
43 JDK-8215775 javafx web Scrollbars from web pages appear to be absolute, overlapping everything
44 JDK-8220147 javafx web Cherry pick GTK WebKit 2.22.7 changes
45 JDK-8219917 javafx web [WebView] Sub-resource integrity check fails on Windows and Linux
46 JDK-8151225 security-libs java.security Mark SpecTest.java as intermittently failing
47 JDK-8222137 security-libs java.security Remove T-Systems root CA certificate
48 JDK-8223499 security-libs java.security Remove two DocuSign root certificates that are expiring
49 JDK-8222136 security-libs java.security Remove two Comodo root CA certificates that are expiring
50 JDK-8181594 security-libs javax.crypto Efficient and constant-time modular arithmetic
51 JDK-8203228 security-libs javax.crypto Branch-free output conversion for X25519 and X448
52 JDK-8201317 security-libs javax.crypto X25519/X448 code improvements
53 JDK-8208648 security-libs javax.crypto ECC Field Arithmetic Enhancements
54 JDK-8204909 security-libs javax.crypto Improved ECC Implementation
55 JDK-8193830 xml jaxp Xalan Update: Xalan Java 2.7.2

Java SE 8u212 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u212 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u212 b34

Please note that fixes in 8u212 b34 are included in 8u221-b32.

Bug Fixes

BugId Component Subcomponent Summary
8208666 client-libs 2d Missing glyphs from custom made font when rendering on Graphics2D
8178870 hotspot jvmti instrumentation.retransformClasses cause coredump
8155951 hotspot jvmti VM crash in nsk/jvmti/RedefineClasses/StressRedefine: assert failed: Corrupted constant pool
8151066 hotspot jvmti assert(0 <= i && i < length()) failed: index out of bounds
8221986
(Confidential)
javafx build Intermittent FX Hudson build failure on Windows: cannot execute gperf

Changes in Java SE 8u212 b33

Bug Fixes

BugId Component Subcomponent Summary
8218674 client-libs javax.swing HTML Tooltip with "img src=" on component doesn't show
8223233
(Confidential)
install install 8u 211 32 bit MSI uninstalls Java 8u211 64 bit, which is above the security baseline

Changes in Java SE 8u212 b32

Bug Fixes

BugId Component Subcomponent Summary
8204060 javafx graphics [Canvas] Add API in GraphicsContext to control image smoothing
8221263 client-libs 2d [TEST_BUG] RemotePrinterStatusRefresh test is hard to use
8153732 client-libs 2d Windows remote printer changes do not reflect in lookupPrintServices()
8221412 client-libs 2d lookupPrintServices() does not always update the list of Windows remote printers
8212202 client-libs 2d [Windows] Exception if no printers are installed.
8194653 core-libs java.lang Deadlock involving FileSystems.getDefault and System.loadLibrary call
8219410
(Confidential)
javafx graphics [GraphicsContext] Backport doc changes

Changes in Java SE 8u212 b31

Please note that fixes from prior BPR (8u202 b34) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8221355 hotspot compiler Performance regression after JDK-8155635 backport into 8u

Java™ SE Development Kit 8, Update 212 (JDK 8u212)

April 16, 2019

The full version string for this update release is 1.8.0_212-b10 (where "b" means "build"). The version number is 8u212.

IANA Data 2018g

JDK 8u212 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u212 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_211-b12
7 1.7.0_221-b08
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u212) will expire with the release of the next critical patch update scheduled for July 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u212) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8215364 client-libs   JavaFX crashes on Ubuntu 18.04 with Wayland while using Swing-FX interop
2 JDK-8207070 client-libs java.awt Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor
3 JDK-8189926 javafx other [Mac] Pulse timer should pause when idle
4 JDK-8210411 javafx window-toolkit JavaFX crashes on Ubuntu 18.04 with Wayland
5 JDK-8211280 javafx window-toolkit JavaFX build fails on Linux with gcc8
6 JDK-8213952 security-libs java.security Relax DNSName restriction as per RFC 1123

Java™ SE Development Kit 8, Update 211 (JDK 8u211)

April 16, 2019

The full version string for this update release is 1.8.0_211-b12 (where "b" means "build"). The version number is 8u211.

IANA Data 2018g

JDK 8u211 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u211 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_211-b12
7 1.7.0_221-b08
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u211) will expire with the release of the next critical patch update scheduled for July 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u211) on August 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

New Features

core-libs/java.time

 New Japanese Era Name Reiwa

An instance representing the new Reiwa era has been added to this update. Unlike other eras, there is no public field for this era. It can be obtained by calling JapaneseEra.of(3) or JapaneseEra.valueOf("Reiwa"). JDK 13 and later will have a new public field to represent this era.

The placeholder name, "NewEra", for the Japanese era that started from May 1st, 2019 has been replaced with the new official name. Applications that relied on the placeholder name (see JDK-8202088) to obtain the new era singleton (JapaneseEra.valueOf("NewEra")) will no longer work.

See JDK-8205432

core-libs/java.util:i18n

 Square Character Support for Japanese New Era 

The code point, U+32FF, is reserved by the Unicode Consortium to represent the Japanese square character for the new era that begins from May, 2019. Relevant methods in the Character class return the same properties as the existing Japanese era characters (e.g., U+337E for "Meizi"). For details about the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.

See JDK-8211398

client-libs/2d

 High DPI Auto-Scaling on Windows

If the Windows desktop DPI of the default screen is configured via Display Settings to be 150% or greater (that is 144 dpi or greater), JDK will now ask Windows to auto-scale the entire UI of a Java application to be consistent with the rest of the Windows desktop UI.

Below that value Java applications will appear at the same size as they did in previous releases.

This threshold is chosen as a trade-off between compatibility and legibility of the UI. At higher DPI settings, without this auto-scaling, the Java UI may be just too small to be read comfortably.

There may be some negative consequences such as

  • Some elements of the UI may appear somewhat blurry, particularly if the scaling factor is a non-integral value (that is 1.5 rather than 2.0).
  • ClearType text is not effective when auto-scaling so grey scale anti-aliasing is used instead by the Swing toolkit.
  • Window sizing and positioning calculations may be adversely affected.

In the event that the negative consequences outweigh the benefits, an application can request the old behaviour by specifying:

-Dsun.java2d.dpiaware=true

Conversely, if the application would prefer to be auto-scaled even at lower DPI settings, then specify:

-Dsun.java2d.dpiaware=false

In the absence of either explicit setting, the default behaviour described above will apply.

JDK-8204512 (not public)

core-libs/java.lang

 New Currency Code Points Added

The Java SE 8 Platform spec for java.lang.Character now supports Unicode 6.2 plus an extension to allow new currency code points from Unicode 10.0.

The following currency code points have been added:

0BB NORDIC MARK SIGN
    20BC  MANAT  SIGN
    20BD RUBLE SIGN
    20BE LARI SIGN
    20BF BITCOIN SIGN

See JDK-8217710

Known Issues

install

 Java Access Bridge Installation Workaround

There is a risk of breaking Java Access Bridge functionality when installing Java on a Windows system that has both a previously installed version of Java and an instance of JAWS running. After rebooting, the system can be left without the WindowsAccessBridge-64.dll in either the system directory (C:\Windows\System32) for 64bit Java products or the system directory used by WOW64 (C:\Windows\SysWoW64) for 32bit Java products.

To prevent breaking Java Access Bridge functionality, use one of the following workarounds:

  • Stop JAWS before running the Java installer.
  • Uninstall the existing JRE(s) before installing the new version of Java.
  • Uninstall the existing JRE(s) after the new version of Java is installed and the machine is rebooted.

The goal of the workarounds is to avoid the scenario of uninstalling existing JRE(s) from Java installer when JAWS is running.

JDK-8223293 (not public)

hotspot/compiler

 Possible Performance Regression in JDK 8 Updates 202, 211, and 212

Due to a known issue with the fix for JDK-8155635, introduced in JDK 8 update 202, some applications may experience a performance regression (lower throughput and/or higher CPU consumption) when migrating from earlier releases. Examples of code that might trigger this regression include heavy use of sun.misc.Unsafe and the Reflection API. This performance regression is addressed in JDK-8221355.

See JDK-8221355

Changes

security-libs/java.security

 Added GlobalSign R6 Root Certificate 

The following root certificate has been added to the cacerts truststore:

  • GlobalSign
    • globalsignrootcar6

      DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R6

JDK-8216577 (not public)

security-libs/javax.net.ssl

 Distrust TLS Server Certificates Anchored by Symantec Root CAs 

The JDK will stop trusting TLS Server certificates issued by Symantec, in line with similar plans recently announced by Google, Mozilla, Apple, and Microsoft. The list of affected certificates includes certificates branded as GeoTrust, Thawte, and VeriSign, which were managed by Symantec.

TLS Server certificates issued on or before April 16, 2019 will continue to be trusted until they expire. Certificates issued after that date will be rejected. See the DigiCert support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over validation and issuance for all Symantec Website Security SSL/TLS certificates on December 1, 2017).

An exception to this policy is that TLS Server certificates issued through two subordinate Certificate Authorities managed by Apple, and identified below, will continue to be trusted as long as they are issued on or before December 31, 2019.

The restrictions are enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below.

An application will receive an Exception with a message indicating the trust anchor is not trusted, ex:

"TLS Server certificate issued after 2019-04-16 and anchored by a distrusted legacy Symantec root CA: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US"

If necessary, and at your own risk, you can work around the restrictions by removing "SYMANTEC_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Symantec Root certificates included in the JDK:

Root Certificates distrusted after 2019-04-16

Distinguished Name SHA-256 Fingerprint
CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

FF:85:6A:2D:25:1D:CD:88:D3:66:56:F4:50:12:67:98:CF:AB:AA: DE:40:79:9C:72:2D:E4:D2:B5:DB:36:A7:3A

CN=GeoTrust Primary Certification Authority, O=GeoTrust Inc., C=US

37:D5:10:06:C5:12:EA:AB:62:64:21:F1:EC:8C:92:01:3F:C5:F8: 2A:E9:8E:E5:33:EB:46:19:B8:DE:B4:D0:6C

CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

5E:DB:7A:C4:3B:82:A0:6A:87:61:E8:D7:BE:49:79:EB:F2:61:1F: 7D:D7:9B:F9:1C:1C:6B:56:6A:21:9E:D7:66

CN=GeoTrust Primary Certification Authority - G3, OU=(c) 2008 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US

B4:78:B8:12:25:0D:F8:78:63:5C:2A:A7:EC:7D:15:5E:AA:62:5E: E8:29:16:E2:CD:29:43:61:88:6C:D1:FB:D4

CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US

A0:45:9B:9F:63:B2:25:59:F5:FA:5D:4C:6D:B3:F9:F7:2F:F1:93: 42:03:35:78:F0:73:BF:1D:1B:46:CB:B9:12

CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A: 97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F

CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US

A4:31:0D:50:AF:18:A6:44:71:90:37:2A:86:AF:AF:8B:95:1F:FB: 43:1D:83:7F:1E:56:88:B4:59:71:ED:15:57

CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US

4B:03:F4:58:07:AD:70:F2:1B:FC:2C:AE:71:C9:FD:E4:60:4C: 06:4C:F5:FF:B6:86:BA:E5:DB:AA:D7:FD:D3:4C

EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

3F:9F:27:D5:83:20:4B:9E:09:C8:A3:D2:06:6C:4B:57:D3:A2:47: 9C:36:93:65:08:80:50:56:98:10:5D:BC:E9

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F: D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09: CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05

OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E: DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B

CN=VeriSign Class 3 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

EB:04:CF:5E:B1:F3:9A:FA:76:2F:2B:B1:20:F2:96:CB:A5:20:C1: B9:7D:B1:58:95:65:B8:1C:B9:A1:7B:72:44

CN=VeriSign Class 3 Public Primary Certification Authority - G4, OU="(c) 2007 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60: 32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79

CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

9A:CF:AB:7E:43:C8:D8:80:D0:6B:26:2A:94:DE:EE:E4:B4:65:99: 89:C3:D0:CA:F1:9B:AF:64:05:E4:1A:B7:DF

CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

23:99:56:11:27:A5:71:25:DE:8C:EF:EA:61:0D:DF:2F:A0:78:B5: C8:06:7F:4E:82:82:90:BF:B8:60:E8:4B:3C

Subordinate Certificates distrusted after 2019-12-31

Distinguished Name SHA-256 Fingerprint
CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US

AC:2B:92:2E:CF:D5:E0:17:11:77:2F:EA:8E:D3:72:DE:9D:1E:22:45:FC:E3:F5:7A: 9C:DB:EC:77:29:6A:42:4B

CN=Apple IST CA 8 - G1, OU=Certification Authority, O=Apple Inc., C=US

A4:FE:7C:7F:15:15:5F:3F:0A:EF:7A:AA:83:CF:6E:06:DE:B9:7C:A3:F9:09:DF:92:0A: C1:49:08:82:D4:88:ED

If you have a TLS Server certificate issued by one of the CAs above, you should have received a message from DigiCert with information about replacing that certificate, free of charge.

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain are issued by one of the root CAs in the table above are listed in the output you will need to update the certificate or contact the organization that manages the server if not yours.

See JDK-8207258

core-libs/java.time

 Support New Japanese Era in java.time.chrono.JapaneseEra 

The JapaneseEra class and its of(int), valueOf(String), and values() methods are clarified to accommodate future Japanese era additions, such as how the singleton instances are defined, what the associated integer era values are, etc.

See JDK-8212941

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8213983 client-libs java.awt [macosx] Keyboard shortcut ???cmd +`??? stops working properly if popup window is displayed
2 JDK-8213583 client-libs java.awt Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files
3 JDK-8076164 client-libs javax.swing [JTextField] When input too long Thai character, cursor's behavior is odd
4 JDK-8132136 client-libs javax.swing [PIT] RTL orientation in JEditorPane is broken
5 JDK-8133108 client-libs javax.swing [PIT] Container size is wrong in JEditorPane
6 JDK-8187364 client-libs javax.swing Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component
7 JDK-8216396 core-libs java.lang Support new Japanese era and new currency code points in java.lang.Character for Java SE 8
8 JDK-8218915 core-libs java.lang Change isJavaIdentifierStart and isJavaIdentifierPart to handle new code points
9 JDK-8217710 core-libs java.lang Add 5 currency code points to Java SE 8uX
10 JDK-8180469 core-libs java.time Wrong short form text for supplemental Japanese era
11 JDK-8212941 core-libs java.time Support new Japanese era in java.time.chrono.JapaneseEra
12 JDK-8211398 core-libs java.util:i18n Square character support for the Japanese new era
13 JDK-8202088 core-libs java.util:i18n Japanese new era implementation
14 JDK-8207152 core-libs java.util:i18n Placeholder for Japanese new era should be two characters
15 JDK-8217609 core-libs java.util:i18n New era placeholder not recognized by java.text.SimpleDateFormat
16 JDK-8159886 deploy plugin Window of a newly launched Oracle Forms applet loses focus
17 JDK-8133984 hotspot runtime print_compressed_class_space() is only defined in 64-bit VM
18 JDK-8180904 hotspot test Hotspot tests running with -agentvm failing due to classpath
19 JDK-8187220 install install postinstall fails if there is a space in user name
20 JDK-8214185 javafx media Upgrade GStreamer to the latest (1.14.4) version
21 JDK-8200665 javafx samples Ensemble: Update SyntaxHighlighter to version 4.0.1
22 JDK-8207772 javafx web File API and FileReader should be supported in WebView
23 JDK-8213541 javafx web WebView does not handle HTTP response without ContentType
24 JDK-8215702 javafx web SVG gradients are not rendered
25 JDK-8215799 javafx web Complex text is not rendered by webkit on Windows
26 JDK-8214119 javafx web Update to 607.1 version of WebKit
27 JDK-8211399 javafx web libxslt fails to build with glibc 2.26
28 JDK-8211454 javafx web Update SQLite to version 3.26.0
29 JDK-8214452 javafx web Update libxml2 to version 2.9.9
30 JDK-8213806 javafx web WebView - JVM crashes for given HTML
31 JDK-8218611 javafx web [DRT] fast/xslt tests fails with Unsupported encoding windows-1251
32 JDK-8219539 javafx web Cherry pick GTK WebKit 2.22.6 changes
33 JDK-8133802 security-libs   replace some <tt> tags (obsolete in html5) in security-libs docs
34 JDK-8216280 security-libs java.security Allow later Symantec Policy distrust date for two Apple SubCAs
35 JDK-8215318 security-libs java.security Amend the Standard Algorithm Names specification to clarify that names can be defined in later versions
36 JDK-8029661 security-libs javax.net.ssl Support TLS v1.2 algorithm in SunPKCS11 provider
37 JDK-8207258 security-libs javax.net.ssl Distrust TLS server certificates anchored by Symantec Root CAs
38 JDK-8129988 security-libs javax.net.ssl JSSE should create a single instance of the cacerts KeyStore
39 JDK-8217579 security-libs javax.net.ssl TLS_EMPTY_RENEGOTIATION_INFO_SCSV is disabled after 8211883
40 JDK-8203190 security-libs javax.net.ssl SessionId.hashCode generates too many collisions
41 JDK-8164656 security-libs org.ietf.jgss:krb5 krb5 does not retry if TCP connection timeouts

Java SE 8u202 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u202 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u202 b34

Bug Fixes

BugId Component Subcomponent Summary
8204142 client-libs java.awt AWT hang occurs when sequenced events arrive out of sequence in multiple AppContexts.
8217227
(Confidential)
deploy plugin Java Deployment Ruleset (DRS) not working for forms Web Start (webstart) configÂ
8221544
(Confidential)
deploy webstart StackOverflowError and JWS fails to launch for some client PCs in cluster config

Changes in Java SE 8u202 b32

Bug Fixes

BugId Component Subcomponent Summary
8213583 client-libs java.awt Error while opening the JFileChooser when desktop contains shortcuts pointing to deleted files
8207070 client-libs java.awt Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor
8027434 hotspot runtime "-XX:OnOutOfMemoryError" uses fork instead of vfork

Changes in Java SE 8u202 b31

Please note that fixes from the prior BPR (8u192 b35) are included in this version.


Java™ SE Development Kit 8, Update 202 (JDK 8u202)

January 15, 2019

The full version string for this update release is 1.8.0_202-b08 (where "b" means "build"). The version number is 8u202.

IANA Data 2018g

JDK 8u202 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u202 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_201-b09
7 1.7.0_211-b07
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u202) will expire with the release of the next critical patch update scheduled for April 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u202) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Known Issues

client-libs

GTK+ 3.20 and Later Unsupported by Swing

Due to incompatible changes in the GTK+ 3 library versions 3.20 and later, the Swing GTK Look and Feel does not render some UI components when using this library. Therefore, Linux installations with versions of GTK+ 3.20 and above are not supported for use by the Swing GTK Look And Feel in this release.

See JDK-8219072

Bug Fixes

The following are some of the notable bug fixes included in this release:

deploy/webstart

Changes in Update Process of Java Web Start Cached Objects

The update mechanism of cached Java Web Start objects has been slightly changed. Now Java Web Start issues HTTP HEAD request instead of GET to test whether the updates for cached object are available or not. The downloading of the updates did not change and keeps working in the same way as before.

JDK-8211746 (not public)

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8210384 client-libs 2d SunLayoutEngine.isAAT() font is expensive on MacOS
2 JDK-8191178 client-libs java.awt [macos] Problem with input of yen symbol
3 JDK-8130655 client-libs java.awt OS X: keyboard input in textfield is not possible if the window contained textfield is owned by EmbeddedFrame
4 JDK-8205479 client-libs java.awt OS X: requestFocus() does not work properly for embedded frame
5 JDK-8170937 client-libs java.awt Swing apps are slow if displaying from a remote source to many local displays
6 JDK-8207322 client-libs java.awt [Client-Libs] Backport GTK3 support on Linux to 8u
7 JDK-8201801 client-libs java.awt RTL language (Hebrew) is presented from left to right
8 JDK-8182461 client-libs javax.imageio IndexOutOfBoundsException when reading indexed color BMP
9 JDK-8207150 client-libs javax.sound Clip.isRunning() may return true after Clip.stop() was called
10 JDK-8202264 client-libs javax.sound Race condition in AudioClip.loop()
11 JDK-8206392 client-libs javax.swing [macosx] Cycling through windows (JFrames) does not work with keyboard shortcut
12 JDK-8208638 client-libs javax.swing Instead of circle rendered in appl window, but ellipse is produced JEditor Pane
13 JDK-8207060 core-libs java.io Memory leak when malloc fails within WITH_UNICODE_STRING block
14 JDK-8207750 core-libs java.io Native handle leak in java.io.WinNTFileSystem.list()
15 JDK-8200719 core-libs java.net Cannot connect to IPv6 host when exists any active network interface without IPv6 address
16 JDK-8202261 core-libs java.nio (fc) FileChannel.map and RandomAccessFile.setLength should not preallocate space
17 JDK-8207145 core-libs java.nio (fs) Native memory leak in WindowsNativeDispatcher.LookupPrivilegeValue0
18 JDK-8165852 core-libs java.nio (fs) Mount point not found for a file which is present in overlayfs
19 JDK-8139507 core-libs java.util WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs
20 JDK-8209184 core-libs java.util:i18n JCK Test Failure due to ResourceBundle
21 JDK-8210038 deploy webstart JNLP 'arch' attribute fails with NPE in SingleInstanceServiceImpl
22 JDK-8208183 hotspot   update HSDIS plugin license to UPL
23 JDK-8212709 hotspot   Backout backport of JDK-8211394 from jdk 8u-dev
24 JDK-8164920 hotspot compiler ppc: enhancement of CRC32 intrinsic
25 JDK-8209639 hotspot compiler assert failure in coalesce.cpp: attempted to spill a non-spillable item
26 JDK-8172850 hotspot compiler Anti-dependency on membar causes crash in register allocator due to invalid instruction scheduling
27 JDK-8155635 hotspot compiler C2: Mixed unsafe oop accesses break alias analysis
28 JDK-8131048 hotspot compiler ppc: implement CRC32 intrinsic
29 JDK-8211150 hotspot gc G1 Full GC not purging code root memory and hence causing memory leak
30 JDK-8064811 hotspot gc Use THREAD instead of CHECK_NULL in return statements
31 JDK-8211909 hotspot jvmti JDWP Transport Listener: dt_socket thread crash
32 JDK-8211387 hotspot runtime [Zero] atomic_copy64: Use ldrexd for atomic reads on ARMv7
33 JDK-8211124 hotspot runtime HotSpot vm_version.cpp should recognise updated VS2017
34 JDK-8205965 hotspot runtime SIGSEGV on write to NativeCallStack::EMPTY_STACK
35 JDK-8196882 hotspot runtime VS2017 Hotspot Defined vsnprintf Function Causes C2084 Already Defined Compilation Error
36 JDK-8209863 hotspot runtime Add a test to verify that -XX:+EnableTracing works
37 JDK-8211394 hotspot runtime CHECK_ must be used in the rhs of an assignment statement within a block (round 2)
38 JDK-8145788 hotspot svc JVM crashes with -XX:+EnableTracing
39 JDK-8208091 hotspot svc-agent SA: jhsdb jstack --mixed throws UnmappedAddressException on i686
40 JDK-8164383 hotspot svc-agent jhsdb dumps core on Solaris 12 when loading dumped core
41 JDK-8210219 javafx graphics GlassClipboard.cpp fails to compile with newer versions of VS2017
42 JDK-8148129 javafx web Implement Accelerated composition for WebView
43 JDK-8209457 javafx web [WebView] Canvas.toDataURL with image/jpeg MIME type fails
44 JDK-8202277 javafx web WebView image capture fails with standalone FX due to dependency on javafx.swing
45 JDK-8196968 javafx web One time crash on exit in JNIEnv_::CallObjectMethod
46 JDK-8207159 javafx web Update ICU to version 62.1
47 JDK-8212147 javafx window-toolkit [JavaFX] Backport GTK3 support on Linux to 8u
48 JDK-8156709 security-libs java.security Cannot call setSeed on NativePRNG on Mac if EGD is /dev/urandom
49 JDK-8187218 security-libs org.ietf.jgss GSSCredential.getRemainingLifetime() returns negative value for TTL > 24 days.
50 JDK-8131051 security-libs org.ietf.jgss:krb5 KDC might issue a renewable ticket even if not requested
51 JDK-8160928 tools javac javac incorrectly copies over interior type annotations to bridge method

Java™ SE Development Kit 8, Update 201 (JDK 8u201)

January 15, 2019

The full version string for this update release is 1.8.0_201-b09 (where "b" means "build"). The version number is 8u201.

IANA Data 2018g

JDK 8u201 contains IANA time zone data version 2018g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u201 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_201-b09
7 1.7.0_211-b07
6 1.6.0_221

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u201) will expire with the release of the next critical patch update scheduled for April 16, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u201) on May 16, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

Issues Fixed

core-libs/java.net
Restriction on Windows NTLM Transparent Authentication

This change limits the use of transparent HTTP authentication on Microsoft Windows for the NTLM scheme. In that scheme, the security credentials based on the currently logged in user's name and password are obtained directly from the operating system, without prompting the user.

A new networking system property, jdk.http.ntlm.transparentAuth, has been added with the following possible values:

  • "disabled" means transparent authentication is not used and the user application is always prompted for NTLM credentials. This is the default and preferred setting. NTLM authentication is still usable in this mode through the java.net.Authenticator class.
  • "trustedHosts" means transparent authentication is only used for hosts identified as trusted in the Windows networking configuration.
  • "allHosts" means transparent authentication is always used.

Any other value, or no value, is treated the same as "disabled". Care should be taken before enabling this mechanism.

See JDK-8209094

Changes

security-libs/javax.net.ssl

TLS anon and NULL Cipher Suites are Disabled

The TLS anon (anonymous) and NULL cipher suites have been added to the jdk.tls.disabledAlgorithms security property and are now disabled by default.

See JDK-8211883

security-libs/java.security

jarsigner Prints When a timestamp Will Expire

The jarsigner tool now shows more information about the lifetime of a timestamped JAR. New warning and error messages are displayed when a timestamp has expired or is expiring within one year.

See JDK-8191438

hotspot/runtime

Linux Native Code Checks 

Additional safeguards to protect against buffer overruns in native code have been enabled on Linux. If a buffer overrun is encountered the system will write the message “stack smashing detected” and the program will exit. Issues of this type should be reported to your vendor.

JDK-8196902 (not public)

Bug Fixes 

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8201818 client-libs 2d [macosx] Printing attributes break page size set via "java.awt.print.Book" object
2 JDK-8141491 core-libs java.nio Unaligned memory access in Bits.c
3 JDK-8171049 core-libs java.time Era.getDisplayName doesn't work with non-IsoChronology
4 JDK-8205330 core-libs javax.naming InitialDirContext ctor sometimes throws NPE if the server has sent a disconnection
5 JDK-8157913 deploy packager Launcher can not find path to libpackager.so
6 JDK-8213011 deploy plugin Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError
7 JDK-8212457 deploy webstart JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled
8 JDK-8212793 deploy webstart Fix for JDK-8189783 fails
9 JDK-8147555 docs   Document that % and " characters are not supported in keys and values of a property for Java Web Start
10 JDK-8161741 docs guides Typo within section "22.2.3 File Names"
11 JDK-8189182 install install JDK8 RPM postinstall scriptlet assumes /usr/share/man/man1 exists
12 JDK-8203884 javafx graphics Update libjpeg to version 9c
13 JDK-8214035 javafx graphics Unable to render cmyk jpeg image
14 JDK-8212158 javafx other FX: Update copyright year in docs, readme files to 2019
15 JDK-8209652 javafx samples Ensemble: Update version of Lucene to 7.4.0
16 JDK-8213837 javafx samples FX samples cannot load media from download.java.net over http
17 JDK-8211304 javafx window-toolkit [macOS] Crash on focus loss from dialog on macOS 10.14 Mojave
18 JDK-8027781 security-libs java.security New jarsigner timestamp warning is grammatically incorrect
19 JDK-8209129 security-libs javax.crypto Further improvements to cipher buffer management
20 JDK-8208583 security-libs javax.crypto Better management of internal KeyStore buffers
21 JDK-8207775 security-libs javax.crypto Better management of CipherCore buffers
22 JDK-8209862 security-libs javax.crypto CipherCore performance improvement
23 JDK-8211883 security-libs javax.net.ssl Disable anon and NULL cipher suites

Java SE 8u192 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u192 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR. Note that bug fixes in previous BPR (8u181-b37) are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u192 b35

Bug Fixes

BugId Component Subcomponent Summary
8213011 deploy plugin Running application under 1.8u172 via a DRS rules with the 1.8u192 plugin fail with java.lang.NoSuchMethodError
8187364 client-libs javax.swing Unable to enter zero width non-joiner (ZWNJ) symbol in Swing text component
8159886 deploy plugin Window of a newly launched Oracle Forms applet loses focus
8141491 core-libs java.nio Unaligned memory access in Bits.c
8029661 security-libs javax.net.ssl Support TLS v1.2 algorithm in SunPKCS11 provider
8129988 security-libs javax.net.ssl JSSE should create a single instance of the cacerts KeyStore
8203190 security-libs javax.net.ssl SessionId.hashCode generates too many collisions

Changes in Java SE 8u192 b33

Bug Fixes

BugId Component Subcomponent Summary
8212457 deploy webstart JWS: Application does not launch on when jnlp.delete.jnlp.file is enabled

Changes in Java SE 8u192 b32

Bug Fixes

BugId Component Subcomponent Summary
8139507 core-libs java.util WARNING: Could not open/create prefs root node Software\JavaSoft\Prefs
8170937 client-libs java.awt Swing apps are slow if displaying from a remote source to many local displays
8193879
(Confidential)
core-svc debugger Java debugger hangs on method invocation
8163083
(Confidential)
core-svc debugger SocketListeningConnector does not allow invocations with port 0

Changes in Java SE 8u192 b31

Please note that fixes from the prior BPR (8u181 b37) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8208638 client-libs javax.swing Instead of circle rendered in appl window, but ellipse is produced JEditor Pane

Java™ SE Development Kit 8, Update 192 (JDK 8u192)

October 16, 2018

The full version string for this update release is 1.8.0_192-b12 (where "b" means "build"). The version number is 8u192.

IANA Data 2018e

JDK 8u192 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u192 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u192) will expire with the release of the next critical patch update scheduled for January 15, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u192) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features

security-libs/javax.net.ssl

Support for Customization of Default Enabled Cipher Suites via System Properties 

The system property jdk.tls.client.cipherSuites can be used to customize the default enabled cipher suites for the client side of SSL/TLS connections. In a similar way, the system property jdk.tls.server.cipherSuites can be used for customization on the server side.

The system properties contain a comma-separated list of supported cipher suite names that specify the default enabled cipher suites. All other supported cipher suites are disabled for this default setting. Unrecognized or unsupported cipher suite names specified in properties are ignored. Explicit setting of enabled cipher suites will override the system properties.

Please refer to the "Java Cryptography Architecture Standard Algorithm Name Documentation" for the standard JSSE cipher suite names, and the "Java Cryptography Architecture Oracle Providers Documentation" for the cipher suite names supported by the SunJSSE provider.

Note that the actual use of enabled cipher suites is restricted by algorithm constraints.

Note also that these system properties are currently supported by the JDK Reference Implementation. They are not guaranteed to be supported by other implementations.

Warning: These system properties can be used to configure weak cipher suites, or the configured cipher suites may become more weak over time. We do not recommend using the system properties unless you understand the security implications. Use them at your own risk.

See JDK-8162362

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8201240 client-libs 2d Improve releasing native resources of BufImgSurfaceData.ICMColorData
2 JDK-8188030 client-libs java.awt AWT java apps fail to start when some minimal fonts are present
3 JDK-8200353 client-libs java.awt Shift or Capslock not working in Textfield after accented keystrokes
4 JDK-8195738 client-libs java.awt scroll position in ScrollPane is reset after calling validate()
5 JDK-8188083 client-libs java.awt NullPointerExcpn-java.awt.image.FilteredImageSource.startProduction JDK-8079607
6 JDK-8150954 client-libs java.awt Taking screenshots on x11 composite desktop produce wrong result
7 JDK-8202696 client-libs javax.swing Remove exclusion range for phonetic chars in windows fontconfig.properties
8 JDK-8195095 client-libs javax.swing Images are not scaled correctly in JEditorPane
9 JDK-8206914 core-libs   add jdk8u-dev test failures to ProblemList.txt
10 JDK-8201369 core-libs java.net Inet4AddressImpl_getLocalHostName reverse lookup on Solaris only
11 JDK-8194412 core-libs java.time Adding 256 units of IsoFields.QUARTER_YEARS broken
12 JDK-8176192 core-libs javax.naming Incorrect usage of Iterator in Java 8 In com.sun.jndi.ldap.EventSupport.removeNamingListener
13 JDK-8156824 core-libs javax.naming com.sun.jndi.ldap.pool.PoolCleaner should clear its context class loader
14 JDK-8186646 core-libs jdk.nashorn Nashorn: "duplicate code" assertion when binding a vararg function that just passes arguments along
15 JDK-8201651 deploy plugin Better error handling during JNLP2Manager initialisation
16 JDK-8204508 deploy webstart Robot ScreenCapture fails on HiDPI system
17 JDK-8205343 deploy webstart bug in backport of JDK-8185002
18 JDK-8168415 deploy webstart ShowDocument fails with URL using jnlp or jnlps protocol
19 JDK-8193711 deploy webstart Launching JWS applet the default download progress dialog only shows if the java console is enabled
20 JDK-8195609 deploy webstart DRS - cert based run rule not working when running offline
21 JDK-8008321 hotspot compiler compile.cpp verify_graph_edges uses "bool" as "int"
22 JDK-8162540 hotspot compiler Crash in C2 escape analysis with assert: "node should be registered"
23 JDK-8194642 hotspot compiler Improve OOM error reporting for JDK8
24 JDK-8158012 hotspot compiler Use SW prefetch instructions instead of BIS for allocation prefetches on SPARC Core C4
25 JDK-8148175 hotspot compiler C1: G1 barriers don't preserve FP registers
26 JDK-8165489 hotspot gc Missing G1 barrier in Unsafe_GetObjectVolatile
27 JDK-8173013 hotspot gc JVMTI tagged object access needs G1 pre-barrier
28 JDK-8114823 hotspot gc G1 doesn't honor request to disable class unloading
29 JDK-8081323 hotspot jvmti ConstantPool::_resolved_references is missing in heap dump
30 JDK-8150426 hotspot runtime Wrong cast in metadata_at_put
31 JDK-8196884 hotspot runtime VS2017 Multiple Type Cast Conversion Compilation Errors
32 JDK-8196880 hotspot runtime VS2017 Addition of Global Delete Operator with Size Parameter Conflicts with Arena's Chunk Provided One
33 JDK-8197868 hotspot runtime VS2017 (C2065) 'timezone': Undeclared Identifier in share/runtime/os.cpp
34 JDK-8144201 hotspot runtime openjdk aarch64: jdk/test/com/sun/net/httpserver/Test6a.java fails with --enable-unlimited-crypto
35 JDK-8189170 hotspot runtime Add option to disable stack overflow checking in primordial thread for use with JNI_CreateJavaJVM
36 JDK-8206406 hotspot runtime StubCodeDesc constructor publishes partially-constructed objects on StubCodeDesc::_list
37 JDK-8186461 hotspot runtime Zero's atomic_copy64() should use SPE instructions on linux-powerpcspe
38 JDK-8185723 hotspot runtime Zero: segfaults on Power PC 32-bit
39 JDK-8026331 hotspot runtime hs_err improvement: Print if we have seen any OutOfMemoryErrors or StackOverflowErrors
40 JDK-8202600 hotspot runtime [Zero] Undefined behaviour in src/os_cpu/linux_zero/vm/os_linux_zero.cpp
41 JDK-6730115 hotspot svc Fastdebug VM crashes with "ExceptionMark destructor expects no pending exceptions" error
42 JDK-8204053 hotspot svc-agent libsaproc.so not linked with -z,noexecstack
43 JDK-8189677 javafx controls RadioMenuItem fires extra NULL value in property
44 JDK-8192800 javafx controls Table auto resize ignores column resize policy
45 JDK-8198354 javafx graphics [macOS] Corrupt Thai characters displayed in word wrapped label
46 JDK-8198316 javafx media MediaPlayer crashes when playing m3u8 files on macOS High Sierra 10.13.2
47 JDK-8202036 javafx other Update OpenJFX license files to match OpenJDK
48 JDK-8147476 javafx web Rendering issues with MathML token elements
49 JDK-8203845 performance   backport of JDK-8034788 inadvertently rolled back JDK-8187045 changes to toolchain.m4
50 JDK-8165463 security-libs   Native implementation of sunmscapi should use operator new (nothrow) for allocations
51 JDK-8185855 security-libs java.security Debug exception stacks should be clearer
52 JDK-8193171 security-libs java.security keytool -list displays "JKS" for a PKCS12 keystore.
53 JDK-8081792 security-libs javax.crypto buffer size calculation issue in NativeGCMCipher
54 JDK-8203182 security-libs javax.crypto:pkcs11 Release session if initialization of SunPKCS11 Signature fails
55 JDK-8162362 security-libs javax.net.ssl Introduce system property to control enabled ciphersuites

Java™ SE Development Kit 8, Update 191 (JDK 8u191)

October 16, 2018

The full version string for this update release is 1.8.0_191-b12 (where "b" means "build"). The version number is 8u191.

IANA Data 2018e

JDK 8u191 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u191 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_191-b12
7 1.7.0_201-b11
6 1.6.0_211-b11

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u191) will expire with the release of the next critical patch update scheduled for January 15, 2019.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u191) on February 15, 2019. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features

infrastructure/build

Build Environment Update Linux x86/x64 Moved to gcc 7.3

On x86/x64 Linux, the toolchain used to build the JDK has been upgraded from GCC 4.3 to GCC 7.3.

JDK-8206409 (not public)

Changes

core-svc

Changed Central File System Location for usagetracker.properties File

The file system location in Windows for the usagetracker.properties file has been moved from %ProgramData%\Oracle\Java\ to %ProgramFiles%\Java\conf

There is no change in the file path for Linux, Solaris, or macOS.

JDK-8204901 (not public)

security-libs/javax.net.ssl

Disabled all DES TLS Cipher Suites

DES-based TLS cipher suites are considered obsolete and should no longer be used. DES-based cipher suites have been deactivated by default in the SunJSSE implementation by adding the "DES" identifier to the jdk.tls.disabledAlgorithms security property. These cipher suites can be reactivated by removing "DES" from the jdk.tls.disabledAlgorithms security property in the java.security file or by dynamically calling the Security.setProperty() method. In both cases re-enabling DES must be followed by adding DES-based cipher suites to the enabled cipher suite list using the SSLSocket.setEnabledCipherSuites() or SSLEngine.setEnabledCipherSuites() methods.

Note that prior to this change, DES40_CBC (but not all DES) suites were disabled via the jdk.tls.disabledAlgorithms security property.

See JDK-8208350

security-libs/java.security

Removal of Several Symantec Root CAs

The following Symantec root certificates are no longer in use and have been removed:

  • Symantec
    • equifaxsecureca

      DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

    • equifaxsecureglobalebusinessca1

      DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

    • equifaxsecureebusinessca1

      DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US

    • verisignclass1g3ca

      DN: CN=VeriSign Class 1 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    • verisignclass2g3ca

      DN: CN=VeriSign Class 2 Public Primary Certification Authority - G3, OU="(c) 1999 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

    • verisignclass1g2ca

      DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

    • verisignclass1ca

      DN: OU=Class 1 Public Primary Certification Authority, O="VeriSign, Inc.", C=US

See JDK-8191031

security-libs/java.security

Removal of Baltimore Cybertrust Code Signing CA

The following Baltimore CyberTrust Code Signing root certificate is no longer in use and has been removed:

  • baltimorecodesigningca

    DN: CN=Baltimore CyberTrust Code Signing Root, OU=CyberTrust, O=Baltimore, C=IE

See JDK-8189949

security-libs/java.security

Removal of SECOM Root Certificate

The following SECOM root certificate is no longer in use and has been removed:

  • secomevrootca1

    DN: OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP

See JDK-8191844

hotspot/runtime

Java Improvements for Docker Containers

The following changes have been introduced in JDK 10 to improve the execution and configurability of Java running in Docker containers:

  • JDK-8146115 Improve docker container detection and resource configuration usage

The JVM has been modified to be aware that it is running in a Docker container and will extract container specific configuration information instead of querying the operating system. The information being extracted is the number of CPUs and total memory that have been allocated to the container. The total number of CPUs available to the Java process is calculated from any specified cpu sets, cpu shares or cpu quotas. This support is only available on Linux based platforms. This new support is enabled by default and can be disabled in the command line with the JVM option:

-XX:-UseContainerSupport

In addition, this change adds a JVM option that provides the ability to specify the number of CPUs that the JVM will use:

-XX:ActiveProcessorCount=count

This count overrides any other automatic CPU detection logic in the JVM.

  • JDK-8186248 Allow more flexibility in selecting Heap % of available RAM

Three new JVM options have been added to allow Docker container users to gain more fine grained control over the amount of system memory that will be used for the Java Heap:

  • -XX:InitialRAMPercentage
  • -XX:MaxRAMPercentage
  • -XX:MinRAMPercentage

These options replace the deprecated Fraction forms (-XX:InitialRAMFraction, -XX:MaxRAMFraction, and -XX:MinRAMFraction).

  • JDK-8179498 attach in linux should be relative to /proc/pid/root and namespace aware

This bug fix corrects the attach mechanism when trying to attach from a host process to a Java process that is running in a Docker container.

See JDK-8146115

security-libs/javax.crypto

Improved Cipher Inputs

The specification of javax.crypto.CipherInputStream has been clarified to indicate that this class may catch BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client may not be informed that integrity checks failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (e.g. GCM). Applications that require authenticated encryption can use the Cipher API directly as an alternative to using this class.

JDK-8201756 (not public)

Bug Fixes

The following are some of the notable bug fixes included in this release:

core-libs/javax.naming

LDAPS Communication Failure

Application code using LDAPS with a socket connect timeout that is <= 0 ( the default value ) may encounter an exception when establishing the connection.

The top most frames from Exception stack traces of applications encountering such issues might resemble the following:

javax.naming.ServiceUnavailableException: <server:port>; socket closed
at   com.sun.jndi.ldap.Connection.readReply(Unknown Source) 
at   com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
...

See JDK-8211107

core-libs/java.net

Better HTTP Redirection Support

In this release, the behavior of methods which application code uses to set request properties in java.net.HttpURLConnection has changed. When a redirect occurs automatically from the original destination server to a resource on a different server, then all such properties are cleared for the redirect and any subsequent redirects. If these properties are required to be set on the redirected requests, then the redirect responses should be handled by the application by calling HttpURLConnection.setInstanceFollowRedirects(false) for the original request.

JDK-8196902 (not public)

 

Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8152974 client-libs java.awt AWT hang occurrs when sequenced events arrive out of sequence
2 JDK-8208353 client-libs java.awt Upgrade JDK to libpng 1.6.35
3 JDK-8168628 core-libs java.nio (fc) SIGBUS when extending file size to map it
4 JDK-8171452 core-libs java.nio (ch) linux io_util_md: Operation not supported exception after 8168628
5 JDK-8211107 core-libs javax.naming LDAPS communication failure with jdk 1.8.0_181
6 JDK-8175871 docs guides Deployment.properties file example is incorrect
7 JDK-8198835 docs guides Typo in URL for XML section in developer guides
8 JDK-8173224 docs guides Document jdk.tls.legacyAlgorithms security property
9 JDK-8164480 hotspot compiler Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
10 JDK-8146115 hotspot runtime Improve docker container detection and resource configuration usage
11 JDK-8206875 install install [L10N]Truncation issue happens on the final dialog for pt on Mac
12 JDK-8209191 javafx graphics [macOS] Distorted complex text rendering
13 JDK-8199527 javafx media Upgrade GStreamer to 1.14
14 JDK-8209049 javafx web Cherry pick GTK WebKit 2.20.4 changes
15 JDK-8208622 javafx web [WebView] IllegalStateException when invoking print API with html form controls
16 JDK-8204856 javafx web WebEngine document becomes null after PAGE_REPLACED event
17 JDK-8208114 javafx web Drag and drop of text contents and URL links functionalities are broken in Webview
18 JDK-8203698 javafx web JavaFX WebView crashes when visiting certain web sites
19 JDK-8199474 javafx web Update to 606.1 version of WebKit
20 JDK-8200629 javafx web Update SQLite to version 3.23.0
21 JDK-8197987 javafx web Update libxslt to version 1.1.32
22 JDK-8193368 javafx web [OS X] Remove redundant files
23 JDK-8142927 other-libs other Feed some text to STDIN in ProcessTools.executeProcess()
24 JDK-8180289 security-libs java.security jarsigner treats timestamped signed jar invalid after the signer cert expires
25 JDK-8130132 security-libs java.security jarsigner should emit warning if weak algorithms or keysizes are used
26 JDK-8191031 security-libs java.security Remove several Symantec Root CAs
27 JDK-8191844 security-libs java.security Remove SECOM root (secomevrootca1)
28 JDK-8189949 security-libs java.security Remove Baltimore Cybertrust Code Signing CA
29 JDK-8074462 security-libs javax.net.ssl Handshake messages can be strictly ordered
30 JDK-8172529 security-libs jdk.security Use PKIXValidator in jarsigner
31 JDK-8197518 security-libs org.ietf.jgss Kerberos krb5 authentication: AuthList's put method leads to performance issue

Java SE 8u181 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u181 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u181 b37

Bug Fixes

BugId Component Subcomponent Summary
8211107 core-libs javax.naming LDAPS communication failure with jdk 1.8.0_181

Changes in Java SE 8u181 b36

Bug Fixes

BugId Component Subcomponent Summary
8204513
(Confidential)
deploy deployment_toolkit Context lost after resizing the browser window in applet with Forms

Changes in Java SE 8u181 b35

Bug Fixes

BugId Component Subcomponent Summary
8201818 client-libs 2d [macosx] Printing attributes break page size set via "java.awt.print.Book" object

Changes in Java SE 8u181 b34

Bug Fixes

BugId Component Subcomponent Summary
8208583 security-libs javax.crypto Better management of internal KeyStore buffers
8209129 security-libs javax.crypto Further improvements to cipher buffer management
8207775 security-libs javax.crypto Better management of CipherCore buffers

Changes in Java SE 8u181 b33

Bug Fixes

BugId Component Subcomponent Summary
8202696 client-libs javax.swing Remove exclusion range for phonetic chars in windows fontconfig.properties
8206242
(Confidential)
deploy webstart Java Web Start checks "user.dir" read permission when opening http connection

Changes in Java SE 8u181 b32

Please note that fixes from the prior BPR (8u172 b37) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8195095 client-libs javax.swing Images are not scaled correctly in JEditorPane

Java™ SE Development Kit 8, Update 181 (JDK 8u181)

July 17, 2018

The full version string for this update release is 1.8.0_181-b13 (where "b" means "build"). The version number is 8u181.

IANA Data 2018e

JDK 8u181 contains IANA time zone data version 2018e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u181 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_181-b13
7 1.7.0_191-b08
6 1.6.0_201-b07

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. This JRE (version 8u181) will expire with the release of the next critical patch update scheduled for October 16, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u181) on November 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Removed Features and Options

other-libs/javadb

 Removal of Java DB 

Java DB, also known as Apache Derby, has been removed in this release.

We recommend that you obtain the latest Apache Derby directly from the Apache project at:

https://db.apache.org/derby

JDK-8197871 (not public)

Changes

core-libs/javax.naming

 Improve LDAP support

Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

core-libs/java.io:serialization

 Better stack walking

New access checks have been added during the object creation phase of deserialization. This should not affect ordinary uses of deserialization. However, reflective frameworks that make use of JDK-internal APIs may be impacted. The new checks can be disabled if necessary by setting the system property jdk.disableSerialConstructorChecks to the value "true". This must be done by adding the argument -Djdk.disableSerialConstructorChecks=true to the Java command line.

JDK-8197925 (not public)

Bug Fixes

The following are some of the notable bug fixes included in this release:

core-svc/debugger

 Unable to use the JDWP API in JDK 8 to debug JDK >=9

The implementation of VirtualMachineImpl.canGetInstanceInfo() has been corrected, so it is now able to see JDK JVMs >= JDK 9.

This correction allows certain debugger agents to operate correctly without any action required from a user (developer).

See JDK-8197943

hotspot/gc

 JVM Crash during G1 GC 

A klass that has been considered unreachable by the concurrent marking of G1, can be looked up in the ClassLoaderData/SystemDictionary, and its _java_mirror or _class_loader fields can be stored in a root or any other reachable object making it alive again. Whenever a klass is resurrected in this manner, the SATB part of G1 needs to be notified about this, otherwise, the concurrent marking remark phase will erroneously unload that klass.

In this particular crash, while G1 was doing concurrent marking and had prepared its list of unreachable classes, JVMTI on a Java thread could traverse classes in the CLD and store thread-local JNIHandles for the java_mirror of the loaded classes. G1 did not have knowledge of these thread-local JNIHandles, and in the remark phase, it unloaded the classes per its prior knowledge of unreachable classes. When these JNIHandles were later scanned, it lead to a crash.

This fix for JDK-8187577 informs G1's SATB that a klass has been resurrected and it should not be unloaded.

See JDK-8187577

hotspot/gc

 Better stability with older NUMA libraries (-XX+UseNuma) 

A fix included in JDK 8 Update 152 introduced a regression that might cause the HotSpot JVM to crash during startup when the UseNUMA flag is used on Linux systems with versions of libnuma older than 2.0.9. This issue has been resolved.

See JDK-8198794

 

Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8201433 client-libs 2d Fix potential crash in BufImg_SetupICM
2 JDK-8198605 client-libs java.awt Touch keyboard is shown for a non-focusable text component
3 JDK-8198606 client-libs java.awt Touch keyboard does not hide, when a text component looses focus
4 JDK-8199748 client-libs java.awt Touch keyboard is not shown, if text component gets focus from other text component
5 JDK-8187635 client-libs java.awt On Windows Swing changes keyboard layout on a window activation
6 JDK-8203368 core-libs java.io:serialization ObjectInputStream filterCheck method throws NullPointerException
7 JDK-8202996 core-libs java.rmi Remove debug print statements from RMI fix
8 JDK-8197943 core-svc debugger Unable to use JDWP API in JDK 8 to debug JDK 9 VM
9 JDK-8194690 deploy   JRE bundled in App-V package will not start Java Web Start applications
10 JDK-8190689 deploy plugin Java incorrectly requires "HttpOnly" cookie attribute to be case sensitive
11 JDK-8201133 deploy webstart Security check failure for main jar downlaod with jnlp.versionEnabled and Deployment Rule Set feature
12 JDK-8189783 deploy webstart Java Web Start application with file extension association is removed from cache when invoked for the second time from browser
13 JDK-8187223 deploy webstart Long JNLP file is not parsed correctly and ends with javaws path
14 JDK-8199304 deploy webstart javaws.exe failed to launch UTF-8 encoded JNLP file
15 JDK-8038636 hotspot compiler speculative traps break when classes are redefined
16 JDK-8156137 hotspot compiler SIGSEGV in ReceiverTypeData::clean_weak_klass_links
17 JDK-8188223 hotspot compiler IfNode::range_check_trap_proj() should handle dying subgraph with single if proj
18 JDK-8169201 hotspot compiler Montgomery multiply intrinsic should use correct name
19 JDK-8187577 hotspot gc JVM crash during gc doing concurrent marking
20 JDK-8199406 hotspot gc Performance drop with Java JDK 1.8.0_162-b32
21 JDK-8055008 hotspot jvmti Clean up code that saves the previous versions of redefined classes
22 JDK-8057570 hotspot jvmti RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid
23 JDK-8198794 hotspot runtime Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3
24 JDK-8078628 hotspot runtime linux-zero does not build without precompiled header
25 JDK-8202065 install install jre/bin/javaw.exe is missing from server-jre for windows since 8u171
26 JDK-8199650 install install JDK installation uninstalls public JRE
27 JDK-8200418 javafx web webPage.executeCommand("removeFormat", null) removes the style of the body element
28 JDK-8196011 javafx web Intermittent crash when using WebView from JFXPanel application
29 JDK-8076117 security-libs java.security EndEntityChecker should not process custom extensions after PKIX validation
30 JDK-8170035 security-libs javax.net.ssl When determining the ciphersuite lists there is no debug output for disabled suites.
31 JDK-8074373 tools launcher NMT is not enabled if NMT option is specified after class path specifiers
32 JDK-8196491 xml jax-ws Newlines in JAXB string values of SOAP-requests are escaped to " "

Java SE 8u172 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u172 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u172 b37

Bug Fixes

BugId Component Subcomponent Summary
8189161 (Confidential) deploy deployment_toolkit JWS: Method required to clean up all running instances by jnlp.sis.sessionid
8189098 (Confidential) deploy webstart JWS: Request for a method to limit the number of JVMs running on the client

Changes in Java SE 8u172 b35

Bug Fixes

BugId Component Subcomponent Summary
8200359 core-libs java.time (tz) Upgrade time-zone data to tzdata2018d
8196491 xml jax-ws Newlines in JAXB string values of SOAP-requests are escaped to " "
8164480 hotspot compiler Crash with assert(handler_address == SharedRuntime::compute_compiled_exc_handler(..) failed: Must be the same
8194690 deploy webstart JRE bundled in App-V package will not start Java Web Start applications
8199304 deploy webstart javaws.exe failed to launch UTF-8 encoded JNLP file
8196011 javafx web Intermittent crash when using WebView from JFXPanel applications

Changes in Java SE 8u172 b31

Please note that fixes from prior BPR (8u162 b37) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8198794 hotspot runtime Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3
8197518 security-libs org.ietf.jgss Kerberos krb5 authentication: AuthList's put method leads to performance issue
8199406 hotspot gc Performance drop with Java JDK 1.8.0_162-b32

Java™ SE Development Kit 8, Update 172 (JDK 8u172)

April 17, 2018

The full version string for this update release is 1.8.0_172-b11 (where "b" means "build"). The version number is 8u172.

IANA Data 2018c

JDK 8u172 contains IANA time zone data version 2018c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u172 are specified in the following table:

JRE Family Version JRE Security Baseline
(Full Version String)
8 1.8.0_171-b11
7 1.7.0_181-b09
6 1.6.0_191-b09

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u172) will expire with the release of the next critical patch update scheduled for July 17, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u172) on August 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Known Issues

docs/release_notes

Description for Toolkit.getImage() and Toolkit.createImage()

The changes made under JDK-8033530 introduced an inconsistency between the implementation for and the documentation of the following methods:

  • java.awt.Toolkit.getImage(URL u)
  • java.awt.Toolkit.createimage(URL u)

The description in the API document should read:

This method first checks if there is a security manager installed. If so, the method calls the security managers checkPermission() method with the corresponding permission to ensure that the access to the image or the image creation is allowed. If the connection to the specified URL requires either URLPermission or SocketPermission, then URLPermission is used for security checks.

JDK-8154405

Changes

client-libs/java.awt

Touch Keyboard for Swing/AWT Text Components

This release adds support for automatically showing the touch keyboard for Swing/AWT text components on Microsoft Windows 8 or later. A user can display the touch keyboard either by using a touch screen to tap the text component area or by using a mouse to click in the area, when a keyboard is not attached to a computer.

The system property awt.touchKeyboardAutoShowIsEnabled controls whether this functionality is enabled in the JDK. This functionality is enabled by default. However, if the functionality is not needed, the user can switch it off from the command line by setting the system property to false:

-Dawt.touchKeyboardAutoShowIsEnabled=false

See JDK-8166772

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8130400 client-libs 2d Test java/awt/image/DrawImage/IncorrectClipXorModeSurface2Surface.java fails with ClassCastException
2 JDK-8080444 client-libs demo Update SwingSet2 to use installed L&Fs instead of hard-coded list.
3 JDK-8147542 client-libs java.awt Linux: ClassCastException when repainting after display resolution change
4 JDK-8166772 client-libs java.awt Touch keyboard is not shown for text components on a screen touch
5 JDK-8188855 core-libs   Fix VS10 build after "8187658: Bigger buffer for GetAdaptersAddresses"
6 JDK-8154017 core-libs java.lang Shutdown hooks are racing against shutdown sequence, if System.exit()-calling thread is interrupted
7 JDK-8187658 core-libs java.net Bigger buffer for GetAdaptersAddresses
8 JDK-8165466 core-libs java.text DecimalFormat percentage format can contain unexpected %
9 JDK-8136356 core-libs java.util:i18n Add time zone mappings on Windows
10 JDK-8169424 core-libs javax.script src/share/sample/scripting/scriptpad/src/scripts/memory.sh missing #!
11 JDK-8079510 core-svc java.lang.management AIX: avoid UnsatisfiedLinkError by providing empty basic implementations of getSystemCpuLoad and getProcessCpuLoad
12 JDK-8177721 core-svc javax.management Improve diagnostics in sun.management.Agent#startAgent()
13 JDK-8185498 deploy plugin Console log shows that cert is expired (but TSA valid) although no certs in chain is expired.
14 JDK-8187822 hotspot compiler C2 conditonal move optimization might create broken graph
15 JDK-8170358 hotspot gc [REDO] 8k class metaspace chunks misallocated from 4k chunk freelist
16 JDK-8170395 hotspot gc Metaspace initialization queries the wrong chunk freelist
17 JDK-8187629 hotspot runtime NMT: Memory miscounting in compiler (C2)
18 JDK-8184991 hotspot runtime NMT detail diff should take memory type into account
19 JDK-8139673 hotspot runtime NMT stack traces in output should show mt component
20 JDK-8187685 hotspot runtime NMT: Tracking compiler memory usage of thread's resource area
21 JDK-8187331 hotspot runtime VirtualSpaceList tracks free space on wrong node
22 JDK-8055755 hotspot svc Information about loaded dynamic libraries is wrong on MacOSX.
23 JDK-8031304 hotspot svc Add dcmd to print all loaded dynamic libraries.
24 JDK-8059036 hotspot svc Implement Diagnostic Commands for heap and finalizerinfo
25 JDK-8044107 hotspot svc Add Diagnostic Command to list all ClassLoaders
26 JDK-8189265 javafx controls Closing stage does not free internal resources
27 JDK-8183100 javafx controls Styles not applied reliably after Java 8u92
28 JDK-8178275 javafx samples Ensemble: Upgrade version of Lucene to 7.1.0
29 JDK-8189280 javafx swing Memory leak in SwingNode if Stage is not shown
30 JDK-8185634 javafx swing Java Fx-Swing dialogs appearing behind main stage
31 JDK-8187928 javafx web [WebView] Images copied from clipboard not written in source file format
32 JDK-8187726 javafx web [WebView] Copy and Paste of Image not resulting in expected behavior
33 JDK-8090011 javafx web 'tab' key makes control loose focus
34 JDK-8191035 javafx web WebView Canvas Graphics2D arc renders incorrectly
35 JDK-8088925 javafx web Non opaque background cause NumberFormatException
36 JDK-8187985 security-libs java.security Broken certificate number in debug output

Java™ SE Development Kit 8, Update 171 (JDK 8u171)

April 17, 2018

The full version string for this update release is 1.8.0_171-b11 (where "b" means "build"). The version number is 8u171.

IANA Data 2018c

JDK 8u171 contains IANA time zone data version 2018c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u171 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_171-b11
7 1.7.0_181-b09
6 1.6.0_191-b09

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u171) will expire with the release of the next critical patch update scheduled for July 17, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u171) on August 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

security-libs/javax.crypto

CipherOutputStream Usage

The specification of javax.crypto.CipherOutputStream has been clarified to indicate that this class catches BadPaddingException and other exceptions thrown by failed integrity checks during decryption. These exceptions are not re-thrown, so the client is not informed that integrity checks have failed. Because of this behavior, this class may not be suitable for use with decryption in an authenticated mode of operation (for example, GCM) if the application requires explicit notification when authentication fails. These applications can use the Cipher API directly as an alternative to using this class.

JDK-8182362 (not public)

Known Issues

client-libs

 Enhanced KeyStore Mechanisms

Two files, jre/bin/javaw.exeand jre/bin/jabswitch.exe, were not included in 8u171. As a workaround, users who need those files can download the non-server JRE and copy those files from it into their server JRE image.

See JDK-8203544

New Features

security-libs/javax.crypto

Enhanced KeyStore Mechanisms

A new security property named jceks.key.serialFilter has been introduced. If this filter is configured, the JCEKS KeyStore uses it during the deserialization of the encrypted Key object stored inside a SecretKeyEntry. If it is not configured or if the filter result is UNDECIDED (for example, none of the patterns match), then the filter configured by jdk.serialFilter is consulted.

If the system property jceks.key.serialFilter is also supplied, it supersedes the security property value defined here.

The filter pattern uses the same format as jdk.serialFilter. The default pattern allows java.lang.Enum, java.security.KeyRep, java.security.KeyRep$Type, and javax.crypto.spec.SecretKeySpec but rejects all the others.

Customers storing a SecretKey that does not serialize to the above types must modify the filter to make the key extractable.

JDK-8189997 (not public)

core-svc/java.lang.management

System Property to Disable JRE Last Usage Tracking

A new system property jdk.disableLastUsageTracking has been introduced to disable JRE last usage tracking for a running VM. This property can be set in the command line by using either -Djdk.disableLastUsageTracking=true or -Djdk.disableLastUsageTracking. With this system property set, JRE last usage tracking will be disabled regardless of the com.oracle.usagetracker.track.last.usage property value set in usagetracker.properties.

JDK-8192039 (not public)

Changes

security-libs/java.security

 Additional TeliaSonera Root Certificate 

"TeliaSonera Root CA v1" has been added to the cacerts keystore.

JDK-8190851 (not public)

security-libs/javax.xml.crypto

XML Signatures Signed with EC Keys Less Than 224 Bits Disabled 

The secure validation mode of the XML Signature implementation has been enhanced to restrict EC keys less than 224 bits by default. The secure validation mode is enabled either by setting the property org.jcp.xml.dsig.secureValidation to true with the javax.xml.crypto.XMLCryptoContext.setProperty() method, or by running the code with a SecurityManager.

JDK-8186032 (not public)

security-libs/javax.net.ssl

3DES Cipher Suites Disabled 

To improve the strength of SSL/TLS connections, 3DES cipher suites have been disabled in SSL/TLS connections in the JDK via the jdk.tls.disabledAlgorithms Security Property.

JDK-8175075 (not public)

core-libs/java.util.logging

System Property Controls java.util.logging.FileHandler's MAX_LOCKS Limit

A new JDK implementation specific system property jdk.internal.FileHandlerLogging.maxLocks has been introduced to control the java.util.logging.FileHandler MAX_LOCKS limit. The default value of the current MAX_LOCKS (100) is retained if this new system property is not set or an invalid value is provided to the property. Valid values for this property are integers ranging from 1 to Integer.MAX_VALUE-1.

See JDK-8153955

install

Change to Internal Java Package Names in RPM Installers 

On the Linux platform, the names of JRE and JDK packages provided by Java RPM installers have been changed. Names of JRE and JDK packages follow `jre ` and `jdk ` patterns respectively instead of the jre and jdk previously used. For example, the new names of JRE and JDK packages are jre1.8 and jdk1.8 respectively.

On Linux platform, the names of installation directories of Java products have also been changed. The installation directories of products from the 8u171 release are as follows:

  • /usr/java/jre1.8.0_171-i586 for 32bit JRE
  • /usr/java/jdk1.8.0_171-i586 for 32bit JDK
  • /usr/java/jre1.8.0_171-amd64 for 64bit JRE
  • /usr/java/jdk1.8.0_171-amd64 for 64bit JDK

See JDK-8191608

Bug Fixes

The following are some of the notable bug fixes included in this release:

core-libs/java.rmi

Server-side HTTP-tunneled RMI Connections Disabled

This release disables server side HTTP-tunneled RMI connections by default. The previous behavior can be re-enabled after due consideration of any impact by setting the runtime property sun.rmi.server.disableIncomingHttp to false. Note that this should not be confused with the sun.rmi.server.disableHttp property, which disables HTTP-tunneling on the client side and is false by default.

JDK-8193833 (not public)

 

Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8179665 client-libs javax.swing [Windows] java.awt.IllegalComponentStateException: component must be showing on the screen to determine its location
2 JDK-8054213 core-libs java.lang:reflect Class name repeated in output of Type.toString()
3 JDK-8189789 core-libs java.util.jar tomcat gzip-compressed response bodies appear to be broken in update 151
4 JDK-8153955 core-libs java.util.logging increase java.util.logging.FileHandler MAX_LOCKS limit
5 JDK-8195748 deploy webstart When in <application-desc> is present "progress-class" attribute javaws cannot start
6 JDK-8185036 docs guides Typo in one of the content link of "Location-Independent Access to Resources" doc
7 JDK-8177914 docs guides Links to jaxp.java.net in Java SE docs will be broken when java.net is shut down
8 JDK-8066866 docs guides Supported Encodings page for Java SE 8 is out of date
9 JDK-8195813 infrastructure build Change download.java.net links in java.net created pages from http to https
10 JDK-8198838 infrastructure release_eng 8u171-b08 and 8u172-b08 Need SECURE_ID Promoted
11 JDK-8191608 install   Java RPMs should allow for side-by-side installation of JDK and JRE, 32 and 64 bit, and only one update for each major version
12 JDK-8193522 install install meta-index in 1.8.0_152 does not include jfxrt.jar entries
13 JDK-8189350 javafx web Crash due to ASSERT(url == m_string) fail while loading URL
14 JDK-8187568 javafx web JavaFX crash in libjfxwebkit.so
15 JDK-8089124 javafx web HTML5: Number input allows non-numeric input
16 JDK-8187671 javafx web [WebView] Drag and Drop of text or html results in an image
17 JDK-8157686 javafx web JavaFX WebView fails to track URL changes for PJAX websites
18 JDK-8185940 javafx web Web native compiled files not removed during gradle clean
19 JDK-8186148 javafx web Few extension to MIME type mappings are missing
20 JDK-8183928 javafx web [Linux] Remove Warnings [-Wunused-parameter]
21 JDK-8196374 javafx web windows x86 webview-icu isAlphaNumericString crash
22 JDK-8196677 javafx web Cherry pick GTK WebKit 2.18.6 changes
23 JDK-8187483 javafx web Update to 605.1 version of WebKit
24 JDK-8189420 javafx web Crash in :web:test in debug build
25 JDK-8089264 javafx web DRT test fast/events/before-unload-returnValue.html times out
26 JDK-8194265 javafx web Webengine (webkit) crash when reading files using FileReader
27 JDK-8194935 javafx web Cherry pick GTK WebKit 2.18.5 changes
28 JDK-8193798 javafx web Cherry pick GTK WebKit 2.18.4 changes
29 JDK-8197463 javafx web Update libxml2 to version 2.9.7
30 JDK-8150530 security-libs javax.crypto Improve javax.crypto.BadPaddingException messages
31 JDK-8196952 security-libs javax.crypto Bad primeCertainty value setting in DSAParameterGenerator
32 JDK-8186441 xml jax-ws Change of behavior in the getMessage () method of the SOAPMessageContextImpl class

Java SE 8u162 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u162 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u162 b37

Bug Fixes

BugId Component Subcomponent Summary
8187635 client-libs java.awt On Windows Swing changes keyboard layout on a window activation
8187803 client-libs javax.swing JDK part of JavaFX-Swing dialogs appearing behind main stage
8185634 javafx swing Java Fx-Swing dialogs appearing behind main stage
8189280 javafx swing Memory leak in SwingNode if Stage is not shown

Changes in Java SE 8u162 b36

Bug Fixes

BugId Component Subcomponent Summary
8076117 security-libs java.security EndEntityChecker should not process custom extensions after PKIX validation
8176072 client-libs java.awt READING attributes are not available on TSF
8183504 client-libs javax.swing 8u131 Win 10, issue with wrong position of Sogou IME popup

Changes in Java SE 8u162 b35

Bug Fixes

BugId Component Subcomponent Summary
8171452 core-libs java.nio (ch) linux io_util_md: Operation not supported exception after 8168628
8168628 core-libs java.nio (fc) SIGBUS when extending file size to map it
8187577 hotspot gc JVM crash during gc doing concurrent marking
8196912 deploy plugin Java Plugin - CRL lookup does external search, with internal CRL configured

Changes in Java SE 8u162 b34

Bug Fixes

BugId Component Subcomponent Summary
8196332
(Confidential)
deploy plugin settings are written to the root drive on Windows-10 with MSI installer
8074373 tools launcher NMT is not enabled if NMT option is specified after class path specifiers
8192987 security-libs java.security keytool should remember real storetype if it is not provided
8187045 infrastructure build [linux] Not all libraries in the VM are linked with -z,noexecstack

Changes in Java SE 8u162 b32

Bug Fixes

BugId Component Subcomponent Summary
8057570 hotspot jvmti RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid
8156137 hotspot compiler SIGSEGV in ReceiverTypeData::clean_weak_klass_links
8055008 hotspot jvmti Clean up code that saves the previous versions of redefined classes
8038636 hotspot compiler speculative traps break when classes are redefined

Changes in Java SE 8u162 b31

Please note that fixes from the prior BPR (8u152 b35) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8054213 core-libs java.lang:reflect Class name repeated in output of Type.toString()
8189789 core-libs java.util.jar tomcat gzip-compressed response bodies appear to be broken in update 151

Java™ SE Development Kit 8, Update 162 (JDK 8u162)

January 16, 2018

The full version string for this update release is 1.8.0_162-b12 (where "b" means "build"). The version number is 8u162.

IANA Data 2017c

JDK 8u162 contains IANA time zone data version 2017c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u162 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_161-b12
7 1.7.0_171-b11
6 1.6.0_181-b10

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u162) will expire with the release of the next critical patch update scheduled for April 17, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u162) on May 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Changes

core-libs/java.rmi

 RMI Registry Filter Allows Binding Arrays of Any Type 

The RMI Registry built-in serial filter has been modified to check only the array size and not the component type. The maximum array size has been increased to 1,000,000. The override filter can be used to decrease the limit. Array sizes greater than the maxarray limit will be rejected. Sizes less than the maxarray limit will be allowed.

The java.security file contains more information about the sun.rmi.registry.registryFilter property and the conf/security/java.security configuration file has been updated to better describe the default behavior and how to override it.

See JDK-8185346

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-7162125 client‑libs 2d [macosx] A font has different behaviour for ligatures depending on its creation mode
2 JDK-8147002 client‑libs 2d [macosx] Arabic character cannot be rendered on MacOS X
3 JDK-8180370 client‑libs 2d Characters are skipped on input of Korean text on OS X
4 JDK-8181659 client‑libs 2d Create an alternative fix for JDK‑8167102, whose fix was backed out
5 JDK-8190280 client‑libs 2d [macos] Font2DTest demo started failing for Arabic range from JDK 8 u162 b01 on Mac
6 JDK-7124271 client‑libs java.awt [macosx] RealSync test failure
7 JDK-8080504 client‑libs java.awt [macosx] SunToolkit.realSync() may hang
8 JDK-8139218 client‑libs java.awt Dialog that opens and closes quickly changes focus in original focusowner
9 JDK-8155197 client‑libs java.awt Focus transition issue
10 JDK-8078269 client‑libs javax.swing JTabbedPane UI Property TabbedPane.tabAreaBackground no longer works
11 JDK-4354680 core‑libs java.lang Runtime.runFinalization() silently clears interrupted flag in the calling thread
12 JDK-8031661 core‑libs java.net java/net/Authenticator/B4769350.java failed intermittently
13 JDK-8184328 core‑libs java.net JDK 8u131 socketRead0 hang at SSL read
14 JDK-8185346 core‑libs java.rmi Relax RMI Registry Serial Filter to allow arrays of any type
15 JDK-8179086 core‑libs java.time java.time.temporal.ValueRange has poor hashCode()
16 JDK-8184893 core‑libs jdk.nashorn jdk8u152 b06 : issues with nashorn when running kraken benchmarks
17 JDK-6618335 core‑svc debugger ThreadReference.stop(null) throws NPE instead of InvalidTypeException
18 JDK-8181419 core‑svc debugger Race in jdwp invoker handling may lead to crashes or invalid results
19 JDK-8162530 core‑svc java.lang.management src/jdk.management/share/native/libmanagement_ext/GcInfoBuilder.c doesn't handle JNI exceptions properly
20 JDK-8046778 core‑svc javax.management Better error messages when starting JMX agent via attach or jcmd
21 JDK-6656031 core‑svc tools SA: jmap ‑permstat number of classes is off by 1
22 JDK-6977426 core‑svc tools sun/tools tests can intermittently fail to find app's Java pid
23 JDK-8074812 core‑svc tools More specific error message when the .java_pid well‑known file is not secure
24 JDK-8190758 deploy packager javapackager fails to consider filesystem type
25 JDK-8191176 deploy packager JavaFX Self-Contained Application fails with error "Failed to find library: jvm.dll"
26 JDK-8074544 deploy webstart webstart app fails with CouldNotLoadArgumentException when account in Japanese
27 JDK-8185661 deploy webstart JNLP files won't launch from IE11 on Windows 10 Creators Update
28 JDK-8160365 deploy webstart Desktop shortcut of Web Start application is broken after JRE update
29 JDK-8072428 hotspot compiler Enable UseLoopCounter ergonomically if on‑stack‑replacement is enabled
30 JDK-8073670 hotspot compiler TypeF::eq and TypeD::eq do not handle NaNs correctly
31 JDK-8145913 hotspot compiler PPC64: add Montgomery multiply intrinsic
32 JDK-8148786 hotspot compiler xml.transform fails on x86‑64
33 JDK-8164954 hotspot compiler split_if creates empty phi and region nodes
34 JDK-8166742 hotspot compiler SIGFPE in C2 Loop IV elimination
35 JDK-8168318 hotspot compiler PPC64: Use cmpldi instead of li/cmpld
36 JDK-8170328 hotspot compiler PPC64: Use andis instead of lis/and
37 JDK-8172751 hotspot compiler OSR compilation at unreachable bci causes C1 crash
38 JDK-8177958 hotspot compiler Possible uninitialized char* in vm_version_solaris_sparc.cpp
39 JDK-8178047 hotspot compiler Aliasing problem with raw memory accesses
40 JDK-8180855 hotspot compiler Null pointer dereference in OopMapSet::all_do of oopMap.cpp:394
41 JDK-8181810 hotspot compiler PPC64: Leverage extrdi for bitfield extract
42 JDK-8184009 hotspot compiler Missing null pointer check in InterpreterRuntime::update_mdp_for_ret()
43 JDK-8184271 hotspot compiler Time related C1 intrinsics produce inconsistent results when floating around
44 JDK-8185572 hotspot compiler Enable AssumeMP by default on SPARC machines
45 JDK-8181055 hotspot gc PPC64: "mbind: Invalid argument" still seen after 8175813
46 JDK-8185164 hotspot jvmti GetOwnedMonitorInfo() returns incorrect owned monitor
47 JDK-6651256 hotspot runtime jstack: DeleteGlobalRef method call doesn't lead to descreasing of global refs count shown by jstack
48 JDK-8087291 hotspot runtime InitialBootClassLoaderMetaspaceSize and CompressedClassSpaceSize should be checked consistent from MaxMetaspaceSize
49 JDK-8023667 hotspot svc SA: ExceptionBlob and other C2 classes not available in client VM
50 JDK-8130721 javafx graphics [macos] problem with editing thai in TextArea
51 JDK-8181922 javafx media Provide media support for libav version 57
52 JDK-8185691 javafx media MediaPlayer reports error with HTTP Live Streams instead of EOS
53 JDK-8187594 javafx media Media crashes with libavcodec 57 on Ubuntu 17.04 32‑bit
54 JDK-8188029 javafx media [macos] MediaView Crashes on OS X 10.13 High Sierra
55 JDK-8191335 javafx media Linux 32‑bit build fails after fix for JDK‑8187594
56 JDK-8190249 javafx other Missing content from cssref.html due to missed closing comment
57 JDK-8181786 javafx swing Extra runLater causes impossible states to be possible using javafx.embed.singleThread=true
58 JDK-8187781 javafx swing "InvalidDnDOperationException: Drag and drop in progress" while running javafx application with option ‑Djavafx.embed.singleThread=true
59 JDK-8182977 javafx web NullPointerException with HTMLEditor when changing the scene graph
60 JDK-8185970 javafx web Possible crash due to use‑after‑free
61 JDK-8158633 security‑libs javax.crypto BASE64 encoded cert not correctly parsed with UTF‑16
62 JDK-8187023 security‑libs javax.crypto:pkcs11 Cannot read pkcs11 config file in UTF‑16 environment
63 JDK-8140436 security‑libs javax.net.ssl Negotiated Finite Field Diffie‑Hellman Ephemeral Parameters for TLS
64 JDK-8066185 tools launcher VM crashed with SIGSEGV VirtualMemoryTracker::add_reserved_region

Java™ SE Development Kit 8, Update 161 (JDK 8u161)

January 16, 2018

The full version string for this update release is 1.8.0_161-b12 (where "b" means "build"). The version number is 8u161.

IANA Data 2017c

JDK 8u161 contains IANA time zone data version 2017c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u161 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_161-b12
7 1.7.0_171-b11
6 1.6.0_181-b10

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u161) will expire with the release of the next critical patch update scheduled for April 17, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u161) on May 17, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features

security-libs/javax.net.ssl

Added TLS session hash and extended master secret extension support

Support has been added for the TLS session hash and extended master secret extension (RFC 7627) in JDK JSSE provider. Note that in general, server certificate change is restricted if endpoint identification is not enabled and the previous handshake is a session-resumption abbreviated initial handshake, unless the identities represented by both certificates can be regarded as the same. However, if the extension is enabled or negotiated, the server certificate changing restriction is not necessary and will be discarded accordingly. In case of compatibility issues, an application may disable negotiation of this extension by setting the System Property jdk.tls.useExtendedMasterSecret to false in the JDK. By setting the System Property jdk.tls.allowLegacyResumption to false, an application can reject abbreviated handshaking when the session hash and extended master secret extension is not negotiated. By setting the System Property jdk.tls.allowLegacyMasterSecret to false, an application can reject connections that do not support the session hash and extended master secret extension.

See JDK-8148421

security-libs/javax.crypto

Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits

Enhance the JDK security providers to support 3072-bit DiffieHellman and DSA parameters generation, pre-computed DiffieHellman parameters up to 8192 bits and pre-computed DSA parameters up to 3072 bits.

See JDK-8072452

other-libs/corba

Add additional IDL stub type checks to org.omg.CORBA.ORBstring_to_object method

Applications that either explicitly or implicitly call org.omg.CORBA.ORB.string_to_object, and wish to ensure the integrity of the IDL stub type involved in the ORB::string_to_object call flow, should specify additional IDL stub type checking. This is an "opt in" feature and is not enabled by default.

To take advantage of the additional type checking, the list of valid IDL interface class names of IDL stub classes is configured by one of the following:

  • Specifying the security property com.sun.CORBA.ORBIorTypeCheckRegistryFilter located in the file conf/security/java.security in Java SE 9 or in jre/lib/security/java.security in Java SE 8 and earlier.
  • Specifying the system property com.sun.CORBA.ORBIorTypeCheckRegistryFilter with the list of classes. If the system property is set, its value overrides the corresponding property defined in the java.security configuration.

If the com.sun.CORBA.ORBIorTypeCheckRegistryFilter property is not set, the type checking is only performed against a set of class names of the IDL interface types corresponding to the built-in IDL stub classes.

JDK-8160104 (not public)

Changes

security-libs/javax.crypto

RSA public key validation

In 8u161, the RSA implementation in the SunRsaSign provider will reject any RSA public key that has an exponent that is not in the valid range as defined by PKCS#1 version 2.2. This change will affect JSSE connections as well as applications built on JCE.

JDK-8174756 (not public)

security-libs/javax.net.ssl

Restrict Diffie-Hellman keys less than 1024 bits

Diffie-Hellman keys less than 1024 bits are considered too weak to use in practice and should be restricted by default in SSL/TLS/DTLS connections. Accordingly, Diffie-Hellman keys less than 1024 bits have been disabled by default by adding "DH keySize < 1024" to the "jdk.tls.disabledAlgorithms" security property in the java.security file. Although it is not recommended, administrators can update the security property ("jdk.tls.disabledAlgorithms") and permit smaller key sizes (for example, by setting "DH keySize < 768").

JDK-8148108 (not public)

security-libs/javax.crypto

Provider default key size is updated

This change updates the JDK providers to use 2048 bits as the default key size for DSA instead of 1024 bits when applications have not explicitly initialized the java.security.KeyPairGenerator and java.security.AlgorithmParameterGenerator objects with a key size.

If compatibility issues arise, existing applications can set the system property jdk.security.defaultKeySize introduced in JDK-8181048 with the algorithm and its desired default key size.

JDK-8178466 (not public)

security-libs/javax.crypto

Stricter key generation

The generateSecret(String) method has been mostly disabled in the javax.crypto.KeyAgreement services of the SunJCE and SunPKCS11 providers. Invoking this method for these providers will result in a NoSuchAlgorithmException for most algorithm string arguments. The previous behavior of this method can be re-enabled by setting the value of the jdk.crypto.KeyAgreement.legacyKDF system property to true (case insensitive). Re-enabling this method by setting this system property is not recommended.

Prior to this change, the following code could be used to produce secret keys for AES using Diffie-Hellman:

KeyAgreement ka = KeyAgreement.getInstance("DiffieHellman");

ka.init(...);

ka.doPhase(...);

SecretKey sk = ka.generateSecret("AES");

The issue with this code is that it is unspecified how the provider should derive a secret key from the output of the Diffie-Hellman operation. There are several options for how this key derivation function can work, and each of these options has different security properties. For example, the key derivation function may bind the secret key to some information about the context or the parties involved in the key agreement. Without a clear specification of the behavior of this method, there is a risk that the key derivation function will not have some security property that is expected by the client.

To address this risk, the generateSecret(String) method of KeyAgreement was mostly disabled in the DiffieHellman services, and code like the example above will now result in a java.security.NoSuchAlgorithmException. Clients still may use the no-argument generateSecret method to obtain the raw Diffie-Hellman output, which can be used with an appropriate key derivation function to produce a secret key.

Existing applications that use the generateSecret(String) method of this service will need to be modified. Here are a few options:

A) Implement the key derivation function from an appropriate standard. For example, NIST SP 800-56Ar2[1] section 5.8 describes how to derive keys from Diffie-Hellman output.

B) Implement the following simple key derivation function:

  1. Call KeyAgreement.generateSecret() to get the shared secret as a byte array
  2. Hash the byte array produced in step 1 using SHA-256
  3. Pass the byte array produced in step 2 into the constructor of SecretKeySpec. This constructor also

requires the standard name of the secret-key algorithm (e.g. "AES")

This is a simple key derivation function that may provide adequate security in a typical application. Developers should note that this method provides no protection against the reuse of key agreement output in different contexts, so it is not appropriate for all applications. Also, some additional effort may be required to enforce key size restrictions like the ones in Table 2 of NIST SP 800-57pt1r4[2].

C) Set the jdk.crypto.KeyAgreement.legacyKDF system property to "true". This will restore the previous behavior of this KeyAgreement service. This solution should only be used as a last resort if the application code cannot be modified, or if the application must interoperate with a system that cannot be modified. The "legacy" key derivation function and its security are unspecified.

JDK-8185292 (not public)

security-libs/javax.crypto

Unlimited cryptography enabled by default

The JDK uses the Java Cryptography Extension (JCE) Jurisdiction Policy files to configure cryptographic algorithm restrictions. Previously, the Policy files in the JDK placed limits on various algorithms. This release ships with both the limited and unlimited jurisdiction policy files, with unlimited being the default. The behavior can be controlled via the new 'crypto.policy' Security property found in the /lib/java.security file. Please refer to that file for more information on this property.

See JDK-8170157

core-libs/java.rmi

The RMI Registry filter is relaxed to allow binding arrays of any type

The RMI Registry built-in serial filter is modified to check only the array size and not the component type. The maximum array size is increased to 1,000,000. The override filter can be used to decrease the limit. Array sizes greater than the maxarray limit will be rejected and otherwise will be allowed. The java.security file contains more information about the sun.rmi.registry.registryFilter property and it will be updated in the conf/security/java.security configuration file to better describe the default behavior and how to override it.

See JDK-8185346

security-libs/javax.net.ssl

Disable exportable cipher suites

To improve the strength of SSL/TLS connections, exportable cipher suites have been disabled in SSL/TLS connections in the JDK by the jdk.tls.disabledAlgorithms Security Property.

See JDK-8163237

security-libs/java.security

Disable JARs signed with DSA keys less than 1024 bits

DSA keys less than 1024 bits have been added to the jdk.jar.disabledAlgorithms Security property in the java.security file. This property contains a list of disabled algorithms and key sizes for signed JAR files. If a signed JAR file uses a disabled algorithm or key size less than the minimum length, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

  1. Applets or Web Start Applications
  2. Standalone or Server Applications run with a SecurityManager enabled and that are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

Running jarsigner -verify -verbose on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.

For example, to check a JAR file named test.jar, use this command: jarsigner -verify -verbose test.jar

If the file in this example was signed with a weak key such as 512 bit DSA, this output would be seen:

- Signed by "CN=weak_signer"
Digest algorithm: SHA1 
Signature algorithm: SHA1withDSA, 512-bit key (weak)

To address the issue, the JAR file will need to be re-signed with a stronger key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended. Before re-signing affected JARs, the existing signature(s) should be removed from the JAR file. This can be done with the zip utility, as follows:

zip -d test.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'

Periodically check the Oracle JRE and JDK Cryptographic Roadmap at http://java.com/cryptoroadmap for planned restrictions to signed JARs and other security components.

JDK-8185909 (not public)

core-svc/javax.management

JMX Connections need deserialization filters

New public attributes, RMIConnectorServer.CREDENTIALS_FILTER_PATTERN and RMIConnectorServer.SERIAL_FILTER_PATTERN have been added to RMIConnectorServer.java. With these new attributes, users can specify the deserialization filter pattern strings to be used while making a RMIServer.newClient() remote call and while sending deserializing parameters over RMI to server respectively.

The user can also provide a filter pattern string to the default agent via management.properties. As a result, a new attribute is added to management.properties.

Existing attribute RMIConnectorServer.CREDENTIAL_TYPES is superseded by RMIConnectorServer.CREDENTIALS_FILTER_PATTERN and has been removed.

JDK-8159377 (not public)

xml/jaxp

JDK Transform, Validation and XPath use the system-default parser

Java SE 9 changes the JDK's Transform, Validation and XPath implementations to use the JDK's system-default parser even when a third party parser is on the classpath. In order to override the JDK system-default parser, applications need to explicitly set the new System property jdk.xml.overrideDefaultParser.

  1. Support through the API

    The overrideDefaultParser property is supported by the following APIs:

    1. TransformerFactory::setFeature
    2. SchemaFactory::setFeature
    3. Validator::setFeature
    4. XPathFactory::setFeature
  2. Support as a System property
  3. The overrideDefaultParser property can be set through the System.setProperty.

  4. Support as a JAXP system property
  5. The overrideDefaultParser property can be set in the JAXP configuration file jaxp.properties.

  6. Scope and order

The overrideDefaultParser property follows the same rule as other JDK JAXP properties in that a setting of a narrower scope takes preference over that of a wider scope. A setting through the API overrides the System property which in turn overrides that in the jaxp.properties file.

JDK-8186080 (not public)

 

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8079595 client‑libs java.awt Resizing dialog which is JWindow parent makes JVM crash
2 JDK-8184016 client‑libs java.swing Text in native popup is not always updated with Sogou IME
3 JDK-8035105 core‑libs javax.naming DNS provider cleanups
4 JDK-8185661 deploy webstart JNLP files won't launch from IE11 on Windows 10 Creators Update
5 JDK-8186344 deploy webstart 64 bit java install not setting jnlp associate if lower 32bit versions exist
6 JDK-8157548 hotspot runtime JVM crashes sometimes while starting
7 JDK-8191607 install install undo 8189805: 64 and 32 bit RPMS must co‑exist
8 JDK-8178728 security‑libs java.security Check the AlgorithmParameters in algorithm constraints
9 JDK-8184673 security‑libs java.security Fix compatibility issue in AlgorithmChecker for 3rd party JCE providers
10 JDK-8072452 security‑libs javax.crypto Support DHE sizes up to 8192‑bits and DSA sizes up to 3072‑bits
11 JDK-8170157 security‑libs javax.crypto Enable unlimited cryptographic policy by default in Oracle JDK builds
12 JDK-8156502 security‑libs javax.net.ssl Use short name of SupportedEllipticCurvesExtension.java
13 JDK-8193683 security‑libs javax.net.ssl Increase the number of clones in the CloneableDigest
14 JDK-8159240 xml jaxb XSOM parser incorrectly processes type names with whitespaces

Java SE 8u152 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u152 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u152 b35

Bug Fixes

BugId Component Subcomponent Summary
8191608 install install Java RPMs should allow for side-by-side installation of JDK and JRE, 32 and 64 bit, and only one update for each major version
8193218 install install Simplify build system building rpms
8191607 install install undo 8189805: 64 and 32 bit RPMS must co-exist
8189805 install install 64 and 32 bit RPMS must co-exist

Changes in Java SE 8u152 b34

Bug Fixes

BugId Component Subcomponent Summary
8179665 client-libs javax.swing [Windows] java.awt.IllegalComponentStateException: component must be showing on the screen to determine its location
8186441 xml jax-ws Change of behavior in the getMessage () method of the SOAPMessageContextImpl class
8185661 deploy webstart JNLP files won't launch from IE11 on Windows 10 Creators Update
8189612
(Confidential)
deploy webstart com.sun.deploy.net.JARSigningException: Found unsigned entry in resource
8173129
(Confidential)
deploy plugin [deploy] System must be left clean after the uninstall process completes
8193168
(Confidential)
deploy javafx Failed to launch the FX application after clicking link 'click to launch this app as webstart'

Changes in Java SE 8u152 b33

Bug Fixes

BugId Component Subcomponent Summary
8184271 hotspot compiler Time related C1 intrinsics produce inconsistent results when floating around
8190258 core-libs java.time (tz) Support tzdata2017c
8190259 core-libs java.time test tck.java.time.zone.TCKZoneRules is broken by tzdata2017c

Changes in Java SE 8u152 b32

Bug Fixes

BugId Component Subcomponent Summary
6988950 core-svc debugger JDWP exit error JVMTI_ERROR_WRONG_PHASE(112)
8134103
(Confidential)
core-svc debugger JVMTI_ERROR_WRONG_PHASE(112): on checking for an interface
8182402
(Confidential)
client-libs swing Tooltip for Desktop button is in English when non-English locale is set

Changes in Java SE 8u152 b31

Please note that fixes from prior BPR (8u144 b34) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8184328 core-libs java.net JDK 8u131 socketRead0 hang at SSL read
8185346 core-libs java.rmi Relax RMI Registry Serial Filter to allow arrays of any type
8185864
(Confidential)
install install JDK 8 Install wizard is hidden after JRE silent install is used
8160365 deploy webstart Desktop shortcut of Web Start application is broken after JRE update

Java™ SE Development Kit 8, Update 152 (JDK 8u152)

October 17, 2017

The full version string for this update release is 1.8.0_152-b16 (where "b" means "build"). The version number is 8u152.

IANA Data 2017b

JDK 8u152 contains IANA time zone data version 2017b. For more information, refer to Timezone Data Versions in the JRE Software.

See JDK-8159684

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u152 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_151-b12
7 1.7.0_161-b13
6 1.6.0_171-b13

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u152) will expire with the release of the next critical patch update scheduled for January 16, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u152) on February 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Known Issues

core-libs/java.util.jar

 Decode error with Tomcat version 7.x

The zlib version shipped in the 8u151 and 7u161 JDK releases was updated to zlib v1.2.11. The deflate functionality in this version causes a compatibility issue with Tomcat v7.x. Server responses can appear as corrupt or can fail to be decoded. The issue is seen if Tomcat is using compression (e.g. compression="on" in server.xml). This issue is being fixed via JDK-8189789.

Users can disable the compression mode on their Tomcat servers as a workaround. Tomcat versions 8.x and later don't appear to be affected.

See JDK-8191040

New Features

security-libs/javax.crypto

 New Security property to control crypto policy

This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the java.security file shipping with this release for more information.

Note : On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, or 8u111, then you should set the new crypto.policy Security property in the java.security file.

Because the old JCE jurisdiction files are left in <<em>java-home</em>>/lib/security, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used:

Caused by: java.lang.SecurityException: Jurisdiction policy files are not 
signed by trusted signers!
       at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:593) 
       at 
javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:524)

See JDK-8157561

Changes

hotspot/compiler

 BigInteger performance improvements turned on by default

The performance improvements described in JDK-8130150 and JDK-8081778 have now been turned on by default. They can be turned off by using the following command options:

-XX:-UseMontgomerySquareIntrinsic
-XX:-UseMontgomeryMultiplyIntrinsic
-XX:-UseSquareToLenIntrinsic 
-XX:-UseMultiplyToLenIntrinsic

See JDK-8154945

Bug Fixes

The following are some of the notable bug fixes included in this release:

hotspot/compiler

 Compilers accept modification of final fields outside initializer methods

According to the Java VM Specification, final fields can be modified by the putfield byte code instruction only if the instruction appears in the instance initializer method <init> of the field's declaring class. Similar, static final fields can be modified by a putstatic instruction only if the instruction appears in the class initializer method <clinit> of the field's declaring class. With the JDK 9 release, the HotSpot VM fully enforces the previously mentioned restrictions, but only for class files with version number >= 53. For class files with version numbers < 53, restrictions are only partially enforced (as it is done by releases preceding JDK 9). That is, for class files with version number < 53 final fields can be modified in any method of the class declaring the field (not only class/instance initializers).

See JDK-8157181

 

Bug Fix List

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8160893 client‑libs   [macosx] JMenuItems in JPopupMenu are not accessible
2 JDK-8177315 client‑libs   backout changes for 8176516 (backport of 8173791)
3 JDK-8039412 client‑libs 2d Stack overflow on Linux using DialogTypeSelection.NATIVE
4 JDK-8040635 client‑libs 2d [macosx] Printing a shape filled with a texture doesn't work under Mac OS X
5 JDK-8058316 client‑libs 2d lookupDefaultPrintService returns null on Solaris 11 when default printer is set using lpoptions command
6 JDK-8061258 client‑libs 2d [macosx] PrinterJob's native Print Dialog does not reflect specified Copies or Page Ranges
7 JDK-8067059 client‑libs 2d PrinterJob.pageDialog() with DialogSelectionType.NATIVE returns a PageFormat when cancelled.
8 JDK-8074562 client‑libs 2d CID keyed OpenType fonts are not supported by T2K
9 JDK-8089573 client‑libs 2d [macosx] Incorrect char to glyph mapping printing on OSX 10.10
10 JDK-8158356 client‑libs 2d SIGSEGV when attempting to rotate BufferedImage using AffineTransform by NaN degrees
11 JDK-8160664 client‑libs 2d JVM crashed with font manager on Solaris 12
12 JDK-8162488 client‑libs 2d JDK should be updated to use LittleCMS 2.8
13 JDK-8162796 client‑libs 2d [macosx] LinearGradientPaint and RadialGradientPaint are not printed on OS X.
14 JDK-8167102 client‑libs 2d [macosx] PrintRequestAttributeSet breaks page size set using PageFormat
15 JDK-8170552 client‑libs 2d [macosx] Wrong rendering of diacritics on macOS
16 JDK-8170913 client‑libs 2d Java "1.8.0_112" on Windows 10 displays different characters for EUDCs from ones created in eudcedit.exe.
17 JDK-8170950 client‑libs 2d Text is displayed in bold when fonts are installed into symlinked folder
18 JDK-8175025 client‑libs 2d The copyright section in the test/java/awt/font/TextLayout/DiacriticsDrawingTest.java should be updated
19 JDK-8176530 client‑libs 2d JDK support for JavaFX modal print dialogs
20 JDK-4953367 client‑libs java.awt MAWT: Java should be more careful manipulating NLSPATH, XFILESEARCHPATH env variables
21 JDK-6980209 client‑libs java.awt Make tracking SecondaryLoop.enter/exit methods easier
22 JDK-8035568 client‑libs java.awt [macosx] Cursor management unification
23 JDK-8040322 client‑libs java.awt TextArea.replaceRange() and insert() are broken with setText(null)
24 JDK-8050478 client‑libs java.awt [macosx] Cursor not updating correctly after closing a modal dialog
25 JDK-8075516 client‑libs java.awt Deleting a file from either the open or save java.awt.FileDialog hangs.
26 JDK-8139189 client‑libs java.awt VK_OEM_102 dead key detected as VK_UNDEFINED
27 JDK-8140525 client‑libs java.awt AwtFrame::WmShowWindow() may steal focus
28 JDK-8156116 client‑libs java.awt [macosx] two JNI locals to delete in AWTWindow.m, CGraphicsEnv.m
29 JDK-8156723 client‑libs java.awt JVM crash at sun.java2d.windows.GDIBlitLoops.nativeBlit
30 JDK-8160570 client‑libs java.awt [macosx] modal dialog can skip the activation/focus events
31 JDK-8160623 client‑libs java.awt [PIT] Exception running java/awt/event/KeyEvent/KeyChar/KeyCharTest.java
32 JDK-8160696 client‑libs java.awt IllegalArgumentException: adding a component to a container on a different GraphicsDevice
33 JDK-8160941 client‑libs java.awt "text/uri‑list" dataflavor concats the first two strings
34 JDK-8163583 client‑libs java.awt [macosx] Press "To Back" button on the Dialog,the Dialog moves behind the Frame
35 JDK-8165717 client‑libs java.awt [macosx] Various memory leaks in jdk9
36 JDK-8169355 client‑libs java.awt Diacritics input works incorrectly on Windows if Spanish (Latin American) keyboard layout is used
37 JDK-8173853 client‑libs java.awt IllegalArgumentException in java.awt.image.ReplicateScaleFilter
38 JDK-8173876 client‑libs java.awt [macosx] Fast precise scrolling and DeltaAccumulator fix for macOS Sierra 10.12.2
39 JDK-8176490 client‑libs java.awt [macosx] Sometimes NSWindow.isZoomed hangs
40 JDK-8136570 client‑libs java.awt:i18n Stop changing user environment variables related to /usr/dt
41 JDK-8159696 client‑libs java.beans java.beans.MethodRef#get throws NullPointerException
42 JDK-8076249 client‑libs javax.accessibility NPE in AccessBridge while editing JList model
43 JDK-8076554 client‑libs javax.accessibility [macosx] Custom Swing text components need to allow standard accessibility
44 JDK-8145207 client‑libs javax.accessibility [macosx] JList, VO can't access non‑visible list items
45 JDK-8165829 client‑libs javax.accessibility Android Studio 2.x crashes with NPE at sun.lwawt.macosx.CAccessibility.getAccessibleIndexInParent
46 JDK-8171808 client‑libs javax.accessibility Performance problems in dialogs with large tables when JAB activated
47 JDK-8175915 client‑libs javax.accessibility NullPointerException from JComboBox and JList when Accessibility enabled
48 JDK-8168751 client‑libs javax.sound Two "Direct Clip" threads are created to play the same "AudioClip" object, what makes clip sound corrupted
49 JDK-7172652 client‑libs javax.swing With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin
50 JDK-8152981 client‑libs javax.swing Double icons with JMenuItem setHorizontalTextPosition on Win 10
51 JDK-8158325 client‑libs javax.swing Memory leak in com.apple.laf.ScreenMenu: removed JMenuItems are still referenced
52 JDK-8161664 client‑libs javax.swing Memory leak in com.apple.laf.AquaProgressBarUI: removed progress bar still referenced
53 JDK-8177450 client‑libs javax.swing javax.swing.text.html.parser.Parser parseScript ignores a character after comment end
54 JDK-8163518 core‑libs java.io Integer overflow in StringBufferInputStream.read() and CharArrayReader.read/skip()
55 JDK-8169556 core‑libs java.io Wrap FileInputStream's native skip and available methods
56 JDK-8161039 core‑libs java.lang System.getProperty("os.version") returns incorrect version number on Mac
57 JDK-8170153 core‑libs java.lang PPC64/s390x/aarch64: Poor StrictMath performance due to non‑optimized compilation
58 JDK-8170873 core‑libs java.lang PPC64/aarch64: Poor StrictMath performance due to non‑optimized compilation
59 JDK-8172053 core‑libs java.lang (ppc64) Downport of 8170153 breaks build on linux/ppc64 (big endian)
60 JDK-8173654 core‑libs java.lang Regression since 8u60: System.getenv doesn't return env var set in JNI code
61 JDK-8174729 core‑libs java.lang:reflect Race Condition in java.lang.reflect.WeakCache
62 JDK-6947916 core‑libs java.net JarURLConnection does not handle useCaches correctly
63 JDK-8022580 core‑libs java.net sun.net.ftp.impl.FtpClient.nameList(String path) handles "null" incorrectly
64 JDK-8035158 core‑libs java.net Remove dependency on sun.misc.RegexpPool and friends
65 JDK-8035653 core‑libs java.net InetAddress.getLocalHost crash
66 JDK-8071424 core‑libs java.net JCK test api/java_net/Socket/descriptions.html#Bind crashes on Windows
67 JDK-8075484 core‑libs java.net SocketInputStream.socketRead0 can hang even with soTimeout set
68 JDK-8145732 core‑libs java.net Duplicate entry in http.nonProxyHosts will ignore subsequent entries
69 JDK-8159410 core‑libs java.net InetAddress.isReachable returns true for non existing IP addresses
70 JDK-8166747 core‑libs java.net Add invalid network / computer name cases to isReachable known failure switch
71 JDK-8169865 core‑libs java.net Downport minor fixes in java.net native code from JDK 9 to JDK 8
72 JDK-8182672 core‑libs java.net Java 8u121 on Linux intermittently returns null for MAC address
73 JDK-8145981 core‑libs java.nio (fs) LinuxWatchService can reports events against wrong directory
74 JDK-8153925 core‑libs java.nio (fs) WatchService hangs on GetOverlappedResult and locks directory (win)
75 JDK-8165231 core‑libs java.nio java.nio.Bits.unaligned() doesn't return true on ppc
76 JDK-8180949 core‑libs java.rmi Correctly handle exception in TCPChannel.createConnection
77 JDK-8054214 core‑libs java.time JapaneseEra.getDisplayName doesn't return names if it's an additional era
78 JDK-8164366 core‑libs java.time ZoneOffset.ofHoursMinutesSeconds() does not reject invalid input
79 JDK-8173423 core‑libs java.time Wrong display name for supplemental Japanese era
80 JDK-8177678 core‑libs java.time Overstatement of universality of Era.getDisplayName() implementation
81 JDK-8165243 core‑libs java.util Base64.Encoder.wrap(os).write(byte[],int,int) with incorrect arguments should not produce output
82 JDK-8166507 core‑libs java.util.concurrent ConcurrentSkipListSet.clear() can leave the Set in an invalid state
83 JDK-8179515 core‑libs java.util.concurrent Class java.util.concurrent.ThreadLocalRandom fails to Initialize when using SecurityManager
84 JDK-8169056 core‑libs java.util.regex StringIndexOutOfBoundsException in Pattern.compile with CANON_EQ flag
85 JDK-8129361 core‑libs java.util:i18n ISO 4217 amendment 160
86 JDK-8145952 core‑libs java.util:i18n Currency update needed for ISO 4217 Amendment #161
87 JDK-8164784 core‑libs java.util:i18n Currency update needed for ISO 4217 Amendment #162.
88 JDK-8174736 core‑libs java.util:i18n [JCP] [Mac]Cannot launch JCP on Mac os with language set to "Chinese, Simplified" while region is not China
89 JDK-8174779 core‑libs java.util:i18n Locale issues with Mac 10.12
90 JDK-8177776 core‑libs java.util:i18n Create an equivalent test case for JDK9's SupplementalJapaneseEraTest
91 JDK-8149521 core‑libs javax.naming automatic discovery of LDAP servers with Kerberos authentication
92 JDK-8163945 core‑libs jdk.nashorn Honor Number type hint in toPrimitive on Numbers
93 JDK-8166902 core‑libs jdk.nashorn Nested object literal property maps not reset in optimistic recompilation
94 JDK-8168373 core‑libs jdk.nashorn "Bad local variable type" in ES6 Nashorn when reassigning a `let` within a `try`
95 JDK-8170565 core‑libs jdk.nashorn JSObject call() is passed undefined for the argument 'thiz'
96 JDK-8170594 core‑libs jdk.nashorn >>>=0 generates invalid bytecode for BaseNode LHS
97 JDK-8170977 core‑libs jdk.nashorn SparseArrayData should not grow its underlying dense array data
98 JDK-8171219 core‑libs jdk.nashorn Missing checks in sparse array shift() implementation
99 JDK-8171849 core‑libs jdk.nashorn Can't unambiguously select between fixed arity signatures [(java.util.Collection), (java.util.Map)]
100 JDK-8176511 core‑libs jdk.nashorn JSObject property access is broken for numeric keys outside the int range
101 JDK-8181191 core‑libs jdk.nashorn getUint32 returning Long
102 JDK-8153711 core‑svc debugger [REDO] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command
103 JDK-8160024 core‑svc debugger jdb returns invalid argument count if first parameter to Arrays.asList is null
104 JDK-8164843 core‑svc tools UsageTracker should limit records and avoid truncation
105 JDK-8169236 core‑svc tools JRE 8u112 attempts to run ICACLS.EXE on startup in Windows 10 Version 1607, build 14393
106 JDK-8173664 core‑svc tools Typo in https://java.net/downloads/heap‑snapshot/hprof‑binary‑format.html
107 JDK-8174806 deploy packager Packager update App Store runtime rules for libjfxwebkit.dylib
108 JDK-8164410 deploy plugin JRE 6u121 causes applet to fail with: Reset deny session certificate store
109 JDK-8022291 deploy webstart Mac OS: Unexpected JavaLaunchHelper message displaying
110 JDK-8161700 deploy webstart Deadlock in Java Web Start application involving JNLPClassLoader
111 JDK-8161986 deploy webstart Selecting 32/64 bit resources failed if user has installed both jre's
112 JDK-8167306 deploy webstart Side effects of using url schema handler.
113 JDK-8038348 hotspot compiler Instance field load is replaced by wrong data Phi
114 JDK-8043913 hotspot compiler remove legacy code in SPARC's VM_Version::platform_features
115 JDK-8134119 hotspot compiler Use new API to get cache line sizes
116 JDK-8134389 hotspot compiler Crash in HotSpot with jvm.dll+0x42b48 ciObjectFactory::create_new_metadata
117 JDK-8134918 hotspot compiler C2: Type speculation produces mismatched unsafe accesses
118 JDK-8140309 hotspot compiler [REDO] failed: no mismatched stores, except on raw memory: StoreB StoreI
119 JDK-8143897 hotspot compiler Weblogic12medrec assert(handler_address == SharedRuntime::compute_compiled_exc_handler(nm, pc, exception, force_unwind, true)) failed: Must be the same
120 JDK-8152172 hotspot compiler PPC64: Support AES intrinsics
121 JDK-8153134 hotspot compiler Infinite loop in handle_wrong_method in jmod
122 JDK-8153267 hotspot compiler nmethod's exception cache not multi‑thread safe
123 JDK-8154945 hotspot compiler Enable 8130150 and 8081778 intrinsics by default
124 JDK-8155781 hotspot compiler C2: opaque unsafe access triggers an assert
125 JDK-8157181 hotspot compiler Compilers accept modification of final fields outside initializer methods
126 JDK-8157306 hotspot compiler Random infrequent null pointer exceptions in javac
127 JDK-8158639 hotspot compiler C2 compilation fails with SIGSEGV
128 JDK-8162101 hotspot compiler C2: Handle "wide" aliases for unsafe accesses
129 JDK-8162384 hotspot compiler Performance regression: bimorphic inlining may be bypassed by type speculation
130 JDK-8162496 hotspot compiler missing precedence edge for anti_dependence
131 JDK-8164002 hotspot compiler Add a new CPU family (S_family) for SPARC S7 and above processors
132 JDK-8164293 hotspot compiler HotSpot leaking memory in long‑running requests
133 JDK-8164508 hotspot compiler unexpected profiling mismatch in c1 generated code
134 JDK-8165482 hotspot compiler java in ldoms, with cpu‑arch=generic has problems
135 JDK-8173373 hotspot compiler C1: NPE is thrown instead of LinkageError when accessing inaccessible field on NULL receiver
136 JDK-8175887 hotspot compiler C1 value numbering handling of Unsafe.get*Volatile is incorrect
137 JDK-8177095 hotspot compiler Range check dependent CastII/ConvI2L is prematurely eliminated
138 JDK-8140584 hotspot gc nmethod::oops_do_marking_epilogue always runs verification code
139 JDK-8153176 hotspot gc Long pause in ParOldGC, because ParallelTaskTerminator peeks wrong TaskQueueSet
140 JDK-8168914 hotspot gc Crash in ClassLoaderData/JNIHandleBlock::oops_do during concurrent marking
141 JDK-8170409 hotspot gc CMS: Crash in CardTableModRefBSForCTRS::process_chunk_boundaries
142 JDK-8175813 hotspot gc PPC64: "mbind: Invalid argument" when ‑XX:+UseNUMA is used
143 JDK-8180048 hotspot gc Interned string and symbol table leak memory during parallel unlinking
144 JDK-8034249 hotspot jvmti need more workarounds for suspend equivalent condition issue
145 JDK-8081219 hotspot jvmti hs_err improvement: Add event logging for class redefinition to the hs_err file
146 JDK-8162795 hotspot jvmti [REDO] MemberNameTable doesn't purge stale entries
147 JDK-8049717 hotspot runtime expose L1_data_cache_line_size for diagnostic/sanity checks
148 JDK-8087342 hotspot runtime Crash in klassItable::initialize_itable_for_interface when running SelectionResolution InvokeInterfaceICCE.java
149 JDK-8162766 hotspot runtime Unsafe_DefineClass0 accesses raw oops while in _thread_in_native
150 JDK-8163969 hotspot runtime Cyclic interface initialization causes JVM crash
151 JDK-8165153 hotspot runtime Crash in rebuild_cpu_to_node_map
152 JDK-8171155 hotspot runtime Scanning method file for initialized final field updates can fail for non‑existent fields
153 JDK-8171194 hotspot runtime Exception "Duplicate field name&signature in class file" should report the name and signature of the field
154 JDK-8177817 hotspot runtime Remove assertions in 8u that were removed by 8056124 in 9.
155 JDK-8166208 hotspot svc FlightRecorderOptions settings for defaultrecording ignored.
156 JDK-8173941 hotspot svc SA does not work if executable is DSO
157 JDK-8161945 install install REGRESSION: 8u91 update of 32 bit JRE removes preferences of the 64 bit JRE
158 JDK-8164096 javafx base ListChangeListener on ReadOnlyListWrapper's getReadOnlyProperty() does not reset change
159 JDK-8139841 javafx controls Axis class does not render ticks marks when tick labels are invisible
160 JDK-8139850 javafx controls CategoryAxis rotates improperly as yAxis
161 JDK-8163486 javafx controls NumberAxis: inaccurate rendering of ticks when tick unit is low
162 JDK-8166847 javafx controls NumberAxis: sticked numbers sometimes
163 JDK-8168895 javafx controls Tick marks position is not animated when toggling forceZeroInRange
164 JDK-8134600 javafx fxml Can't pass ObservableList as argument using FXML
165 JDK-8087565 javafx graphics Scaling problem on OSX Retina
166 JDK-8088205 javafx graphics [Mac] WebView renders icons instead of letters on some sites
167 JDK-8088395 javafx graphics Print dialogs are not blocking/modal w.r.t specified owner windows
168 JDK-8088857 javafx graphics Menu slow to respond after resizing a window multiple times with animation running
169 JDK-8090176 javafx graphics Pisces software renderer shows incomplete border images in particular situation
170 JDK-8148549 javafx graphics Region is not rendered correctly when node cache is enabled
171 JDK-8151744 javafx graphics wrong width/height in texture update
172 JDK-8154148 javafx graphics [Mac] JavaFX crashes on startup when run on Mac in VMWare
173 JDK-8156078 javafx graphics Stage alwaysOnTop property not reset to false if permission is denied
174 JDK-8163526 javafx graphics protect FileChooser return from internal NPE
175 JDK-8169777 javafx graphics MenuBar unoperable after moving Application to second monitor
176 JDK-8173468 javafx graphics Font.loadFont returns null on some Ubuntu 32bits
177 JDK-8174688 javafx graphics JavaFX Applet popup windows are in the wrong location on Mac
178 JDK-8178804 javafx graphics Excessive memory consumption in TriangleMesh/MeshView
179 JDK-8156563 javafx media JavaFX Ensemble8 media sample hang and crash
180 JDK-8159869 javafx media HTTP Live Streaming not working anymore
181 JDK-8091485 javafx samples Ensemble8: Review each sample description, playground, appearance, related docs and links
182 JDK-8134354 javafx samples Ensemble Media samples sliders don't react to clicks
183 JDK-8136918 javafx samples Ensemble uses deprecated flv (vp6) media files hosted on OTN
184 JDK-8136968 javafx samples [Mac] Regression from JDK‑8087709
185 JDK-8142439 javafx samples Ensemble8 media player slider issues
186 JDK-8152858 javafx samples Ensemble Timeline regression
187 JDK-8165373 javafx samples Ensemble8 uses setAccessible to access methods and fields of various classes
188 JDK-8168095 javafx samples Second image in Ensemble8/Image Creation sample does not load
189 JDK-8170421 javafx samples Ensemble8 black flash at startup on b145+
190 JDK-8130675 javafx scenegraph Document that setting scene on stage changes stage size unless explicitly set
191 JDK-8164141 javafx scenegraph [Javadoc] Replace references of Stage with Window in the Window class
192 JDK-8172554 javafx swing [macos] deadlock on JFXPanel startup
193 JDK-8174154 javafx swing NPE in JFXPanel$HostContainer#setEmbeddedStage
194 JDK-8088681 javafx web Underscore not visible in HTML combo box options inside webview
195 JDK-8089915 javafx web Input of type file doesn't honor "accept" attribute.
196 JDK-8090216 javafx web HTMLEditor: font bold doesn't work when an indent is set
197 JDK-8136847 javafx web DRT test fast/canvas/canvas‑fillRect‑shadow.html fails
198 JDK-8144263 javafx web [WebView, OS X] Webkit rendering artifacts with inertia scrolling
199 JDK-8150982 javafx web Crash when calling WebEngine.print on background thread
200 JDK-8158196 javafx web WebView Form Post fails if connection is closed before keepAlive‑Timeout
201 JDK-8162922 javafx web JavaFx WebView canvas doesn't support dash within strokeRec
202 JDK-8164314 javafx web [WebView] Debug build is no longer working after JDK‑8089681
203 JDK-8165098 javafx web WebEngine.print will attempt to print even if the printer job is complete or has an error
204 JDK-8165173 javafx web canvas/philip/tests/2d.path.clip.empty.html fails with 8u112
205 JDK-8166231 javafx web use @Native annotation in web classes
206 JDK-8166677 javafx web HTMLEditor freezes after restoring previously maximized window
207 JDK-8167098 javafx web Backport of JDK‑8158926 to JDK 8u mistakenly used preliminary patch
208 JDK-8167675 javafx web Animated gifs are not working
209 JDK-8168887 javafx web [WebView] ComboBox and DropDownList ‑ Render fragments of the scrollbar are visible
210 JDK-8169204 javafx web Need to document JSObject Call and setSlot APIs to use weak references
211 JDK-8170938 javafx web Memory leak in JavaFX WebView
212 JDK-8172361 javafx web Update java‑wrappers for WebKit generated classes following WebKit update
213 JDK-8172495 javafx web Ignore __cmake_systeminformation from web module build directory
214 JDK-8174919 javafx web SocketException no longer handled by WebView when processing web pages
215 JDK-8144258 javafx window‑toolkit Ensemble Advanced Media sample hangs after going full screen
216 JDK-8160241 javafx window‑toolkit Maximizing an Window with Screen‑Size hides it
217 JDK-8166106 javafx window‑toolkit JVM crash on resizing JavaFX application with title and icon
218 JDK-8172561 javafx window‑toolkit Copying String with "\r\n" to Clipboard duplicates "\r"
219 JDK-8155211 security‑libs java.security Ucrypto Library leaks native memory
220 JDK-8163896 security‑libs java.security Finalizing one key of a KeyPair invalidates the other key
221 JDK-8164846 security‑libs java.security CertificateException missing cause of underlying exception
222 JDK-8176536 security‑libs java.security Improved algorithm constraints checking
223 JDK-8157561 security‑libs javax.crypto Ship the unlimited policy files in JDK Updates
224 JDK-8165751 security‑libs javax.crypto NPE hit with java.security.debug=provider
225 JDK-8173581 security‑libs javax.crypto performance regression in com/sun/crypto/provider/OutputFeedback.java
226 JDK-8169229 security‑libs javax.net.ssl RSAClientKeyExchange debug info is incorrect
227 JDK-8181205 security‑libs javax.net.ssl JRE fails to load/register security providers when started from UNC pathname
228 JDK-8147772 security‑libs javax.security Update KerberosTicket to describe behavior if it has been destroyed and fix NullPointerExceptions
229 JDK-8163104 security‑libs javax.security Unexpected NPE still possible on some Kerberos ticket calls
230 JDK-8153438 security‑libs javax.smartcardio Avoid repeated "Please insert a smart card" popup windows
231 JDK-8170278 security‑libs org.ietf.jgss:krb5 ticket renewal won't happen with debugging turned on
232 JDK-8176329 tools   jdeps to detect MR jar file and output a warning
233 JDK-8180660 tools javac missing LNT entry for finally block
234 JDK-8028363 xml   XmlGregorianCalendarImpl.getTimeZone() bug when offset is less than 10 minutes
235 JDK-8169112 xml javax.xml.transform java.lang.VerifyError: (class: GregorSamsa, method: template$dot$0$outline$1 signature: (LGregorSamsa$48;)V) Register 10 contains wrong type
236 JDK-8146086 xml jax‑ws Publishing two webservices on same port fails with "java.net.BindException: Address already in use"
237 JDK-8172297 xml jax‑ws In java 8, the marshalling with JAX‑WS does not escape carriage return
238 JDK-8162598 xml jaxp XSLTC transformer swallows empty namespace declaration which is needed to undeclare default namespace
239 JDK-8146961 xml org.w3c.dom Fix PermGen memory leaks caused by static final Exceptions

Java™ SE Development Kit 8, Update 151 (JDK 8u151)

October 17, 2017

The full version string for this update release is 1.8.0_151-b12 (where "b" means "build"). The version number is 8u151.

IANA Data 2017b

JDK 8u151 contains IANA time zone data version 2017b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u151 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_151-b12
7 1.7.0_161-b13
6 1.6.0_171-b13

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u151) will expire with the release of the next critical patch update scheduled for January 16, 2018.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u151) on February 16, 2018. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Known Issues

core-libs/java.util.jar

Decode error with Tomcat version 7.x

The zlib version shipped in the 8u151 and 7u161 JDK releases was updated to zlib v1.2.11. The deflate functionality in this version causes a compatibility issue with Tomcat v7.x. Server responses can appear as corrupt or can fail to be decoded. The issue is seen if Tomcat is using compression (e.g. compression="on" in server.xml). This issue is being fixed via JDK-8189789.

Users can disable the compression mode on their Tomcat servers as a workaround. Tomcat versions 8.x and later don't appear to be affected.

See JDK-8191040

Notes

security-libs/java.security

Better keystore handling

Due to the more rigorous procedure of reading a keystore content, some keystores (particularly, those created with old versions of the JDK or with a JDK from other vendors) might need to be regenerated.

The following procedure can be used to import the keystore:

1. Before you start, create a backup of your keystore. For example, if your keystore file is /DIR/KEYSTORE, make a copy of it:

cp /DIR/KEYSTORE /DIR/KEYSTORE.BK

Download an older release of the JDK, prior CPU17_04, and install it in a separate location. For example: 6u161, 7u151, or 8u141. Suppose, that older JDK is installed in the directory /JDK8U141

2. Make sure that the keystore can be successfully read with the keytool from that older directory. For example, if the keystore file is located in /DIR/KEYSTORE, the following command should successfully list its content:

/JDK8U141/bin/keytool -list /DIR/KEYSTORE

3. Import the keystore. For example:

/JDK8U141/bin/keytool -importkeystore \
-srckeystore /DIR/KEYSTORE \
-srcstoretype JCEKS \
-srcstorepass PASSWORD \
-destkeystore /DIR/KEYSTORE.NEW \
-deststoretype JCEKS \
-deststorepass PASSWORD

4. Verify that the newly created keystore is correct. At the very least, make sure that the keystore can be read with keytool from a newer JDK:

/NEW_JDK/bin/keytool -list /DIR/KEYSTORE.NEW

After successful verification, replace the old keystore with the new one:

mv /DIR/KEYSTORE.NEW /DIR/KEYSTORE

Keep the backup copy of the keystore at least until you are sure the imported keystore is correct.

JDK-8181370 (not public)

core-libs/java.net

Default timeouts have changed for FTP URL handler

Timeouts used by the FTP URL protocol handler have been changed from infinite to 5 minutes. This will result in an IOException from connect and read operations if the FTP server is unresponsive. For example, new URL("ftp://example.com").openStream().read(), will fail with java.net.SocketTimeoutException in case a connection or reading could not be completed within 5 minutes.

To revert this behaviour to that of previous releases, the following system properties may be used, sun.net.client.defaultReadTimeout=0, sun.net.client.defaultConnectTimeout=0

JDK-8181612 (not public)

install

Demo references in Solaris install documentation

Demos were removed from package tar.Z bundle(JDK-7066713). There is a separate Demos&Samples bundle beginning with 7u2 b08 and 6u32 b04, but Solaris patches still contain SUNWj7dmo/SUNWj6dmo. The 64 bit packages are SUNWj7dmx/SUNWj6dmx

Demo packages remain in the existing Solaris patches; however, just because they are there doesn't mean that they are installed. They will be patched only if the end user has them installed on the system.

http://docs.oracle.com/javase/7/docs/webnotes/install/solaris/solaris-jdk.html

The link above is to the Solaris OS Install Directions for the JDK. The SUNWj7dmx package is mentioned in the tar.Z portion of the directions. This is confusing to some as, according to the cited bug, the SUNWj7dmx package shouldn't be part of the tar.Z bundle.

See JDK-8175866

Certificate Changes

Remove revoked Swisscom root certificate "swisscomrootevca2"

One Swisscom root certificate has been revoked by Swisscom and has been removed:

Swisscom Root EV CA 2
alias: "swisscomrootevca2 [jdk]"
DN: CN=Swisscom Root EV CA 2, OU=Digital Certificate Services, O=Swisscom, C=ch

JDK-8186330 (not public)

New Features

security-libs/javax.crypto

New Security property to control crypto policy

This release introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. In older releases, JCE jurisdiction files had to be downloaded and installed separately to allow unlimited cryptography to be used by the JDK. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the java.security file, or has been set dynamically by using the Security.setProperty() call before the JCE framework has been initialized, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'. See the notes in the java.security file shipping with this release for more information.

Note: On Solaris, it's recommended that you remove the old SVR4 packages before installing the new JDK updates. If an SVR4 based upgrade (without uninstalling the old packages) is being done on a JDK release earlier than 6u131, 7u121, 8u111, then you should set the new crypto.policy Security property in the java.security file.

Because the old JCE jurisdiction files are left in <java-home>/lib/security, they may not meet the latest security JAR signing standards, which were refreshed in 6u131, 7u121, 8u111, and later updates. An exception similar to the following might be seen if the old files are used:

Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers! at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:593) at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:524)

See JDK-8157561

other-libs/corba
 Add Additional IDL Stub Type Checks to org.omg.CORBA.ORB::string_to_object Method

Applications that either explicitly or implicitly call org.omg.CORBA.ORB.string_to_object, and wish to ensure the integrity of the IDL stub type involved in the ORB::string_to_object call flow, should specify additional IDL stub type checking. This is an "opt in" feature and is not enabled by default.

To take advantage of the additional type checking, the list of valid IDL interface class names of IDL stub classes is configured by one of the following:

  • Specifying the security property com.sun.CORBA.ORBIorTypeCheckRegistryFilter located in the file conf/security/java.security in Java SE 9 or in jre/lib/security/java.security in Java SE 8 and earlier.

  • Specifying the system property com.sun.CORBA.ORBIorTypeCheckRegistryFilter with the list of classes. If the system property is set, its value overrides the corresponding property defined in the java.security configuration.

If the com.sun.CORBA.ORBIorTypeCheckRegistryFilter property is not set, the type checking is only performed against a set of class names of the IDL interface types corresponding to the built-in IDL stub classes.

JDK-8160104 (not public)

Changes

security-libs/java.security

Refactor existing providers to refer to the same constants for default values for key length

Two important changes have been made for this issue:

1. A new system property has been introduced that allows users to configure the default key size used by the JDK provider implementations of KeyPairGenerator and AlgorithmParameterGenerator. This property is named "jdk.security.defaultKeySize" and the value of this property is a list of comma-separated entries. Each entry consists of a case-insensitive algorithm name and the corresponding default key size (in decimal) separated by ":". In addition, white space is ignored.

By default, this property will not have a value, and JDK providers will use their own default values. Entries containing an unrecognized algorithm name will be ignored. If the specified default key size is not a parseable decimal integer, that entry will be ignored as well.

2. The DSA KeyPairGenerator implementation of the SUN provider no longer implements java.security.interfaces.DSAKeyPairGenerator. Applications which cast the SUN provider's DSA KeyPairGenerator object to a java.security.interfaces.DSAKeyPairGenerator can set the system property "jdk.security.legacyDSAKeyPairGenerator". If the value of this property is "true", the SUN provider will return a DSA KeyPairGenerator object which implements the java.security.interfaces.DSAKeyPairGenerator interface. This legacy implementation will use the same default value as specified by the javadoc in the interface.

By default, this property will not have a value, and the SUN provider will return a DSA KeyPairGenerator object which does not implement the forementioned interface and thus can determine its own provider-specific default value as stated in the java.security.KeyPairGenerator class or by the "jdk.security.defaultKeySize" system property if set.

JDK-8181048 (not public)

core-libs/java.util:collections

Collections use serialization filter to limit array sizes

Deserialization of certain collection instances will cause arrays to be allocated. The ObjectInputFilter.checkInput() method is now called prior to allocation of these arrays. Deserializing instances of ArrayDeque, ArrayList, IdentityHashMap, PriorityQueue, java.util.concurrent.CopyOnWriteArrayList, and the immutable collections (as returned by List.of, Set.of, and Map.of) will call checkInput() with a FilterInfo instance whose style="font-family: Courier New;">serialClass() method returns Object[].class. Deserializing instances of HashMap, HashSet, Hashtable, and Properties will call checkInput() with a FilterInfo instance whose serialClass() method returns Map.Entry[].class. In both cases, the FilterInfo.arrayLength() method will return the actual length of the array to be allocated. The exact circumstances under which the serialization filter is called, and with what information, is subject to change in future releases.

JDK-8174109 (not public)

security-libs/java.security

keytool now prints warnings when reading or generating certificates/certificate requests/CRLs using weak algorithms

With one exception, keytool will always print a warning if the certificate, certificate request, or CRL it is parsing, verifying, or generating is using a weak algorithm or key. When a certificate is from an existing TrustedCertificateEntry, either in the keystore directly operated on or in the cacerts keystore when the -trustcacerts option is specified for the -importcert command, keytool will not print a warning if it is signed with a weak signature algorithm. For example, suppose the file cert contains a CA certificate signed with a weak signature algorithm, keytool -printcert -file cert and keytool -importcert -file cert -alias ca -keystore ks will print out a warning, but after the last command imports it into the keystore, keytool -list -alias ca -keystore ks will not show a warning anymore.

Precisely, an algorithm or a key is weak if it matches the value of the jdk.certpath.disabledAlgorithms security property defined in the conf/security/java.security file.

See JDK-8171319

security-libs/java.security

New defaults for DSA keys in jarsigner and keytool

For DSA keys, the default signature algorithm for keytool and jarsigner has changed from SHA1withDSA to SHA256withDSA and the default key size for keytool has changed from 1024 bits to 2048 bits.

Users wishing to revert to the previous behavior can use the -sigalg option of keytool and jarsigner and specify SHA1withDSA and the -keysize option of keytool and specify 1024.

There are a few potential compatibility risks associated with this change:

  1. If you have a script that uses the default key size of keytool to generate a DSA keypair but then subsequently specifies a specific signature algorithm, ex:
    keytool -genkeypair -keyalg DSA -keystore keystore -alias mykey ...
    keytool -certreq -sigalg SHA1withDSA -keystore keystore -alias mykey ...

    it will fail with one of the following exceptions, because the new 2048-bit keysize default is too strong for SHA1withDSA:

    keytool error: java.security.InvalidKeyException: The security strength of 
    SHA-1 digest algorithm is not sufficient for this key size
    keytool error: java.security.InvalidKeyException: DSA key must be at most 
    1024 bits

    The workaround is to remove the -sigalg option and use the stronger SHA256withDSA default or, at your own risk, use the -keysize option of keytool to specify a smaller key size (1024).

  2. If you use jarsigner to sign JARs with the new defaults, previous versions (than this release) of JDK 6 and 7 do not support the stronger defaults and will not be able to verify the JAR. jarsigner -verify on an earlier release of JDK 6 or 7 will output the following error:

    jar is unsigned. (signatures missing or not parsable)

    If you add -J-Djava.security.debug=jar to the jarsigner command line, the cause will be output:

    jar: processEntry caught: java.security.NoSuchAlgorithmException: 
    SHA256withDSA Signature not available

    If compatibility with earlier releases is important, you can, at your own risk, use the -sigalg option of jarsigner and specify the weaker SHA1withDSA algorithm.

  3. If you use a PKCS11 keystore, the SunPKCS11 provider does not support the SHA256withDSA algorithm. jarsigner and some keytool commands may fail with the following exception if PKCS11 is specified with the -storetype option, ex:
    keytool error: java.security.InvalidKeyException: No installed provider
    supports this key: sun.security.pkcs11.P11Key$P11PrivateKey

    A similar error may occur if you are using NSS with the SunPKCS11 provider. The workaround is to use the -sigalg option of keytool and specify SHA1withDSA.

See JDK-8057810

security-libs/java.security

Add warnings to keytool when using JKS and JCEKS

When keytool is operating on a JKS or JCEKS keystore, a warning may be shown that the keystore uses a proprietary format and migrating to PKCS12 is recommended. The keytool's -importkeystore command is also updated so that it can convert a keystore from one type to another if the source and destination point to the same file.

JDK-8182879 (not public)

security-libs/java.security

keytool now prints out information of a certificate's public key

Keytool now prints out the key algorithm and key size of a certificate's public key, in the form of "Subject Public Key Algorithm: <size>-bit RSA key", where <size> is the key size in bits (ex: 2048).

See JDK-8029659

tools

Improve javadoc generation

The Javadoc Standard Doclet documentation has been enhanced to specify that it doesn't validate the content of documentation comments for conformance, nor does it attempt to correct any errors in documentation comments. See the Conformance section in the Doclet documentation.

JDK-8179042 (not public)

 

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

# BugId Component Subcomponent Summary
1 JDK-8179084 hotspot gc HotSpot VM fails to start when AggressiveHeap is set
2 JDK-8089283 javafx web Padding property of the select tag is incorrect in WebView
3 JDK-8132675 javafx web VBox.setVgrow and HBox.setHgrow corrupt following controls when window resized
4 JDK-8138652 javafx web [macosx] New WebView Native Code uses private Apple APIs
5 JDK-8165909 javafx web JavaScript to Java String conversion is not correct
6 JDK-8170450 javafx web Crash while loading wordpress.com in HiDPI / Retina display
7 JDK-8172495 javafx web Ignore __cmake_systeminformation from web module build directory
8 JDK-8172836 javafx web WebView Debug build is broken
9 JDK-8176729 javafx web com.sun.webkit.dom.NodeImpl#SelfDisposer is not called
10 JDK-8178319 javafx web Build sqlite3 from source
11 JDK-8178360 javafx web Build and integrate ICU from source
12 JDK-8178440 javafx web Build libxml2 and libxslt from source
13 JDK-8179673 javafx web JVM Crash in WebPage.setBackgroundColor() during webpage navigation (Non Public API)
14 JDK-8180825 javafx web Javafx WebView fails to render pdf.js
15 JDK-8183292 javafx web Update to 604.1 version of WebKit
16 JDK-8184448 javafx web Crash while loading gif images with more frames
17 JDK-8185132 javafx web window.requestAnimationFrame API is not working
18 JDK-8172847 javafx window‑toolkit [macos] If you hit the escape key repeatedly to close the subwindow, the process crashes
19 JDK-8029659 security‑libs java.security Keytool, print key algorithm of certificate or key entry
20 JDK-8154015 security‑libs java.security Apply algorithm constraints to timestamped code
21 JDK-8171319 security‑libs java.security keytool should print out warnings when reading or generating cert/cert req using weak algorithms
22 JDK-8177569 security‑libs java.security keytool should not warn if signature algorithm used in cacerts is weak
23 JDK-8157561 security‑libs javax.crypto Ship the unlimited policy files in JDK Updates
24 JDK-8167485 tools visualvm Integrate new version of Java VisualVM based on VisualVM 1.3.9 into JDK

Java SE 8u144 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u144 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u144 b34

Bug Fixes

BugId Component Subcomponent Summary
8159035
(Confidential)
security-libs javax.crypto com/sun/crypto/provider/Cipher/CTS/CTSMode.java test crashed due to unhandled case of cipher length value as 0

Changes in Java SE 8u144 b33

Bug Fixes

BugId Component Subcomponent Summary
8185572 hotspot compiler Enable AssumeMP by default on SPARC machines
8074544 deploy webstart webstart app fails with CouldNotLoadArgumentException when account in Japanese
8133531
(Confidential)
deploy webstart deployJava.launchWebStartApplication() couldn't work
8129820
(Confidential)
deploy webstart Crash in native javaws base64 code
8180490
(Confidential)
deploy plugin Forms context lost when legacy_lifecycle=yes

Changes in Java SE 8u144 b32

Bug Fixes

BugId Component Subcomponent Summary
8180048 hotspot gc Interned string and symbol table leak memory during parallel unlinking
8175169
(Confidential)
deploy webstart Reduce security dialogs when only application args change
8180457
(Confidential)
deploy webstart WebStart cached jar verification intermittently slow in native ReadFile function

Changes in Java SE 8u144 b31

Please note that fixes from prior BPR (8u141 b32) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8134389 hotspot compiler Crash in HotSpot with jvm.dll+0x42b48 ciObjectFactory::create_new_metadata
8158639 hotspot compiler C2 compilation fails with SIGSEGV

Java™ SE Development Kit 8, Update 144 (JDK 8u144)

July 26, 2017

The full version string for this update release is 1.8.0_144-b01 (where "b" means "build"). The version number is 8u144.

IANA Data 2017b

JDK 8u144 contains IANA time zone data version 2017b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u144 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_141-b15
7 1.7.0_151-b15
6 1.6.0_161-b13

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u144) will expire with the release of the next critical patch update scheduled for October 17, 2017.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u144) on November 17, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Changes

core-libs/java.util.jar

java.util.zip.ZipFile.getEntry() now always returns the ZipEntry instance with a / ended entry name for directory entry

The java.util.zip.ZipEntry API doc specifies "A directory entry is defined to be one whose name ends with a /". However, in previous JDK releases, java.util.zip.ZipFile.getEntry(String entryName) may return a ZipEntry instance with an entry name that does not end with / for an existing zip directory entry when

  • the passed in argument entryName does not end with a /, and
  • there is a matching zip directory entry with name entryName + / in the zip file.

With this release, the name of the ZipEntry instance returned from java.util.zip.ZipFile.getEntry() always ends with / for any zip directory entry.

To revert to the previous behavior, set the system property jdk.util.zip.ensureTrailingSlash to "false".

This change was made in order to fix a regression introduced in JDK 8u141 when verifying signed JARs that has caused some WebStart applications to fail to load.

See JDK-8184993

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

# BugId Component Subcomponent Summary
1 JDK-8184993 security‑libs java.security Jar file verification failing with SecurityException: digest missing xxx

Java SE 8u141 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u141 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u141 b32

Please note that fixes from prior BPR (8u131 b34) are included in this version.

Known Issues

deploy/webstart

JAR file validation changes

After upgrading to the JDK July CPU release (8u141/7u151/6u161), when executing Java Webstart applications, customers may encounter an exception like

“java.lang.SecurityException: digest missing for …” that prevents the application from loading.

The issue is observed in signed JAR files whose manifest contains package version information[1] and does not have a trailing "/" in the name of the package (e.g.: Name: org/apache/xml/resolver). While we work towards resolving this issue, in the interim, users can work-around the issue as follows:

NOTE: We recommend use of this workaround only if the distributor of the JAR files can "re-sign" the JAR files.

  1. Extract the contents of the signed JAR file (e.g.: jar xf jar-file ).
  2. Modify META-INF/MANIFEST.MF file and add a trailing “/” to the name of the package ( e.g.: Name: org/apache/xml/resolver/).
  3. Remove the current signature files ( e.g.: rm -f META-INF/*.SF META-INF/*.RSA META-INF/*.DSA ).
  4. Recreate the JAR file ( e,g.: jar cfm jar-file META-INF/MANIFEST.MF input-file(s) ).
  5. NOTE: You must use the jar utility. Other jar creation tools might re-introduce the issue.

  6. Re-sign the JAR file.

[1] https://docs.oracle.com/javase/8/docs/technotes/guides/versioning/spec/versioning2.html#wp91706

See JDK-8184993

Bug Fixes

BugId Component Subcomponent Summary
8164410 deploy plugin JRE 6u121 causes applet to fail with: Reset deny session certificate store
8178536 hotspot svc OOM ERRORS + SERVICE-THREAD TAKES A PROCESSOR TO 100%
8161598
(Confidential)
hotspot compiler Kitchensink fails: assert(nm->insts_contains(original_pc)) failed: original PC must be in nmethod/CompiledMethod
8182672
(Confidential)
core-libs java.net Java 8u121 on Linux intermittently returns null for MAC address

Java™ SE Development Kit 8, Update 141 (JDK 8u141)

July 18, 2017

The full version string for this update release is 1.8.0_141-b15 (where "b" means "build"). The version number is 8u141.

IANA Data 2017b

JDK 8u141 contains IANA time zone data version 2017b. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u141 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_141-b15
7 1.7.0_151-b15
6 1.6.0_161-b13

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u141) will expire with the release of the next critical patch update scheduled for October 17, 2017.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u141) on November 17, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Known Issues

deploy/webstart

JAR file validation changes

After upgrading to the JDK July CPU release (8u141/7u151/6u161), when executing Java Webstart applications, customers may encounter an exception like “java.lang.SecurityException: digest missing for …” that prevents the application from loading.

The issue is observed in signed JAR files whose manifest contains package version information[1] and does not have a trailing "/" in the name of the package (e.g.: Name: org/apache/xml/resolver). While we work towards resolving this issue, in the interim, users can work-around the issue as follows:

NOTE: We recommend use of this workaround only if the distributor of the JAR files can "re-sign" the JAR files.

  1. Extract the contents of the signed JAR file (e.g.: jar xf jar-file ).
  2. Modify META-INF/MANIFEST.MF file and add a trailing “/” to the name of the package ( e.g.: Name: org/apache/xml/resolver/).
  3. Remove the current signature files ( e.g.: rm -f META-INF/*.SF META-INF/*.RSA META-INF/*.DSA ).
  4. Recreate the JAR file ( e,g.: jar cfm jar-file META-INF/MANIFEST.MF input-file(s) ).
  5. NOTE: You must use the jar utility. Other jar creation tools might re-introduce the issue.

  6. Re-sign the JAR file.
  7. [1] https://docs.oracle.com/javase/8/docs/technotes/guides/versioning/spec/versioning2.html#wp91706

See JDK-8184993

Certificate Changes

New Let's Encrypt certificates added to root CAs

One new root certificate has been added:

ISRG Root X1 
alias: letsencryptisrgx1 
DN: CN=ISRG Root X1, O=Internet Security Research Group, C=US

JDK-8177539 (not public)

New Features

security-libs/java.security

Disable SHA-1 TLS Server Certificates

Any TLS server certificate chain containing a SHA-1 certificate (end-entity or intermediate CA) and anchored by a root CA certificate included by default in Oracle's JDK is now blocked by default. TLS Server certificate chains that are anchored by enterprise or private CAs are not affected. Only X.509 certificate chains that are validated by the PKIX implementation of the CertPathValidator and CertPathBuilder APIs and the SunX509 and PKIX implementations of the TrustManagerFactory API are subject to the restrictions. Third-party implementations of these APIs are directly responsible for enforcing their own restrictions.

To implement this restriction and provide more flexibility for configuring your own restrictions, additional features have been added to the jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms Security Properties in the java.security file, as follows:

  • jdk.certpath.disabledAlgorithms:

    Three new constraints have been added to this Security Property:

    A new constraint named jdkCA, that when set, restricts the algorithm if it is used in a certificate chain that is anchored by a trust anchor that is pre-installed in the JDK cacerts keystore. This condition does not apply to certificate chains that are anchored by other certificates, including those that are subsequently added to the cacerts keystore. Also, note that the restriction does not apply to trust anchor certificates, since they are directly trusted.

    A new constraint named denyAfter, that when set, restricts the algorithm if it is used in a certificate chain after the specified date. The restriction does not apply to trust anchor certificates, since they are directly trusted. Also, code signing certificate chains as used in signed JARs are treated specially as follows:

    • if the certificate chain is used with a signed JAR that is not timestamped, it will be restricted after the specified date

    • if the certificate chain is used with a signed JAR that is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.

    A new constraint named usage, that when set, restricts the algorithm if it is used in a certificate chain for the specified use(s). Three usages are initially supported: TLSServer for TLS/SSL server certificate chains, TLSClient for TLS/SSL client certificate chains, and SignedJAR for certificate chains used with signed JARs.

  • Multiple constraints can be combined to constrain an algorithm when delimited by '&'. For example, to disable SHA-1 TLS Server certificate chains that are anchored by pre-installed root CAs, the constraint is "SHA1 jdkCA & usage TLSServer".

  • jdk.jar.disabledAlgorithms:

    A new constraint has been added named denyAfter, that when set, restricts the algorithm if it is used in a signed JAR after the specified date, as follows:

    • if the JAR is not timestamped, it will be restricted (treated as unsigned) after the specified date

    • if the JAR is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.

    For example, to restrict SHA1 in JAR files signed after January 1st 2018, add the following to the property: "SHA1 denyAfter 2018-01-01". The syntax is the same as the certpath property, however certificate checking will not be performed by this property.

See JDK-8176536

Changes

core-svc/java.lang.management

JMX Diagnostic improvements

com.sun.management.HotSpotDiagnostic::dumpHeap API is modified to throw IllegalArgumentException if the supplied file name does not end with “.hprof” suffix. Existing applications which do not provide a file name ending with the “.hprof” extension will fail with IllegalArgumentException. In that case, applications can either choose to handle the exception or restore old behavior by setting system property 'jdk.management.heapdump.allowAnyFileSuffix' to true.

JDK-8176055 (not public)

security-libs/javax.net.ssl

Custom HostnameVerifier enables SNI extension

Earlier releases of JDK 8 Updates didn't always send the Server Name Indication (SNI) extension in the TLS ClientHello phase if a custom hostname verifier was used. This verifier is set via the setHostnameVerifier(HostnameVerifier v) method in HttpsURLConnection. The fix ensures the Server Name is now sent in the ClientHello body.

See JDK-8144566

xml/jax-ws

Tighter secure checks on processing WSDL files by wsimport tool

The wsimport tool has been changed to disallow DTDs in Web Service descriptions, specifically:

  • DOCTYPE declaration is disallowed in documents
  • External general entities are not included by default
  • External parameter entities are not included by default
  • External DTDs are completely ignored

To restore the previous behavior:

  • Set the System property com.sun.xml.internal.ws.disableXmlSecurity to true
  • Use the wsimport tool command line option –disableXmlSecurity

    NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided via a Patch release post July CPU

JDK-8182054 (not public)

 

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

# BugId Component Subcomponent Summary
1 JDK-8179014 client‑libs java.awt JFileChooser with Windows look and feel crashes on win 10
2 JDK-8178996 client‑libs javax.swing [macos] JComboBox doesn't display popup in mixed JavaFX Swing Application on 8u131 and Mac OS 10.12
3 JDK-8174729 core‑libs java.lang:reflect Race Condition in java.lang.reflect.WeakCache
4 JDK-8165231 core‑libs java.nio java.nio.Bits.unaligned() doesn't return true on ppc
5 JDK-8180582 core‑libs java.rmi After updating to Java8u131, the bind to rmiregistry is rejected by registryFilter even though registryFilter is set
6 JDK-8139870 core‑svc java.lang.management sun.management.LazyCompositeData.isTypeMatched() fail for composite types with items of ArrayType
7 JDK-8174164 hotspot compiler SafePointNode::_replaced_nodes breaks with irreducible loops
8 JDK-8165342 javafx scenegraph NPE when JavaFX loads default stylesheet or font families if CCL is null
9 JDK-8179321 javafx web WebEngine.getDocument().getDocumentURI() no longer returns null for loading a String of HTML
10 JDK-8175251 security‑libs java.security Failed to load RSA private key from pkcs12
11 JDK-8176536 security‑libs java.security Improved algorithm constraints checking
12 JDK-8144566 security‑libs javax.net.ssl Custom HostnameVerifier disables SNI extension

Java SE 8u131 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u131 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u131 b34

Bug Fixes

BugId Component Subcomponent Summary
8173654 core-libs java.lang Regression since 8u60: System.getenv doesn't return env var set in JNI code
8075484 core-libs java.net SocketInputStream.socketRead0 can hang even with soTimeout set
8180660 tools javac missing LNT entry for finally block
8164119 client-libs java.awt MoveToOtherScreenTest fails due wrong key attribute
8181192 client-libs 2d [macos] javafx.print.PrinterJob.showPrintDialog() hangs on macOS
8172297 xml jax-ws In java 8, the marshalling with JAX-WS does not escape carriage return
8181057
(Confidential)
deploy webstart [regression] Fix of JDK-8174177 breaks existing scenarios of SingleInstanceService.
8181892
(Confidential)
core-svc tools Fix usagetracker use of getEnvVar

Changes in Java SE 8u131 b33

Bug Fixes

BugId Component Subcomponent Summary
8175251 security-libs java.security Failed to load RSA private key from pkcs12
8160696 client-libs java.awt IllegalArgumentException: adding a component to a container on a different GraphicsDevice
8168914 hotspot gc Crash in ClassLoaderData/JNIHandleBlock::oops_do during concurrent marking
8174177
(Confidential)
deploy webstart JWS: SAXParseException due to JNLP file not escaped

Changes in Java SE 8u131 b32

Bug Fixes

BugId Component Subcomponent Summary
8145207 client-libs javax.accessibility [macosx] JList, VO can't access non-visible list items
8076554 client-libs javax.accessibility [macosx] Custom Swing text components need to allow standard accessibility
8165829 client-libs javax.accessibility Android Studio 2.x crashes with NPE at sun.lwawt.macosx.CAccessibility.getAccessibleIndexInParent
8076249 client-libs javax.accessibility NPE in AccessBridge while editing JList model
8164002 hotspot compiler Add a new CPU family (S_family) for SPARC S7 and above processors
8167102 client-libs 2d [macosx] PrintRequestAttributeSet breaks page size set using PageFormat
8061258 client-libs 2d [macosx] PrinterJob's native Print Dialog does not reflect specified Copies or Page Ranges
8176490
(Confidential)
client-libs java.awt [macosx] Sometimes NSWindow.isZoomed hangs
8177449 core-libs java.time (tz) Support tzdata2017b

Changes in Java SE 8u131 b31

Please note that fixes from the prior BPR (8u121 b36) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8164293 hotspot compiler HotSpot leaking memory in long-running requests
8043913 hotspot compiler remove legacy code in SPARC's VM_Version::platform_features
8049717 hotspot runtime expose L1_data_cache_line_size for diagnostic/sanity checks
8177817 hotspot runtime Remove assertions in 8u that were removed by 8056124 in 9.
8134119 hotspot compiler Use new API to get cache line sizes
8165482 hotspot compiler java in ldoms, with cpu-arch=generic has problems
8165342 javafx scenegraph NPE when JavaFX loads default stylesheet or font families if CCL is null

Java™ SE Development Kit 8, Update 131 (JDK 8u131)

April 18, 2017

The full version string for this update release is 1.8.0_131-b11 (where "b" means "build"). The version number is 8u131.

IANA Data 2017a

JDK 8u131 contains IANA time zone data version 2017a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u131 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_131-b11
7 1.7.0_141-b11
6 1.6.0_151-b10

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u131) will expire with the release of the next critical patch update scheduled for July 18, 2017.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u131) on August 18, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Changes

security-libs/java.security

MD5 added to jdk.jar.disabledAlgorithms Security property
This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

  • Applets or Web Start Applications
  • Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.

To check if a weak algorithm or key was used to sign a JAR file, one can use the jarsigner binary that ships with this JDK. Running "jarsigner -verify" on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.

For example, to check a JAR file named test.jar, use the following command:

jarsigner -verify test.jar

If the file in this example was signed with a weak signature algorithm like MD5withRSA, the following output would be displayed:

The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled. Re-run jarsigner with the -verbose option for more details.

More details can be displayed by using the verbose option:

jarsigner -verify -verbose test.jar

The following output would be displayed:

- Signed by "CN=weak_signer" 
    Digest algorithm: MD5 (weak) 
    Signature algorithm: MD5withRSA (weak), 512-bit key (weak) 
  Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016 
    Timestamp digest algorithm: SHA-256 
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

To address the issue, the JAR file will need to be re-signed with a stronger algorithm or key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended. Before re-signing affected JARs, the existing signature(s) should be removed from the JAR file. This can be done with the .zip utility, as follows:

zip -d test.jar 'META-INF/.SF' 'META-INF/.RSA' 'META-INF/*.DSA'

Please periodically check the Oracle JRE and JDK Cryptographic Roadmap at http://java.com/cryptoroadmap for planned restrictions to signed JARs and other security components.
JDK-8171121 (not public)

core-libs/java.net

New system property to control caching for HTTP SPNEGO connection.

A new JDK implementation specific system property to control caching for HTTP SPNEGO (Negotiate/Kerberos) connections is introduced. Caching for HTTP SPNEGO connections remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.

When connecting to an HTTP server that uses SPNEGO to negotiate authentication, and when connection and authentication with the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP server using SPNEGO usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP SPNEGO (Negotiate/Kerberos) protocol in order to force requesting new authentication with each new request to the server.

With this change, we now provide a new system property that allows control of the caching policy for HTTP SPNEGO connections. If jdk.spnego.cache is defined and evaluates to false, then all caching will be disabled for HTTP SPNEGO connections. Setting this system property to false may, however, result in undesirable side effects:

  • Performance of HTTP SPNEGO connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
  • Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.

JDK-8170814 (not public)

core-libs/java.net

New system property to control caching for HTTP NTLM connection.

A new JDK implementation specific system property to control caching for HTTP NTLM connection is introduced. Caching for HTTP NTLM connection remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.

On some platforms, the HTTP NTLM implementation in the JDK can support transparent authentication, where the system user credentials are used at system level. When transparent authentication is not available or unsuccessful, the JDK only supports getting credentials from a global authenticator. If connection to the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP NTLM server usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP NTLM protocol in order to force requesting new authentication with each new requests to the server.

With this change, we now provide a new system property that allows control of the caching policy for HTTP NTLM connections. If jdk.ntlm.cache is defined and evaluates to false, then all caching will be disabled for HTTP NTLM connections. Setting this system property to false may, however, result in undesirable side effects:

  • Performance of HTTP NTLM connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
  • Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.

JDK-8163520 (not public)

tools/visualvm

New version of VisualVM

VisualVM 1.3.9 was released on October 4th, 2016 http://visualvm.github.io/relnotes.html and has been integrated into 8u131.

See JDK-8167485

 

Bug Fixes

The following are some of the notable bug fixes included in this release:

client-libs/java.awt

Introduced a new window ordering model

On the OS X platform, the AWT framework used native services to implement parent-child relationship for windows. That caused some negative visual effects especially in multi-monitor environments. To get rid of the disadvantages of such an approach, the new window ordering model, which is fully implemented at the JDK layer, was introduced. Its main principles are listed below:

  • A window should be placed above its nearest parent window.
  • If a window has several child windows, all child windows should be located at the same layer and the window from the active window chain should be ordered above its siblings.
  • Ordering should not be performed for a window that is in an iconified state or when the transition to an iconified state is in progress.

These rules are applied to every frame or dialog from the window hierarchy that contains the currently focused window.

See JDK-8169589

security-libs/javax.net.ssl

Correction of IllegalArgumentException from TLS handshake

A recent issue from the JDK-8173783 fix can cause issue for some TLS servers. The problem originates from an IllegalArgumentException thrown by the TLS handshaker code:

java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves

The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified.

See JDK-8173783

 

Bug Fix list

This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

# BugId Component Subcomponent Summary
1 JDK-7155957 client‑libs java.awt closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.java hangs on win 64 bit with jdk8
2 JDK-8035568 client‑libs java.awt [macosx] Cursor management unification
3 JDK-8079595 client‑libs java.awt Resizing dialog which is JWindow parent makes JVM crash
4 JDK-8169589 client‑libs java.awt [macosx] Activating a JDialog puts to back another dialog
5 JDK-8147842 client‑libs javax.swing IME Composition Window is displayed at incorrect location
6 JDK-7167293 core‑libs java.net FtpURLConnection connection leak on FileNotFoundException
7 JDK-8169465 core‑libs javax.naming Deadlock in com.sun.jndi.ldap.pool.Connections
8 JDK-8133045 deploy deployment_toolkit java.lang.SecurityException: Failed to extract baseline.versions error
9 JDK-8028538 deploy webstart Fedora Linux issue with jnlp‑servlet.jar demo source code license
10 JDK-8170646 deploy webstart JNLP fails to get loaded with old javaws when multiple jres (jre9 and jre8u111) installed
11 JDK-8075196 docs guides CosNaming's implementation doesn't comply with the specification
12 JDK-8161147 hotspot compiler jvm crashes when ‑XX:+UseCountedLoopSafepoints is enabled
13 JDK-8161993 hotspot gc G1 crashes if active_processor_count changes during startup
14 JDK-8147910 hotspot runtime Cache initial active_processor_count
15 JDK-8150490 hotspot runtime Update OS detection code to recognize Windows Server 2016
16 JDK-8170888 hotspot runtime [linux] Experimental support for cgroup memory limits in container (ie Docker) environments
17 JDK-8166208 hotspot svc FlightRecorderOptions settings for defaultrecording ignored.
18 JDK-8161945 install install REGRESSION: 8u91 update of 32 bit JRE removes preferences of the 64 bit JRE
19 JDK-8172932 install install JRE installation fails with 1603 on Windows 10 with enabled Deviceguard
20 JDK-8089915 javafx web Input of type file doesn't honor "accept" attribute.
21 JDK-8090216 javafx web HTMLEditor: font bold doesn't work when an indent is set
22 JDK-8144263 javafx web [WebView, OS X] Webkit rendering artifacts with inertia scrolling
23 JDK-8150982 javafx web Crash when calling WebEngine.print on background thread
24 JDK-8164314 javafx web [WebView] Debug build is no longer working after JDK‑8089681
25 JDK-8165098 javafx web WebEngine.print will attempt to print even if the printer job is complete or has an error
26 JDK-8165173 javafx web canvas/philip/tests/2d.path.clip.empty.html fails with 8u112
27 JDK-8165508 javafx web Incorrect Bug ID in comment for JDK-8164076
28 JDK-8166231 javafx web use @Native annotation in web classes
29 JDK-8166677 javafx web HTMLEditor freezes after restoring previously maximized window
30 JDK-8166775 javafx web Audio slider works incorrectly for short files
31 JDK-8166999 javafx web Update to newer version of WebKit
32 JDK-8167098 javafx web Backport of JDK‑8158926 to JDK 8u mistakenly used preliminary patch
33 JDK-8167100 javafx web Minor source diffs introduced in backports of JDK-8160837 and JDK-8163582
34 JDK-8167675 javafx web Animated gifs are not working
35 JDK-8169204 javafx web Need to document JSObject Call and setSlot APIs to use weak references
36 JDK-8170585 javafx web Fix PlatformContextJava type leaking to GraphicsContext
37 JDK-8170938 javafx web Memory leak in JavaFX WebView
38 JDK-8173783 security‑libs javax.net.ssl IllegalArgumentException: jdk.tls.namedGroups
39 JDK-6474807 security‑libs javax.smartcardio (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException
40 JDK-8168774 tools javac Polymorhic signature method check crashes javac
41 JDK-8167485 tools visualvm Integrate new version of Java VisualVM based on VisualVM 1.3.9 into JDK
42 JDK-8167179 xml jaxp Make XSL generated namespace prefixes local to transformation process

Java SE 8u121 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u121 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u121 b36

Bug Fixes

BugId Component Subcomponent Summary
8058316 client-libs 2d lookupDefaultPrintService returns null on Solaris 11 when default printer is set using lpoptions command
8176044 core-libs java.time (tz) Support tzdata2017a
8165978
(Confidential)
core-libs java.net SocketTest.java fails with NullPointerException
8145826
(Confidential)
core-svc javax.management closed/jdk/management/resource tests fail after JDK-8056152

Changes in Java SE 8u121 b35

Bug Fixes

BugId Component Subcomponent Summary
8162795 hotspot jvmti [REDO] MemberNameTable doesn't purge stale entries
8171808 client-libs javax.accessibility Performance problems in dialogs with large tables when JAB activated
8170950 client-libs 2d Text is displayed in bold when fonts are installed into symlinked folder
8163979 client-libs java.awt [macosx] Chinese text shows as Latin w/ openVanilla input method
8163889
(Confidential)
client-libs java.awt [macosx] Can't print from browser on Mac OS X
8171388
(Confidential)
core-libs javax.naming Update JNDI Thread contexts

A regression has been identified with this build which impacts resource manager functionality only. This regression is only encountered if the commercial resource manager feature is turned on via: "-XX:+UnlockCommercialFeatures -XX:+ResourceManagement". JDK-8145826 (not public)

Changes in Java SE 8u121 b34

Bug Fixes

BugId Component Subcomponent Summary
8173783 security-libs javax.net.ssl IllegalArgumentException: jdk.tls.namedGroups
8173145 client-libs javax.swing Menu is activated after using mnemonic Alt/Key combination
8038348 hotspot compiler Instance field load is replaced by wrong data Phi
8170888 hotspot runtime [linux] Experimental support for cgroup memory limits in container (ie Docker) environments
6515172 hotspot runtime Runtime.availableProcessors() ignores Linux taskset command
8147910 hotspot runtime Cache initial active_processor_count
8165153 hotspot runtime Crash in rebuild_cpu_to_node_map
8161993 hotspot gc G1 crashes if active_processor_count changes during startup
8170307
(Confidential)
hotspot runtime Stack size option -Xss is ignored
8157184
(Confidential)
hotspot compiler java/lang/invoke/LFCaching/LFMultiThreadCachingTest.java failed with a fatal error
8166158
(Confidential)
deploy webstart correct version of jar is not asked in some cases when jar is originally downloaded using loadResource

Changes in Java SE 8u121 b33

Bug Fixes

BugId Component Subcomponent Summary
8169465 core-libs javax.naming Deadlock in com.sun.jndi.ldap.pool.Connections
8152981 client-libs javax.swing Double icons with JMenuItem setHorizontalTextPosition on Win 10
8075516 client-libs java.awt Deleting a file from either the open or save java.awt.FileDialog hangs.
7172652 client-libs javax.swing With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin
8159058 xml jax-ws SAXParseException when sending soap message
8141054 deploy webstart WebStart does not clean up jnlp file after closing
8169541
(Confidential)
deploy deployment_toolkit security pop-up triggers each time when launching application
8170668
(Confidential)
deploy webstart java.lang.UnsupportedOperationException in javaws applications
8168070
(Confidential)
deploy webstart Extra window appears due to Preloader failed to handle AppletInitEvent

Changes in Java SE 8u121 b31

Please note that fixes from the prior BPR (8u112 b32) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8167179 xml jaxp Make XSL generated namespace prefixes local to transformation process
8166208 hotspot svc FlightRecorderOptions settings for defaultrecording ignored.
8155211 security-libs java.security Ucrypto Library leaks native memory
8035568 client-libs java.awt [macosx] Cursor management unification
8169589 client-libs java.awt [macosx] Activating a JDialog puts to back another dialog
8163195
(Confidential)
deploy webstart Release DeploymentRuleSet.jar as soon as app is launched
8160275
(Confidential)
deploy deployment_toolkit 7u95 java does not start after the java splash screen in jws application
8161609
(Confidential)
deploy plugin Deploy starts applets even if mandatory config hasn't been found
8164476
(Confidential)
deploy deployment_toolkit JWS: JNLP file not removed when using SingleInstanceService
8171949
(Confidential)
client-libs java.awt [macosx] AWT_ZoomFrame Automated tests fail with error: The bitwise mask Frame.ICONIFIED is not setwhen the frame is in ICONIFIED state
8171952
(Confidential)
client-libs java.awt [macosx] ModelessDialog test fails as DummyButton on Dialog did not gain focus when clicked.

The fix made under JDK-8164476 does not take any effect without changes for JDK-8141054. JDK-8141054 will be included in the next JDK8u121 BPR build


Java™ SE Development Kit 8, Update 121 (JDK 8u121)

January 17, 2017

The full version string for this update release is 1.8.0_121-b13 (where "b" means "build"). The version number is 8u121.

IANA Data 2016i

JDK 8u121 contains IANA time zone data version 2016i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u121 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_121-b13
7 1.7.0_131-b12
6 1.6.0_141-b12

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u121) will expire with the release of the next critical patch update scheduled for April 18, 2017.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u121) on May 18, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

core-libs/javax.naming

Improved protection for JNDI remote class loading

Remote class loading via JNDI object factories stored in naming and directory services is disabled by default. To enable remote class loading by the RMI Registry or COS Naming service provider, set the following system property to the string "true", as appropriate:

com.sun.jndi.rmi.object.trustURLCodebase
com.sun.jndi.cosnaming.object.trustURLCodebase

JDK-8158997 (not public)

security-libs/java.security

jarsigner -verbose -verify should print the algorithms used to sign the jar

The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak.

Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property, jdk.jar.disabledAlgorithms, it will be labeled with "(weak)".

For example:

- Signed by "CN=weak_signer"
   Digest algorithm: MD2 (weak) 
   Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
 Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
   Timestamp digest algorithm: SHA-256 
   Timestamp signature algorithm: SHA256withRSA, 2048-bit key

See JDK-8163304

New Features

security-libs/javax.xml.crypto

Added security property to configure XML Signature secure validation mode

A new security property named jdk.xml.dsig.secureValidationPolicy has been added that allows you to configure the individual restrictions that are enforced when the secure validation mode of XML Signature is enabled. The default value for this property in the java.security configuration file is:

jdk.xml.dsig.secureValidationPolicy=\
    disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
    disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
    maxTransforms 5,\
    maxReferences 30,\
    disallowReferenceUriSchemes file http https,\
    noDuplicateIds,\
    noRetrievalMethodLoops

Please refer to the definition of the property in the java.security file for more information.

See JDK-8151893

core-libs/java.io:serialization

Serialization Filter Configuration

Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in JEP 290 Serialization Filtering and in <JRE>/lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled.

See JDK-8155760

core-libs/java.rmi

RMI Better constraint checking

RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290 Serialization Filtering to improve service robustness.

RMI Registry and DGC implement built-in white-list filters for the typical classes expected to be used with each service.

Additional filter patterns can be configured using either a system property or a security property. The "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property pattern syntax is described in JEP 290 and in <JRE>/lib/security/java.security.

JDK-8156802 (not public)

security-libs

Add mechanism to allow non-default root CAs to not be subject to algorithm restrictions

*New certpath constraint: jdkCA*

In the java.security file, an additional constraint named "jdkCA" is added to the jdk.certpath.disabledAlgorithms property. This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in the lib/security/cacerts keystore. If the jdkCA constraint is not set, then all chains using the specified algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm expression.

Example: To apply this constraint to SHA-1 certificates, include the following: SHA1 jdkCA

See JDK-8140422

Changes

security-libs/javax.net.ssl

Make 3DES as a legacy algorithm in the JSSE provider

For SSL/TLS/DTLS protocols, the security strength of 3DES cipher suites is not sufficient for persistent connections. By adding 3DES_EDE_CBC to the jdk.tls.legacyAlgorithms security property by default in JDK, 3DES cipher suites will not be negotiated unless there are no other candidates during the establishing of SSL/TLS/DTLS connections.

At their own risk, applications can update this restriction in the security property (jdk.tls.legacyAlgorithms) if 3DES cipher suites are really preferred.

JDK-8165071 (not public)

security-libs/javax.net.ssl

Improve the default strength of EC in JDK

To improve the default strength of EC cryptography, EC keys less than 224 bits have been deactivated in certification path processing (via the jdk.certpath.disabledAlgorithms Security Property) and SSL/TLS connections (via the jdk.tls.disabledAlgorithms Security Property) in JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192"). EC curves less than 256 bits are removed from the SSL/TLS implementation in JDK. The new System Property, jdk.tls.namedGroups, defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curves preference, please update the System Property accordingly. For example:

jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1"

Note that the default enabled or customized EC curves follow the algorithm constraints. For example, the customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties.

See JDK-8148516

tools/javadoc(tool)

New --allow-script-in-comments option for javadoc

The javadoc tool will now reject any occurrences of JavaScript code in the javadoc documentation comments and command-line options, unless the command-line option, --allow-script-in-comments is specified.

With the --allow-script-in-comments option, the javadoc tool will preserve JavaScript code in documentation comments and command-line options. An error will be given by the javadoc tool if JavaScript code is found and the command-line option is not set.

JDK-8138725 (not public)

security-libs/javax.xml.crypto

Increase the minimum key length to 1024 for XML Signatures

The secure validation mode of the XML Signature implementation has been enhanced to restrict RSA and DSA keys less than 1024 bits by default as they are no longer secure enough for digital signatures. Additionally, a new security property named jdk.xml.dsig.SecureValidationPolicy has been added to the java.security file and can be used to control the different restrictions enforced when the secure validation mode is enabled.

The secure validation mode is enabled either by setting the xml signature property org.jcp.xml.dsig.secureValidation to true with the javax.xml.crypto.XMLCryptoContext.setProperty method, or by running the code with a SecurityManager.

If an XML Signature is generated or validated with a weak RSA or DSA key, an XMLSignatureException will be thrown with the message, "RSA keys less than 1024 bits are forbidden when secure validation is enabled" or "DSA keys less than 1024 bits are forbidden when secure validation is enabled."

JDK-8140353 (not public)

docs/release_notes

Restrict certificates with DSA keys less than 1024 bits.

DSA keys less than 1024 bits are not strong enough and should be restricted in certification path building and validation. Accordingly, DSA keys less than 1024 bits have been deactivated by default by adding "DSA keySize < 1024" to the jdk.certpath.disabledAlgorithms security property. Applications can update this restriction in the security property (jdk.certpath.disabledAlgorithms) and permit smaller key sizes if really needed (for example, "DSA keySize < 768").

JDK-8139565 (not public)

security-libs

More checks added to DER encoding parsing code

More checks are added to the DER encoding parsing code to catch various encoding errors. In addition, signatures which contain constructed indefinite length encoding will now lead to IOException during parsing. Note that signatures generated using JDK default providers are not affected by this change.

JDK-8168714 (not public)

core-libs/java.net

Additional access restrictions for URLClassLoader.newInstance

Class loaders created by the java.net.URLClassLoader.newInstance methods can be used to load classes from a list of given URLs. If the calling code does not have access to one or more of the URLs and the URL artifacts that can be accessed do not contain the required class, then a ClassNotFoundException, or similar, will be thrown. Previously, a SecurityException would have been thrown when access to a URL was denied. If required to revert to the old behavior, this change can be disabled by setting the jdk.net.URLClassPath.disableRestrictedPermissions system property.

JDK-8151934 (not public)

Bug Fixes

The following are some of the notable bug fixes included in this release:

client-libs/javax.swing

Trackpad scrolling of text on OS X 10.12 Sierra is very fast

The MouseWheelEvent.getWheelRotation() method returned rounded native NSEvent deltaX/Y events on Mac OS X. The latest macOS Sierra 10.12 produces very small NSEvent deltaX/Y values so rounding and summing them leads to the huge value returned from the MouseWheelEvent.getWheelRotation(). The JDK-8166591 fix accumulates NSEvent deltaX/Y and the MouseWheelEvent.getWheelRotation() method returns non-zero values only when the accumulated value exceeds a threshold and zero value. This is compliant with the MouseWheelEvent.getWheelRotation() specification (https://docs.oracle.com/javase/8/docs/api/java/awt/event/MouseWheelEvent.html#getWheelRotation):

"Returns the number of "clicks" the mouse wheel was rotated, as an integer. A partial rotation may occur if the mouse supports a high-resolution wheel. In this case, the method returns zero until a full "click" has been accumulated."

For the precise wheel rotation values, use the MouseWheelEvent.getPreciseWheelRotation() method instead.

See JDK-8166591

 

Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

# BugId Component Subcomponent Summary
1 JDK-8037099 client-libs java.awt [macosx] Remove all references to GC from native OBJ-C code
2 JDK-8166591 client-libs javax.swing [macos 10.12] Trackpad scrolling of text on macOS 10.12 Sierra is very fast (Trackpad, Retina only)
3 JDK-8152438 hotspot gc Threads may do significant work out of the non‑shared overflow buffer
4 JDK-8163171 install install Java installer leaves cached files on host after update
5 JDK-8164908 other‑libs corba ReflectionFactory support for IIOP and custom serialization
6 JDK-8161571 security-libs java.security Verifying ECDSA signatures permits trailing bytes
7 JDK-8163304 security-libs java.security jarsigner -verbose -verify should print the algorithms used to sign the jar
8 JDK-8167591 security-libs java.security Add MD5 to signed JAR restrictions
9 JDK-8167459 security-libs javax.net.ssl Add debug output for indicating if a chosen ciphersuite was legacy
10 JDK-8167472 security-libs javax.net.ssl Chrome interop regression with JDK‑8148516
11 JDK-8170131 security-libs javax.net.ssl Certificates not being blocked by jdk.tls.disabledAlgorithms property
12 JDK-8151893 security-libs javax.xml.crypto Add security property to configure XML Signature secure validation mode

 

Known Issues

security-libs/javax.net.ssl

IllegalArgumentException from TLS handshake

A recent issue from the JDK-8148516 fix can cause issue for some TLS servers. The problem originates from an *IllegalArgumentException* thrown by the TLS handshaker code:

java.lang.IllegalArgumentException: System property 
jdk.tls.namedGroups(null) contains no supported elliptic curves

The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified.

See JDK-8173783

deploy/packager

javapackager and fx:deploy bundle the whole JDK instead of JRE

There is a known bug in the Java Packager for Mac where the entire JDK may be bundled with the application bundle resulting in an unusually large bundle. The work around is to use the bundler option -Bruntime option. For example: -Bruntime=JavaAppletPlugin.plugin sets where the JavaAppletPlugin.plugin for the desired JRE to bundle is located in the current directory.

See JDK-8166835

install/install

Java Installation will fail for non-admin users with UAC off

The Java installation on Windows will fail without warning or prompting, for non-admin users with User Access Control (UAC) disabled. The installer will leave a directory, jds<number>.tmp, in the %TEMP% directory.

JDK-8161460 (not public)

Java SE 8u112 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u112 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u112 b32

Bug Fixes

BugId Component Subcomponent Summary
8157548 hotspot runtime JVM crashes sometimes while starting
8169191 core-libs java.time (tz) Support tzdata2016i

Changes in Java SE 8u112 b31

Please note that fixes from the prior BPR (8u102 b35) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8166591 client-libs javax.swing [macos 10.12] Trackpad scrolling of text on macOS 10.12 Sierra is very fast (Trackpad, Retina only)
8166875 core-libs java.time (tz) Support tzdata2016g
8063089
(Confidential)
hotspot jfr VM fails to start on Windows with enabled JFR

Java™ SE Development Kit 8, Update 112 (JDK 8u112)

October 18, 2016

The full version string for this update release is 1.8.0_112-b15 (b16 for OS X) (where "b" means "build"). The version number is 8u112.

IANA Data 2016f

JDK 8u112 contains IANA time zone data version 2016f. For more information, refer to Timezone Data Versions in the JRE Software.
See JDK-8159684

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u112 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_111-b14
7 1.7.0_121-b15
6 1.6.0_131-b14

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u112) will expire with the release of the next critical patch update scheduled for January 17, 2017.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u112) on February 17, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.


Changes

security-libs/java.security
SunPKCS11 Provider no longer offering SecureRandom by default
SecureRandom.PKCS11 from the SunPKCS11 Provider is disabled by default on Solaris because the native PKCS11 implementation has poor performance and is not recommended. If your application requires SecureRandom.PKCS11, you can re-enable it by removing "SecureRandom" from the disabledMechanisms list in conf/security/sunpkcs11-solaris.cfg

Performance improvements have also been made in the java.security.SecureRandom class. Improvements in the JDK implementation have allowed for synchronization to be removed from the java.security.SecureRandom.nextBytes(byte[] bytes) method.
See JDK-8098581


Known Issues

deploy
JVM throws NullPointerExceptions on macOS Sierra 10.12
On macOS Sierra 10.12, if a user presses modifier keys (such as Command, Shift, or Alt) while an applet is running in a browser, an error box named “Internal Error” might be displayed. It will also show the “exec” icon in the macOS dock. The user can dismiss the applet, or try to rerun the applet while not pressing a modifier key. To fix this problem, users can install JRE 8u112.
See JDK-8165867.


 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

# BugId Component Subcomponent Summary
1 JDK-6477756 client-libs 2d GraphicsDevice.getConfigurations() is slow taking 3 or more seconds
2 JDK-7172749 client-libs 2d Xrender: Class cast exception in 2D code running an AWT regression test
3 JDK-8028486 client-libs 2d java/awt/Window/WindowsLeak/WindowsLeak.java fails
4 JDK-8078382 client-libs 2d Wrong glyph is displayed for a derived font
5 JDK-8133309 client-libs 2d [win10] Some unicode characters do not display any more after upgrading to Windows 10
6 JDK-8144703 client-libs 2d ClassCastException: sun.font.CompositeFont cannot be cast to PhysicalFont
7 JDK-8158495 client-libs 2d CCE: sun.java2d.NullSurfaceData cannot be cast to sun.java2d.opengl.OGLSurfaceData
8 JDK-8158178 client-libs java.awt java.awt.SplashScreen.getSize() returns incorrect size for high dpi splash screens
9 JDK-8154816 client-libs java.awt:i18n Caps Lock doesn't work as expected when using Pinyin Simplified input method
10 JDK-8145984 client-libs javax.accessibility [macosx] sun.lwawt.macosx.CAccessible leaks
11 JDK-8153149 client-libs javax.accessibility Uninitialised memory in WinAccessBridge.cpp:1128
12 JDK-8154069 client-libs javax.accessibility Jaws reads wrong values from comboboxes when no element is selected
13 JDK-8057791 client-libs javax.swing Selection in JList is drawn with wrong colors in Nimbus L&F
14 JDK-8078268 client-libs javax.swing javax.swing.text.html.parser.Parser parseScript incorrectly optimized
15 JDK-8136998 client-libs javax.swing JComboBox prevents wheel mouse scrolling of JScrollPane
16 JDK-8157838 client-libs javax.swing Personalized Windows Font Size is not taken into account in Java8u102
17 JDK-8158734 client-libs javax.swing JEditorPane.createEditorKitForContentType throws NPE after 6882559
18 JDK-8147585 core-libs java.lang Annotations with lambda expressions has parameter result in wrong behavior.
19 JDK-8155106 core-libs java.lang.invoke MHs.Lookup.findConstructor returns handles for array classes
20 JDK-8153192 core-libs java.nio (se) Selector.select(long) uses wrong timeout after EINTR (lnx)
21 JDK-8141148 core-libs javax.naming LDAP "follow" throws ClassCastException with Java 8
22 JDK-8158802 core-libs javax.naming com.sun.jndi.ldap.SimpleClientId produces wrong hash code
23 JDK-8159822 core-libs javax.naming Non‑synchronized access to shared members of com.sun.jndi.ldap.pool.Pool
24 JDK-8150219 core-libs javax.script ReferenceError in 1.8.0_72
25 JDK-8130127 core-libs jdk.nashorn streamline input parameter of Nashorn scripting $EXEC function
26 JDK-8130317 core-libs jdk.nashorn "ant test" fails to complete on Windows when run under cygwin shell
27 JDK-8137240 core-libs jdk.nashorn Negative lookahead in RegEx breaks backreference
28 JDK-8141541 core-libs jdk.nashorn Simplify Nashorn's Context class loader handling
29 JDK-8143642 core-libs jdk.nashorn Nashorn shebang argument handling is broken
30 JDK-8144160 core-libs jdk.nashorn Regression: two tests fail on Windows with "ant test" target
31 JDK-8144221 core-libs jdk.nashorn fix Nashorn shebang argument handling on Mac/Linux
32 JDK-8148140 core-libs jdk.nashorn arguments are handled differently in apply for JS functions and AbstractJSObjects
33 JDK-8156714 core-libs jdk.nashorn Parsing issue with automatic semicolon insertion
34 JDK-8156896 core-libs jdk.nashorn Script stack trace should display function names
35 JDK-8157160 core-libs jdk.nashorn JSON.stringify does not work on ScriptObjectMirror objects
36 JDK-8157680 core-libs jdk.nashorn Callback parameter of any JS builtin implementation should accept any Callable
37 JDK-8157819 core-libs jdk.nashorn TypeError when a java.util.Comparator object is invoked as a function
38 JDK-8158467 core-libs jdk.nashorn AccessControlException is thrown on public Java class access if "script app loader" is set to null
39 JDK-8154144 core-svc   Tests in com/sun/jdi fails intermittently with "jdb input stream closed prematurely"
40 JDK-8049226 core-svc debugger com/sun/jdi/OptionTest.java test times out again
41 JDK-8029309 deploy   [macosx] Java Control Panel unable to perform tasks requiring admin privileges
42 JDK-8165867 deploy   [macos] JVM continuously throw a NullPointerException on new MacOS 10.12
43 JDK-8155835 deploy javafx FXUIToolkit.showFileChooser() fails when jre is below 7u21
44 JDK-8155837 deploy javafx FXUIToolkit.showSandboxSecurityDialog fails when running jre below 7u21
45 JDK-8155849 deploy javafx FXUIToolkit.showMessageDialog() fails when running jre below 7u55
46 JDK-8081847 deploy webstart Add a URL scheme handler to reliably launch .jnlp files - Mac registration part
47 JDK-8136844 deploy webstart Change JavawsLauncher.app to use NSTask or execv
48 JDK-8144348 deploy webstart Desktop shortcut is not updated after JNLP is changed in deployment cache
49 JDK-8157337 deploy webstart Allow always checkbox in security dialog when jnlp location is unknown
50 JDK-8157785 deploy webstart Signed JWS application unexpectedly asks for permission to open a socket
51 JDK-8063086 hotspot compiler Math.pow yields different results upon repeated calls
52 JDK-8130309 hotspot compiler Need to bailout cleanly if creation of stubs fails when codecache is out of space
53 JDK-8154831 hotspot compiler CastII/ConvI2L for a range check is prematurely eliminated
54 JDK-8158260 hotspot compiler PPC64: unaligned Unsafe.getInt can lead to the generation of illegal instructions
55 JDK-8159244 hotspot compiler Partially initialized string object created by C2's string concat optimization may escape
56 JDK-8017629 hotspot gc G1: UseSHM in combination with a G1HeapRegionSize > os::large_page_size() falls back to use small pages
57 JDK-8054326 hotspot gc Confusing message in "Current rem set statistics"
58 JDK-8077276 hotspot gc allocating heap with UseLargePages and HugeTLBFS may trash existing memory mappings (linux)
59 JDK-8158871 hotspot gc Long response times with G1 and StringDeduplication
60 JDK-8154722 hotspot gc Test gc/ergonomics/TestDynamicNumberOfGCThreads.java fails
61 JDK-8147451 hotspot jvmti Crash in Method::checked_resolve_jmethod_id(_jmethodID*)
62 JDK-8161144 hotspot jvmti Fix for JDK‑8147451 failed: Crash in Method::checked_resolve_jmethod_id(_jmethodID*)
63 JDK-8036630 hotspot runtime Null ProtectionDomain in JVM can cause NPE because principals field is not initialized to an empty array
64 JDK-8042660 hotspot runtime vm/mlvm/anonloader/stress/byteMutation failed with: assert(index >=0 && index < _length) failed: symbol index overflow
65 JDK-8135322 hotspot runtime ConstantPool::release_C_heap_structures not run in some circumstances
66 JDK-8147026 hotspot runtime Convert an assert in ClassLoaderData to a guarantee
67 JDK-8154210 hotspot runtime Zero: Better byte behaviour
68 JDK-8158373 hotspot runtime SIGSEGV: Metadata::mark_on_stack
69 JDK-8160201 infrastructure release_eng 8u112 template file need to be updated
70 JDK-8148167 install install jdk 8u71 fails to install with no error message
71 JDK-8156895 install install ent msi does not have double‑click support
72 JDK-8161053 javafx application‑lifecycle Passing objects between JavaScript (JavaFX / WebKit) and Java causes a memory leak
73 JDK-8134655 javafx base SortedList wrapping a FilteredList causes AIOOBE
74 JDK-8144501 javafx controls TreeTableView's selectedItems reports include null items.
75 JDK-8157398 javafx controls [TreeTableView] graphic property of TreeItem is still visible after collapsing tree
76 JDK-8161449 javafx controls Enhance CustomColorDialog to have flexibility to hide 'Opacity', 'Use' and 'Save' Button
77 JDK-8145516 javafx graphics Scene content shows too large on Retina display, when a regular screen attached
78 JDK-8150076 javafx graphics Print jobs do not finish when using a page range
79 JDK-8150181 javafx graphics javafx print jobs take 60 times longer than javax.print
80 JDK-8152423 javafx graphics Generated temp files (+JXF...temp) for custom fonts not deleted on exit.
81 JDK-8155692 javafx graphics changes to compile under Visual Studio 14.0
82 JDK-8155903 javafx graphics Crash while running imported/w3c/canvas/2d.gradient.interpolate.overlap2.html
83 JDK-8156094 javafx graphics ContextMenu shown at wrong position on Windows10 with Extended Screen
84 JDK-8158688 javafx graphics Revert fix for JDK‑8150181 to push it with the correct commit message
85 JDK-8159860 javafx graphics JavaFX Path drawing appears to leak native memory
86 JDK-8089563 javafx web Javascript Timing Events stop work on system clock changes at past
87 JDK-8130727 javafx web WebView Tooltip position no longer changes in 8u60
88 JDK-8146211 javafx web WebView can't alert from a timer
89 JDK-8149045 javafx web Debug build is not working after new WebKit upgrade
90 JDK-8150800 javafx web NullPointer exception in WebView
91 JDK-8152393 javafx web SQL Server Reporting Services in WebViews shows 401
92 JDK-8152420 javafx web [WebView] Icon font doesn't work if single page application will be loaded from jar
93 JDK-8154127 javafx web Need to document that JavaScript to Java bindings use weak references
94 JDK-8156698 javafx web Update to newer version of WebKit
95 JDK-8157145 javafx web DRT crash at fast/css‑generated‑content/initial‑letter‑basic.html
96 JDK-8157384 javafx web Update java‑wrappers for WebKit generated classes following WebKit update
97 JDK-8157559 javafx web Linux: Javascript Timing Events stop work on system clock changes at past
98 JDK-8158056 javafx web Linux: libjfxwebkit.so has hard‑coded path
99 JDK-8158926 javafx web Char value is set as integer, not as character
100 JDK-8159549 javafx web Add timestamp to WebView Keyboard Event
101 JDK-8159614 javafx web Can't get file size with javascript
102 JDK-8159868 javafx web the JVM for our Swing application crashes, once we login into our application server
103 JDK-8160260 javafx web WebView cannot render CSS background image with SVG data
104 JDK-8160326 javafx web Char value is returned as integer, not as character
105 JDK-8160388 javafx web Test Case Failure in CallBackTest
106 JDK-8160400 javafx web WebView can't alert from a timer
107 JDK-8160563 javafx web jvm crash at javafx com.sun.webkit.WebPage.twkPrePaint (GFlag + Heap verification)
108 JDK-8160757 javafx web Implement overridePreference() for DRT framework
109 JDK-8160769 javafx web [WebView] Unable to tile SVG image using css background property
110 JDK-8160837 javafx web WebEngine doesn't handle html5 color picker
111 JDK-8161137 javafx web Assertion fails with https://html‑online.com/editor/
112 JDK-8161258 javafx web [Win] Timer functionality is broken after JDK‑8089563
113 JDK-8161405 javafx web [OS X] Compilation Issue in WebPage.cpp
114 JDK-8161699 javafx web Fix compilation warnings in WebCore and JavaScriptCore
115 JDK-8161724 javafx web EOFException in GZIPInputStream.readUByte while browsing
116 JDK-8162949 javafx web [WebView] WebView can't display social network icons on wellsfargo.com
117 JDK-8162977 javafx web General sibling selector is broken for selected input boxes in WebView
118 JDK-8162979 javafx web Website weibo.com cannot be loaded
119 JDK-8163582 javafx web JavaFX browser can get stuck in an infinite loop when calling path.getTotalLength()
120 JDK-8164076 javafx web [Windows] JavaFX crash in WebPage.twkOpen in 8u112 when closing WebView while debugging
121 JDK-8165853 javafx web Loading "https://www.windyty.com" with JavaFX WebView crashes JVM.
122 JDK-8146975 other-libs corba NullPointerException in IIOPInputStream.inputClassFields
123 JDK-8085903 security-libs java.security New fix for memory leak in ProtectionDomain cache
124 JDK-8098581 security-libs java.security SecureRandom.nextBytes() hurts performance with small size requests
125 JDK-8147969 security-libs java.security Print size of DH keysize when errors are encountered
126 JDK-8154009 security-libs java.security Some methods of java.security.Security require more permissions, than necessary
127 JDK-8160267 security-libs javax.crypto Ucrypto config file cannot be read when ‑Dfile.encoding=UTF‑16 is set
128 JDK-8160723 security-libs javax.crypto Improve jurisdiction policy file signing exception
129 JDK-8134232 security-libs javax.crypto:pkcs11 KeyStore.load() throws an IOException with a wrong cause in case of wrong password
130 JDK-8158873 security-libs javax.crypto:pkcs11 LoadKeystore.java test is failing
131 JDK-8133070 security-libs javax.net.ssl Hot lock on BulkCipher.isAvailable
132 JDK-8158111 security-libs javax.net.ssl Make handling of 3rd party providers more stable
133 JDK-8158059 security-libs javax.security The fix for 8050402 was partially committed
134 JDK-8022582 security-libs org.ietf.jgss:krb5 Relax response flags checking in sun.security.krb5.KrbKdcRep.check.
135 JDK-8160518 security-libs org.ietf.jgss:krb5 Semicolon is not recognized as comment starting character (Kerberos)
136 JDK-8067964 tools   Native2ascii doesn't close one of the streams it opens
137 JDK-8129740 tools javac Incorrect class file created when passing lambda in inner class constructor
138 JDK-8143640 tools launcher Showing incorrect result while passing specific argument in the Java launcher tools
139 JDK-8153781 xml jaxp Issue in XMLScanner: EXPECTED_SQUARE_BRACKET_TO_CLOSE_INTERNAL_SUBSET when skipping large DOCTYPE section with CRLF at wrong place

Java™ SE Development Kit 8, Update 111 (JDK 8u111)

October 18, 2016

The full version string for this update release is 1.8.0_111-b14 (where "b" means "build"). The version number is 8u111.

IANA Data 2016f

JDK 8u111 contains IANA time zone data version 2016f. For more information, refer to Timezone Data Versions in the JRE Software.

See JDK-8159684

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u111 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_111-b14
7 1.7.0_121-b15
6 1.6.0_131-b14

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u111) will expire with the release of the next critical patch update scheduled for January 17, 2017.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u111) on February 17, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Certificate Changes

New JCE Code Signing Root CA

In order to support longer key lengths and stronger signature algorithms, a new JCE Provider Code Signing root certificate authority has been created and its certificate added to Oracle JDK. New JCE provider code signing certificates issued from this CA will be used to sign JCE providers from this point forward. By default, new requests for JCE provider code signing certificates will be issued from this CA.

Existing certificates from the current JCE provider code signing root will continue to validate. However, this root CA may be disabled at some point in the future. We recommend that new certificates be requested and existing provider JARs be re-signed.

For details on the JCE provider signing process, please refer to the How to Implement a Provider in the Java Cryptography Architecture documentation.

JDK-8141340 (not public)

Changes

client-libs/java.awt

Service Menu services

The lifecycle management of AWT menu components exposed problems on certain platforms. This fix improves state synchronization between menus and their containers.

JDK-8158993 (not public)

core-libs/java.net

Disable Basic authentication for HTTPS tunneling

In some environments, certain authentication schemes may be undesirable when proxying HTTPS. Accordingly, the Basic authentication scheme has been deactivated, by default, in the Oracle Java Runtime, by adding Basic to the jdk.http.auth.tunneling.disabledSchemes networking property. Now, proxies requiring Basic authentication when setting up a tunnel for HTTPS will no longer succeed by default. If required, this authentication scheme can be reactivated by removing Basic from the jdk.http.auth.tunneling.disabledSchemes networking property, or by setting a system property of the same name to "" ( empty ) on the command line.

Additionally, the jdk.http.auth.tunneling.disabledSchemes and jdk.http.auth.proxying.disabledSchemes networking properties, and system properties of the same name, can be used to disable other authentication schemes that may be active when setting up a tunnel for HTTPS, or proxying plain HTTP, respectively.

JDK-8160838 (not public)

security-libs/java.security

Restrict JARs signed with weak algorithms and keys

This JDK release introduces new restrictions on how signed JAR files are verified. If the signed JAR file uses a disabled algorithm or key size less than the minimum length, signature verification operations will ignore the signature and treat the JAR file as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

  1. Applets or Web Start Applications
  2. Standalone or Server Applications run with a SecurityManager enabled and that are configured with a policy file that grants permissions based on the code signer(s) of the JAR.

The list of disabled algorithms is controlled via a new security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.

The following algorithms and key sizes are restricted in this release:

  1. MD2 (in either the digest or signature algorithm)
  2. RSA keys less than 1024 bits 

NOTE: We are planning to restrict MD5-based signatures in signed JARs in the April 2017 CPU.

To check if a weak algorithm or key was used to sign a JAR file, you can use the jarsigner binary that ships with this JDK. Running jarsigner -verify -J-Djava.security.debug=jar on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.

For example, to check a JAR file named test.jar, use the following command:

jarsigner -verify -J-Djava.security.debug=jar test.jar

If the file in this example was signed with a weak signature algorithm like MD2withRSA, the following output would be displayed:

  1. jar: beginEntry META-INF/my_sig.RSA
  2. jar: processEntry: processing block
  3. jar: processEntry caught: java.security.SignatureException: Signature check
  4. failed. Disabled algorithm used: MD2withRSA
  5. jar: done with meta!

The updated jarsigner command will exit with the following warning printed to standard output:

"Signature not parsable or verifiable. The jar will be treated as unsigned. The jar may have been signed with a weak algorithm that is now disabled. For more information, rerun jarsigner with debug enabled (-J-Djava.security.debug=jar)"

To address the issue, the JAR file will need to be re-signed with a stronger algorithm or key size.

Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended. Before re-signing affected JAR files, the existing signature(s) should be removed from the JAR. This can be done with the zip utility, as follows:

zip -d test.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'

Please periodically check the Oracle JRE and JDK Cryptographic Roadmap at http://java.com/cryptoroadmap for planned restrictions to signed JAR files and other security components. In particular, please note the current plan is to restrict MD5-based signatures in signed JAR files in the April 2017 CPU.

To test if your JARs have been signed with MD5, add MD5 to the jdk.jar.disabledAlgorithms security property, ex:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

and then run jarsigner -verify -J-Djava.security.debug=jar on your JAR files as described above.

JDK-8155973 (not public)

deploy

Warning message added to deployment authenticator dialog

A warning has been added to the plugin authentication dialog in cases where HTTP Basic authentication (credentials are sent unencrypted) is used while using a proxy or while not using SSL/TLS protocols:

"WARNING: Basic authentication scheme will effectively transmit your credentials in clear text. Do you really want to do this?"

JDK-8161647 (not public)

Known Issues

hotspot/jfr

Some events not available in JFR recordings on Windows

The following events are not available in the JFR recordings on Windows for release 8u111:

  1. hotspot/jvm/os/processor/cpu_load
  2. os/processor/context_switch_rate

This is due to regression JDK-8063089 that was introduced in 8u111 with the changes for JDK-8162419. The fix for JDK-8063089 could not be included in the 8u111 release. It will be available in the next 8u111 BPR build and in the next public release.

JDK-8063089 (not public)

 

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

# BugId Component Subcomponent Summary
1 JDK-8140530 client-libs 2d Creating a VolatileImage with size 0,0 results in no longer working g2d.drawString
2 JDK-8148127 client-libs 2d IllegalArgumentException thrown by JCK test api/java_awt/Component/FlipBufferStrategy/indexTGF_General in opengl pipeline
3 JDK-8147077 client-libs java.awt IllegalArgumentException thrown by api/java_awt/Component/FlipBufferStrategy/indexTGF_General
4 JDK-6882559 client-libs javax.swing new JEditorPane("text/plain","") fails for null context class loader
5 JDK-8157785 deploy webstart Signed JWS application unexpectedly asks for permission to open a socket
6 JDK-8161700 deploy webstart Deadlock in Java Web Start application involving JNLPClassLoader
7 JDK-8161986 deploy webstart Selecting 32/64 bit resources failed if user has installed both jre's
8 JDK-8148167 install install jdk 8u71 fails to install with no error message
9 JDK-8149518 install install Installer hangs during the JDK 8u74 installation process.

Java SE 8u102 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u102 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u102 b35

Bug Fixes

BugId Component Subcomponent Summary
8152438 hotspot gc Threads may do significant work out of the non-shared overflow buffer
8159410 core-libs java.net InetAddress.isReachable returns true for non existing IP addresses

Changes in Java SE 8u102 b34

Bug Fixes

BugId Component Subcomponent Summary
8153438 security-libs javax.smartcardio Avoid repeated "Please insert a smart card" popup windows
8164942
(Confidential)
deploy webstart Avoid repeated "Please insert a smart card" popup windows - DEPLOY part

Changes in Java SE 8u102 b33

Bug Fixes

BugId Component Subcomponent Summary
8141148 core-libs javax.naming LDAP "follow" throws ClassCastException with Java 8
8148984 client-libs java.awt [macosx] Chinese Comma cannot be entered using Pinyin Input Method on OS X
8158111 security-libs javax.net.ssl Make handling of 3rd party providers more stable
8080729 client-libs java.awt [macosx] java 7 and 8 JDialogs on multiscreen jump to parent frame on focus
8163583 client-libs java.awt [macosx] Press "To Back" button on the Dialog,the Dialog moves behind the Frame

Changes in Java SE 8u102 b31

Please note that fixes from the prior BPR (8u92 b34) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8154788
(Confidential)
install install ENT MSI installers should support system account

Java™ SE Development Kit 8, Update 102 (JDK 8u102)

July 19, 2016

The full version string for this update release is 1.8.0_102-b14 (where "b" means "build"). The version number is 8u102.

IANA Data 2016d

JDK 8u102 contains IANA time zone data version 2016d. For more information, refer to Timezone Data Versions in the JRE Software.

See JDK-8151876

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u102 are specified in the following table:

JRE Family Version JRE Security Baseline(Full Version String)
8 1.8.0_101-b13
7 1.7.0_111-b13
6 1.6.0_121-b09

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u102) will expire with the release of the next critical patch update scheduled for October 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u102) on November 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

MSI Enterprise JRE Installer option, REMOVEOLDERJRES

MSI Enterprise JRE Installer option, REMOVEOLDERJRES, does not remove static installs. JDK-8161098 (not public)

Enhancements

security-libs/javax.net.ssl

Support SHA224withDSA and SHA256withDSA in the SunJSSE provider

The SHA224withDSA and SHA256withDSA algorithms are now supported in the TLS 1.2 "signature_algorithms" extension in the SunJSSE provider. Note that this extension does not apply to TLS 1.1 and previous versions.

See JDK-8049321

core-libs/java.lang.invoke

Internal package sun.invoke.anon has been removed

The internal package sun.invoke.anon has been removed. The functionality it used to provide, namely anonymous class loading with possible constant pool patches, is available via the Unsafe.defineAnonymousClass() method.

See JDK-8081512

hotspot/runtime

New property jdk.lang.processReaperUseDefaultStackSize

When a large TLS (Thread local storage) size is set for Threads, the JVM results in a stack overflow exception. The reason for this behavior is that the reaper thread was created with a low stack size of 32768k. When a large TLS size is set, it steals space from the threads stack, which eventually results in a stack overflow. This is a known glibc bug. To overcome this issue, we have introduced a workaround (jdk.lang.processReaperUseDefaultStackSize) in which the user can set the reaper threads stack size to a default instead of to 32768. This gives the reaper thread a bigger stack size, so for a large TLS size, such as 32k, the process will not fail. Users can set this flag in one of two ways:

  1. -Djdk.lang.processReaperUseDefaultStackSize=true
  2. System.setProperty("jdk.lang.processReaperUseDefaultStackSize", "true")

The problem has been observed only when JVM is started from JNI code in which TLS is declared using "__thread"

See JDK-8130425

hotspot/compiler

Implemented performance improvements for BigInteger.montgomeryMultiply

We have implemented improvements that will improve performance of several security algorithms, especially when using ciphers with key lengths of 2048-bit or greater. To turn on these improvements, use the options -XX:+UseMontgomeryMultiplyIntrinsic and -XX:+UseMontgomerySquareIntrinsic. This improvement is only for Linux and Solaris on x86_64 architecture.

See JDK-8130150

New Features

deploy/webstart

32/64-bit interoperability in Java Web Start

The ability to specify a preference to launch a Java Web Start application in 64-bit or 32-bit architectures is now supported, by adding the 'arch' attribute to the JNLP resources block.

See JDK-8147627

core-libs

Ability to limit the capacity of buffers that can be held in the temporary buffer cache

The system property jdk.nio.maxCachedBufferSize has been introduced in 8u102 to limit the memory used by the "temporary buffer cache." The temporary buffer cache is a per-thread cache of direct memory used by the NIO implementation to support applications that do I/O with buffers backed by arrays in the java heap. The value of the property is the maximum capacity of a direct buffer that can be cached. If the property is not set, then no limit is put on the size of buffers that are cached. Applications with certain patterns of I/O usage may benefit from using this property. In particular, an application that does I/O with large multi-megabyte buffers at startup but does I/O with small buffers may see a benefit to using this property. Applications that do I/O using direct buffers will not see any benefit to using this system property.

See JDK-8147468

core-svc/java.lang.management

New system property for the remote JMX connector

*New JMX agent property - jmxremote.host* A new property, com.sun.management.jmxremote.host, is introduced that specifies the bind address for the default JMX agent. If the latter is not specified, the default JMX agent will listen on all interfaces (0.0.0.0) and the host value placed in the agent service URL (JMXServiceURL) is the IP address returned from invocation of the InetAddress.getLocalHost() method.

  • Name:

    com.sun.management.jmxremote.host

  • Definition:

    Specifies bind address for default JMX agent. It can be specified via command line while starting JVM or as part of agent config file (management.properties).

  • Value:

    IP address of any network interface of the machine

See JDK-6425769

Changes

javafx/web

Fixed memory leak when Java objects are passed into JavaScript

The bug fix for JDK-8089861, which was first integrated in JDK 8u102, fixes a memory leak when Java objects are passed into JavaScript. Prior to JDK 8u102, the WebView JavaScript runtime held a strong reference to such bound objects, which prevented them from being garbage collected. After the fix for JDK-8089861, the WebView JavaScript runtime uses weak references to refer to bound Java objects. The specification was updated to make it clear that this is the intended behavior. Applications which rely on the previously unspecified behavior might be affected by the updated behavior if the application does not hold a strong reference to an object passed to JavaScript. In such case, the Java object might be garbage collected prematurely. The solution is to modify the application to hold a strong reference in Java code for objects that should remain live after being passed into JavaScript.

See JDK-8089681

security-libs/javax.net.ssl

Modify requirements on Authority Key Identifier extension field during X509 certificate chain building

The requirement to have the Authority Key Identifier (AKID) and Subject Key Identifier (SKID) fields matching when building X509 certificate chains has been modified for some cases.

See JDK-8072463

hotspot/gc

Providing more granular levels for GC verification

This enhancement provides a way to specify more granular levels for the GC verification enabled using the VerifyBeforeGC, VerifyAfterGC, and VerifyDuringGC diagnostic options. It introduces a new diagnostic option VerifySubSet with which one can specify the subset of the memory system that should be verified. With this new option, one or more sub-systems can be specified in a comma separated string. Valid memory sub-systems are: threads, heap, symbol_table, string_table, codecache, dictionary, classloader_data_graph, metaspace, jni_handles, c-heap, and codecache_oops. During the GC verification, only the sub-systems specified using VerifySubSet get verified:

D:\\tests>java -XX:+UnlockDiagnosticVMOptions -XX:+VerifyBeforeGC -XX:VerifySubSet="threads,c-heap" -Xlog:gc+verify=debug Test
[0.095s][debug ][gc,verify] Threads
[0.099s][debug ][gc,verify] C-heap
[0.105s][info ][gc,verify] Verifying Before GC (0.095s, 0.105s) 10.751ms
[0.120s][debug ][gc,verify] Threads
[0.124s][debug ][gc,verify] C-heap
[0.130s][info ][gc,verify] Verifying Before GC (0.120s, 0.130s) 9.951ms
[0.148s][debug ][gc,verify] Threads
[0.152s][debug ][gc,verify] C-heap

If any invalid memory sub-systems are specified with VerifySubSet, the Java process exits with the following error message:

D:\\tests>java -XX:+UnlockDiagnosticVMOptions -XX:+VerifyBeforeGC -XX:VerifySubSet="threads,c-heap,hello" -Xlog:gc+verify=debug oom
Error occurred during initialization of VM
VerifySubSet: 'hello' memory sub-system is unknown, please correct it

See JDK-8072725

hotspot/compiler

Removed PICL warning message

In 8u40 and 7u80, a new feature was introduced to use the PICL library on Solaris to get some system information. If this library was not found, we printed an error message: Java HotSpot(TM) Server VM warning: PICL (libpicl.so.1) is missing. Performance will not be optimal. This warning was misleading. Not finding the PICL library is a very minor issue, and the warnings mostly lead to confusion. In this release, the warning was removed.

See JDK-8144957

core-libs/javax.naming

Improved exception handling for bad LDAP referral replies

The JDK was throwing a NullPointerException when a non-compliant REFERRAL status result was sent but no referral values were included. With this change, a NamingException with message value of "Illegal encoding: referral is empty" will be thrown in such circumstances.

See JDK-8149450 and JDK-8154304

Bug Fixes

client-libs
.oracle_jre_usage folder is no longer created in C\Users\myName
Since JDK 1.8.0_60, a folder named .oracle_jre_usage is created in the home directory. This folder and the files inside it are created by the Java Runtime Environment to track the last time a JRE was used. This information is very important in understanding what JRE installations are currently being used on the system.
On Windows, this folder was created under either C:\Users\\AppData\Local or C:\Users\myName\AppData\Roaming depending upon whether the user is local, or is a network user.
Writing content in this folder over the network on Windows can introduce performance overhead. This problem has been fixed with JDK-8134300. With this fix, the .oracle_jre_usage folder is created under %ProgramData%/Oracle/Java/.

See JDK-8134300

security-libs/javax.net.ssl

Fix to resolve "Unable to process PreMasterSecret, may be too big" issue

Recent JDK updates introduced an issue for applications that depend on having a delayed provider selection mechanism. The issue was introduced in JDK 8u71, JDK 7u95 and JDK 6u111. The main error seen corresponded to an exception like the following : handling exception: javax.net.ssl.SSLProtocolException: Unable to process PreMasterSecret, may be too big

See JDK-8149017

hotspot/gc

With UseG1GC, specifying -XX:ParallelGCThreads=0 is no longer allowed

With UseG1GC, specifying -XX:ParallelGCThreads=0 is no longer allowed. Previously, with -XX:ParallelGCThreads=0, G1 would execute some tasks using serial code executed by the VM thread. The closest approximation of this behavior is to specify -XX:ParallelGCThreads=1, which causes parallel tasks to be executed by a single GC worker thread using parallel code.

See JDK-8150518

 

Bug Fix List

This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

BugId Component Subcomponent Summary
JDK-8140620 client-libs   Find and load default.sf2 as the default soundbank on Linux
JDK-8073400 client-libs 2d Some Monospaced logical fonts have a different width
JDK-8076545 client-libs 2d Text size is twice bigger under Windows L&F on Win 8.1 with HiDPI display
JDK-8146035 client-libs 2d Windows - With LCD antialiasing, some glyphs are not rendered correctly
JDK-6961123 client-libs java.awt setWMClass fails to null-terminate WM_CLASS string
JDK-8130242 client-libs java.awt DataFlavorComparator transitivity exception
JDK-8139581 client-libs java.awt AWT components are not drawn after removal and addition to a container
JDK-8151998 client-libs java.awt VS2010 ThemeReader.cpp(758) : error C3861: 'round': identifier not found
JDK-8145228 client-libs javax.accessibility Java Access Bridge, getAccessibleStatesStringFromContext doesn't wrap the call to getAccessibleRole
JDK-8130735 client-libs javax.swing javax.swing.TimerQueue: timer fires late when another timer starts
JDK-8147994 client-libs javax.swing [macosx] JScrollPane jitters up/down during trackpad scrolling on MacOS/Aqua
JDK-8149368 client-libs javax.swing [hidpi] JLabel font is twice bigger than JTextArea font on Windows 7,HiDPI, Windows L&F
JDK-8149453 client-libs javax.swing [hidpi] JFileChooser does not scale properly on Windows with HiDPI display and Windows L&F
JDK-8157838 client-libs javax.swing Personalized Windows Font Size is not taken into account in Java8u102
JDK-8081771 core-libs   ProcessTool.createJavaProcessBuilder() needs new addTestVmAndJavaOptions argument
JDK-8059677 core-libs java.lang Thread.getName() instantiates Strings
JDK-8149330 core-libs java.lang Capacity of StringBuilder should not get close to Integer.MAX_VALUE unless necessary
JDK-8081512 core-libs java.lang.invoke Remove sun.invoke.anon classes, or move / co-locate them with tests
JDK-8065078 core-libs java.net NetworkInterface.getNetworkInterfaces() triggers intermittent test failures
JDK-8071125 core-libs java.net Improve exception messages in URLPermission
JDK-8135259 core-libs java.net InetAddress.getAllByName only reports "unknown error" instead of actual cause
JDK-8145388 core-libs java.net URLConnection.guessContentTypeFromStream returns image/jpg for some JPEG images
JDK-8147468 core-libs java.nio (bf) Allow users to bound the size of buffers cached in the per-thread buffer caches
JDK-8046339 core-libs java.rmi sun.rmi.transport.DGCAckHandler leaks memory
JDK-8151431 core-libs java.text DateFormatSymbols triggers this.clone() in the constructor
JDK-8068427 core-libs java.util Hashtable deserialization reconstitutes table with wrong capacity
JDK-8141243 core-libs java.util Unexpected timezone returned after parsing a date
JDK-8054446 core-libs java.util.concurrent Repeated offer and remove on ConcurrentLinkedQueue lead to an OutOfMemoryError
JDK-8148820 core-libs java.util.logging Missing @since Javadoc tag in Logger.log(Level, Supplier)
JDK-8149450 core-libs javax.naming LdapCtx.processReturnCode() throwing Null Pointer Exception
JDK-8154304 core-libs javax.naming NullpointerException at LdapReferralException.getReferralContext
JDK-8148379 core-libs jdk.nashorn jdk.nashorn.api.scripting spec. adjustments, clarifications
JDK-8148926 core-libs jdk.nashorn Call site profiling fails on braces-wrapped anonymous function
JDK-8149334 core-libs jdk.nashorn JSON.parse(JSON.stringify([])).push(10) creates an array containing two elements
JDK-8134300 core-svc   .oracle_jre_usage folder must not be created in C:\Users\myName
JDK-4515292 core-svc debugger ReferenceType.isStatic() returns true for arrays
JDK-4858370 core-svc debugger JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command
JDK-6425769 core-svc java.lang.management Allow specifying an address to bind JMX remote connector
JDK-8145982 core-svc java.lang.management JMXInterfaceBindingTest is failing intermittently
JDK-8146015 core-svc java.lang.management JMXInterfaceBindingTest is failing intermittently for IPv6 addresses
JDK-8133495 deploy   Platform.getInstalledJREList() returns only the jres of the current arch on windows.
JDK-6999748 deploy webstart Uninstaller Error occurs while trying to uninstall apps imported by 32 bit JWS on 64 bit systems
JDK-8003984 deploy webstart Allow relaunch between 32 / 64 bit versions in Java Web Start when you have latest versions of both
JDK-8055448 deploy webstart Provide a way to specify JRE data model requirements in JNLP file
JDK-8131070 deploy webstart re enable secure launcher for cross platform launches.
JDK-8147627 deploy webstart 64 bit only app may have problems when initially launched with 32 bit javaws
JDK-8149497 deploy webstart cannot relaunch to alternate architecture
JDK-8153087 deploy webstart URL Scheme handler problem
JDK-6675699 hotspot compiler need comprehensive fix for unconstrained ConvI2L with narrowed type
JDK-8055530 hotspot compiler assert(_exits.control()->is_top() || !_gvn.type(ret_phi)->empty()) failed: return value must be well defined
JDK-8081778 hotspot compiler Use Intel x64 CPU instructions for RSA acceleration
JDK-8130150 hotspot compiler Implement BigInteger.montgomeryMultiply intrinsic
JDK-8141420 hotspot compiler Compiler runtime entries don't hold Klass* from being GCed
JDK-8141551 hotspot compiler C2 can not handle returns with incompatible interface arrays
JDK-8144957 hotspot compiler Remove PICL warning message
JDK-8147645 hotspot compiler get_ctrl_no_update() code is wrong
JDK-8148752 hotspot compiler MethodHandle inlining with long/double arguments is broken in C2
JDK-8149543 hotspot compiler range check CastII nodes should not be split through Phi
JDK-8151522 hotspot compiler Disable 8130150 and 8081778 intrinsics by default
JDK-8017462 hotspot gc G1: guarantee fails with UseDynamicNumberOfGCThreads
JDK-8072725 hotspot gc Provide more granular levels for GC verification
JDK-8076995 hotspot gc gc/ergonomics/TestDynamicNumberOfGCThreads.java failed with java.lang.RuntimeException: 'new_active_workers' missing from stdout/stderr
JDK-8150002 hotspot gc Check for the validity of oop before printing it in verify_remembered_set
JDK-8150518 hotspot gc G1 GC crashes at G1CollectedHeap::do_collection_pause_at_safepoint(double)
JDK-8149743 hotspot jvmti JVM crash after debugger hotswap with lambdas
JDK-8130425 hotspot runtime libjvm crash due to stack overflow in executables with 32k tbss/tdata
JDK-8139040 hotspot runtime Fix initializations before ShouldNotReachHere() etc. and enable -Wuninitialized on linux.
JDK-8141445 hotspot runtime Use of Solaris/SPARC M7 libadimalloc.so can generate unknown signal in hs_err file
JDK-8153641 hotspot runtime assert(thread_state == _thread_in_native) failed: Assumed thread_in_native while heap dump
JDK-8153673 hotspot runtime [BACKOUT] JDWP: Memory Leak: GlobalRefs never deleted when processing invokeMethod command
JDK-8129419 hotspot svc heapDumper.cpp: assert(length_in_bytes > 0) failed: nothing to copy
JDK-8154022 javafx build Upgrade production compilers on Windows to Visual Studio 2013 SP4
JDK-8154803 javafx build Update license text in javadoc footer for FX API docs
JDK-8088397 javafx controls [Dialog] ButtonType text not updated when Locale changes
JDK-8145567 javafx controls Slider: snapToTicks not honoured on changing to true
JDK-8146325 javafx controls Spinner throws a ClassCastException under Linux
JDK-8151756 javafx controls JavaFX CSS is applied redundantly leading to significant performance degradation
JDK-8157398 javafx controls [TreeTableView] graphic property of TreeItem is still visible after collapsing tree
JDK-8130750 javafx media JFXMedia Player EventQueueThread does not always terminate
JDK-8150503 javafx media Provide media support for libav version 55 and 56
JDK-8153534 javafx media Intermittent hang in GSTMedia.gstDispose
JDK-8154287 javafx media Intermittent crash when disposing MediaPlayer
JDK-8088689 javafx web Several fast/regions/webkit-* tests fail
JDK-8088916 javafx web Replace sun.net.www.ParseUtil#decode with public API
JDK-8089681 javafx web WebView leaks memory when containing object acts as javascript callback handler
JDK-8089842 javafx web JavaScript2Java Bridge: A char value cannot be set from JavaScript
JDK-8133775 javafx web Some WebNode tests crash JVM
JDK-8139114 javafx web WebView crashes on Yahoo login page
JDK-8139317 javafx web [Mac] SecurityException when constructing WebView from JFXPanel application
JDK-8147851 javafx web jvm crash at javafx com.sun.webkit.WebPage.twkPrePaint
JDK-8149537 javafx web JavaFX WebView performance regression when inserting html via javascript
JDK-8149737 javafx web JRE crash in com.sun.webkit.network.URLLoader.twkDidFinishLoading
JDK-8149768 javafx web JavaFX Application Performance Issue
JDK-8152737 javafx web Crash in RuntimeObject::put when object passed to JSObject::setMember is GCed
JDK-8153148 javafx web Defer image decoding until WebCore requests ImageFrame
JDK-8153151 javafx web Call JavaScriptCore GC whenever JVM GC happens
JDK-8153501 javafx web Crash in ResourceLoader::releaseResources()
JDK-8154186 javafx web JVM crash while using JavaFW WebView and colgroup/cols html feature
JDK-8144144 other-libs corba ORB destroy() leaks filedescriptors after unsuccessful connection
JDK-8038837 security-libs java.security Add support to jarsigner for specifying timestamp hash algorithm
JDK-8072463 security-libs java.security Remove requirement that AKID and SKID have to match when building certificate chain
JDK-8143913 security-libs java.security MSCAPI keystore should accept Certificate[] in setEntry()
JDK-8149411 security-libs java.security PKCS12KeyStore cannot extract AES Secret Keys
JDK-6483657 security-libs javax.crypto MSCAPI provider does not create unique alias names
JDK-8133535 security-libs javax.crypto Better exception messaging in Ucrypto code
JDK-8149417 security-libs javax.crypto Use final restricted flag
JDK-8049321 security-libs javax.net.ssl Support SHA224withDSA and SHA256withDSA in the SunJSSE provider
JDK-8149017 security-libs javax.net.ssl Delayed provider selection broken in RSA client key exchange.
JDK-8153531 security-libs javax.net.ssl Improve exception messaging for RSAClientKeyExchange
JDK-8149029 security-libs javax.xml.crypto Secure validation of XML based digital signature always enabled when checking wrapping attacks
JDK-8066871 tools javac java.lang.VerifyError: Bad local variable type - local final String
JDK-8130304 tools javac Inference: NodeNotFoundException thrown with deep generic method call chain
JDK-8143647 tools javac Javac compiles method reference that allows results in an IllegalAccessError
JDK-8072081 xml javax.xml.parsers Supplementary characters are rejected in comments
JDK-8144593 xml jaxp Suppress not recognized property/feature warning messages from SAXParser
JDK-8145974 xml jaxp XMLStreamWriter produces invalid XML for surrogate pairs on OutputStreamWriter
JDK-8149915 xml jaxp enabling validate-annotations feature for xsd schema with annotation causes NPE
JDK-8150704 xml jaxp XALAN: ERROR: 'No more DTM IDs are available' when transforming with lots of temporary result trees

Java™ SE Development Kit 8, Update 101 (JDK 8u101)

July 19, 2016

The full version string for this update release is 1.8.0_101-b13 (where "b" means "build"). The version number is 8u101.

IANA Data 2016d

JDK 8u101 contains IANA time zone data version 2016d. For more information, refer to Timezone Data Versions in the JRE Software.

See JDK-8151876

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u101 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_101-b13
7 1.7.0_111-b13
6 1.6.0_121-b09

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u101) will expire with the release of the next critical patch update scheduled for October 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u101) on November 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Certificate Changes

New DTrust certificates added to root CAs

Two new root certificates have been added:

  1. D-TRUST Root Class 3 CA 2 2009
  2. alias: dtrustclass3ca2
  3. DN: CN=D-TRUST Root Class 3 CA 2 2009, O=D-Trust GmbH, C=DE
  4. D-TRUST Root Class 3 CA 2 EV 2009
  5. alias: dtrustclass3ca2ev
  6. DN: CN=D-TRUST Root Class 3 CA 2 EV 2009, O=D-Trust GmbH, C=DE

See JDK-8153080

New IdenTrust certificates added to root CAs

Three new root certificates have been added:

  1. IdenTrust Public Sector Root CA 1
  2. alias: identrustpublicca
  3. DN: CN=IdenTrust Public Sector Root CA 1, O=IdenTrust, C=US
  4. IdenTrust Commercial Root CA 1
  5. alias: identrustcommercial
  6. DN: CN=IdenTrust Commercial Root CA 1, O=IdenTrust, C=US
  7. IdenTrust DST Root CA X3
  8. alias: identrustdstx3
  9. DN: CN=DST Root CA X3, O=Digital Signature Trust Co.

See JDK-8154757

Comodo Root CA removed

The Comodo "UTN - DATACorp SGC" root CA certificate has been removed from the cacerts file.

See JDK-8141540

Sonera Class1 CA removed

The "Sonera Class1 CA" root CA certificate has been removed from the cacerts file.

See JDK-8141276

Changes

other-libs/corba

Improve access control to javax.rmi.CORBA.ValueHandler

The javax.rmi.CORBA.Util class provides methods that can be used by stubs and ties to perform common operations. It also acts as a factory for ValueHandlers. The javax.rmi.CORBA.ValueHandler interface provides services to support the reading and writing of value types to GIOP streams. The security awareness of these utilities has been enhanced with the introduction of a permission java.io.SerializablePermission("enableCustomValueHanlder"). This is used to establish a trust relationship between the users of the javax.rmi.CORBA.Util and javax.rmi.CORBA.ValueHandler APIs.

The required permission is "enableCustomValueHanlder" SerializablePermission. Third party code running with a SecurityManager installed, but not having the new permission while invoking Util.createValueHandler(), will fail with an AccessControlException.

This permission check behaviour can be overridden, in JDK8u and previous releases, by defining a system property, "jdk.rmi.CORBA.allowCustomValueHandler".

As such, external applications that explicitly call javax.rmi.CORBA.Util.createValueHandler require a configuration change to function when a SecurityManager is installed and neither of the following two requirements is met:

  1. The java.io.SerializablePermission("enableCustomValueHanlder") is not granted by SecurityManager.
  2. In the case of applications running on JDK8u and before, the system property "jdk.rmi.CORBA.allowCustomValueHandler" is either not defined or is defined equal to "false" (case insensitive).

Please note that the "enableCustomValueHanlder" typo will be corrected in the October 2016 releases. In those and future JDK releases, "enableCustomValueHandler" will be the correct SerializationPermission to use.

JDK-8079718 (not public)

security-libs/java.security

Support added to jarsigner for specifying timestamp hash algorithm

A new -tsadigestalg option is added to jarsigner to specify the message digest algorithm that is used to generate the message imprint to be sent to the TSA server. In older JDK releases, the message digest algorithm used was SHA-1. If this new option is not specified, SHA-256 will be used on JDK 7 Updates and later JDK family versions. On JDK 6 Updates, SHA-1 will remain the default but a warning will be printed to the standard output stream.

See JDK-8038837

security-libs/javax.crypto

MSCAPI KeyStore can handle same-named certificates

Java SE KeyStore does not allow certificates that have the same aliases (http://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html).

However, on Windows, multiple certificates stored in one keystore are allowed to have non-unique friendly names. The fix for JDK-6483657 makes it possible to operate on such non-uniquely named certificates through the Java API by artificially making the visible aliases unique.

Please note, this fix does not enable creating same-named certificates with the Java API. It only allows you to deal with same-named certificates that were added to the keystore by 3rd party tools.

It is still recommended that your design not use multiple certificates with the same name. In particular, the following sentence will not be removed from the Java documentation: "In order to avoid problems, it is recommended not to use aliases in a KeyStore that only differ in case."

(http://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html)

See JDK-6483657

security-libs/java.security

DomainCombiner will no longer consult runtime policy for static ProtectionDomain objects when combining ProtectionDomain objects

Applications which use static ProtectionDomain objects (created using the 2-arg constructor) with an insufficient set of permissions may now get an AccessControlException with this fix. They should either replace the static ProtectionDomain objects with dynamic ones (using the 4-arg constructor) whose permission set will be expanded by the current Policy or construct the static ProtectionDomain object with all the necessary permissions.

JDK-8147771 (not public)

 

Bug Fixes

This release contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.

BugId Component Subcomponent Summary
JDK-8130735 client-libs javax.swing javax.swing.TimerQueue: timer fires late when another timer starts
JDK-8151876 core-libs java.time (tz) Support tzdata2016d
JDK-7166247 deploy deployment_toolkit Deployment Toolkit should recognize IE Metro for Windows 8 and provide appropriate default response
JDK-8155076 deploy webstart Webstart loads JARs from MANIFEST.MF after loading the jars from resources-tag
JDK-8038837 security-libs java.security Add support to jarsigner for specifying timestamp hash algorithm
JDK-8139436 security-libs java.security sun.security.mscapi.KeyStore might load incomplete data
JDK-8145955 security-libs java.security Add new QuoVadis roots
JDK-8153080 security-libs java.security Add new DTrust roots
JDK-8154757 security-libs java.security Add new IdenTrust roots

 

Known Issues

deploy

JRE 8u101 is not recognized by Internet Explorer (IE) when using static class ID

When a static class id is used to launch an applet or web start application while using JRE 8u101, users will get an unwanted dialogue box stating that they either use the latest JRE or cancel the launch even though they have installed and are using the latest JRE (JRE 8u101).

This specific case is only applicable on Windows and IE.

We do not recommend using static class id for JRE version selection (since JDK 5u6, Dec 2005) per http://www.oracle.com/java/technologies/javase/family-clsid.html.

To work around this issue, users can do one of the following two things:

  1. Hit launch with the latest version (8u101) and ignore the warning.
  2. Install JRE 8u102 instead of JRE 8u101 to avoid this issue.

To address this issue, developers can do one of the following two things:

  1. Use a dynamic class id instead of static class id.
  2. Use java_version when using an HTML applet or a JNLP descriptor when using JNLP.

JDK-8147457 (not public)

Java SE 8u92 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u92 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u92 b34

Bug Fixes

BugId Component Subcomponent Summary
8132434 install install On Mac Install Run javawslauncher.app to register protocol handler with Launch Services
8159244 hotspot compiler Partially initialized string object created by C2's string concat optimization may escape
8155068
(Confidential)
deploy webstart jnlp protocol is not registered on mac after installing jre
8136844 deploy webstart Change JavawsLauncher.app to use NSTask or execv
8081847 deploy webstart Add a URL scheme handler to reliably launch .jnlp files - Mac registration part
8156977
(Confidential)
deploy webstart java.lang.NumberFormatException: For input string: 1z
8144348 deploy webstart Desktop shortcut is not updated after JNLP is changed in deployment cache

Changes in Java SE 8u92 b33

Bug Fixes

BugId Component Subcomponent Summary
6882559 client-libs javax.swing new JEditorPane("text/plain","") fails for null context class loader
8154899 deploy webstart System property 'user.dir' now set to 'java.home' value rather than user's working directory
8156822 deploy webstart Application started using javaws now starts in {java.home} rather than current directory
8063086 hotspot compiler Math.pow yields different results upon repeated calls
8158734 client-libs javax.swing JEditorPane.createEditorKitForContentType throws NPE after 6882559
8154287 javafx media Intermittent crash when disposing MediaPlayer
8153534 javafx media Intermittent hang in GSTMedia.gstDispose
8154186 javafx web JVM crash while using JavaFW WebView and colgroup/cols html feature
8153148 javafx web Defer image decoding until WebCore requests ImageFrame
8153501 javafx web Crash in ResourceLoader::releaseResources()
8153151 javafx web Call JavaScriptCore GC whenever JVM GC happens
8151459 javafx web Validation of new behaviour for JS callback memory leak
8152737 javafx web Crash in RuntimeObject::put when object passed to JSObject::setMember is GCed
8089681 javafx web WebView leaks memory when containing object acts as javascript callback handler
8149537 javafx web JavaFX WebView performance regression when inserting html via javascript
8149768 javafx web JavaFX Application Performance Issue
8147851 javafx web jvm crash at javafx com.sun.webkit.WebPage.twkPrePaint
8149737 javafx web JRE crash in com.sun.webkit.network.URLLoader.twkDidFinishLoading
8139114 javafx web WebView crashes on Yahoo login page
8154022 javafx build Upgrade production compilers on Windows to Visual Studio 2013 SP4

Changes in Java SE 8u92 b31

Please note that fixes from the prior BPR (8u77 b31) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
6483657 security-libs javax.crypto MSCAPI provider does not create unique alias names
8143913 security-libs java.security MSCAPI keystore should accept Certificate[] in setEntry()
8145844
(Confidential)
deploy plugin JARSigningException when loading jar file from JRE\lib\applet
8152917
(Confidential)
deploy webstart jarUpdate: javaws app has unexpectedly updated after choosing "cancel" on "Application Update" window

Java™ SE Development Kit 8, Update 92 (JDK 8u92)

The full version string for this update release is 1.8.0_92-b14 (where "b" means "build") for the Microsoft Windows JRE and JDK and 1.8.0_92-b14 for all other platforms and for the Microsoft Windows Server JRE. The version number is 8u92.

This update release contains several enhancements and changes including the following. 

IANA Data 2016a

JDK 8u92 contains IANA time zone data version 2016a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u92 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_91
7 1.7.0_101
6 1.6.0_115

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u92) will expire with the release of the next critical patch update scheduled for July 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u92) on August 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory. For a list of bug fixes included in this release, see JDK 8u92 Bug Fixes page.

The following are some of the notable bug fixes included in this release:

SHA224 removed from the default support list if SunMSCAPI enabled

SunJSSE allows SHA224 as an available signature and hash algorithm for TLS 1.2 connections. However, the current implementation of SunMSCAPI does not yet support SHA224. This can cause problems if SHA224 and SunMSCAPI private keys are used at the same time.

To mitigate the problem, we remove SHA224 from the default support list if SunMSCAPI is enabled.

See JDK-8064330.

New JVM Options added: ExitOnOutOfMemoryError and CrashOnOutOfMemoryError

Two new JVM flags have been added:

  • ExitOnOutOfMemoryError - When you enable this option, the JVM exits on the first occurrence of an out-of-memory error. It can be used if you prefer restarting an instance of the JVM rather than handling out of memory errors.

  • CrashOnOutOfMemoryError - If this option is enabled, when an out-of-memory error occurs, the JVM crashes and produces text and binary crash files (if core files are enabled).

See JDK-8138745.

Bug Fix List

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

BugId Component Subcomponent Summary
JDK-8041900 client-libs 2d [macosx] Java forces the use of discrete GPU
JDK-8132890 client-libs 2d Text Overlapping on Dot Matrix Printers
JDK-8132503 client-libs java.awt [macosx] Chinese full stop symbol cannot be entered with Pinyin IM on OS X
JDK-8138764 client-libs java.awt In some cases the usage of TreeLock can be replaced by other synchronization
JDK-8041501 client-libs javax.imageio ImageIO reader is not capable of reading JPEGs without JFIF header
JDK-8134828 client-libs javax.swing Scrollbar thumb disappears with Nimbus L&F
JDK-8131129 core-libs java.lang.invoke Attempt to define a duplicate BMH$Species class
JDK-8067800 core-libs java.time Clarify java.time.chrono.Chronology.isLeapYear for out of range years
JDK-8062901 core-libs java.util Iterators is spelled incorrectly in the Javadoc for Spliterator
JDK-8140587 core-libs java.util.concurrent Atomic*FieldUpdaters should use Class.isInstance instead of direct class check
JDK-8145539 core-libs java.util:collections (coll) AbstractMap.keySet and .values should not be volatile
JDK-8143297 core-libs jdk.nashorn Nashorn compilation time reported in nanoseconds
JDK-8143896 core-libs jdk.nashorn java.lang.Long is implicitly converted to double
JDK-8144020 core-libs jdk.nashorn Remove long as an internal numeric type
JDK-8144131 core-libs jdk.nashorn ArrayData.getInt implementations do not convert to int32
JDK-8146147 core-libs jdk.nashorn Java linker indexed property getter does not work for computed nashorn string
JDK-8147845 core-libs jdk.nashorn Varargs Array functions still leaking longs
JDK-8147857 core-svc javax.management RMIConnector logs attribute names incorrectly
JDK-8140244 core-svc tools Port fix of JDK-8075773 to AIX and possibly MacOSX
JDK-8139773 deploy   Add more debug traces to deployment registration process (RegFx.cpp)
JDK-8142982 deploy   Race Condition can cause CacheEntry.getJarSigningData() to return null.
JDK-8143294 deploy   cookie handler can't get JSESSIONID on linux
JDK-8145217 deploy   Fix GenericCookieHandlerTest
JDK-8143314 deploy packager Runtime not respected with INI-configuration while creating native bundle
JDK-8139389 deploy webstart Register a protocol handler for Java Webstart
JDK-6869327 hotspot compiler Add new C2 flag to keep safepoints in counted loops.
JDK-8058563 hotspot compiler InstanceKlass::_dependencies list isn't cleared from empty nmethodBucket entries
JDK-8080650 hotspot compiler Enable stubs to use frame pointers correctly
JDK-8129847 hotspot compiler Compiling methods generated by Nashorn triggers high memory usage in C2
JDK-8131782 hotspot compiler C1 Class.cast optimization breaks when Class is loaded from static final
JDK-8139421 hotspot compiler PPC64LE: MacroAssembler::bxx64_patchable kills register R12
JDK-8140483 hotspot compiler Atomic*FieldUpdaters final fields should be trusted
JDK-8144487 hotspot compiler PhaseIdealLoop::build_and_optimize() must restore major_progress flag if skip_loop_opts is true
JDK-8144935 hotspot compiler C2: safepoint is pruned from a non-counted loop
JDK-8145754 hotspot compiler PhaseIdealLoop::is_scaled_iv_plus_offset() does not match AddI
JDK-8065579 hotspot gc WB method to start G1 concurrent mark cycle should be introduced
JDK-8138966 hotspot gc Intermittent SEGV running ParallelGC
JDK-8145442 hotspot gc Add the facility to verify remembered sets for G1
JDK-8029630 hotspot runtime Thread id should be displayed as hex number in error report
JDK-8046611 hotspot runtime Build errors with gcc on sparc/fastdebug
JDK-8087120 hotspot runtime [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms
JDK-8138745 hotspot runtime Implement ExitOnOutOfMemory and CrashOnOutOfMemory in HotSpot
JDK-8139258 hotspot runtime PPC64LE: argument passing problem when passing 15 floats in native call
JDK-8143963 hotspot runtime improve ClassLoader::trace_class_path to accept an additional outputStream* arg
JDK-8029726 hotspot svc On OS X some dtrace probe names are mismatched with Solaris
JDK-8029727 hotspot svc On OS X dtrace probes Call<type>MethodA/Call<type>MethodV are not fired.
JDK-8029728 hotspot svc On OS X dtrace probes SetStaticBooleanField are not fired
JDK-8130910 hotspot svc hsperfdata file is created in wrong directory and not cleaned up if /tmp/hsperfdata_<username> has wrong permissions
JDK-8140031 hotspot svc SA: Searching for a value in Threads does not work
JDK-8144885 hotspot svc agent/src/os/linux/libproc.h needs to support Linux/SPARC builds
JDK-8145099 hotspot svc Better error message when SA can't attach to a process
JDK-8142443 javafx build Error compiling generated web classes with gradle 2.8
JDK-8136535 javafx controls JavaFX NumberAxis AutoRange Infinite Loop
JDK-8143266 javafx controls TreeTableView flickers when inserting elements
JDK-8089847 javafx graphics [JAVADOC] Change docs to not refer to full-screen exclusive mode
JDK-8090292 javafx web Test transitions/created-while-suspended.html fails
JDK-8141345 javafx web Cannot build WebKit with bison3
JDK-8141386 javafx web Unable to pass values to java functions which takes wrapper objects as arguments
JDK-8074935 security-libs java.security jdk8 keytool doesn't validate pem files for RFC 1421 correctness, as jdk7 did
JDK-8139436 security-libs java.security sun.security.mscapi.KeyStore might load incomplete data
JDK-8064330 security-libs javax.net.ssl Remove SHA224 from the default support list if SunMSCAPI enabled
JDK-8131665 security-libs javax.net.ssl Bad exception message in HandshakeHash.getFinishedHash
JDK-8136442 security-libs javax.net.ssl Don't tie Certificate signature algorithms to ciphersuites
JDK-8038184 security-libs javax.xml.crypto XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String
JDK-8038349 security-libs javax.xml.crypto Signing XML with DSA throws Exception when key is larger than 1024 bits
JDK-8065986 tools javac Compiler fails to NullPointerException when calling super with Object<>()
JDK-8066974 tools javac Compiler doesn't infer method's generic type information in lambda body
JDK-8068254 tools javac Method reference uses wrong qualifying type
JDK-8130506 tools javac javac AssertionError when invoking MethodHandle.invoke with lambda parameter
JDK-8134007 tools javac Improve string folding
JDK-8134759 tools javac jdb: Incorrect stepping inside finally block
JDK-8139751 tools javac Javac crash with -XDallowStringFolding=false
JDK-8145466 tools javac javac: No line numbers in compilation error
JDK-8145722 tools javadoc(tool) NullPointerException in javadoc
JDK-8133924 xml jaxp NPE may be thrown when xsltc select a non-existing node after JDK-8062518

Java™ SE Development Kit 8, Update 91 (JDK 8u91)

The full version string for this update release is 1.8.0_91-b15 (where "b" means "build") for the Microsoft Windows JRE and JDK and 1.8.0_91-b14 for all other platforms and for the Microsoft Windows Server JRE. The version number is 8u91.

This update release contains several enhancements and changes including the following.

IANA Data 2016a

JDK 8u91 contains IANA time zone data version 2016a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u91 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_91
7 1.7.0_101
6 1.6.0_115

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u91) will expire with the release of the next critical patch update scheduled for July 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u91) on August 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

Removal of Static JREs

Java installers for Windows that were released prior to version 8u91 did not remove statically installed JREs by default. In order to remove JREs that were installed statically, users had to manually select those JREs in the Java installer's user interface. Now in Java releases 8u91 and above, JREs that were installed statically will automatically be removed, if they are below the security baseline. For more information on static install, please see Java Runtime Environment Configuration.

 

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.

The following are some of the notable bug fixes included in this release:

DSA signature generation is now subject to a key strength check

For signature generation, if the security strength of the digest algorithm is weaker than the security strength of the key used to sign the signature (e.g. using (2048, 256)-bit DSA keys with SHA1withDSA signature), the operation will fail with the error message:

"The security strength of SHA1 digest algorithm is not sufficient for this key size."

JDK-8138593 (not public)

Firefox 42 liveconnect problem

Because it might cause the browser to hang, we don't process JavaScript-to-Java calls when the Java plugin is launched from plugin-container.exe (the default behavior for Firefox 42) and the applet status is not Ready(2). If the applet is not ready (the status is not 2), we don't execute the actual Java method and only return null.

If the plugin is launched from plugin-container.exe, do not use JavaScript-To-Java calls that may require more than 11 seconds(the default value of dom.ipc.plugins.hangUITimeoutSecs) to be completed or show a modal dialog during JavaScript-To-Java call. In this case, the main browser thread must be blocked, which might cause the browser to hang and the plugin to terminate.

Workaround (for Firefox 42):

User’s can set dom.ipc.plugins.enabled=false. The side effect of this workaround is that it changes the setting for all plugins.

JDK-8144079 (not public)

New attribute for JMX RMI JRMP servers specifies a list of class names to use when deserializing server credentials

A new java attribute has been defined for the environment to allow a JMX RMI JRMP server to specify a list of class names. These names correspond to the closure of class names that are expected by the server when deserializing credentials. For instance, if the expected credentials were a List<string>, then the closure would constitute all the concrete classes that should be expected in the serial form of a list of Strings.

By default, this attribute is used only by the default agent with the following:

{   
   "[Ljava.lang.String;",   
   "java.lang.String" 
 }

Only arrays of Strings and Strings will be accepted when deserializing the credentials.

The attribute name is:

"jmx.remote.rmi.server.credential.types"

The following is an example of a user starting a server with the specified credentials class names:

Map<String, Object> env = new HashMap<>(1);
 env.put ( 
 "jmx.remote.rmi.server.credential.types",
   new String[]{
   String[].class.getName(),
   String.class.getName()
   }
   );
   JMXConnectorServer server
   = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbeanServer);

The new feature should be used by directly specifying:

"jmx.remote.rmi.server.credential.types"

JDK-8144430 (not public)

New certificates added to root CAs

Eight new root certificates have been added :

  1. QuoVadis Root CA 1 G3
  2. alias: quovadisrootca1g3
  3. DN: CN=QuoVadis Root CA 1 G3, O=QuoVadis Limited, C=BM

  1. QuoVadis Root CA 2 G3
  2. alias: quovadisrootca2g3
  3. DN: CN=QuoVadis Root CA 2 G3

  1. QuoVadis Root CA 3 G3
  2. alias: quovadisrootca3g3
  3. DN: CN=QuoVadis Root CA 3 G3, O=QuoVadis Limited, C=BM

  1. DigiCert Assured ID Root G2
  2. alias: digicertassuredidg2
  3. DN: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

  1. DigiCert Assured ID Root G3
  2. alias: digicertassuredidg3
  3. DN: CN=DigiCert Assured ID Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US

  1. DigiCert Global Root G2
  2. alias: digicertglobalrootg2
  3. DN: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

  1. DigiCert Global Root G3
  2. alias: digicertglobalrootg3
  3. DN: CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US

  1. DigiCert Trusted Root G4
  2. alias: digicerttrustedrootg4
  3. DN: CN=DigiCert Trusted Root G4, OU=www.digicert.com, O=DigiCert Inc, C=US

See JDK-8145954 and JDK-8145955

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-8148446 core-libs java.util:i18n
(tz) Support tzdata2016a
JDK-8144963 deploy   Javaws checks jar files twice if JVM needs to be restarted.
JDK-8145954 security-libs java.security Add new DigiCert roots.
JDK-8145955 security-libs java.security Add new QuoVadis roots.

Java SE 8u77 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u77 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u77 b31

Please note that fixes from the prior BPR (8u74 b32) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8130150 hotspot compiler Implement BigInteger.montgomeryMultiply intrinsic
8081778 hotspot compiler Use Intel x64 CPU instructions for RSA acceleration
8151522 hotspot compiler Disable 8130150 and 8081778 intrinsics by default
8147994 client.libs javax.swing [macosx] JScrollPane jitters up/down during trackpad scrolling on MacOS/Aqua

Java™ SE Development Kit 8, Update 77 (JDK 8u77)

The full version string for this update release is 1.8.0_77-b03 (where "b" means "build"). The version number is 8u77.

This update release contains several enhancements and changes including the following.

IANA Data 2016a

JDK 8u77 contains IANA time zone data version 2016a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u77 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_77
7 1.7.0_99
6 1.6.0_111

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u77) will expire with the release of the next critical patch update scheduled for April 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u77) on May 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
 

Notes

This Security Alert (8u77) is based on the earlier 8u74 PSU release. All users of earlier JDK 8 releases should update to this release. For more information on the difference between Critical Patch Updates and Patch Set Updates please visit Java CPU and PSU Releases Explained.

The demos, samples, and Documentation bundles for 8u77 are not impacted by the Security Alert for CVE-2016-0636, so version 8u73 demos, samples, and Documentation bundles remain the most up to-date version until the April Critical Patch Update release.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.

 

Java SE 8u74 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u74 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u74 b32

Bug Fixes

BugId Component Subcomponent Summary
6675699 hotspot compiler need comprehensive fix for unconstrained ConvI2L with narrowed typed
8130735 client-libs javax.swing javax.swing.TimerQueue: timer fires late when another timer starts
8038837 security-libs java.security Add support to jarsigner for specifying timestamp hash algorithm
8146336
(Confidential)
deploy plugin pac file returns wrong proxy with IE only due to broken wildcarding
8144864
(Confidential)
deploy plugin .pac file returns wrong proxy
8145712
(Confidential)
deploy webstart NPE is introduced by 8133458

Changes in Java SE 8u74 b31

Please note that fixes from the prior BPR (8u72 b31) are included in this version.

Bug Fixes

BugId Component Subcomponent Summary
8144963 deploy webstart Javaws checks jar files twice if JVM needs to be restarted
8140291
(Confidential)
deploy webstart (JWS)LazyRootStore leak when calling getResourceAsStream on non-class resource
8142982 deploy webstart Race Condition can cause CacheEntry.getJarSigningData() to return null.

Java™ SE Development Kit 8, Update 74 (JDK 8u74)

The full version string for this update release is 1.8.0_74-b02 (where "b" means "build"). The version number is 8u74.

This update release contains several enhancements and changes including the following. 

IANA Data 2015g

JDK 8u74 contains IANA time zone data version 2015g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u74 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_71
7 1.7.0_95
6 1.6.0_111

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u74) will expire with the release of the next critical patch update scheduled for April 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u74) on May 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

Oracle strongly recommends that Java users who have downloaded affected versions and plan future installations with these downloaded versions discard these old downloads. Java users who have installed the January 2016 Critical Patch Update versions of Java SE 6, 7, or 8 need take no action. Java users who have not installed the January 2016 Critical Patch Update versions of Java SE 6, 7, or 8 should upgrade to the Java SE 6, 7, or 8 releases from the Security Alert for CVE-2016-0603.

The demos, samples, and Documentation bundles for 8u74 are not impacted by the Security Alert for CVE-2016-0603, so version 8u72 demos, samples, and Documentation bundles remain the most up to-date version until the April Critical Patch Update release.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory.

Java™ SE Development Kit 8, Update 73 (JDK 8u73)

The full version string for this update release is 1.8.0_73-b02 (where "b" means "build"). The version number is 8u73.

This update release contains several enhancements and changes including the following.

IANA Data 2015g

JDK 8u73 contains IANA time zone data version 2015g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u73 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_71
7 1.7.0_95
6 1.6.0_111

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u73) will expire with the release of the next critical patch update scheduled for April 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u73) on May 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date

Notes

Oracle strongly recommends that Java users who have downloaded affected versions and plan future installations with these downloaded versions discard these old downloads. Java users who have installed the January 2016 Critical Patch Update versions of Java SE 6, 7, or 8 need take no action. Java users who have not installed the January 2016 Critical Patch Update versions of Java SE 6, 7, or 8 should upgrade to the Java SE 6, 7, or 8 releases from the Security Alert for CVE-2016-0603.

The demos, samples, and Documentation bundles for 8u73 are not impacted by the Security Alert for CVE-2016-0603, so version 8u71 demos, samples, and Documentation bundles remain the most up to-date version until the April Critical Patch Update release.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory.

Note that 8u73 does not contain the PSU builds found in 8u72. Customers who require the additional bug fixes contained in 8u72 should update to 8u74 instead of 8u73.

Java SE 8u72 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u72 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u72 b31

Please note that fixes from the prior BPR (8u66 b36) are included in this version.


Java™ SE Development Kit 8, Update 72 (JDK 8u72)

The full version string for this update release is 1.8.0_72-b15 (where "b" means "build") for the Microsoft Windows JRE and JDK and 1.8.0_72-b15 for all other platforms and for the Microsoft Windows Server JRE. The version number is 8u72.

This update release contains several enhancements and changes including the following. 

IANA Data 2015g

JDK 8u72 contains IANA time zone data version 2015g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u72 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_71
7 1.7.0_95
6 1.6.0_111

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u72) will expire with the release of the next critical patch update scheduled for April 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u72) on May 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes included in this release:
 

Regression in Applet startup time fixed

JDK-8080977 introduced delay on applet launch. The delay appears only on IE and lasts about 20 seconds. JDK-8136759 removed this delay.

See JDK-8136759

jps running as root fails after the fix of JDK-8050807
When running jps as root in solaris or linux, it should be able to display process information for all running java process in the system. This worked fine until 7u72:
For example:

jps running In 7u72 solaris machine:
7u72/bin/jps
1771 ControlPanel
722 Bootstrap
1224 ContainerPrivate
1637 swupna.jar
1772 Jp

jps running In 7u75 solaris machine:
7u75/bin/jps 
1746 Jps 
1739 -- process information unavailable 
722 -- process information unavailable 
1224 ContainerPrivate 
1637 -- process information unavailable

This bug was introduced when fix JDK-8050807 was merged in JDK repository. In this fix UID of directory is matched with the effective Id of process. When JPS command is executed as root, it tries to read the process information from "/tmp/hsperfdata_$username_$ProcessID" file. Before reading the process file or directory, it checks if the file or directory is secure or not. It opens the user directory and match the UID of that directory (which belong to other user) with the current process(root-jps) effective ID,which gets fail and process returns failure.

See JDK-8075773.

"Apply" button is permanently disabled in JCP, after roaming profile option is changed
After the option "Store user settings in the roaming profile" located in "Java Control Panel -> Advanced -> Miscellaneous" is changed and applied by a click on "Apply" button in Java Control Panel (JCP), "Apply" button becomes permanently disabled and changes of any other options in JCP do not lead to enabling of "Apply" button.

See JDK-8133985.

JFR reports abnormally high machine CPU consumption on Linux
On Linux kernels 2.6 and later, the JDK would include time spent waiting for IO completion as "CPU usage". During periods of heavy IO activity, this could result in misleadingly high values reported as CPU consumption in various tools like Flight Recorder and performance counters. This issue has been resolved.

JDK-8133527 (not public)

Problem with REMOVEOUTOFDATEJRES Installer option documentation corrected
Missing documentation for the REMOVEOUTOFDATEJRES installer option was added to the Java Platform, Standard Edition Installation Guide: http://docs.oracle.com/javase/8/docs/technotes/guides/install/config.html#table_config_file_options

See JDK-8133527.

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-8133917 client-libs   Please backport X11FontManager refactor to Java 8!
JDK-8130136 client-libs 2d Swing window sometimes fails to repaint partially when it becomes exposed
JDK-8132850 client-libs 2d java.lang.ArrayIndexOutOfBoundsException during text rendering with many fonts installed
JDK-8137106 client-libs 2d EUDC (End User Defined Characters) are not displayed on Windows with Java 8u60+
JDK-8065081 client-libs demo Intermittent NPE in Java2Demo applet on Stop/Restart in appletviewer
JDK-8081485 client-libs java.awt EDT auto shutdown is broken in case of new event queue usage
JDK-8081787 client-libs java.awt [macosx] MalformedURLException is thrown during reading data for application/x-java-url;class=java.net.URL flavor
JDK-8086038 client-libs java.awt [macosx] No available data flavors when copying from Microsoft Word for Mac
JDK-8130776 client-libs java.awt Remove EmbeddedFrame.requestFocusToEmbedder() method
JDK-8132382 client-libs java.awt [macosx] Crash during JMC or JavaFX execution when NSApplication is controlled by SWT or JavaFX libraries
JDK-8136763 client-libs java.awt [macosx] java always returns only one value for "text/uri-list" dataflavor even if several files were copied
JDK-8134828 client-libs javax.swing Scrollbar thumb disappears with Nimbus L&F
JDK-8134917 client-libs javax.swing [macosx] JOptionPane doesn't receive mouse events when opened from a drop event
JDK-8134356 core-libs   {@code} tag contains &lt; and &gt; sequences
JDK-8134569 core-libs   Add tests for prototype callsites
JDK-8134939 core-libs   Improve toString method of Dynalink DynamicMethod objects
JDK-8133249 core-libs java.io Occasional SIGSEGV: non thread-safe use of strerr in getLastErrorString
JDK-8073644 core-libs java.lang.invoke Assertion in LambdaFormEditor.bindArgumentType is too strict
JDK-8030785 core-libs java.lang:reflect Missing "since 1.8" javadoc for java.lang.reflect.Method:getParameterCount
JDK-8072466 core-libs java.net Deadlock when initializing MulticastSocket and DatagramSocket
JDK-8087190 core-libs java.net Regression in sun.net.util.IPAddressUtil.isIPv4LiteralAddress(String)
JDK-8133015 core-libs java.net InetAddress.isReachable(tmout) returning wrong value on Windows for IPv6
JDK-8143397 core-libs java.net It looks like InetAddress.isReachable(timeout) works incorrectly
JDK-6857566 core-libs java.nio (bf) DirectByteBuffer garbage creation can outpace reclamation
JDK-8029516 core-libs java.nio (fs) WatchKey cancel unreliable on Windows
JDK-8034057 core-libs java.nio Files.getFileStore and Files.isWritable do not work with SUBST'ed drives (win)
JDK-8080115 core-libs java.nio (fs) Crash in libgio when calling Files.probeContentType(path) from parallel threads
JDK-8130274 core-libs java.nio java/nio/file/FileStore/Basic.java fails when two successive stores in an iteration are determined to be equal
JDK-8133232 core-libs java.nio [fs] Regex has redundant | in the char class
JDK-8133647 core-libs java.nio (ch) Test java/nio/channels/AsynchronousSocketChannel/StressLoopback.java fails for Windows XP
JDK-8137121 core-libs java.nio (fc) Infinite loop FileChannel.truncate
JDK-8138819 core-libs java.nio (se) File descriptor leak when Selector.open fails
JDK-8081794 core-libs java.text ParsePosition getErrorIndex returns 0 for TimeZone parsing problem
JDK-8074032 core-libs java.time Instant.ofEpochMilli(millis).toEpochMilli() can throw arithmetic overflow in toEpochMilli()
JDK-8133022 core-libs java.time Instant.toEpochMilli() silently overflows
JDK-8139107 core-libs java.time DateTimeFormatter with Locale.UK throw a NullPointerException when parsing zone
JDK-6907252 core-libs java.util.jar ZipFileInputStream Not Thread-Safe
JDK-8038502 core-libs java.util.jar Deflater.needsInput() should use synchronization
JDK-8134505 core-libs java.util:i18n Cleanup of "TimeZone_md.c"
JDK-8129957 core-libs javax.naming Deadlock in JNDI LDAP implementation when closing the LDAP context
JDK-8027137 core-libs jdk.nashorn Merge ScriptFunction and ScriptFunctionImpl
JDK-8055917 core-libs jdk.nashorn jdk.nashorn.internal.codegen.CompilationPhase$N should be renamed to proper classes
JDK-8068901 core-libs jdk.nashorn Surprising behavior with more than one functional interface on a class
JDK-8068903 core-libs jdk.nashorn Can't invoke vararg @FunctionalInterface methods
JDK-8073613 core-libs jdk.nashorn Here documents: how to avoid string interpolation?
JDK-8073733 core-libs jdk.nashorn TypeError messages with "call" and "new" could be improved
JDK-8087292 core-libs jdk.nashorn nashorn should have a "fail-fast" option for scripting, analog to bash "set -e"
JDK-8087312 core-libs jdk.nashorn PropertyMapWrapper.equals should compare className
JDK-8114838 core-libs jdk.nashorn Anonymous functions escape to surrounding scope when defined under "with" statement
JDK-8129950 core-libs jdk.nashorn Wrong condition for checking absence of logger in MethodHandleFactory
JDK-8129959 core-libs jdk.nashorn DebugLogger has unnecessary API methods
JDK-8130234 core-libs jdk.nashorn Get rid of JSType.isNegativeZero
JDK-8130307 core-libs jdk.nashorn improve Nashorn Javadoc target
JDK-8130424 core-libs jdk.nashorn if directory specified with --dest-dir does not exist, only .class files are dumped and .js files are not
JDK-8130476 core-libs jdk.nashorn Remove unused methods in Global.java
JDK-8130663 core-libs jdk.nashorn 6 fields can be static fields in Global class
JDK-8130853 core-libs jdk.nashorn Non-extensible global is not handled property
JDK-8131039 core-libs jdk.nashorn after adding a function property to Object.prototype, JSON.parse with reviver function goes into infinite loop
JDK-8131340 core-libs jdk.nashorn Varargs function is recompiled each time it is linked
JDK-8131683 core-libs jdk.nashorn Delete fails over multiple scopes
JDK-8133119 core-libs jdk.nashorn Error message associated with TypeError for call and new should include stringified Node
JDK-8133300 core-libs jdk.nashorn Ensure symbol table immutability in Nashorn AST
JDK-8133785 core-libs jdk.nashorn SharedScopeCall should be enabled for non-optimistic call sites even with optimistic compilation
JDK-8134150 core-libs jdk.nashorn Make Nashorn Timing class both threadsafe and efficient
JDK-8134484 core-libs jdk.nashorn disallow backquotes as heredoc end marker delimiters
JDK-8134488 core-libs jdk.nashorn var statement in if(false) block incorrectly evacuated into enclosing function
JDK-8134490 core-libs jdk.nashorn Dead var statement evacuation incorrectly descends into nested functions
JDK-8134502 core-libs jdk.nashorn introduce abstraction for basic NodeVisitor usage
JDK-8134609 core-libs jdk.nashorn Allow constructors with same prototoype map to share the allocator map
JDK-8134731 core-libs jdk.nashorn Function.prototype.apply interacts incorrectly with 'arguments'
JDK-8134930 core-libs jdk.nashorn Defer stack trace walking of NashornException for extracting line number and file name
JDK-8134931 core-libs jdk.nashorn jdk.nashorn.internal.codegen.TypeMap should not use Map
JDK-8134973 core-libs jdk.nashorn Control flow exceptions should avoid filling stack trace
JDK-8135000 core-libs jdk.nashorn Number.prototype.toFixed returns wrong string for 0.5 and -0.5
JDK-8135054 core-libs jdk.nashorn Add more samples to nashorn samples directory
JDK-8135075 core-libs jdk.nashorn Reorder short-circuit tests in ApplySpecialization to run cheapest first
JDK-8135190 core-libs jdk.nashorn Method code too large in Babel browser.js script
JDK-8135262 core-libs jdk.nashorn Sanitize CodeInstaller and Compiler API
JDK-8135332 core-libs jdk.nashorn ScriptFunction constructor should use is bound and is strict check rather than checking for 'arguments' and 'caller'
JDK-8135337 core-libs jdk.nashorn NativeDebug.dumpCounters with incorrect scope count
JDK-8136349 core-libs jdk.nashorn Typos patch for nashorn sources submitted on Sep 10, 2015
JDK-8136544 core-libs jdk.nashorn Call site switching to megamorphic causes incorrect property read
JDK-8136694 core-libs jdk.nashorn Megemorphic scope access does not throw ReferenceError when property is missing
JDK-8137258 core-libs jdk.nashorn JSObjectLinker and BrowserJSObjectLinker should not expose internal JS objects
JDK-8137281 core-libs jdk.nashorn OutOfMemoryError with large numeric keys in JSON.parse
JDK-8137333 core-libs jdk.nashorn Boundless soft caching of property map histories causes high memory pressure
JDK-8138616 core-libs jdk.nashorn invokeFunction fails if function calls a function defined in GLOBAL_SCOPE
JDK-8138632 core-libs jdk.nashorn Sparse array does not handle growth of underlying dense array
JDK-8074696 core-svc debugger Remote debugging session hangs for several minutes when calling findBootType
JDK-8074368 core-svc java.lang.management ThreadMXBean.getThreadInfo() corrupts memory when called with empty array for thread ids
JDK-8133666 core-svc java.lang.management OperatingSystemMXBean reports abnormally high machine CPU consumption on Linux
JDK-8075773 core-svc tools jps running as root fails after the fix of JDK-8050807
JDK-8139613 deploy   push of backport of JDK-8081846 broke build
JDK-8138650 deploy packager Packager cannot bundle Mac App Store Apps because JavaFX WebKit uses apple private APIs
JDK-8133985 deploy plugin "Apply" button is permanently disabled in JCP, after roaming profile option is changed
JDK-8134109 deploy plugin Applet2Manager.getMainDeploymentRuleSet ignores jar version.
JDK-8134495 deploy plugin Cannot enable debugging on JNLP applet with java-vm-args params
JDK-7156268 deploy webstart app is stuck when launching with javaagent if there is no jre info in deployment.properties
JDK-8055464 deploy webstart Add a URL scheme handler to reliably launch .jnlp files - java part
JDK-8056013 deploy webstart Web Start looks in currently directory for all classes prior to jars - slow
JDK-8077380 deploy webstart JNLPSigning exception when signed jnlp is launched from local tomcat server
JDK-8081846 deploy webstart Add a URL scheme handler to reliably launch .jnlp files - Windows registration part
JDK-8135115 deploy webstart DRS1.3: App is not blocked when there is a invalid attribute in jnlp-checksum
JDK-8135227 deploy webstart DRS 1.3 enhancements doesn't work as expected when load no href jnlp by "javaws <local_path_of_jnlp_file>"
JDK-8136906 deploy webstart Extreme Application Startup Time due to frequent requests for the jnlp-6.0.dtd
JDK-8139323 deploy webstart JNLPSignedResourcesHelperTest shows regression caused by JDK-8129600
JDK-8140264 deploy webstart create junit test for JDK-8136906
JDK-8140740 deploy webstart Test jnlp_file/applicationDesc/index.html\#args is failing
JDK-8011858 hotspot compiler Use Compile::live_nodes() instead of Compile::unique() in appropriate places
JDK-8058737 hotspot compiler CodeCache::find_blob fails with 'unsafe access to zombie method'
JDK-8075805 hotspot compiler Crash while trying to release CompiledICHolder
JDK-8134031 hotspot compiler Incorrect JIT compilation of complex code with inlining and escape analysis
JDK-8134493 hotspot compiler Cleaning inline caches of unloaded nmethods should be done in sweeper
JDK-8133193 hotspot gc Memory leak in G1 because G1RootProcessor doesn't have desctructor
JDK-8029453 hotspot runtime java/util/concurrent/locks/ReentrantLock/TimeoutLockLoops.java failed by timeout
JDK-8135002 hotspot runtime Fix or remove broken links in objectMonitor.cpp comments
JDK-8139150 hotspot runtime ClassVerifier frees exception message while it's still in use
JDK-8140249 hotspot runtime JVM Crashing During startUp If Flight Recording is enabled
JDK-7194452 security-libs java.security Remove "Reverse" PKIX CertPathBuilder implementation
JDK-8130875 security-libs java.security Ucrypto library leaks memory when null output buffer is specified
JDK-8136534 security-libs java.security Loading JKS keystore using non-null InputStream results in closed stream
JDK-8132551 security-libs javax.crypto:pkcs11 Initialize local variables before returning them in p11_convert.c
JDK-8067422 tools javac Lambda method names are unnecessarily unstable
JDK-8071291 tools javac Compiler crashes trying to cast UnionType to IntersectionClassType
JDK-8073519 xml jaxb schemagen does not report errors while generating xsd files

Java™ SE Development Kit 8, Update 71 (JDK 8u71)

The full version string for this update release is 1.8.0_71-b15 (where "b" means "build"). The version number is 8u71.

This update release contains several enhancements and changes including the following.

IANA Data 2015g

JDK 8u71 contains IANA time zone data version 2015g. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u71 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_71
7 1.7.0_95
6 1.6.0_111

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u71) will expire with the release of the next critical patch update scheduled for April 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u71) on May 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes

The following are some of the notable new features and changes in this release:

*MD5 now disabled for X509 Certificate validating*
MD5 must not be used for digital signatures where collision resistance is required. To prevent the use of X.509 certificates that include an MD5-based digital signature algorithm, MD5 has been added to the jdk.certpath.disabledAlgorithms security property. Applications should upgrade or replace certificates that include an MD5-based digital signature.

Reversing this change is possible by removing MD5 from the jdk.certpath.disabledAlgorithms security property in the java.security file. This is not recommended.
JDK-8141287 (not public)

Disable MD5withRSA signature algorithm in the JSSE provider
The MD5withRSA signature algorithm is now considered insecure and should no longer be used. Accordingly, MD5withRSA has been deactivated by default in the Oracle JSSE implementation by adding "MD5withRSA" to the "jdk.tls.disabledAlgorithms" security property. Now, both TLS handshake messages and X.509 certificates signed with MD5withRSA algorithm are no longer acceptable by default. This change extends the previous MD5-based certificate restriction ("jdk.certpath.disabledAlgorithms") to also include handshake messages in TLS version 1.2. If required, this algorithm can be reactivated by removing "MD5withRSA" from the "jdk.tls.disabledAlgorithms" security property.
JDK-8144773 (not public)

Bug Fixes

This release contains fixes for security vulnerabilities. The following are some of the notable bug fixes included in this release:

Running jps as root does not show all information
After the fix of JDK-8050807 (fixed in 8u31, 7u75 and 6u91), running jps as root did not show all the information from Java processes started by other users on some systems. This has now been fixed.
See JDK-8075773.

Installers appearing stalled on ESC configurations
Users running Internet Explorer Enhance Security Configuration (ESC) on Windows Server 2008 R2 may have experienced issues installing Java in interactive mode. This issue has been resolved in the 8u71 release. Installers executed in interactive mode will no longer appear to be stalled on ESC configurations.
See JDK-8140197.

Problem with PBE algorithms using AES crypto corrected
An error was corrected for PBE using 256-bit AES ciphers such that the derived key may be different and not equivalent to keys previously derived from the same password.
JDK-8138589 (not public)
 

Problem with Enterprise MSI switch 'REMOVEOLDERJRES' documentation corrected
The Enterprise MSI documentation lists configuration options:

The REMOVEOLDERJRES option used to uninstall old JREs was missing. Added this option, with the description:
If set to 1, removes older releases of the JRE installed on the system.
Default: 0 does not remove any old JREs
JDK-8081237 (not public)

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-8138716 core-libs  
(tz) Support tzdata2015g
JDK-8075773 core-svc tools jps running as root fails after the fix of JDK-8050807
JDK-8134109 deploy plugin Applet2Manager.getMainDeploymentRuleSet ignores jar version.
JDK-8140197 install install JRE 8u65 installer doesn't work on Windows Server
JDK-8132082 security-libs javax.net.ssl Let OracleUcrypto accept RSAPrivateKey

Java SE 8u66 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u66 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u66 b36

Bug Fixes

BugId Component Subcomponent Summary
8130212
(Confidential)
hotspot runtime Thread::current() might access freed memory on Solaris
8132890 client-libs 2d Text Overlapping on Dot Matrix Printers
8133458
(Confidential)
deploy webstart 8u51 is slower than 6u101 to launch JWS application
8098826
(Confidential)
deploy webstart WS sends multiple request to server to download extensions
8141527 deploy webstart AddRemoveTest tests fail as second request to jnlp not getting to server, but resource requests going through fine

Changes in Java SE 8u66 b35

Bug Fixes

BugId Component Subcomponent Summary
8142908
(Confidential)
deploy plugin Java Plug-in crashes under some scenarios using FF42
8133523 deploy plugin _releaseObject called from wrong thread
8134828 client-libs javax.swing Scrollbar thumb disappears with Nimbus L&F
8144110
(Confidential)
install install 32-bit JRE install fails on 64-bit Windows Server 2012 under System Account
8140670
(Confidential)
install install 32-bit JRE silent install fails on 64-bit Windows under System Account
8067422 tools javac Lambda method names are unnecessarily unstable

Changes in Java SE 8u66 b33

Bug Fixes

BugId Component Subcomponent Summary
8136759
(Confidential)
deploy deployment_toolkit Regression in Applet startup time with Internet Explorer on 8u60 and 8u65-b14

Changes in Java SE 8u66 b31

Please note that fixes from the prior BPR (8u60 b32) are included in this BPR.

Bug Fixes

BugId Component Subcomponent Summary
8135307
(Confidential)
tools javac CompletionFailure thrown when calling FieldDoc.type, if the field's type is missing

Java™ SE Development Kit 8, Update 66 (JDK 8u66)

The full version string for this update release is 1.8.0_66-b18 (where "b" means "build") for the Microsoft Windows JRE and JDK and 1.8.0_66-b17 for all other platforms and for the Microsoft Windows Server JRE. The version number is 8u66.

This update release contains several enhancements and changes including the following. 

IANA Data 2015f

JDK 8u66 contains IANA time zone data version 2015f. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u66 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_65
7 1.7.0_91
6 1.6.0_105

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u66) will expire with the release of the next critical patch update scheduled for January 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u66) on February 20, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

When running on OSX 10.11 "El Capitan", when SIP is enabled, certain environment variables intended for debugging applications, such as DYLD_LIBRARY_PATH, may be stripped from the environment when running Java from the command line or when double-clicking a JAR file. Applications should not rely on these variables in a production environment, they are only intended for debugging during development.

New Features and Changes

The following are some of the notable new features and changes in this release: <br> 

Support ISO 4217 "Current funds codes" table (A.2)

This enhancement adds support for ISO 4217 table A.2 fund codes. Previously the JDK only supported those currencies listed in table A.1.
See JDK-8074350.


Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes included in this release:

Kerberos changes for applications running with security manager
This JDK release introduces some changes to how Kerberos requests are handled when a security manager is present.

Note that if a security manager is installed while a KerberosPricipal is being created, a {@link ServicePermission} must be granted and the service principal of the permission must minimally be inside the {@code KerberosPrincipal}'s realm.

For example, if the result of {@code new KerberosPrincipal("user")} is {@code user@EXAMPLE.COM}, then a {@code ServicePermission} with service principal {@code host/www.example.com@EXAMPLE.COM} (and any action) must be granted.

Also note that if a single GSS-API principal entity that contains a Kerberos name element without providing its realm is being created via the org.ietf.jgss.GSSName interface and a security manager is installed, then this release introduces a new requirement. A {@link javax.security.auth.kerberos.ServicePermission ServicePermission} must be granted and the service principal of the permission must minimally be inside the Kerberos name element's realm.

For example, if the result of {@link GSSManager#createName(String, Oid) createName("user", NT_USER_NAME)} contains a Kerberos name element {@code user@EXAMPLE.COM}, then a {@code ServicePermission} with service principal {@code host/www.example.com@EXAMPLE.COM} (and any action) must be granted. Otherwise, the creation will throw a {@link GSSException} containing the {@code GSSException.FAILURE} error code.
JDK-8048030 (not public)

Hotspot should use PICL interface to get cacheline size on SPARC
The libpicl library is now required on Solaris/SPARC to determine the size of the cache lines. In case the library is not present or the PICL service is not available the JVM will display a warning and compiler optimizations that utilize the BIS (Block Initializing Store) instruction will be turned off.
See JDK-8056124.

Preloading libjsig.dylib causes deadlock when signal() is called
Applications need to preload the libjsig library to enable signal chaining. Previously, on OS X, after libjsig.dylib was preloaded, any call from native code to signal() caused a deadlock. This has been corrected.
See JDK-8072147.

VM crash when class is redefined with Instrumentation.redefineClasses
The JVM could crash when a class was redefined with Instrumentation.redefineClasses(). The crash could either be a segmentation fault at SystemDictionary::resolve_or_null, or an internal error with the message "tag mismatch with resolution error table". This has now been fixed.
See JDK-8076110.

_releaseObject called from wrong thread
A recent change to Firefox caused the _releaseObject call to be made from a thread other than the main thread. This may cause a race condition, which may inadvertently crash the browser. This has been addressed in build 18 of 8u66.  For more information, see Bugs@Mozilla 1221448.
See JDK-8133523.

Java plug-in does not work in Firefox after installing Java
Firefox 42 may crash when trying to run the Java plug-in.

NOTE: The workaround applies to Firefox 42 and requires Windows Java Version 8 Update 66 Build 18 or later versions.

See JDK-8133523 for related information.

There are several workaround options. The simplest method is noted first and is recommended. The remaining available options are not recommended for non-technical users.

Option 1: Add property name dom.ipc.plugins.java.enabled in Firefox preferences

  1. Launch Firefox
  2. Type about:config in the address bar
  3. You will be presented with a Firefox warning about the configuration settings. After acknowledging the Firefox alert, you should see a listing of the configuration preferences.
  4. Right-click anywhere inside the displayed list of preferences. Select New then select Boolean.
  5. Add property name as dom.ipc.plugins.java.enabled
  6. Add Preference name as dom.ipc.plugins.java.enabled.
  7. A window will be displayed, select false. Then select OK.

Option 2: Create "user.js" file with preference entry

Instructions are based on Mozilla references listed below.

  1. Use a text editor to create a "user.js" file in your Firefox profiles folder
  2. Add entry: user_pref("dom.ipc.plugins.java.enabled", false);

Option 3: Update "pref.js" file with preference entry  

  1. Locate the "pref.js" file in the Mozilla profiles folder
  2. Find and update preference: user_pref("dom.ipc.plugins.java.enabled", false);

Correction to end time checking for native TGT
The end times for native TGTs (ticket-granting tickets) are now compared with UTC time stamps.
See JDK-8078495.

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-8087201 client-libs 2D
OGL: rendering of lcd text is slow
JDK-8130938 client-libs 2D [solaris] Incomplete 8ux fix for 8071710: libfontmanager & t2k should link against headless awt on solaris
JDK-8037371 client-libs java.awt [macosx] Test closed/java/awt/dnd/ImageTransferTest/ImageTransferTest.html fails
JDK-8131752 client-libs java.awt [Regression] Test java/awt/GraphicsDevice/CheckDisplayModes.java fails
JDK-8134453 client-libs javax.accessibility JAWS crashes in WindowsAccessBridge.DLL on 32 bit 8u60 running on 32 bit Win 7
JDK-8134403 core-libs jdk.nashorn Nashorn react.js benchmark performance regression
JDK-8079618 deploy plugin AccessControlException with deployment cache and RMI
JDK-8135116 globalization translation [de] Missing the link of license agreement
JDK-6904403 hotspot jvmti assert(f == k->has_finalizer(),"inconsistent has_finalizer") with debug VM
JDK-8048353 hotspot runtime jstack -l crashes VM when a Java mirror for a primitive type is locked
JDK-8072147 hotspot runtime Preloading libjsig.dylib causes deadlock when signal() is called
JDK-8076110 hotspot runtime VM crash when class is redefined with Instrumentation.redefineClasses
JDK-8133191 install   NVDA screen reader and JAWS can't read the "Look and Feel" Selections.
JDK-8078495 security-libs org.ietf.jgss:krb5 End time checking for native TGT is wrong
JDK-8131907 xml jaxp Numerous threads lock during XML processing while running Weblogic 12.1.3
JDK-8133523 deploy plugin _releaseObject called from wrong thread

Java™ SE Development Kit 8, Update 65 (JDK 8u65)

The full version string for this update release is 1.8.0_65-b17 (where "b" means "build"). The version number is 8u65.

This update release contains several enhancements and changes including the following.

IANA Data 2015f

JDK 8u65 contains IANA time zone data version 2015f. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u65 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_65
7 1.7.0_91
6 1.6.0_105

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u65) will expire with the release of the next critical patch update scheduled for January 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u65) on February 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

When running on OSX 10.11 "El Capitan", when SIP is enabled, certain environment variables intended for debugging applications, such as DYLD_LIBRARY_PATH, may be stripped from the environment when running Java from the command line or when double-clicking a JAR file. Applications should not rely on these variables in a production environment, they are only intended for debugging during development.

New Features and Changes

The following are some of the notable new features and changes in this release:

Support ISO 4217 "Current funds codes" table (A.2)

This enhancement adds support for ISO 4217 table A.2 fund codes. Previously the JDK only supported those currencies listed in table A.1.

See JDK-8074350.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.

The following are some of the notable bug fixes included in this release:

Kerberos changes for applications running with security manager

This JDK release introduces some changes to how Kerberos requests are handled when a security manager is present.

Note that if a security manager is installed while a KerberosPricipal is being created, a {@link ServicePermission} must be granted and the service principal of the permission must minimally be inside the {@code KerberosPrincipal}'s realm.

For example, if the result of {@code new KerberosPrincipal("user")} is {@code user@EXAMPLE.COM}, then a {@code ServicePermission} with service principal {@code host/www.example.com@EXAMPLE.COM} (and any action) must be granted.

Also note that if a single GSS-API principal entity that contains a Kerberos name element without providing its realm is being created via the org.ietf.jgss.GSSName interface and a security manager is installed, then this release introduces a new requirement. A {@link javax.security.auth.kerberos.ServicePermission ServicePermission} must be granted and the service principal of the permission must minimally be inside the Kerberos name element's realm.

For example, if the result of {@link GSSManager#createName(String, Oid) createName("user", NT_USER_NAME)} contains a Kerberos name element {@code user@EXAMPLE.COM}, then a {@code ServicePermission} with service principal {@code host/www.example.com@EXAMPLE.COM} (and any action) must be granted. Otherwise, the creation will throw a {@link GSSException} containing the {@code GSSException.FAILURE} error code.

JDK-8048030 (not public)

Hotspot should use PICL interface to get cacheline size on SPARC

The libpicl library is now required on Solaris/SPARC to determine the size of the cache lines. In case the library is not present or the PICL service is not available the JVM will display a warning and compiler optimizations that utilize the BIS (Block Initializing Store) instruction will be turned off.

See JDK-8056124.

Preloading libjsig.dylib causes deadlock when signal() is called

Applications need to preload the libjsig library to enable signal chaining. Previously, on OS X, after libjsig.dylib was preloaded, any call from native code to signal() caused a deadlock. This has been corrected.

See JDK-8072147.

Use Safe Prime Diffie-Hellman Groups

In the JDK SSL/TLS implementation (SunJSSE provider), safe prime Diffie-Hellman groups are used by default. Users can customize Diffie-Hellman groups with the security property, "jdk.tls.server.defaultDHEParameters".

[macosx] JRE AU client installed fails update to NEXTVER on Mac 10.11

A new installer is introduced in the 8u65 release to update OS X users to the latest version. The installer will apply to both scheduled and manual updates, and bundles made available on java.com and OTN. Users who experience compatibility issues with the new installer can manually download and install the ".pkg" installer available on My Oracle Support.

VM crash when class is redefined with Instrumentation.redefineClasses

The JVM could crash when a class was redefined with Instrumentation.redefineClasses(). The crash could either be a segmentation fault at SystemDictionary::resolve_or_null, or an internal error with the message "tag mismatch with resolution error table". This has now been fixed.

See JDK-8076110.

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-8133321 core-libs  
(tz) Support tzdata2015f
JDK-8133665 deploy plugin REGRESSION: Hidden applet does not load in 8u60 and 8u65
JDK-8135116 globalization translation [de] Missing the link of license agreement

 

Known Issues

[macosx] Sponsor offer screen accessibility (a11y) issues

Users who operate the keyboard to access user interfaces in the Java installer will be unable to access hyperlinks and checkboxes in software add-on offer screens. As a workaround to setting preferences related to add-on software in the user interface, users can disable such offers either by disabling them in the Java Control Panel, or by passing 'SPONSORS=0' via the command line. For more information, refer to: https://www.java.com/en/download/faq/disable_offers.xml

The Java SE 8u60 SE Platform, available for Java SE Subscription customers, is based on the current Java SE 8u60 release. This release is also available for legacy Java SE Suite, Java SE Advanced, and Java SE Support and when directed by support to be used as part of another Oracle product.

For more information on installation and licensing of Java SE Suite and Java SE Advanced, visit Java SE Products Overview.

Find information about Java SE Support at Oracle Java SE Subscriptions.

Java SE 8u60 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u60 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u60 b32

 

Bug Fixes

BugId Component Subcomponent Summary
8081297
(Confidential)
security-libs javax.net.ssl Unable to process PreMasterSecret Tomcat issue
8132082 security-libs javax.net.ssl Let OracleUcrypto accept RSAPrivateKey
8075773 core-svc tools jps running as root fails after the fix of JDK-8050807
8133943
(Confidential)
hotspot gc Better TLAB handling for Resource Management
8134719
(Confidential)
hotspot gc Reduce locking at native layer when thread metrics are updated due to resource context switch at thread level
8134109 deploy plugin Applet2Manager.getMainDeploymentRuleSet ignores jar version.
8133196 core-libs java.net HTTPS hostname invalid issue with InetAddress

Changes in Java SE 8u60 b31

Please note that fixes from the prior BPR (8u51 b31) are included in this BPR.


Java™ SE Development Kit 8, Update 60 (JDK 8u60)

The full version string for this update release is 1.8.0_60-b27 (where "b" means "build"), except for OS X, where the version string is 1.8.0_60-b28. The version number is 8u60.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2015e

JDK 8u60 contains IANA time zone data version 2015e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u60 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_51
7 1.7.0_85
6 1.6.0_101

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u60) will expire with the release of the next critical patch update scheduled for October 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u60) on November 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Java SE Development Kit for ARM Release 8u60

This release includes Java Development Kit for ARM Release 8u60 (JDK 8u60 for ARM).

For ARM device support information, see Java SE Development Kit Downloads page.

For system requirements, installation instructions and troubleshooting tips, see Installation Instructions page.

Limitation: Native Memory Tracking support is limited in JDK for ARM. The java command line option XX:NativeMemoryTracking=detail is not supported for ARM targets (an error message is displayed to user). Instead, use the following option:

XX:NativeMemoryTracking=summary

Notes

deploy
New "Use roaming profile" option added in Java Control Panel (Windows only)
New option "Use roaming profile" added in JCP (Windows only).

1. The option is set when file <user_home>\AppData\Roaming\Sun\Java\Deployment\deployment.properties exists.

2. Setting this option in JCP results in deployment.properties file from LocalLow being copied to the Roaming folder.

3. Clearing this option results in the deployment.properties file being moved from the Roaming folder to the LocalLow folder.
 

When the option is set, the following data is stored in the roaming profile:

1. deployment.properties
2. local application properties
3. security baselines
4. blacklisted certs
5. blacklisted jars
6. user certs stores
7. exception site list

The rest of the cache ( the cache without LAP), temp and log folders are always stored in LocalLow regardless of the roaming profile settings.
JDK-8062830 (not public)

Different bytecode between JDK8u45 and JDK8u60
Fixing JDK-8064857 has provoked a benign, actually beneficial, side effect in javac's code generation. The mentioned fix has improved the information javac has about aliveness of local variables and thus jump chains have richer information allowing the compiler to generate direct jumps to the final destination when in the past a chain of intermediate jumps were generated.
See JDK-8080555.

New Features and Changes

IBM1166 character set now available
This release adds IBM1166 character set. It provides support for cyrillic multilingual with euro for Kazakhstan. Aliases for this new character set include cp1166,ibm1166, ibm-1166, and 1166.
See JDK-8071447.

Allow use of TransmitFile on Microsoft Windows
Applications running on server editions of Microsoft Windows that make heavy use of java.nio.channels.FileChannel.transferTo may see performance improvements if the implementation uses TransmitFile. TransmitFile makes use of the Windows cache manager to provide high-performance file data transfer over sockets. The system property jdk.nio.enableFastFileTransfer controls whether the JDK uses TransmitFile on Microsoft Windows. It is disabled by default but can be enabled by setting the system property on the command line with -Djdk.nio.enableFastFileTransfer or -Djdk.nio.enableFastFileTransfer=true.
See JDK-8064407.

Allow use of SIO_LOOPBACK_FAST_PATH on Microsoft Windows
Applications running on server editions of Microsoft Windows that make heavy use of loopback connections may see latency and performance improvements if SIO_LOOPBACK_FAST_PATH is enabled. The system property jdk.net.useFastTcpLoopback controls whether the JDK enables SIO_LOOPBACK_FAST_PATH on Microsoft Windows. It is disabled by default but can be enabled by setting the system property on the command line with -Djdk.net.useFastTcpLoopback or -Djdk.net.useFastTcpLoopback=true.
See JDK-8060170.

G1 now collects unreachable Humongous objects during young collections
G1 now tries to collect humongous objects of primitive type (char, integer, long, double) with few or no references from other objects at any young collection. During young collection, G1 checks if any remaining incoming references to these humongous objects are current. G1 will reclaim any humongous object having no remaining incoming references.

Three new experimental JVM options to control this behavior that have been added with this change: 1. G1EagerReclaimHumongousObjects - This option controls whether G1 makes any attempt to reclaim unreachable humongous objects at every young GC. Default is enabled. 2. G1EagerReclaimHumongousObjectsWithStaleRefs - When this option is enabled G1 attempts to reclaim humongous objects that may have a few stale incoming references at every young GC. Default is enabled. 3. G1TraceEagerReclaimHumongousObjects - This option enables printing of some information about the collection of humongous objects at every young GC. Default is disabled.


Documentation Updates due to Nashorn Enhancements
JDK 8u60 includes new enhancements to Nashorn. As a result the following documentation changes should be read in conjunction with the current Nashorn documentation:

  • Addition:
    In the previous section, we mentioned that every JavaScript object when exposed to Java APIs implements the java.util.Map interface. This is true even for JavaScript arrays. However, this behavior is often not desired or expected when the Java code expects JSON-parsed objects. Java libraries that manipulate JSON-parsed objects usually expect arrays to expose the java.util.List interface instead. If you need to expose your JavaScript objects so that arrays are exposed as lists and not maps, you can use the Java.asJSONCompatible(obj) function, where obj is the root of your JSON object tree.

  • Correction:
    The caution mentioned at the end of Mapping Data Types section, is no longer applicable.

    Nashorn ensures that internal JavaScript strings are converted to java.lang.String when exposed externally.

  • Correction:
    The statement in the section Mapping Data Types, that mentions "For example, arrays must be explicitly converted,........." is not correct.

    Arrays are automatically converted to Java array types, such as java.util.List, java.util.Collection, java.util.Queue and java.util.Deque and so on.

Changes in Deployment Rule Set v1.2
JDK 8u60 implements Deployment Rule Set (DRS) 1.2, which includes the following changes:

  • Add "checksum" element as sub element of "id" which can allow unsigned jars to be identified by the SHA-256 checksum of the uncompressed form of a jar:

    • The "checksum" element will match only unsigned jars, and the given hash will be compared only against the uncompressed form of the jar.
    • The "checksum" element (similar to "certificate" element) has two arguments "hash" and "algorithm", however, unlike "certificate" element, the only supported value for "algorithm" is "SHA-256". Any other value provided will be ignored.
  • Allow "message" element to apply to all rule types, where previously it only applied to a block rule:

    • In a run rule, a message sub element will cause a message dialog to be displayed where without a run rule, the default behavior would be to show certificate or unsigned dialog. The message will be displayed in the message dialog.
    • In a default rule, the message will only be displayed if the default action is to block. In such a case the message will be included in the block dialog.
  • Echo "customer" blocks in the Java Console, trace files, and Java Usage Tracker records.

    • Previous to DRS 1.2, "customer" elements could be included (with any sub-elements) in the ruleset.xml file. This element and all its sub elements are ignored. In DRS 1.2, the elements are still functionally ignored. However:
      • When parsing the ruleset.xml file, all "customer" blocks will be echoed to the Java Console and deployment trace file (if Console and Tracing are enabled).
      • When using a rule, all "customer" records included within that rule will be added to the Java Usage Tracker (JUT) record (if JUT is enabled).
  • As a result of the above changes, the DTD for DRS 1.2 is as follows:

    <!ELEMENT ruleset (rule*)>
    <!ATTLIST ruleset href CDATA #IMPLIED>
    <!ATTLIST ruleset version CDATA #REQUIRED>
    
    <!ELEMENT rule (id, action)>
    
    <!ELEMENT id (certificate?, checksum?) >
    <!ATTLIST id title CDATA #IMPLIED>
    <!ATTLIST id location CDATA #IMPLIED>
    
    <!ELEMENT certificate EMPTY>
    <!ATTLIST certificate algorithm CDATA #IMPLIED>
    <!ATTLIST certificate hash CDATA #REQUIRED>
    
    <!ELEMENT checksum EMPTY>
    <!ATTLIST checksum algorithm CDATA #IMPLIED>
    <!ATTLIST checksum hash CDATA #REQUIRED>
    
    <!ELEMENT action (message?)>
    <!ATTLIST action permission (run | block | default) #REQUIRED>
    <!ATTLIST action version CDATA #IMPLIED>
    <!ATTLIST action force (true|false) "false">
    
    <!ELEMENT message (#PCDATA)>
    <!ATTLIST message locale CDATA #IMPLIED>

Bug Fixes

The following are some of the notable bug fixes included in JDK 8u60 release:

Area: hotspot/ compiler
Synopsis: Nondeterministic wrong answer on arithmetic corrected
When performing OSR on loops with huge stride and/or initial values, in very rare cases, the tiered/server compilers could produce non-canonical loop shapes that produce nondeterministic answers when the answers should be deterministic. This issue has now been fixed.

See JDK-8072753.

Area: security-libs/org.ietf.jgss:krb5
Synopsis: dns_lookup_realm should be false by default

The dns_lookup_realm setting in Kerberos' krb5.conf file is by default false.

See 8080637.

Area: security-libs/javax.net.ssl
Synopsis: Disable RC4 cipher suites

RC4-based TLS ciphersuites (e.g. TLS_RSA_WITH_RC4_128_SHA) are now considered compromised and should no longer be used (see RFC 7465). Accordingly, RC4-based TLS ciphersuites have been deactivated by default in the Oracle JSSE implementation by adding "RC4" to "jdk.tls.disabledAlgorithms" security property, and by removing them from the default enabled ciphersuites list. These cipher suites can be reactivated by removing "RC4" form "jdk.tls.disabledAlgorithms" security property in the java.security file or by dynamically calling Security.setProperty(), and also readding them to the enabled ciphersuite list using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.

You can also use the -Djava.security.properties command line option to override the jdk.tls.disabledAlgorithms security property. For example:

java -Djava.security.properties=my.java.security ...

where my.java.security is a file containing the property without RC4:

jdk.tls.disabledAlgorithms=SSLv3

Even with this option set from commandline, the RC4 based ciphersuites need to be re-added to the enabled ciphersuite list by using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.

See 8076221.

Area: security-libs/java.secuirty
Synopsis: Support keystore type detection for JKS and PKCS12 keystores

Keystore Compatibility Mode:
To aid interoperability, the Java keystore type JKS now supports keystore compatibility mode by default. This mode enables JKS keystores to access both JKS and PKCS12 file formats. To disable keystore compatibility mode set the Security property keystore.type.compat to the string value false.

See 8062552.

Area: core-libs/java.lang
Synopsis: Deprecate Unsafe monitor methods in JDK 8u release

The methods monitorEnter, monitorExit and tryMonitorEnter on sun.misc.Unsafe are marked as deprecated in JDK 8u60 and will be removed in a future release. These methods are not used within the JDK itself and are very rarely used outside of the JDK.

See 8069302.

Area: hotspot/jfr
Synopsis: Extract JFR recording from the core file using SA

DumpJFR is a Serviceability Agent based tool that can be used to extract Java Flight Recorder(JFR) data from the core files and live Hotspot processes. DumpJFR can be used in one of the following methods:

  • Attach DumpJFR to a live process:

    java -cp $JAVA_HOME/lib/sa-jdi.jar sun.jvm.hotspot.tools.DumpJFR <pid>

  • Attach DumpJFR to a core file:

    java -cp $JAVA_HOME/lib/sa-jdi.jar sun.jvm.hotspot.tools.DumpJFR <java> <core>

DumpJFR tool dumps the JFR data to a file called recording.jfr in the current working folder. 8065301(not public).

Area: tools/javac
Synopsis: Local variables named 'enum' lead to spurious compiler crashes

The javac parser is incorrectly parsing local variables with name 'enum'; this results in spurious failures when a program containing such local variables is compiled with a 'source' flag corresponding to a release in which the enum construct is not available (such as '-source 1.4').

See 8069181.

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-8075244 client-libs   [macosx] The fix for JDK-8043869 should be reworked
JDK-8077518 client-libs   XMLParserTest unit test failure.
JDK-8077982 client-libs   GIFLIB upgrade
JDK-8078654 client-libs   CloseTTFontFileFunc callback should be removed
JDK-8081315 client-libs   8077982 giflib upgrade breaks system giflib builds with earlier versions
JDK-8129116 client-libs   Deadlock with multimonitor fullscreen windows.
JDK-7145508 client-libs   [embedded] java.awt.GraphicsDevice.get/setDisplayMode behavior is incorrect when no display is present
JDK-8017773 client-libs 2d OpenJDK7 returns incorrect TrueType font metrics
JDK-8023794 client-libs 2d [macosx] LCD Rendering hints seems not working without FRACTIONALMETRICS=ON
JDK-8035371 client-libs 2d gcc compiler warnings in closed source code
JDK-8036930 client-libs 2d Type1 font not loaded by java.awt.Font.createFont
JDK-8061831 client-libs 2d [OGL] "java.lang.InternalError: not implemented yet" during the blit of VI to VI in xor mode
JDK-8064833 client-libs 2d [macosx] Native font lookup uses family+style, not full name/postscript name
JDK-8066132 client-libs 2d BufferedImage::getPropertyNames() always returns null
JDK-8067364 client-libs 2d Printing to Postscript doesn't support dieresis
JDK-8071710 client-libs 2d [solaris] libfontmanager should be linked against headless awt library
JDK-8073001 client-libs 2d Java's system LnF on OS X: editable JComboBoxes are being rendered incorrectly
JDK-8076419 client-libs 2d Path2D copy constructors and clone method propagate size of arrays from source path
JDK-8078331 client-libs 2d Upgrade JDK to use LittleCMS 2.7
JDK-8078464 client-libs 2d Path2D storage growth algorithms should be less linear
JDK-8079652 client-libs 2d Could not enable D3D pipeline
JDK-8085910 client-libs 2d OGL text renderer: gamma lut cleanup
JDK-8104577 client-libs demo Remove debugging message from Font2DTest demo
JDK-6475361 client-libs java.awt Attempting to remove help menu from java.awt.MenuBar throws NullPointerException
JDK-7155963 client-libs java.awt Deadlock in SystemFlavorMap.getFlavorsForNative and SunToolkit.awtLock
JDK-8020443 client-libs java.awt Frame is not created on the specified GraphicsDevice with two monitors
JDK-8039926 client-libs java.awt -spash:<image> can't be combined with -xStartOnFirstThread since JDK 7
JDK-8042585 client-libs java.awt [macosx] Unused code in LWCToolkit.m
JDK-8043393 client-libs java.awt NullPointerException and no event received when clipboard data flavor changes
JDK-8056151 client-libs java.awt Switching to GTK L&F on-the-fly leads to X Window System error RenderBadPicture
JDK-8056915 client-libs java.awt Focus lost in applet when browser window is minimized and restored
JDK-8058930 client-libs java.awt GraphicsEnvironment.getHeadlessProperty() does not work for AIX
JDK-8061636 client-libs java.awt Fix for JDK-7079254 changes behavior of MouseListener, MouseMotionListener
JDK-8064934 client-libs java.awt Incorrect Exception message from java.awt.Desktop.open()
JDK-8068886 client-libs java.awt IDEA IntelliJ crashes in objc_msgSend when an accessibility tool is enabled
JDK-8071306 client-libs java.awt GUI perfomance are very slow compared java 1.6.0_45
JDK-8072069 client-libs java.awt Toolkit.getScreenInsets() doesn't update if insets change
JDK-8072088 client-libs java.awt [PIT] NPE in DnD tests apparently because of the fix to JDK-8061636
JDK-8072769 client-libs java.awt System tray icon title freezes java
JDK-8072775 client-libs java.awt Tremendous memory usage by JTextArea
JDK-8073008 client-libs java.awt press-and-hold input method for accented characters works incorrectly on OS X
JDK-8073453 client-libs java.awt Focus doesn't move when pressing Shift + Tab keys
JDK-8074500 client-libs java.awt java.awt.Checkbox.setState() call causes ItemEvent to be filed
JDK-8074921 client-libs java.awt OS X build broken by reference to XToolkit
JDK-8075609 client-libs java.awt java.lang.IllegalArgumentException: aContainer is not a focus cycle root of aComponent
JDK-8076106 client-libs java.awt [macosx] Drag image of TransferHandler does not honor MultiResolutionImage
JDK-8077409 client-libs java.awt Drawing deviates when validate() is invoked on java.awt.ScrollPane
JDK-8077686 client-libs java.awt OperationTimedOut exception inside from XToolkit.syncNativeQueue call on Ubuntu 15.04
JDK-8078149 client-libs java.awt [macosx] The text of the TextArea is not wrapped at word boundaries
JDK-8078165 client-libs java.awt [macosx] NPE when attempting to get image from toolkit
JDK-8078606 client-libs java.awt Deadlock in awt clipboard
JDK-8080137 client-libs java.awt Dragged events for extra mouse buttons (4,5,6) are not generated on JSplitPane
JDK-8081371 client-libs java.awt [PIT] Test closed/java/awt/FullScreen/DisplayMode/CycleDMImage.java switches Linux to the single device mode
JDK-8130752 client-libs java.awt Wrong changes were pushed with 8068886
JDK-8132382 client-libs java.awt [macosx] Crash during JMC or JavaFX execution when NSApplication is controlled by SWT or JavaFX libraries
JDK-8076455 client-libs java.awt:i18n IME Composition Window is displayed on incorrect position
JDK-8067657 client-libs java.beans Dead/outdated links in Javadoc of package java.beans
JDK-8069268 client-libs javax.accessibility JComponent.AccessibleJComponent.addPropertyListeners adds exponential listeners
JDK-8076182 client-libs javax.accessibility Open Source Java Access Bridge - Create Patch for JEP C127 8055831
JDK-8078408 client-libs   Java version applet hangs with Voice over turned on
JDK-4952954 client-libs   abort flag is not cleared for every write operation for JPEG ImageWriter
JDK-4958064 client-libs javax.imageio JPGWriter does not throw UnsupportedException when canWriteSequence retunsfalse
JDK-8074954 client-libs javax.imageio ImageInputStreamImpl.readShort/readIntdo not behave correctly at EOF
JDK-8068412 client-libs javax.sound [macosx] Initialization of Cocoa hangs if CoreAudio was initialized before
JDK-6206437 client-libs javax.swing Typo in JInternalFrame setDefaultCloseOperation() doc (WindowClosing --> internalFrameClosing)
JDK-6338077 client-libs javax.swing link back to self in javadoc JTextArea.replaceRange()
JDK-6459798 client-libs javax.swing JDesktopPane,JFileChooser violate encapsulation by returning internal Dimensions
JDK-6459800 client-libs javax.swing Some Swing classes violate encapsulation by returning internal Insets
JDK-6470361 client-libs javax.swing Swing's Threading Policy example does not compile
JDK-6515713 client-libs javax.swing example in JFormattedTextField API docs instantiates abstract class
JDK-6573305 client-libs javax.swing Animated icon is not visible by click on menu
JDK-7180976 client-libs javax.swing Pending String deadlocks UIDefaults
JDK-8013820 client-libs javax.swing JavaDoc for JSpinner contains errors
JDK-8015085 client-libs javax.swing [macosx] Label shortening via " ... " broken when String contains combining diaeresis
JDK-8033000 client-libs javax.swing No Horizontal Mouse Wheel Support In BasicScrollPaneUI
JDK-8033069 client-libs javax.swing mouse wheel scroll closes combobox popup
JDK-8041470 client-libs javax.swing JButtons stay pressed after they have lost focus if you use the mouse wheel
JDK-8041642 client-libs javax.swing Incorrect paint of JProgressBar in Nimbus LF
JDK-8041654 client-libs javax.swing OutOfMemoryError: RepaintManager doesn't clean up cache of volatile images
JDK-8044444 client-libs javax.swing The output's 'Page-n' footer does not show completely.
JDK-8048289 client-libs javax.swing Gtk: call to UIManager.getSystemLookAndFeelClassName() leads to crash
JDK-8051617 client-libs javax.swing Fullscreen mode is not working properly on Xorg
JDK-8064939 client-libs javax.swing SwingSet2: Themes are incorrectly enabled when running with Nimbus Look and feel
JDK-8068040 client-libs javax.swing [macosx] Combo box consuming ENTER key events
JDK-8071705 client-libs javax.swing Java application menu misbehaves when running multiple screen stacked vertically
JDK-8072448 client-libs javax.swing Can not input Japanese in JTextField on RedHat Linux
JDK-8072676 client-libs javax.swing [macosx] Jtree icon painted over label when scrollbars present in window
JDK-8072900 client-libs javax.swing [macosx] Mouse events are captured by the wrong menu in OS X
JDK-8073795 client-libs javax.swing JMenuBar looks bad under retina
JDK-8074956 client-libs javax.swing ArrayIndexOutOfBoundsException in javax.swing.text.html.parser.ContentModel.first()
JDK-8080628 client-libs javax.swing No mnemonics on Open and Save buttons in JFileChooser
JDK-8066504 core-libs   GetVersionEx in java.base/windows/native/libjava/java_props_md.c might not get correct Windows version
JDK-8068580 core-libs   JavaAdapterFactory.isAutoConvertibleFromFunction should be more robust
JDK-8074657 core-libs   Missing space on a boundary of concatenated strings
JDK-8081674 core-libs   EmptyStackException at startup if running with extended or unsupported charset
JDK-8098547 core-libs   (tz) Support tzdata2015e
JDK-8065372 core-libs java.lang Object.wait(ms, ns) timeout returns early
JDK-8067471 core-libs java.lang Use private static final char[0] for empty Strings
JDK-8067748 core-libs java.lang (process) Child is terminated when parent's console is closed [win]
JDK-8069302 core-libs java.lang Deprecate Unsafe monitor methods in JDK 8u release
JDK-8059455 core-libs java.lang.invoke LambdaForm.prepare() does unnecessary work for cached LambdaForms
JDK-8063137 core-libs java.lang.invoke Never taken branches should be pruned when GWT LambdaForms are shared
JDK-8069591 core-libs java.lang.invoke Customize LambdaForms which are invoked using MH.invoke/invokeExact
JDK-8071788 core-libs java.lang.invoke CountingWrapper.asType() is broken
JDK-8077054 core-libs java.lang.invoke DMH LFs should be customizeable
JDK-8078290 core-libs java.lang.invoke Customize adapted MethodHandle in MH.invoke() case
JDK-8064846 core-libs java.lang:reflect Lazy-init thread safety problems in core reflection
JDK-8066842 core-libs java.math java.math.BigDecimal.divide(BigDecimal, RoundingMode) produces incorrect result
JDK-8065994 core-libs java.net HTTP Tunnel connection to NTLM proxy reauthenticates instead of using keep-alive
JDK-8067680 core-libs java.net (sctp) Possible race initializing native IDs
JDK-8067846 core-libs java.net (sctp) InternalError when receiving SendFailedNotification
JDK-8068028 core-libs java.net JNI exception pending in jdk/src/solaris/native/java/net
JDK-8068795 core-libs java.net HttpServer missing tailing space for some response codes
JDK-8072384 core-libs java.net Setting IP_TOS on java.net sockets not working on unix
JDK-8077155 core-libs java.net LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection
JDK-8080819 core-libs java.net Inet4AddressImpl regression caused by JDK-7180557
JDK-8064407 core-libs java.nio (fc) FileChannel transferTo should use TransmitFile on Windows
JDK-8068507 core-libs java.nio (fc) Rename the new jdk.net.enableFastFileTransfer system property to jdk.nio.enableFastFileTransfer
JDK-8071599 core-libs java.nio (so) Socket adapter sendUrgentData throws IllegalBlockingMode when channel configured non-blocking
JDK-8071447 core-libs java.nio.charsets IBM1166 Locale Request for Kazakh characters
JDK-8080248 core-libs java.nio.charsets Coding regression in HKSCS charsets
JDK-8081479 core-libs java.sql Backport JDBC tests from JDK 9 from test/java/sql and test/javax/sql to JDK 8u.
JDK-8074791 core-libs java.text Long-form date format incorrect month string for Finnish locale
JDK-8075173 core-libs java.text DateFormat in german locale returns wrong value for month march
JDK-8034906 core-libs java.time Fix typos, errors and Javadoc differences in java.time
JDK-8062796 core-libs java.time java.time.format.DateTimeFormatter error in API doc example
JDK-8062803 core-libs java.time principal' should be 'principle' in java.time package description
JDK-8075676 core-libs java.time java.time package javadoc typos
JDK-8075678 core-libs java.time java.time javadoc error in DateTimeFormatter::parsedLeapSecond
JDK-8081022 core-libs java.time java/time/test/java/time/format/TestZoneTextPrinterParser.java fails by timeout on slow device
JDK-8068790 core-libs java.util ZipEntry/JarEntry.setCreation/LastAccessTime(null) don't throw NPE as specified
JDK-8072909 core-libs java.util TimSort fails with ArrayIndexOutOfBoundsException on worst case long arrays
JDK-8068432 core-libs java.util.concurrent Inconsistent exception handling in CompletableFuture.thenCompose
JDK-8078490 core-libs java.util.concurrent Missed submissions in ForkJoinPool
JDK-8080623 core-libs java.util.concurrent CPU overhead in FJ due to spinning in awaitWork
JDK-8085978 core-libs java.util.concurrent LinkedTransferQueue<T>.spliterator can report LTQ.Node object, not T
JDK-8068338 core-libs java.util.jar Better message about incompatible zlib in Deflater.init
JDK-8073497 core-libs java.util.jar Lazy conversion of ZipEntry time
JDK-8076641 core-libs java.util.jar getNextEntry throws ArrayIndexOutOfBoundsException when unzipping file
JDK-8129120 core-libs java.util.stream Terminal operation properties should not be back-propagated to upstream operations
JDK-7044727 core-libs java.util:i18n (tz) TimeZone.getDefault() call returns incorrect value in Windows terminal session
JDK-8055088 core-libs java.util:i18n Optimization for locale resources loading isn't working
JDK-8072602 core-libs java.util:i18n Unpredictable timezone on Windows when OS's timezone is not found in tzmappings
JDK-8074350 core-libs java.util:i18n Support ISO 4217 "Current funds codes" table (A.2)
JDK-8075548 core-libs java.util:i18n SimpleDateFormat formatting of "LLLL" in English is incorrect; should be identical to "MMMM"
JDK-8076287 core-libs java.util:i18n Performance degradation observed with TimeZone Benchmark
JDK-6991580 core-libs javax.naming IPv6 Nameservers in resolv.conf throws NumberFormatException
JDK-7011441 core-libs javax.naming ./jndi/ldap/Connection.java needs to avoid spurious wakeup
JDK-8074761 core-libs javax.naming Empty optional parameters of LDAP query are not interpreted as empty
JDK-8062030 core-libs javax.script Nashorn bug retrieving array property after key string concatenation
JDK-8068279 core-libs javax.script (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName
JDK-8068462 core-libs javax.script javax.script.ScriptEngineFactory.getParameter spec is not completely consistent with the rest of the API
JDK-8068872 core-libs javax.script Nashorn JSON.parse drops numeric keys
JDK-8071928 core-libs javax.script Instance properties with getters returning wrong values
JDK-8072002 core-libs javax.script The spec on javax.script.Compilable contains a typo and confusing inconsistency
JDK-8073846 core-libs javax.script Javascript for-in loop returned extra keys
JDK-8059411 core-libs javax.sql RowSetWarning does not correctly chain warnings
JDK-8062198 core-libs javax.sql Add RowSetMetaDataImpl Tests and add column range validation to isdefinitlyWritable
JDK-8066188 core-libs javax.sql BaseRowSet returns the wrong default value for escape processing
JDK-8007456 core-libs jdk.nashorn Nashorn test framework @argument does not handle quoted strings
JDK-8012190 core-libs jdk.nashorn Global scope should be initialized lazily
JDK-8035712 core-libs jdk.nashorn Investigate if RuntimeCallSite linkage can be removed
JDK-8049300 core-libs jdk.nashorn jjs scripting: need way to quote $EXEC command arguments to protect spaces
JDK-8053905 core-libs jdk.nashorn Eager code generation fails for earley boyer with split threshold set to 1000
JDK-8066407 core-libs jdk.nashorn Function with same body not reparsed after SyntaxError
JDK-8066773 core-libs jdk.nashorn JSON-friendly wrapper for objects
JDK-8067139 core-libs jdk.nashorn Finally blocks inlined incorrectly
JDK-8067215 core-libs jdk.nashorn Disable dual fields when not using optimistic types
JDK-8067420 core-libs jdk.nashorn BrowserJSObjectLinker should give priority to beans linker for property get/set
JDK-8067636 core-libs jdk.nashorn ant javadoc target is broken
JDK-8067774 core-libs jdk.nashorn Local variable type calculation mismatch
JDK-8067854 core-libs jdk.nashorn bound java static method throws NPE when 'null' is used for this argument
JDK-8067880 core-libs jdk.nashorn Dead typed push methods in ArrayData
JDK-8067931 core-libs jdk.nashorn Improve error message when with statement is passed a POJO
JDK-8068431 core-libs jdk.nashorn @since and @jdk.Exported are missing in jdk.nashorn.api.scripting classes and package-info.java files
JDK-8068524 core-libs jdk.nashorn NashornScriptEngineFactory.getParameter() throws IAE for an unknown key, doesn't conform to the general spec
JDK-8068603 core-libs jdk.nashorn NashornScriptEngine.put/get() impls don't conform to NPE, IAE spec assertions
JDK-8068784 core-libs jdk.nashorn Halve the function object creation code size
JDK-8068985 core-libs jdk.nashorn Wrong 'this' bound to eval call within a function when caller's 'this' is a Java object
JDK-8071989 core-libs jdk.nashorn NashornScriptEngine returns javax.script.ScriptContext instance with insonsistent get/remove methods behavior for undefined attributes
JDK-8071991 core-libs jdk.nashorn Build errors in 8u-dev after backporting JDK-8067139 and JDK-8066232
JDK-8072000 core-libs jdk.nashorn New compiler warning after JDK-8067139
JDK-8072426 core-libs jdk.nashorn Can't compare Java enums to strings
JDK-8072595 core-libs jdk.nashorn nashorn should not use obj.getClass() for null checks
JDK-8072596 core-libs jdk.nashorn Arrays.asList results in ClassCastException with a JS array
JDK-8072626 core-libs jdk.nashorn Test for JDK-8068872 fails in tip
JDK-8072853 core-libs jdk.nashorn SimpleScriptContext used by NashornScriptEngine doesn't completely complies to the spec regarding exception throwing
JDK-8073707 core-libs jdk.nashorn const re-assignment should not reported as a "early error"
JDK-8073868 core-libs jdk.nashorn Regex matching causes java.lang.ArrayIndexOutOfBoundsException: 64
JDK-8074021 core-libs jdk.nashorn Indirect eval fails when used as an element of an array or as a property of an object
JDK-8074031 core-libs jdk.nashorn Canonicalize "is a JS string" tests
JDK-8074410 core-libs jdk.nashorn Startup time: Port shell.js to Java
JDK-8074484 core-libs jdk.nashorn More aggressive value discarding
JDK-8074487 core-libs jdk.nashorn Static analysis of IfNode should consider terminating branches
JDK-8074687 core-libs jdk.nashorn Add tests for JSON parsing of numeric keys
JDK-8075006 core-libs jdk.nashorn Threads spinning infinitely in WeakHashMap.get running test262parallel
JDK-8075090 core-libs jdk.nashorn Add tests for the basic failure of try/finally compilation
JDK-8075231 core-libs jdk.nashorn Typed array setters are very slow when index exceeds capacity
JDK-8075366 core-libs jdk.nashorn Slow scope access to global let/const does not work
JDK-8075604 core-libs jdk.nashorn jjs exits even when non-daemon threads are still active
JDK-8075927 core-libs jdk.nashorn toNumber(String) accepts illegal characters
JDK-8076646 core-libs jdk.nashorn nashorn tests should avoid using package names used by nashorn sources
JDK-8076972 core-libs jdk.nashorn Several nashorn tests failing
JDK-8077955 core-libs jdk.nashorn Undeclared globals in eval code should not be handled as fast scope
JDK-8078049 core-libs jdk.nashorn Nashorn crashes when attempting to start TypeScript compiler
JDK-8078414 core-libs jdk.nashorn Don't create impossible converters for ScriptObjectMirror
JDK-8078612 core-libs jdk.nashorn Persistent code cache should support more configurations
JDK-8079145 core-libs jdk.nashorn jdk.nashorn.internal.runtime.arrays.IntArrayData.convert assertion
JDK-8079269 core-libs jdk.nashorn Optimistic rewrite in object literal causes ArrayIndexOutOfBoundsException
JDK-8079349 core-libs jdk.nashorn Eliminate dead code around Nashorn code generator
JDK-8079362 core-libs jdk.nashorn Enforce best practices for Node token API usage
JDK-8079424 core-libs jdk.nashorn Code generator emits an extra POP for discarded boolean logical operation
JDK-8079470 core-libs jdk.nashorn Misleading error message when explicit signature constructor is called with wrong arguments
JDK-8080087 core-libs jdk.nashorn Nashorn $ENV.PWD is originally undefined
JDK-8080090 core-libs jdk.nashorn -d option should dump script source as well
JDK-8080275 core-libs jdk.nashorn transparently download testng.jar for Nashorn testing
JDK-8080286 core-libs jdk.nashorn use path separator setting consistently in Nashorn project properties
JDK-8080471 core-libs jdk.nashorn fix usage of replace and file separator in Nashorn tests
JDK-8080490 core-libs jdk.nashorn add $EXECV command to Nashorn scripting mode
JDK-8080598 core-libs jdk.nashorn Javadoc warnings in Global.java after lazy initialization
JDK-8080848 core-libs jdk.nashorn delete of bound Java method property results in crash
JDK-8081015 core-libs jdk.nashorn Allow conversion of native arrays to Queue and Collection
JDK-8081062 core-libs jdk.nashorn ListAdapter should take advantage of JSObject
JDK-8081156 core-libs jdk.nashorn jjs "nashorn.args" system property is not effective when script arguments are passed
JDK-8081204 core-libs jdk.nashorn ListAdapter throws NPE when adding/removing elements outside of JS context
JDK-8081603 core-libs jdk.nashorn erroneous dot file generated from Nashorn --print-code
JDK-8081604 core-libs jdk.nashorn rename ScriptingFunctions.tokenizeCommandLine
JDK-8081609 core-libs jdk.nashorn engine.eval call from a java method which was called from a previous engine.eval results in wrong ScriptContext being used.
JDK-8081668 core-libs jdk.nashorn fix Nashorn ant externals command
JDK-8081696 core-libs jdk.nashorn reduce dependency of Nashorn tests on external components
JDK-8081809 core-libs jdk.nashorn Missing final modifier in method parameters (nashorn code convention)
JDK-8081813 core-libs jdk.nashorn JSONListAdapter should delegate its [[DefaultValue]] to wrapped object
JDK-8085802 core-libs jdk.nashorn Nashorn -nse option causes parse error on anonymous function definition
JDK-8085810 core-libs jdk.nashorn Return value of Objects.requireNonNull call can be used
JDK-8085885 core-libs jdk.nashorn address Javadoc warnings in Nashorn source code
JDK-8085937 core-libs jdk.nashorn add autoimports sample script to easily explore Java classes in interactive mode
JDK-8087136 core-libs jdk.nashorn regression: apply on $EXEC fails with ClassCastException
JDK-8087211 core-libs jdk.nashorn Indirect evals should be strict with -strict option
JDK-8098546 core-libs jdk.nashorn eval within a 'with' leaks definitions into global scope
JDK-8098578 core-libs jdk.nashorn Global scope is not accessible with indirect load call
JDK-8098807 core-libs jdk.nashorn Strict eval throws ClassCastException with large scripts
JDK-8098808 core-libs jdk.nashorn Convert Scope from interface to class
JDK-8098847 core-libs jdk.nashorn obj."prop" and obj.'prop' should result in SyntaxError
JDK-8117883 core-libs jdk.nashorn nasgen prototype, instance member count calculation is wrong
JDK-8129410 core-libs jdk.nashorn Java adapters with class-level overrides should preserve variable arity constructors
JDK-4505697 core-svc debugger nsk/jdi/ExceptionEvent/_itself_/exevent006 and exevent008 tests fail with InvocationTargetException
JDK-8071657 core-svc debugger JDI ObjectReferenceImpl.invokeMethod() validation fails for virtual invocations of method with declaring type being an interface
JDK-6712222 core-svc java.lang.management Race condition in java/lang/management/ThreadMXBean/AllThreadIds.java
JDK-8048050 core-svc javax.management Agent NullPointerException when rmi.port in use
JDK-8064331 core-svc javax.management JavaSecurityAccess.doIntersectionPrivilege() drops the information about the domain combiner of the stack ACC
JDK-8071687 core-svc tools AIX port of "8039173: Propagate errors from Diagnostic Commands as exceptions in the attach framework"
JDK-6554593 deploy   Java Control Panel accessibility problem with labels and text fields
JDK-7017683 deploy   java.com link in some of the dialogs are not accessible
JDK-8023324 deploy   With expired or selfsigned DeploymentRuleSet, not hint is provied in JCP Rule Set dialog.
JDK-8024156 deploy   DRS: The messaging for invalid rule set jar is not explicit.
JDK-8046790 deploy   echo <customer> elements in ruleset.xml
JDK-8047698 deploy   Clicking cancel on security dialog for preloader clears the DeniedCertStore
JDK-8049999 deploy   DRS: Want customizable message in case of application blocking if only default rule is specified
JDK-8067171 deploy   [parfait] File Handle Leak in configcache_pd.c
JDK-8068456 deploy   Revert project file accidentally pushed
JDK-8069275 deploy   The text location of "More information" overlap with "code" in mixed code dialog
JDK-8072431 deploy   Unit test failures: JNLPClassloaderTest, JNLP2ClassLoaderTest
JDK-8074105 deploy   Remove support for downloaded JavaFX classes
JDK-8074402 deploy   Add DRS rules <customer> block to Java Usage Tracker records.
JDK-8074961 deploy   Ensure JFR options could be passed to webstart app by specifying VM arguments in the JCP
JDK-8078534 deploy   DRS 1.2: checksum algorithm needs to be restricted to SHA-256
JDK-8022268 deploy deployment_toolkit DRS: Unable to include escaped characters in message
JDK-8075179 deploy deployment_toolkit Test jnlp_file/applicationDesc/index.html#args fails with incorrect arg value
JDK-8131321 deploy packager 8u60 Windows 64-bit packager - install succeeds but application fails to start
JDK-8035582 deploy plugin DeploymentRuleSet <message> on run action
JDK-8058474 deploy plugin Applet is not started in IE on dynamic insertion into a web page
JDK-8059622 deploy plugin Java Console GUI is irresponsive in JRE 8u20 on OS X
JDK-8061642 deploy plugin Plugin missing MIME type registration for application/x-java-applet;version=1.8
JDK-8069161 deploy plugin Slow cache performance since JRE 7u06
JDK-8074481 deploy plugin [macosx] Menu items are appearing on top of other windows
JDK-8074482 deploy plugin [macosx] Menu items disappear and redrawn quickly when moving mouse into applet frame
JDK-8077855 deploy plugin When applet is relaunched, extra JUT records can be sent
JDK-8079677 deploy plugin fix to JDK-8078534 removed part of fix to JDK-8076220
JDK-8080123 deploy plugin StringIndexOutOfBoundsException in CertUtils.checkWildcardDomain
JDK-8080955 deploy plugin embedded_jnlp param requires also code or jnlp_href param or applet arg.
JDK-8081330 deploy plugin The applet thrown NullPointerException when loading it
JDK-8042632 deploy webstart Application with Signed JNLP cannot pass accented characters in <argument>
JDK-8051030 deploy webstart Web Start applet process fails to exit
JDK-8066985 deploy webstart Java Webstart downloading packed files can result in Timezone set to UTC
JDK-8067172 deploy webstart Xcode javaws Project to Debug Native Code
JDK-8068187 deploy webstart Fix Xcode project
JDK-8068531 deploy webstart Netbeans javaws Project to Debug Native Code
JDK-8068939 deploy webstart Visual Studio javaws Project to Debug Native Code
JDK-8072003 deploy webstart NPE (instead of proper error dialog) thrown when some jnlp files have no resources
JDK-8072999 deploy webstart DRS certificate based rule does not match with Java WS Application compressed by pack200
JDK-8077285 deploy webstart jnlp spec version 8.20 is not supported
JDK-8077649 deploy webstart jnlp "codebase" attribute has been made mandatory
JDK-8077925 deploy webstart Jnlp fails to load with CouldNotLoadArgumentException after JDK-8075179
JDK-8078893 deploy webstart cert based run rule doesn't work when running offline
JDK-8080607 deploy webstart Web Start does not honor height / width % values
JDK-8080785 deploy webstart remove dead code to donwload JavaFX on demand.
JDK-8080774 globalization   DateFormat for Singapore/English locale (en_SG) is M/d/yy instead of d/M/yy
JDK-8072453 globalization translation [de,fr,pt_BR,sv] duplicate mnemonics in JCP security tab.
JDK-8072589 globalization translation [windows 8] S. Chinese quotation mark needs to be replaced by English quotation mark
JDK-8079361 globalization translation Broken Localization Strings (XMLSchemaMessages_de.properties)
JDK-8083601 globalization translation jdk8u60 l10n resource file translation update 2
JDK-8075798 hotspot   Allow ADLC register class to depend on runtime conditions also for cisc-spillable classes
JDK-8006960 hotspot compiler hotspot, "impossible" assertion failure
JDK-8036851 hotspot compiler volatile double accesses are not explicitly atomic in C2
JDK-8036913 hotspot compiler make DeoptimizeALot dependent on number of threads
JDK-8037140 hotspot compiler C1: Incorrect argument type used for SharedRuntime::OSR_migration_end in LIRGenerator::do_Goto
JDK-8060036 hotspot compiler C2: CmpU nodes can end up with wrong type information
JDK-8062280 hotspot compiler C2: inlining failure due to access checks being too strict
JDK-8062591 hotspot compiler SPARC PICL causes significantly longer startup times
JDK-8065915 hotspot compiler Fix includes after 8058148: MaxNodeLimit and LiveNodeCountInliningCutoff
JDK-8068881 hotspot compiler SIGBUS in C2 compiled method weblogic.wsee.jaxws.framework.jaxrpc.EnvironmentFactory$SimulatedWsdlDefinitions.<init>
JDK-8068909 hotspot compiler SIGSEGV in c2 compiled code with OptimizeStringConcat
JDK-8068915 hotspot compiler C2: uncommon trap w/ Reason_speculate_class_check causes performance regression due to continuous deoptimizations
JDK-8068945 hotspot compiler Use RBP register as proper frame pointer in JIT compiled code on x86
JDK-8069263 hotspot compiler assert(fm == NULL || fm->method_holder() == _participants[n]) failed: sanity
JDK-8071302 hotspot compiler assert(!_reg_node[reg_lo] || edge_from_to(_reg_node[reg_lo],def)) failed: after block local scheduling
JDK-8071534 hotspot compiler assert(!failing()) failed: Must not have pending failure. Reason is: out of memory
JDK-8072383 hotspot compiler resolve conflicts between open and closed ports
JDK-8072753 hotspot compiler Nondeterministic wrong answer on arithmetic
JDK-8074548 hotspot compiler Never-taken branches cause repeated deopts in MHs.GWT case
JDK-8074551 hotspot compiler GWT can be marked non-compilable due to deopt count pollution
JDK-8074869 hotspot compiler C2 code generator can replace -0.0f with +0.0f on Linux
JDK-8075587 hotspot compiler Compilation of constant array containing different sub classes crashes the JVM
JDK-8076523 hotspot compiler assert(((ABS(iv_adjustment_in_bytes) % elt_size) == 0)) fails in superword.cpp
JDK-8077504 hotspot compiler Unsafe load can loose control dependency and cause crash
JDK-8078113 hotspot compiler 8011102 changes may cause incorrect results.
JDK-8078482 hotspot compiler ppc: pass thread to throw_AbstractMethodError
JDK-8078497 hotspot compiler C2's superword optimization causes unaligned memory accesses
JDK-8078666 hotspot compiler JVM fastdebug build compiled with GCC 5 asserts with "widen increases"
JDK-8078866 hotspot compiler compiler/eliminateAutobox/6934604/TestIntBoxing.java assert(p_f->Opcode() == Op_IfFalse) failed
JDK-8079343 hotspot compiler Crash in PhaseIdealLoop with "assert(!had_error) failed: bad dominance"
JDK-8080012 hotspot compiler JVM times out with vdbench on SPARC M7-16
JDK-8080156 hotspot compiler Integer.toString(int value) sometimes throws NPE
JDK-8080190 hotspot compiler PPC64: Fix wrong rotate instructions in the .ad file
JDK-8080281 hotspot compiler 8068945 changes break building the zero JVM variant
JDK-7176220 hotspot gc Full GC' events miss date stamp information occasionally
JDK-8027962 hotspot gc Per-phase timing measurements for strong roots processing
JDK-8031686 hotspot gc G1: assert(_hrs.max_length() == _expansion_regions) failed
JDK-8033440 hotspot gc jmap reports unexpected used/free size of concurrent mark-sweep generation
JDK-8048179 hotspot gc Early reclaim of large objects that are referenced by a few objects
JDK-8049536 hotspot gc os::commit_memory on Solaris uses aligment_hint as page size
JDK-8049864 hotspot gc TestParallelHeapSizeFlags fails with unexpected heap size
JDK-8051837 hotspot gc Remove temporary G1UseParallelRSetUpdating and G1UseParallelRSetScanning flags
JDK-8053998 hotspot gc Hot card cache flush chunk size too coarse grained
JDK-8057037 hotspot gc Verification in ClassLoaderData::is_alive is too slow
JDK-8058354 hotspot gc SPECjvm2008-Derby -2.7% performance regression on Solaris-X64 starting with 9-b29
JDK-8058801 hotspot gc G1TraceReclaimDeadHumongousObjectsAtYoungGC only prints humongous object liveness output when there is at least one candidate humongous object
JDK-8060025 hotspot gc Object copy time regressions after JDK-8031323 and JDK-8057536
JDK-8061259 hotspot gc ParNew promotion failed is serialized on a lock
JDK-8061630 hotspot gc G1 iterates over JNIHandles two times
JDK-8062672 hotspot gc JVM crashes during GC on various asserts which checks that HeapWord ptr is an oop
JDK-8064473 hotspot gc Improved handling of age during object copy in G1
JDK-8065358 hotspot gc Refactor G1s usage of save_marks and reduce related races
JDK-8066771 hotspot gc Refactor VM GC operations caused by allocation failure
JDK-8067469 hotspot gc G1 ignores AlwaysPreTouch
JDK-8067655 hotspot gc Clean up G1 remembered set oop iteration
JDK-8068036 hotspot gc assert(is_available(index)) failed in G1 cset
JDK-8069273 hotspot gc Decrease Hot Card Cache Lock contention
JDK-8069367 hotspot gc Eagerly reclaimed humongous objects left on mark stack
JDK-8069760 hotspot gc When iterating over a card, G1 often iterates over much more references than are contained in the card
JDK-8073944 hotspot gc Simplify ArgumentsExt and remove unneeded functionallity
JDK-8074037 hotspot gc Refactor the G1GCPhaseTime logging to make it easier to add new phases
JDK-8074561 hotspot gc Wrong volatile qualifier for field ClassLoaderDataGraphKlassIteratorAtomic::_next_klass
JDK-8075210 hotspot gc Refactor strong root processing in order to allow G1 to evolve separately from GenCollectedHeap
JDK-8075215 hotspot gc SATB buffer processing found reclaimed humongous object
JDK-8075466 hotspot gc SATB queue pre-filter verify found reclaimed humongous object
JDK-8076265 hotspot gc Simplify deal_with_reference
JDK-8077255 hotspot gc TracePageSizes output reports wrong page size on Windows with G1
JDK-8078021 hotspot gc SATB apply_closure_to_completed_buffer should have closure argument
JDK-8078023 hotspot gc verify_no_cset_oops found reclaimed humongous object in SATB buffer
JDK-8085965 hotspot gc VM hangs in C2Compiler
JDK-8086111 hotspot gc BACKOUT - metaspace/shrink_grow/CompressedClassSpaceSize fails with OOM: Compressed class space
JDK-8087200 hotspot gc Code heap does not use large pages
JDK-8129108 hotspot gc nmethod related crash in CMS
JDK-6584008 hotspot jvmti jvmtiStringPrimitiveCallback should not be invoked when string value is null
JDK-8013942 hotspot jvmti JSR 292: assert(type() == T_OBJECT) failed: type check
JDK-8042796 hotspot jvmti jvmtiRedefineClasses.cpp: guarantee(false) failed: OLD and/or OBSOLETE method(s) found
JDK-8046246 hotspot jvmti the constantPoolCacheOopDesc::adjust_method_entries() used in RedefineClasses does not scale
JDK-8067662 hotspot jvmti "java.lang.NullPointerException: Method name is null" from StackTraceElement.<init>
JDK-8073705 hotspot jvmti more performance issues in class redefinition
JDK-8076579 hotspot jvmti Popping a stack frame after exception breakpoint sets last method param to exception
JDK-6536943 hotspot runtime Bogus -Xcheck:jni warning for SIG_INT action for SIGINT in JVM started from non-interactive shell
JDK-7127066 hotspot runtime Class verifier accepts an invalid class file
JDK-8027914 hotspot runtime Client JVM silently exit with fail exit code when running in compact(1,2) with options -Dcom.sun.management and -XX:+ManagementServer
JDK-8043224 hotspot runtime -Xcheck:jni improvements to exception checking and excessive local refs
JDK-8046668 hotspot runtime Excessive checked JNI warnings from Java startup
JDK-8047382 hotspot runtime hotspot build failed with gcc version Red Hat 4.4.6-4
JDK-8051045 hotspot runtime HotSpot fails to wrap Exceptions from invokedynamic in a BootstrapMethodError
JDK-8053995 hotspot runtime Add method to WhiteBox to get vm pagesize.
JDK-8055231 hotspot runtime ZERO variant build is broken
JDK-8058345 hotspot runtime Refactor native stack printing from vmError.cpp to debug.cpp to make it available in gdb as well
JDK-8058935 hotspot runtime CPU detection gives 0 cores per cpu, 2 threads per core in Amazon EC2 environment
JDK-8064815 hotspot runtime Zero+PPC64: Stack overflow when running Maven
JDK-8066875 hotspot runtime VirtualSpace does not use large pages
JDK-8067231 hotspot runtime Zero builds fails after JDK-6898462
JDK-8067331 hotspot runtime Zero: Atomic::xchg and Atomic::xchg_ptr need full memory barrier
JDK-8069412 hotspot runtime Locks need better debug-printing support
JDK-8071501 hotspot runtime perfMemory_solaris.cpp failing to compile with "Error: dd_fd is not a member of DIR."
JDK-8072588 hotspot runtime JVM crashes in JNI if toString is declared as an interface method
JDK-8072863 hotspot runtime Replace fatal() with vm_exit_during_initialization() when an incorrect class is found on the bootclasspath
JDK-8075118 hotspot runtime JVM stuck in infinite loop during verification
JDK-8076212 hotspot runtime AllocateHeap() and ReallocateHeap() should be inlined.
JDK-8077674 hotspot runtime BSD build failures due to undefined macros
JDK-8078470 hotspot runtime [Linux] Replace syscall use in os::fork_and_exec with glibc fork() and execve()
JDK-8025636 hotspot svc Hide lambda proxy frames in stacktraces
JDK-8044416 hotspot svc serviceability/sa/jmap-hashcode/Test8028623.java fails with AssertionFailure: can not get class data for java/lang/UNIXProcess$Platform$$Lambda
JDK-8044531 hotspot svc Event based tracing locks to rank as leafs where possible
JDK-8046282 hotspot svc SA update
JDK-8049881 hotspot svc jstack not working on core files
JDK-8053902 hotspot svc Fix for 8030115 breaks build on Windows and Solaris
JDK-8069030 hotspot svc support new PTRACE_GETREGSET
JDK-8072932 hotspot svc Test fails with java.security.AccessControlException: access denied ("java.security.SecurityPermission" "getDomainCombiner")
JDK-8073688 hotspot svc Infinite loop reading types during jmap attach.
JDK-8075331 hotspot svc jdb eval java.util.Arrays.asList(array) shows inconsistent behaviour
JDK-8081475 hotspot svc SystemTap does not work when JDK is compiled with GCC 5
JDK-8080600 hotspot test AARCH64: testlibrary does not support AArch64
JDK-8067630 install   [mac os x] Update '3 Billion Devices' Advert on SetupProgress Dialog
JDK-8072868 install   8u20 and later should not change the MSI UpgradeCode for each JRE version
JDK-8076982 install   Create HKLM\SOFTWARE\JavaSoft\Java Runtime Environment\<VERSION> registry keys with msi.
JDK-8078310 install   [macosx] StagedXML is missing
JDK-8081423 install   Improve naming consistency in make/installer/bundles/macosx/Makefile
JDK-8056992 install auto_update [AU]The auto update window does not read the <moreinfo> tag of au-descriptor.xml file to set the "More information" link
JDK-8058929 install auto_update [de, fr, it, ko, pt_BR, sv] Layout issue (truncation) in AUWelcome dialog
JDK-8071490 install auto_update JDK9 nightly build from 01/23 failed
JDK-8071838 install auto_update Add files skipped from the fix to JDK-8071490 by mistake
JDK-6580611 install install Install dialogs look bad on Windows when display is set to high DPI
JDK-6745371 install install MSI/MST files should be deleted after install
JDK-7198599 install install Incorrect UninstallString windows register key in JDK 1.6, 1.7 and 8
JDK-8049608 install install HtmlUI: "Change destination folder" checkbox in WelcomeDialog is not accessible by mouse
JDK-8049614 install install HtmlUI: checkbox text labels should be clickable
JDK-8072940 install install 8u60 nightly solaris_sparcv9_5.10-product build fails
JDK-8075409 install install jre8-40 fails to install on SuSE 11.3
JDK-8050123 other-libs corba Incorrect property name documented in CORBA InputStream API
JDK-8068721 other-libs corba RMI-IIOP communication fails when ConcurrentHashMap is passed to remote method
JDK-8081590 performance   The CDS classlist needs to be updated for 8u60
JDK-8054037 security-libs java.security Improve tracing for java.security.debug=certpath
JDK-8058547 security-libs java.security Memory leak in ProtectionDomain cache
JDK-8062264 security-libs java.security KeychainStore requires non-null password to be supplied when retrieving a private key
JDK-8062552 security-libs java.security Support keystore type detection for JKS and PKCS12 keystores
JDK-8077418 security-libs java.security StackOverflowError during PolicyFile lookup
JDK-8079129 security-libs java.security NullPointerException in PKCS#12 Keystore in PKCS12KeyStore.java
JDK-7065233 security-libs javax.crypto To interpret case-insensitive string locale independently
JDK-8069072 security-libs javax.crypto Improve GHASH performance
JDK-8080102 security-libs javax.crypto Java 8 cannot load its cacerts in FIPS. no such provider: SunEC
JDK-8062170 security-libs javax.crypto:pkcs11 java.security.ProviderException: Error parsing configuration with space
JDK-8055207 security-libs javax.net.ssl keystore and truststore debug output could be much better
JDK-8059588 security-libs javax.net.ssl deadlock in java/io/PrintStream when verbose java.security.debug flags are set
JDK-8072385 security-libs javax.net.ssl Only the first DNSName entry is checked for endpoint identification
JDK-8076221 security-libs javax.net.ssl Disable RC4 cipher suites
JDK-8077102 security-libs org.ietf.jgss:krb5 dns_lookup_realm should be false by default
JDK-8068937 tools   jdeps shows "not found" if target class has no reference other than its own package
JDK-8080815 tools   Update 8u jdeps list of internal APIs
JDK-8028389 tools javac NullPointerException compiling annotation values that have bodies
JDK-8037546 tools javac javac -parameters does not emit parameter names for lambda expressions
JDK-8039262 tools javac Java compiler performance degradation jdk1.7 vs. jdk1.6 should be amended
JDK-8054220 tools javac Debugger doesn't show variables *outside* lambda
JDK-8055963 tools javac Inference failure with nested invocation
JDK-8058227 tools javac Debugger has no access to outer variables inside Lambda
JDK-8061778 tools javac Wrong LineNumberTable for default constructors
JDK-8064803 tools javac Javac erroneously uses instantiated signatures when merging abstract most-specific methods
JDK-8064857 tools javac javac generates LVT entry with length 0 for local variable
JDK-8066808 tools javac langtools/test/Makefile should not use OS-specific jtreg binary
JDK-8068489 tools javac remove unnecessary complexity in Flow and Bits, after JDK-8064857
JDK-8068517 tools javac Compiler may generate wrong InnerClasses attribute for static enum reference
JDK-8068639 tools javac Make certain annotation classfile warnings opt-in
JDK-8069181 tools javac java.lang.AssertionError when compiling JDK 1.4 code in JDK 8
JDK-8069545 tools javac javac, shouldn't check nested stuck lambdas during overload resolution
JDK-8073372 tools javac Redundant CONSTANT_Class entry not generated for inlined constant
JDK-8075520 tools javac Varargs access check mishandles capture variables
JDK-8077786 tools javac Check varargs access against inferred signature
JDK-8078560 tools javac The crash reporting URL listed by javac needs to be updated
JDK-8079613 tools javac Deeply chained expressions + several overloads + unnecessary inference result in excessive compile times.
JDK-8080842 tools javac Using Lambda Expression with name clash results in ClassFormatError
JDK-8072461 tools javadoc(tool) Table's field width in "Use" page generated by javadoc with '-s' is unbalanced
JDK-8073972 tools launcher Deprecate Multi-Version Java Launcher (mJRE) for JDK8
JDK-8077822 tools launcher javac does not recognize '*.java' as file if '-J' option is specified
JDK-7156085 xml javax.xml.parsers ArrayIndexOutOfBoundsException throws in UTF8Reader of SAXParser
JDK-8062518 xml jaxp AIOBE occurs when accessing to document function in extended function in JAXP
JDK-8062924 xml jaxp XSL: wrong answer from substring() function
JDK-8081392 xml jaxp getNodeValue should return 'null' value for Element nodes

 

Known Issues

Area: auto-update (OS X 10.11+ only)
Synopsis: Auto-update error when auto-updating to earlier versions
A change in OS X 10.11 caused the auto-update mechanism to fail when a system running OS X 10.11 is auto-updated from versions 8u40 through 8u60 build 27, inclusive.  This issue was addressed in 8u60 build 28 and later. The issue only appears when a JRE release between 8u40 and 8u60 b27 has been installed on Mac OS X 10.11 and is then used to trigger an auto-update sequence. Impacted machines would appear to go through the update flow but at the end of the process the newer JRE would not be installed, the older JRE would remain, and therefore the auto-update mechanism would continue prompting the user to update. Workaround: Manually install a JRE version 8u60 b28 or higher into the affected system.

Java SE 8u51 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u51 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u51 b34

Bug Fixes

BugId Component Subcomponent Summary
8067422 tools javac Lambda method names are unnecessarily unstable

Changes in Java SE 8u51 b31

Please note that fixes from the prior BPR (8u45 b37) are included in this BPR.

Java™ SE Development Kit 8, Update 51 (JDK 8u51)

The full version string for this update release is 1.8.0_51-b16 (where "b" means "build"). The version number is 8u51.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2015d

JDK 8u51 contains IANA time zone data version 2015d. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u51 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_51
7 1.7.0_85
6 1.6.0_101

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u51) will expire with the release of the next critical patch update scheduled for October 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u51) on November 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes

Ephemeral DH keys less than 768 bits deactivated
Ephemeral DH keys less than 768 bits are deactivated in JDK. New algorithm restriction DH keySize < 768 is added to Security Property jdk.tls.disabledAlgorithms.

JDK-8076328 (not public).


Operating system's restricted environment (Native Sandbox)

JDK 8u51 introduced the following changes to Native Sandbox:

  • Native sandbox is available on Windows platform only.

  • Native sandbox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system's restricted environment (native sandbox) or by setting deployment.security.use.native.sandbox property to true in deployment.properties file.

    Native sandbox is disabled by default.

  • When native sandbox is enabled, the sandbox applets or web-start applications will run in a restricted environment, that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.

  • Native sandbox will be disabled for applications included the in Exception Site List (ESL) or when Deployment Rule Set (DRS) is used.

  • Sandbox applets deployed with HTML applet tag which includes all-permissions JAR files from the Class-Path manifest attribute, will run in native sandbox.

    In such cases, a special warning dialog will display, informing the user that the applet may not work properly, when such an applet tries to access the all-permission JAR files.

  • Custom preloader will be disabled in certain cases when native sandbox is enabled:

    • Custom preloader will be disabled when sandbox applets or web-start applications are initializing and the default preloader will be used instead. After application is initialized, Java VM restarts with native sandbox enabled and the custom preloader will be used.
    • For all-permission applications, custom preloader will be disabled if it is located in the JNLP file with sandbox permission, until user agrees to run application from the Security Dialog, which grants unrestricted access (privileged) to application.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes included in this release:

Area: security-libs/java.security
Synopsis: Add new Comodo roots to root CAs

Four new root certificates have been added for Commodo:

1. COMODO ECC Certification Authority
    alias: comodoeccca
    DN: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, 
    ST=Greater Manchester, C=GB

2. COMODO RSA Certification Authority
    alias: comodorsaca
    DN: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, 
    ST=Greater Manchester, C=GB

3. USERTrust ECC Certification Authority
    alias: usertrusteccca
    DN: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, 
    L=Jersey City, ST=New Jersey, C=US

4. USERTrust RSA Certification Authority
    alias: usertrustrsaca
    DN: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, 
    L=Jersey City, ST=New Jersey, C=US

JDK-8077652 (not public)

Area: security-libs/java.security
Synopsis: Add new GlobalSign roots to root CAs

Two root certificates have been added for GlobalSign:

1. GlobalSign ECC Root CA - R4
   alias: globalsigneccrootcar4
   DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4

2. GlobalSign ECC Root CA - R5
   alias: globalsigneccrootcar5
   DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5

JDK-8077653 (not public)

Area: security-libs/java.security
Synopsis: Add Actalis to root CAs

Added one new root certificate:

Actalis Authentication Root CA

   alias: actalisauthenticationrootca
   DN: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, 
   L=Milan, C=IT

JDK-8077651 (not public)

Area: security-libs/java.security
Synopsis: Add new Entrust ECC root

Added one new root certificate:

Entrust Root Certification Authority - EC1

  alias: entrustrootcaec1
  DN: CN=Entrust Root Certification Authority - EC1, 
  OU="(c) 2012 Entrust, Inc. - for authorized use only", 
  OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US

JDK-8072961 (not public)

Area: security-libs/java.security
Synopsis: Remove old Valicert Class 1 and 2 Policy roots

Removed two root certificates with 1024-bit keys:

1. ValiCert Class 1 Policy Validation Authority
      alias: secomvalicertclass1ca
      DN: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, 
      OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", 
      L=ValiCert Validation Network

  2. ValiCert Class 2 Policy Validation Authority
      alias: valicertclass2ca
      DN: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, 
      OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", 
      L=ValiCert Validation Network

JDK-8077354 (not public)

Area: security-libs/java.security
Synopsis: Remove old Thawte roots

Removed two root certificates with 1024-bit keys:

1. Thawte Server CA

    alias: thawteserverca
    DN: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, 
    OU=Certification Services Division, O=Thawte Consulting cc, 
    L=Cape Town, ST=Western Cape, C=ZA

2. Thawte Personal Freemail CA
    alias: thawtepersonalfreemailca
    DN: EMAILADDRESS=personal-freemail@thawte.com, 
    CN=Thawte Personal Freemail CA, OU=Certification Services Division, 
    O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA

JDK-8073271 (not public)

Area: security-libs/java.security
Synopsis: Remove more old Verisign, Equifax, and Thawte roots

Removed five root certificates with 1024-bit keys:

1. Verisign Class 3 Public Primary Certification Authority - G2
    alias: verisignclass3g2ca
    DN: OU=VeriSign Trust Network, 
    OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
    OU=Class 3 Public Primary Certification Authority - G2, 
    O="VeriSign, Inc.", C=US

2. Thawte Premium Server CA
    alias: thawtepremiumserverca
    DN: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, 
    OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, 
    ST=Western Cape, C=ZA

3. Equifax Secure Certificate Authority
    alias: equifaxsecureca
    DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

4. Equifax Secure eBusiness CA-1
    alias: equifaxsecureebusinessca1
    DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US

5. Equifax Secure Global eBusiness CA-1,
    alias: equifaxsecureglobalebusinessca1
    DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

JDK-8075091 (not public)

Area: security-libs/java.security
Synopsis: Remove TrustCenter CA roots from cacerts

Removed three root certificates:

1. TC TrustCenter Universal CA I
    alias: trustcenteruniversalcai
    DN: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, 
    O=TC TrustCenter GmbH, C=DE

2. TC TrustCenter Class 2 CA II
    alias: trustcenterclass2caii
    DN: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, 
    O=TC TrustCenter GmbH, C=DE

3. TC TrustCenter Class 4 CA II
    alias: trustcenterclass4caii
    DN: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, 
    O=TC TrustCenter GmbH, C=DE

JDK-8071699 (not public)

Area: security-libs/javax.net.ssl
Synopsis: Deprecate RC4 in SunJSSE provider

RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list.

JDK-8043201 (not public)

Area: security-libs/javax.net.ssl
Synopsis: Prohibit RC4 cipher suites

RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods.

JDK-8043202 (not public)

Area: security-libs/javax.net.ssl
Synopsis: Improved certification checking

With this fix, JSSE endpoint identification does not perform reverse name lookup for IP addresses by default in JDK.

If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounter endpoint identification compatibility issue, System property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks.

JDK-8067694 (not public)

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-8071668 client-libs java.awt [macosx] Clipboard does not work with 3rd parties Clipboard Managers
JDK-8077685 core-libs java.util:i18n (tz) Support tzdata2015d
JDK-8075602 deploy   Applet throws java.security AccessControlException in java console when playing it
JDK-8079223 deploy   unnecessary performance degradation caused by fix to JDK-8052111
JDK-8069161 deploy plugin Slow cache performance since JRE 7u06
JDK-8076343 deploy plugin JNLP property apple.laf.useScreenMenuBar no longer treated as secure for Mac OS
JDK-8071897 deploy webstart JRE 8U25 and 8u31 b32 cannot launch Java Web Start with proxy pac but works fine for 7u67
JDK-8078815 deploy webstart Launching of jnlp app fails with JNLPException
JDK-8035938 hotspot jvmti Memory leak in JvmtiEnv::GetConstantPool
JDK-8064546 security-libs javax.crypto CipherInputStream throws BadPaddingException if stream is not fully read
JDK-8078439 security-libs org.ietf.jgss SPNEGO auth fails if client proposes MS krb5 OID
JDK-8073357 xml jaxb schema1.xsd has wrong content. Sequence of the enum values has been changed
JDK-8073385 xml jaxp Bad error message on parsing illegal character in XML attribute
JDK-8074297 xml jaxp substring in XSLT returns wrong character if string contains supplementary chars

 

Known Issues

Area: deploy/plugin
Synopsis: Java issue with Firefox 38, long delay with MyD loading

Java Plugin is unable to obtain proxy settings from Firefox 38 due to a bug in Mozilla framework. It may cause a long delay during RIA start up or can even cause start up failures. See the related issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=1165286

According to Mozilla, Firefox 39 will contain a fix for this problem.

Workarounds:

  • Use another supported browser
  • Downgrade browser to Firefox 37
  • Specify proxy settings in JCP (NOT in "Browser settings")

JDK-8081459 (not public)


Area: deploy
Synopsis: JNLP files won't launch from IE11 on Windows 10 Creators Update

Web-start applications cannot be launched when clicking JNLP link from IE 11 on Windows 10 Creators Update when 64-bit JRE is installed. Workaround is to uninstall 64-bit JRE and use only 32-bit JRE.

See JDK-8185661.

Java SE 8u45 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u45 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u45 b37

Bug Fixes

BugId Component Subcomponent Summary
8085965 hotspot gc VM hangs in C2Compiler
8075210 hotspot gc Refactor strong root processing in order to allow G1 to evolve separately from GenCollectedHeap
8074037 hotspot gc Refactor the G1GCPhaseTime logging to make it easier to add new phases
8061630 hotspot gc G1 iterates over JNIHandles two times
8067655 hotspot gc Clean up G1 remembered set oop iteration
8051837 hotspot gc Remove temporary G1UseParallelRSetUpdating and G1UseParallelRSetScanning flags
8072384 core-libs java.net Setting IP_TOS on java.net sockets not working on unix

Changes in Java SE 8u45 b36

Bug Fixes

BugId Component Subcomponent Summary
8072999 deploy webstart DRS certificate based rule does not match with Java WS Application compressed by pack200
8076220
(Confidential)
deploy plugin If checksum rule is specified drs tries to calculate checksum for folder (DRS1.2)
8069161 deploy plugin Slow cache performance since JRE 7u06
8072619
(Confidential)
deploy plugin OutOfMemoryError in Java Plugin for IE
8076189
(Confidential)
install install Update Makefiles to Roll a .dmg File for the .pkg Installer
8080288
(Confidential)
deploy plugin Applet failed to reload after "javaws -uninstall"
8072676 client-libs javax.swing [macosx] Jtree icon painted over label when scrollbars present in window
8079223 deploy   unnecessary performance degradation caused by fix to JDK-8052111
8077155 core-libs java.net LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection

Changes in Java SE 8u45 b33

Bug Fixes

BugId Component Subcomponent Summary
8073072
(Confidential)
deploy plugin 8u25-b31/8u31-b32 fails to evaluate proxy pac file for some URLs
8073008 client-libs java.awt press-and-hold input method for accented characters works incorrectly on OS X

Changes in Java SE 8u45 b32

Please note that fixes from the prior BPR (8u40 b32) are included in this BPR.


Java™ SE Development Kit 8, Update 45 (JDK 8u45)

The full version string for this update release is 1.8.0_45-b14 (where "b" means "build") except for Windows, where the version string is 1.8.0_45-b15. The version number is 8u45.

IANA Data 2015a

JDK 8u45 contains IANA time zone data version 2015a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u45 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_45
7 1.7.0_79
6 1.6.0_95
5.0 1.5.0_85

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u45) will expire with the release of the next critical patch update scheduled for July 14, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u45) on August 14, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Blacklist Entries

A new blacklist entry is included in this release.

For more details on the entry, see the related Cisco Security Advisory.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes included in this release:

Area: tools/jar
Synopsis: Improve jar file handling

Starting with JDK 8u45 release, the jar tool no longer allows the leading slash "/" and ".." (dot-dot) path component in zip entry file name when creating new and/or extracting from zip and jar file. If needed, the new command line option "-P" should be used explicitly to preserve the dot-dot and/or absolute path component.

See 8064601 (not public).

Area: deploy/webstart
Synopsis: jnlp app with nested "resource" section fails with NPE on load in jre8u40

A jnlp application, with nested <resources> tags within a <java> or <j2se> tag, can throw an NPE. The issue is now fixed. The <resources> tag should be used only if the <java> is actually used.

See 8072631 (not public).

 

Bug Fix List

BugId Component Subcomponent Summary
8065373 client-libs 2d [macosx] jdk8, jdk7u60 Regression in Graphics2D drawing of derived Fonts
8065709 client-libs java.awt Deadlock in awt/logging apparently introduced by 8019623
7178362 core-libs java.net Socket impls should ignore unsupported proxy types rather than throwing
8072042 core-libs java.util.i18n (tz) Support tzdata2015a
8068313 deploy   Parsing JNLP file should not cause download of extensions.
8061648 deploy webstart JavaWS fails with proxy autoconfig due to missing "dnsResolve"
7014194 install install 32-bit JRE silent install fails on WINDOWS 2008 SERVER 64-bit under System account
8065553 security-libs java.security Failed Java web start via IPv6 (Java7u71 or later)
8055045 security-libs org.ietf.jgss:krb5 StringIndexOutOfBoundsException while reading krb5.conf
8029012 tools javac parameter_index for type annotation not updated after outer.this added
8046817 xml jaxb JDK 8 schemagen tool does not generate xsd files for enum types
8062923 xml jaxp XSL: Run-time internal error in 'substring()'
8062924 xml jaxp XSL: wrong answer from substring() function

 

Known Issues

Area: core-libs/jdk.nashorn
Synopsis: Finally blocks inlined incorrectly.

Nashorn has known issues where it incorrectly compiles try/finally constructs. For more information on this issue and a workaround, see Try/finally compilation issues wiki page.

See 8067139.

Java SE 8u40 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u40 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u40 b32

Please note that fixes from the prior BPR (8u31 b33) are included in this BPR.

Bug Fixes

BugId Component Subcomponent Summary
8071897 deploy webstart JRE 8U25 and 8u31 b32 cannot launch Java Web Start with proxy pac but works fine for 7u67
8066436
(Confidential)
client-libs java.awt Minimize can cause window to disappear on osx

Java™ SE Development Kit 8, Update 40 (JDK 8u40)

The full version string for this update release is 1.8.0_40-b26 (where "b" means "build") except for OS X, where the version string is 1.8.0_40-b27. The version number is 8u40.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2014j

JDK 8u40 contains IANA time zone data version 2014j. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u40 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_31
7 1.7.0_75
6 1.6.0_91
5.0 1.5.0_81

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u40) will expire with the release of the next critical patch update scheduled for April 14, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u40) on May 14, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes

Java Packager Tool Enhancements
JDK 8u40 release contains the following enhancements to the Java Packager:


Deprecated APIs
The endorsed-standards override mechanism and the extension mechanism are deprecated and may be removed in future releases. There are no runtime changes. Existing applications using the 'endorsed-standards override' or 'extension' mechanisms are recommended to migrate away from using these mechanisms. To help identify any existing uses of these mechanisms, the -XX:+CheckEndorsedAndExtDirs command-line option is available. It will fail if any of the following conditions is true:

  • -Djava.endorsed.dirs or -Djava.ext.dirs system property is set to alter the default location; or
  • ${java.home}/lib/endorsed directory exists; or
  • ${java.home}/lib/ext contains any JAR files excluding the ones that JDK ships or
  • any platform-specific system-wide extension directory contains any JAR files.

The -XX:+CheckEndorsedAndExtDirs command-line option is supported in JDK 8u40 and later releases.

Multiple JRE Launcher feature Deprecated

The Launch-Time JRE Version Selection or the Multiple JRE Launcher feature is deprecated in JDK 8u40. Visit http://openjdk.java.net/jeps/231 for further information. Applications that require specific Java versions deployed using this feature must switch to alternate deployment solutions such as Java WebStart.

JJS Tool Page Differences

The Japanese version of the jjs help page is different from the English version. Some of the unsupported options have been removed from the English version of the jjs tool page. The Japanese version of document will be updated in future.

See 8062100 (not public).

For other jjs tool page changes, see Tools Enhancements in JDK 8.

Java SE Tools Updated

Java SE tools have been updated. See Tools Enhancements in JDK 8 for details.

Change in default values for G1HeapWastePercent and G1MixedGCLiveThresholdPercent

The default value for G1HeapWastePercent was changed from 10 to 5 to reduce the need for full GCs. For the same reason the default value for G1MixedGCLiveThresholdPercent was changed from 65 to 85.

Nashorn Enhancements

The new jdk.nashorn.api.scripting.ClassFilter interface enables you to restrict access to specified Java classes from scripts run by a Nashorn script engine. See Restricting Script Access to Specified Java Classes in the Nashorn User's Guide and 8043717 (not public) for more information.

The Nashorn compiler now has static type inference capabilities for local variables and expressions. While JavaScript is hard to analyze statically, Nashorn is able to generate code optimized for specific types.

Nashorn now supports optimistic typing, which complements static type inference. For types that can't be statically inferred, Nashorn will make optimistic assumptions and gradually deoptimize when assumptions turn out to be wrong. To activate this feature use the --optimistic-types=true option. See Nashorn Architecture and Performance Improvements for more information.

Function.prototype.bind and Function.prototype.call are enhanced to work on everything that can be invoked in Nashorn, such as POJO methods, instances of @FunctionalInterface classes.

Issues with Third party's JCE Providers

The fix for JDK-8023069 (in JDK 8u20) updated both the SunJSSE and and SunJCE providers, including some internal interfaces.

Some third party JCE providers (such as RSA JSAFE) are using some sun.* internal interfaces, and therefore will not work with the updated SunJSSE provider. Such providers will need to be updated in order for them to work with the updated SunJSSE provider.

If you have been impacted by this issue, contact your JCE vendor for an update.

See 8058731.

Message digest algorithms are now enabled by default for SunPKCS11 provider on Solaris

If you are using Solaris 10, a change was made to re-enable operations with MD5, SHA1, and SHA2 through the Solaris Crypto Framework. If you experience a CloneNotSupportedException or PKCS11 error CKR_SAVED_STATE_INVALID message with JDK 8u40, you should verify and apply the following patches or newer versions of them:

  • 150531-02 on sparc
  • 150636-01 on x86

See 8037745.

Troubleshooting Guide Updates for NMT, JMC, and JFR

The Native Memory Tracking (NMT) is a Java Hotspot VM feature that tracks internal memory usage for a HotSpot JVM. Native Memory Tracking can be used to monitor VM internal memory allocations and diagnose VM memory leaks.

VM enhancements page is updated with NMT features. See Java Virtual Machine Enhancements in Java SE 8.

Troubleshooting Guide is updated with NMT features. See Native Memory Tracking.

Troubleshooting Guide is also updated with content for Troubleshooting using Java Mission Control, Debug Memory Leaks using Java Flight Recorder (JFR), and Troubleshooting Performance Issues using JFR.

JavaFX Enhancements

Starting with JDK 8u40 release, JavaFX controls are enhanced to support assistive technologies, meaning that JavaFX controls are now accessible. In addition, a public API is provided to allow developers to write their own accessible controls.

Accessibility support is provided on Windows and Mac OS X platforms and includes:

  • Support for reading JavaFX controls by a screen reader
  • JavaFX controls are traversable using the keyboard
  • Support for a special high-contrast mode that makes controls more visible to users.

See 8043344 (not public).

JDK 8u40 release includes new JavaFX UI controls; a spinner control, formatted-text support, and a standard set of alert dialogs.

See 8043350 (not public).

Commercial Features

  • Application Class Data Sharing (AppCDS):

    Application Class Data Sharing (AppCDS) extends CDS (see Class Data Sharing) to enable you to place classes from the standard extensions directories and the application class path in the shared archive. This is an experimental feature and not licensed for commercial use. See the -XX:+UseAppCDS option in the java launcher tool page.

  • Cooperative Memory Management:

    Starting with JDK 8u40, the notion of "memory pressure" has been added to the JDK. Memory pressure is a property that represents the total memory usage (RAM) on the system. The higher the memory pressure, the closer the system is to running out of memory.  This is an experimental feature and not licensed for commercial use.

    As a reaction to increased memory pressure, the JDK will try to reduce its memory usage. This is mainly done by reducing the Java heap size. The actions the JDK will take to reduce memory usage may lead to reduced performance. This is an intentional choice.

    The pressure level is provided by the application through a JMX MXBean using a scale from 0 (no pressure) to 10 (almost out of memory). To enable this feature, the jdk.management.cmm.SystemResourcePressureMXBean should be registered. The memory pressure is then set using the "MemoryPressure" attribute.

    A new command line flag -XX:MemoryRestriction that takes one of the arguments 'none', 'low', 'medium', or 'high', is also available. This flag will set the initial pressure in the JDK and will work also in cases where the MXBean is not registered.

    Cooperative Memory Management requires the G1 GC (-XX:+UseG1GC). This feature is not compatible with the flag -XX:+ExplicitGCInvokesConcurrent.

  • New Commercial Flags:

    Two new VM options are now available for commercial license holders:

    • -XX:+ResourceManagement
    • -XX:ResourceManagementSampleInterval=value (milliseconds)

    For more information, see Java Launcher documentation.

  • Java Flight Recorder(JFR) Enhancements

    It is now possible to enable Java Flight Recorder at runtime. For details, see the Java Flight Recorder Runtime Guide at http://docs.oracle.com/javacomponents/jmc-5-5/jfr-runtime-guide/index.html.

  • New MSI Installer Documentation:

    The Microsoft Windows Installer (MSI) Enterprise JRE Installer Guide is available at https://docs.oracle.com/javacomponents/msi-jre8/install-guide. The MSI Enterprise JRE Installer requires a commercial license for use in production. To learn more about commercial features and how to enable them, visit https://www.oracle.com/java/technologies/javase-subscription-overview.html.


Bug Fixes


For a list of bug fixes included in this release, see JDK 8u40 Bug Fixes page.

The following are some of the notable bug fixes included in JDK 8u40 release:

Area: core-svc
Synopsis: Default and static interface methods in JDI, JDWP and JDB

Since JDK 8 it is possible to have directly executable static and default methods in interfaces. These methods are not executable via JDWP or JDI and therefore can not be properly debugged. See JDK 8 Compatibility Guide for more details.

See 8042123.

Area: install
Synopsis: Java Access Bridge can be enabled from Control panel for 32 bit JREs.

Previously the "Enable Java Access Bridge" check box got removed from the Java Control Panel with 64 bit JRE uninstall even when 32 bit JRE was still present on the system.

Starting with JDK 8u40 release, the "Enable Java Access Bridge" checkbox is retained, at Control Panel -> Ease of Access -> Ease of Access Center -> Use the computer without a display, if a 32 bit jre is present. So, a user can enable Java Access bridge via control panel for 32 bit JREs.

See 8030124.

Area: client-libs
Synopsis: Modernizing the JavaFX Media Stack on Mac OS X

An AVFoundation based player platform is added to JavaFX media. The old QTKit based platform is now removable for Mac App Store compatibility.

See 8043697 (not public).

Area: deploy/plugin
Synopsis: Missing DOM APIs

In JDK 8u40 release, the old plugin DOM APIs were inadvertently removed. If an applet requires the use of com.sun.java.browser.dom.DOMService to communicate with the browser, then users may need to update their applet to use netscape.javascript.JSObject or continue using JDK 8 Update 31.

This issue has been resolved in build 26 and new 8u40 installers have been posted. If you are experiencing this problem, download and run the updated JDK 8u40 installers.

See 8074564.

Area: client-libs/java.awt
Synopsis: Mac 10.10: Application run with splash screen has focus issues

Applications started through webstart or standalone applications, which use splash screen, cannot get keyboard focus.

Workaround: Launch javaws using the -Xnosplash option.

This issue has been resolved in build 27 and a new 8u40 installer has been posted. If you are experiencing this problem, download and run the updated JDK 8u40 installer.

See 8074668.

Bug Fix List

BugId Component Subcomponent Summary
8028241 client-libs   Java Access Bridge: F key shortcuts not working if Ctrl, Alt, Shift modifier used
8040279 client-libs   [macosx] Do not use the base image in the MultiResolutionBufferedImage constructor
8059944 client-libs   [OGL] Metrics for a method choice copying of texture should be improved
8064468 client-libs   ownedWindowList access requires synchronization in Window.setAlwaysOnTop() method
7067052 client-libs 2d Default printer media is ignored
8028539 client-libs 2d Endless loop in native code of sun.java2d.loops.ScaledBlit
8034218 client-libs 2d AIX: Provide a better fontconfig.properties file
8039444 client-libs 2d Swing applications not being displayed properly
8046007 client-libs 2d Java app receives javax.print.PrintException: Printer is not accepting job.
8047066 client-libs 2d Test test/sun/awt/image/bug8038000.java fails with ClassCastException
8048583 client-libs 2d CustomMediaSizeName class matching to standard media is too loose
8054638 client-libs 2d xrender: text drawn after setColor(Color.white) is actually black
8056122 client-libs 2d Upgrade JDK to use LittleCMS 2.6
8057830 client-libs 2d Crash in Java2D Queue Flusher, OGLSD_SetScratchSurface
8057934 client-libs 2d Upgrade to LittleCMS 2.6 breaks AIX build
8059941 client-libs 2d [D3D] The fix for JDK-8029253 should be ported to d3d pipeline
8059942 client-libs 2d Default implementation of DrawImage.renderImageXform() should be improved for d3d/ogl
8061392 client-libs 2d PrinterJob NPE when drawing translucent image with null user clip
8061456 client-libs 2d [OGL] Incorrect clip is used during sw->surface blit in xor mode
8062164 client-libs 2d Incorrect color conversion, when bicubic interpolation is used
8026497 client-libs demo Font2DTest demo: unused resource files
6624085 client-libs java.awt Fourth mouse button (wheel) is treated like second button - isPopupTrigger returns true
7033533 client-libs java.awt realSync() doesn't work with Xfce
8003900 client-libs java.awt X11 dependencies should be removed from Mac OS X build.
8024626 client-libs java.awt CTW CRASH: SIGSEGV in ctw/jre/lib/rt_jar/preloading_1 and ctw/jre/lib/rt_jar/sun_awt_X11_ListHelper
8026385 client-libs java.awt [macosx] (awt) setjmp/longjmp changes the process signal mask on OS X
8029253 client-libs java.awt [macosx] Performance problems with Retina display on Mac OS X
8032864 client-libs java.awt [macosx] sigsegv (0Xb) Being Generated When Starting JDev With Voiceover Running
8033141 client-libs java.awt Cleanup of sun.awt.X11 package
8040007 client-libs java.awt GtkFileDialog strips user inputted filepath
8041734 client-libs java.awt JFrame in full screen mode leaves empty workspace after close
8043869 client-libs java.awt [macosx] java -splash does not honor @2x hi dpi notation for retina support
8046495 client-libs java.awt KeyEvent can not be accepted in quick mouse clicking
8048549 client-libs java.awt [macosx] Disable usage of system menu bar if AWT is embedded in FX
8049065 client-libs java.awt [JLightweightFrame] Support DnD for SwingNode
8049198 client-libs java.awt [macosx] Incorrect thread access when showing splash screen
8049996 client-libs java.awt [macosx] test java/awt/image/ImageIconHang.java fails with NPE
8051857 client-libs java.awt OperationTimedOut exception inside from XToolkit.syncNativeQueue call
8057788 client-libs java.awt [macosx] "Pinch to zoom" does not work since jdk7
8058197 client-libs java.awt AWT fails on generic non-reparenting window managers
8059590 client-libs java.awt ArrayIndexOutOfBoundsException occurs when Container with overridden getComponents() is deserialized
8059998 client-libs java.awt Broken link in java.awt.event Interface KeyListener
8062021 client-libs java.awt NPE in sun/lwawt/macosx/CPlatformWindow::toFront after 8060146
8065627 client-libs java.awt Animated GIFs fail to display on a HiDPI display
8066986 client-libs java.awt [headless] DataTransferer.getInstance throws ClassCastException in headless mode
8034085 client-libs java.beans Do not prefer indexed properties
8034164 client-libs java.beans Introspector ignores indexed part of the property sometimes
8054157 client-libs javax.accessibility Access Bridge; add definitions for bits 8 and 9 for for new accelerator support
8057977 client-libs javax.accessibility Java Access Bridge, regression, NPE, occurs randomly
4991647 client-libs javax.imageio PNGMetadata.getAsTree() sets bitDepth to invalid value
7058697 client-libs javax.sound Unexpected exceptions in MID parser code
7058700 client-libs javax.sound Unexpected exceptions and timeouts in SF2 parser code
8054431 client-libs javax.sound Some of the input validation in the javasound is too strict
6302052 client-libs javax.swing Reference to nonexistant Class in javadoc
6521706 client-libs javax.swing A switch operator in JFrame.processWindowEvent() should be rewritten
7169583 client-libs javax.swing JInternalFrame title not antialiased in Nimbus LaF
7170310 client-libs javax.swing ScrollBar doesn't become active when tabs are created more than frame size
8029536 client-libs javax.swing JFileChooser filter uses .toString() instead of getDescription() for filter text on GTK laf
8033699 client-libs javax.swing Incorrect radio button behavior
8042835 client-libs javax.swing Unexpected mnemonic in JFileChooser
8046559 client-libs javax.swing NPE when changing Windows theme
8048110 client-libs javax.swing Using tables in JTextPane leads to infinite loop in FlowLayout.layoutRow
8048887 client-libs javax.swing SortingFocusTraversalPolicy throws IllegalArgumentException from the sort method
8057893 client-libs javax.swing JComboBox actionListener never receives "comboBoxEdited" from getActionCommand
8058193 client-libs javax.swing [macosx] Potential incomplete fix for 8031485
8058870 client-libs javax.swing Mac: JFXPanel deadlocks in jnlp mode
8059739 client-libs javax.swing Dragged and Dropped data is corrupted for two data types
8059943 client-libs javax.swing [macosx] Aqua LaF should use BI.TYPE_INT_ARGB_PRE for a better performance
8065098 client-libs javax.swing JColorChooser no longer supports drag and drop between two JVM instances
8044533 core-libs   Deoptimizing negation produces wrong result for zero
8044534 core-libs   Constant folding for unary + should produce int for boolean literals
8044638 core-libs   Tidy up Nashorn codebase for code standards
8044816 core-libs   On-demand compiled top-level program doesn't need :createProgramFunction
8046201 core-libs   Avoid repeated flattening of nested ConsStrings
8056926 core-libs   Improve caching of GuardWithTest combinator
7011804 core-libs java.io SequenceInputStream with lots of empty substreams can cause StackOverflowError
8055949 core-libs java.io ByteArrayOutputStream capacity should be maximal array size permitted by VM
6853696 core-libs java.lang (ref) ReferenceQueue.remove(timeout) may return null even if timeout has not expired
8000975 core-libs java.lang (process) Merge UNIXProcess.java.bsd & UNIXProcess.java.linux
8047340 core-libs java.lang (process) Runtime.exec() fails in Turkish locale
8048515 core-libs java.lang Read outside array bounds in jdk/src/solaris/native/java/lang/java_props_md.c
8054841 core-libs java.lang (process) ProcessBuilder leaks native memory
8060485 core-libs java.lang (str) contentEquals checks the String contents twice on mismatch
8031373 core-libs java.lang.invoke Fix deprecation and raw lint warnings in java.lang.invoke
8037209 core-libs java.lang.invoke Improvements and cleanups to bytecode assembly for lambda forms
8037210 core-libs java.lang.invoke Get rid of char-based descriptions 'J' of basic types
8038261 core-libs java.lang.invoke JSR292: cache and reuse typed array accessors
8049555 core-libs java.lang.invoke Move varargsArray from sun.invoke.util package to java.lang.invoke
8050052 core-libs java.lang.invoke Small cleanups in java.lang.invoke code
8050053 core-libs java.lang.invoke Improve caching of different invokers
8050057 core-libs java.lang.invoke Improve caching of MethodHandle reinvokers
8050166 core-libs java.lang.invoke Get rid of some package-private methods on arguments in j.l.i.MethodHandle
8050173 core-libs java.lang.invoke Generalize BMH.copyWith API to all method handles
8050174 core-libs java.lang.invoke Support overriding of isInvokeSpecial flag in WrappedMember
8050200 core-libs java.lang.invoke Make LambdaForm intrinsics detection more robust
8050877 core-libs java.lang.invoke Improve code for pairwise argument conversions and value boxing/unboxing
8050884 core-libs java.lang.invoke Intrinsify ValueConversions.identity() functions
8050887 core-libs java.lang.invoke Intrinsify constants for default values
8057020 core-libs java.lang.invoke LambdaForm caches should support eviction
8057042 core-libs java.lang.invoke LambdaFormEditor: ability to derive new LFs from a base LF
8057654 core-libs java.lang.invoke Extract checks performed during MethodHandle construction into separate methods
8057656 core-libs java.lang.invoke Improve MethodType.isCastableTo() & MethodType.isConvertibleTo() checks
8057657 core-libs java.lang.invoke Annotate LambdaForm parameters with types
8057922 core-libs java.lang.invoke Improve LambdaForm sharing by using LambdaFormEditor more extensively
8058291 core-libs java.lang.invoke Missing some checks during parameter validation
8058293 core-libs java.lang.invoke Bit set computation in MHs.findFirstDupOrDrop/findFirstDrop is broken
8058661 core-libs java.lang.invoke Compiled LambdaForms should inherit from Object to improve class loading performance
8058892 core-libs java.lang.invoke FILL_ARRAYS and ARRAYS are eagely initialized in MethodHandleImpl
8059877 core-libs java.lang.invoke GWT branch frequencies pollution due to LF sharing
8059880 core-libs java.lang.invoke Get rid of LambdaForm interpretation
8060483 core-libs java.lang.invoke NPE with explicitCastArguments unboxing null
8063135 core-libs java.lang.invoke Enable full LF sharing by default
8066746 core-libs java.lang.invoke MHs.explicitCastArguments does incorrect type checks for VarargsCollector
8064667 core-libs java.lang:class_loading Add -XX:+CheckEndorsedAndExtDirs flag to JDK 8
8065675 core-libs java.lang:class_loading Deprecate the Endorsed-Standards Override Mechanism
8065702 core-libs java.lang:class_loading Deprecate the Extension Mechanism
8054987 core-libs java.lang:reflect (reflect) Add sharing of annotations between instances of Executable
8055063 core-libs java.lang:reflect Parameter#toString() fails w/ AIOOBE for ctr of inner class w/ generic type
8062771 core-libs java.lang:reflect Core reflection should use final fields whenever possible
8064391 core-libs java.lang:reflect More thread safety problems in core reflection
8057793 core-libs java.math BigDecimal is no longer effectively immutable
7010989 core-libs java.net Duplicate closure of file descriptors leads to unexpected and incorrect closure of sockets
7150092 core-libs java.net NTLM authentication fail if user specified a different realm
8029607 core-libs java.net Type of Service (TOS) cannot be set in IPv6 header
8042622 core-libs java.net Check for CRL results in IllegalArgumentException "white space not allowed"
8047186 core-libs java.net jdk.net.Sockets throws InvocationTargetException instead of original runtime exceptions
8048212 core-libs java.net Two tests failed with "java.net.SocketException: Bad protocol option" on Windows after 8029607
8050983 core-libs java.net Misplaced parentheses in sun.net.www.http.HttpClient break HTTP PUT streaming
8057936 core-libs java.net java.net.URLClassLoader.findClass uses exceptions in control flow
8058216 core-libs java.net NetworkInterface.getHardwareAddress can return zero length byte array when run with preferIPv4Stack
8062744 core-libs java.net jdk.net.Sockets.setOption/getOption does not support IP_TOS
8011537 core-libs java.nio (fs) Path.register(..) clears interrupt status of thread with no InterruptedException
8042470 core-libs java.nio (fs) Path.register doesn't throw IllegalArgumentException if multiple OVERFLOW events are specified
8042816 core-libs java.nio (fs) Path.register doesn't throw IllegalArgumentException if multiple OVERFLOW events are specified, part 2
8054029 core-libs java.nio (fc) FileChannel.size() returns 0 for block devices on Linux
8055421 core-libs java.nio (fs) bad error handling in java.base/unix/native/libnio/fs/UnixNativeDispatcher.c
8062501 core-libs java.nio Modifications of server socket channel accept() methods for instrumentation purposes
8062233 core-libs java.rmi add java/rmi/server/Unreferenced/finiteGCLatency/FiniteGCLatency.java to problem list
8039915 core-libs java.text Wrong NumberFormat.format() HALF_UP rounding when last digit exactly at rounding position greater than 5
8042126 core-libs java.time DateTimeFormatter "MMMMM" returns English value in Japanese locale
8044671 core-libs java.time NPE from JapaneseEra when a new era is defined in calendar.properties
8040806 core-libs java.util BitSet.toString() can throw IndexOutOfBoundsException
8048209 core-libs java.util SynchronizedNavigableSet tailSet uses wrong mutex
8056248 core-libs java.util.concurrent Improve ForkJoin thread throttling
8056249 core-libs java.util.concurrent Improve CompletableFuture resource usage
8066397 core-libs java.util.concurrent Remove network-related seed initialization code in ThreadLocal/SplittableRandom
8048020 core-libs java.util.logging Regression on java.util.logging.FileHandler
8059269 core-libs java.util.logging FileHandler may throw NPE if pattern is a simple name and the lock file already exists
8065991 core-libs java.util.logging LogManager unecessarily calls JavaAWTAccess from within a critical section
8029452 core-libs java.util.stream Fork/Join task ForEachOps.ForEachOrderedTask clarifications and minor improvements
8030079 core-libs java.util.stream Fix raw and unchecked warnings java.util.stream
6904367 core-libs java.util:collections (coll) IdentityHashMap is resized before exceeding the expected maximum size
8033893 core-libs java.util:i18n jdk build is broken due to the changeset of JDK-8033370
8060006 core-libs java.util:i18n No Russian time zones mapping for Windows
8047062 core-libs javax.naming Improve diagnostic output in com/sun/jndi/ldap/LdapTimeoutTest.java
8049884 core-libs javax.naming Reduce possible timing noise in com/sun/jndi/ldap/LdapTimeoutTest.java
8062132 core-libs javax.script Nashorn incorrectly binds "this" for constructor created by another function
8066932 core-libs javax.script __noSuchMethod__ binds to this-object without proper guard
8025435 core-libs jdk.nashorn Specialized library functions for optimistic typing
8028345 core-libs jdk.nashorn Remove nashorn repo "bin" scripts to avoid confusion with JDK bin launcher programs
8029090 core-libs jdk.nashorn Developers should be able to pass nashorn properties and enable/disable JFR from command line
8035312 core-libs jdk.nashorn push() on frozen array increases its length property
8038396 core-libs jdk.nashorn 8037534 breaks richards Octane benchmark
8038413 core-libs jdk.nashorn NPE in unboxInteger
8038416 core-libs jdk.nashorn Access to undefined scoped variables deoptimized too much
8040024 core-libs jdk.nashorn BranchOptimizer produces bad code for NaN FP comparison
8043002 core-libs jdk.nashorn Improve performance of Nashorn equality operators
8043003 core-libs jdk.nashorn Use strongly referenced generic invokers
8043004 core-libs jdk.nashorn Reduce variability at JavaAdapter call sites
8043133 core-libs jdk.nashorn Fix corner cases of JDK-8041995
8043137 core-libs jdk.nashorn Collapse long sequences of NOP in Nashorn bytecode output
8043232 core-libs jdk.nashorn Index selection of overloaded java new constructors
8043235 core-libs jdk.nashorn Type-based optimizations interfere with continuation methods
8043431 core-libs jdk.nashorn Fix yet another corner case of JDK-8041995
8043605 core-libs jdk.nashorn Enable history for empty property maps
8043956 core-libs jdk.nashorn Make code caching work with optimistic typing and lazy compilation
8044171 core-libs jdk.nashorn Make optimistic exception handlers smaller
8044502 core-libs jdk.nashorn Get rid of global optimistic flag
8044518 core-libs jdk.nashorn Ensure exceptions related to optimistic recompilation are not serializable
8044803 core-libs jdk.nashorn Unnecessary restOf check in CodeGenerator.undefinedCheck
8044851 core-libs jdk.nashorn nashorn properties leak memory
8046013 core-libs jdk.nashorn TypeError: Cannot apply "with" to non script object
8046014 core-libs jdk.nashorn MultiGlobalCompiledScript used to cache method handle and strict mode - not anymore
8046202 core-libs jdk.nashorn Make persistent code store more flexible
8046215 core-libs jdk.nashorn Running uncompilable scripts throws NullPointerException
8046921 core-libs jdk.nashorn Deoptimization type information peristence
8047331 core-libs jdk.nashorn Assertion in CompiledFunction when running earley-boyer after Merge
8047764 core-libs jdk.nashorn Indexed or polymorphic set on global affects Object.prototype
8048009 core-libs jdk.nashorn Type info caching accidentally defeated
8048079 core-libs jdk.nashorn Persistent code store is broken after optimistic types merge
8048505 core-libs jdk.nashorn readFully does not handle ConsString file names
8048586 core-libs jdk.nashorn String concatenation with optimistic types is slow
8048718 core-libs jdk.nashorn JSON.parse('{"0":0, "64":0}') throws ArrayindexOutOfBoundsException
8049086 core-libs jdk.nashorn Minor API convenience functions on "Java" object
8049242 core-libs jdk.nashorn Explicit constructor overload selection should work with StaticClass as well
8049524 core-libs jdk.nashorn Global object initialization via javax.script API should be minimal
8050432 core-libs jdk.nashorn javax.script.filename variable should not be enumerable with nashorn engine's ENGINE_SCOPE bindings
8050964 core-libs jdk.nashorn OptimisticTypesPersistence.java should use java.util.Date instead of java.sql.Date
8050977 core-libs jdk.nashorn Java8 Javascript Nashorn exception: no current Global instance for nashorn
8051439 core-libs jdk.nashorn Wrong type calculated for ADD operator with undefined operand
8051778 core-libs jdk.nashorn Function.prototype.bind doesn't work on all callables
8053910 core-libs jdk.nashorn ScriptObjectMirror causing havoc with Invocation interface
8053913 core-libs jdk.nashorn Auto format caused warning in CompositeTypeBasedGuardingDynamicLinker
8054223 core-libs jdk.nashorn Nashorn: AssertionError when use __DIR__ and ScriptEngine.eval()
8054411 core-libs jdk.nashorn Add "nashorn.args.prepend" system property
8054503 core-libs jdk.nashorn test/script/external/test262/test/suite/ch12/12.6/12.6.4/12.6.4-2.js fails with tip
8054651 core-libs jdk.nashorn Global.initConstructor and ScriptFunction.getPrototype(Object) can have stricter types
8054898 core-libs jdk.nashorn Avoid creation of empty type info files
8055034 core-libs jdk.nashorn jjs exits interactive mode if exception was thrown when trying to print value of last evaluated expression
8055042 core-libs jdk.nashorn Compile-time expression evaluator was missing variables
8055107 core-libs jdk.nashorn Extension directives to turn on callsite profiling, tracing, AST print and other debug features locally
8055199 core-libs jdk.nashorn Tidy up Nashorn codebase for code standards (August 2014)
8055687 core-libs jdk.nashorn Wrong "this" passed to JSObject.eval call
8055762 core-libs jdk.nashorn Nashorn misses linker for netscape.javascript.JSObject instances
8055796 core-libs jdk.nashorn JSObject and browser JSObject linkers should provide fallback to call underlying Java methods directly
8055870 core-libs jdk.nashorn iteration fails if index var is not used
8055906 core-libs jdk.nashorn jdk.nashorn.internal.codegen.ApplySpecialization$1.leaveIdentNode() should throw stackless Exception
8055911 core-libs jdk.nashorn Questionable String.intern() in jdk.nashorn.internal.ir.IdentNode()
8055913 core-libs jdk.nashorn jdk.nashorn.internal.ir.Node.hashCode() delegates to Object.hashCode() and is hot
8055923 core-libs jdk.nashorn jdk.nashorn.internal.{codegen.CompilationPhase|runtime.Timing} should use System.nanoTime
8055954 core-libs jdk.nashorn Questionable use of parallelStream() in jdk.nashorn.internal.runtime.Context$ContextCodeInstaller.initialize()
8056025 core-libs jdk.nashorn jdk.nashorn.internal.codegen.CompilationPhase.setStates() is hot in class installation phase
8056052 core-libs jdk.nashorn jdk.nashorn.internal.runtime.Source.getContent() does excess Object.clone()
8056123 core-libs jdk.nashorn Anonymous function statements leak internal function names into global scope
8056129 core-libs jdk.nashorn AtomicInteger is treated as primitive number with optimistic compilation
8056978 core-libs jdk.nashorn ClassCastException: cannot cast jdk.nashorn.internal.scripts.JO*
8057019 core-libs jdk.nashorn Additional arguments to Function.prototype.apply messes up actual arguments passed
8057021 core-libs jdk.nashorn UserAccessorProperty guards fail with multiple globals
8057148 core-libs jdk.nashorn Skip nested functions on reparse
8057551 core-libs jdk.nashorn Make class dumping available outside --compile-only mode
8057588 core-libs jdk.nashorn Lots of trivial classes are generated by Nashorn compiler
8057611 core-libs jdk.nashorn jdk/nashorn/internal/scripts/JO* classes are missing from the generated methods dump
8057691 core-libs jdk.nashorn Nashorn: let & const declarations are not shared between scripts
8057703 core-libs jdk.nashorn Still, lots of trivial classes are generated by Nashorn compiler
8057743 core-libs jdk.nashorn Single quotes must be escaped in message resource file
8057825 core-libs jdk.nashorn emitted socket arg becomes null in avatar.js http tests
8057930 core-libs jdk.nashorn Remove "eval id" from eval locations
8057931 core-libs jdk.nashorn Instead of not skipping small functions in parser, make lexer avoid them instead
8057980 core-libs jdk.nashorn let & const: remaining issues with lexical scoping
8058100 core-libs jdk.nashorn Reduce the RecompilableScriptFunctionData footprint
8058179 core-libs jdk.nashorn Global constants get in the way of self-modifying properties
8058304 core-libs jdk.nashorn Non-serializable fields in serializable classes
8058422 core-libs jdk.nashorn Users should be able to overwrite "context" and "engine" variables
8058561 core-libs jdk.nashorn NullPointerException at
jdk.nashorn.internal.codegen.LocalVariableTypesCalculator.
symbolIsUsed(LocalVariableTypesCalculator.java:224)
8058610 core-libs jdk.nashorn Pessimistic LMUL used where optimistic should be
8058615 core-libs jdk.nashorn Overload resolution ambiguity involving ConsString
8059231 core-libs jdk.nashorn Octane Raytrace fails when optimistic typing turned off
8059236 core-libs jdk.nashorn Memory leak when executing octane pdfjs with optimistic typing
8059321 core-libs jdk.nashorn Significant parser/frontend overhead in recompilation of avatar.js
8059346 core-libs jdk.nashorn Single class loader is used to load compiled bytecode
8059370 core-libs jdk.nashorn Unnecessary work in deoptimizing recompilation
8059371 core-libs jdk.nashorn Code duplication in handling of break and continue
8059372 core-libs jdk.nashorn Code duplication in split emitter
8059443 core-libs jdk.nashorn Logical NOT operator throws NullPointerException for null Boolean return values
8059813 core-libs jdk.nashorn Type Info Cache flag must must be documented
8059938 core-libs jdk.nashorn NPE restoring cached script with optimistic types disabled
8060011 core-libs jdk.nashorn Concatenating an array and converting it to Java gives wrong result
8060101 core-libs jdk.nashorn AssertionError: __noSuchProperty__ placeholder called from NativeJavaImporter
8060471 core-libs jdk.nashorn GlobalConstants.findSetMethod calls DynamicLinker.getLinkedCallSiteLocation, which does Throwables
8060688 core-libs jdk.nashorn Nashorn: Generated script class name fails --verify-code for names with special chars
8061113 core-libs jdk.nashorn Boolean used as optimistic call return type
8061257 core-libs jdk.nashorn nashorn ant build script should have a sanity target
8061959 core-libs jdk.nashorn Missing ArrayBuffer.isView() Method
8062024 core-libs jdk.nashorn Issue with date.setFullYear when time other than midnight
8062308 core-libs jdk.nashorn b36 of 9 introduces regressions over b35 when running lyra
8062381 core-libs jdk.nashorn String.prototype.charCodeAt called with invalid index throws ClassCastException
8062386 core-libs jdk.nashorn Different versions of nashorn use same code cache directory
8062490 core-libs jdk.nashorn JDK-8061391 regresses typescript: OOME with too fat SparseArrayData instances
8062583 core-libs jdk.nashorn Throwing object with error prototype causes error proto to be caught
8062624 core-libs jdk.nashorn java.lang.String methods not available on concatenated strings
8062799 core-libs jdk.nashorn Binary logical expressions can have numeric types
8062937 core-libs jdk.nashorn GlobalConstants produces wrong result with Object.defineProperty
8063036 core-libs jdk.nashorn Cosmetics: The recompile log produces double lines for some reason
8063037 core-libs jdk.nashorn Trivial bugfixing and exception reuse in ApplySpecialization
8064467 core-libs jdk.nashorn Deoptimization type information persistence doesn't work - "Failed to calculate version dir name"
8064707 core-libs jdk.nashorn Remove NativeArray link logic fields
8064789 core-libs jdk.nashorn Nashorn should just warn on code store instantiation error
8065769 core-libs jdk.nashorn OOM on Window/Solaris in test compile-octane-splitter.js
8065985 core-libs jdk.nashorn Inlining failure of Number.doubleValue() in JSType.toNumeric() causes 15% peak perf regresion on Box2D
8066119 core-libs jdk.nashorn Missing resource type.error.not.an.arraybuffer
8066146 core-libs jdk.nashorn jdk.nashorn.api.scripting package javadoc should be included in jdk docs
8066669 core-libs jdk.nashorn dust.js performance regression caused by primitive field conversion
8067136 core-libs jdk.nashorn BrowserJSObjectLinker does not handle call on JSObjects
8067219 core-libs jdk.nashorn NPE in ScriptObject.clone() when running with object fields
8068573 core-libs jdk.nashorn POJO setter using [] syntax throws an exception
8068889 core-libs jdk.nashorn Calling a @FunctionalInterface from JS leaks internal objects
8069002 core-libs jdk.nashorn REGRESSION: test/script/external/test262/test/suite/ch11/11.2/11.2.3/S11.2.3_A3_T5.js fails with tip
8042123 core-svc   Support default and static interface methods in JDI, JDWP and JDB
8044473 core-svc   Allow for extended set of platform MXBeans
8064288 core-svc   sun.management.Flag should loadLibrary()
8028430 core-svc debugger JDI: ReferenceType.visibleMethods() return wrong visible methods
8056049 core-svc java.lang.management getProcessCpuLoad() stops working in one process when a different process exits
8065397 core-svc java.lang.management Remove ExtendedPlatformComponent.java from EXFILES list
8049303 core-svc javax.management Transient network problems cause JMX thread to fail silenty
8039173 core-svc tools Propagate errors from Diagnostic Commands as exceptions in the attach framework
8044135 core-svc tools Add API to start JMX agent from attach framework
8049340 core-svc tools sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java timed out
8027809 deploy   ClassNotFound exception when loading jnlp applet in nested resource tag
8031989 deploy   Provide API to get all the JNLP artifacts
8037417 deploy   javaws fails to launch app with empty href in jnlp file if Application-Library-Allowable-Codebase is used
8038599 deploy   Move com.sun.java.browser.dom and com.sun.java.browser.net to deploy
8039007 deploy   jdeps incorrectly reports javax.jnlp as JDK internal APIs
8046476 deploy   VPAT: Application Blocked dialog issues
8049088 deploy   Close icon not highlighted and no name/description readable by screen readers
8052106 deploy   [jcck] extra mnemonics in security dialog.
8054971 deploy   Applet is blocked when requesting sandbox permission and loading loose resource
8059136 deploy   Reverse removal of applet demos [backout 8015376]
8062183 deploy   Change the order of linux proxy detection
8068969 deploy   Add missing information to AppModel
8037471 deploy deployment_toolkit The warning message displays the app name and publisher as "UNKNOWN" if cache is disabled
8046709 deploy deployment_toolkit Java Control Panel Security Level Radio Buttons do not have name, screen read not able to read the name
8059387 deploy javafx Unexpected SSV warning appears on Linux for FX applet requesting JRE 1.7+
8060719 deploy javafx TrustDecider.checkMainJarManifest will fail for fx app with embedded certificate.
6845304 deploy plugin HTMLStyleElement can't be cast to LinkStyle
8011182 deploy plugin Unable to enable the last jre remaining on the system
8023095 deploy plugin Applet with legacy_lifecycle=true and jdwp properties destroyed on browseaway
8025917 deploy plugin JDK demo applets not running with >=7u40 or (JDK 8 and JDK 9)
8032835 deploy plugin Security Dialogs should display OU/O field for Publisher if CN field is empty
8042626 deploy plugin Exception occurs when writing many texts to java console
8042696 deploy plugin Existing Java method cannot be called from JavaScript in IE
8043230 deploy plugin MacNPAPIJavaPlugin incorrectly constructed which sometimes causes Applet not to load
8043231 deploy plugin [mac] Too long pipe names: sometimes duplicate names arisesm when many applets on page
8023094 deploy webstart web start short cut icon disappear when launch disconnected
8027019 deploy webstart Sometimes, codebase property is not written in .lap file in cache before loading app
8029579 deploy webstart "Application Error" dialog will show up after click "OK" on "Application Blocked" dialog
8046501 deploy webstart DRS - cert based run rule doesn't work when running offline
8051890 deploy webstart Java Web Start raises "Unable to create a shortcut for <APP_NAME>" dialog
8055179 deploy webstart Security Dialog for unsigned jnlp still different in jnlp Application case.
8064358 deploy webstart JnlpxArgs NullPointerException
8066447 deploy webstart 8u40: URL.openConnection fails with exception if "use browser settings" is set and browser itself uses system settings
8055175 globalization translation [de] Truncation issue in EULA dialog.
8058184 hotspot   Move _highest_comp_level and _highest_osr_comp_level from MethodData to MethodCounters
6351437 hotspot compiler PIT : compiler/6329104/Test6329104.sh fails due to execution time variation
6642881 hotspot compiler Improve performance of Class.getClassLoader()
6898462 hotspot compiler The escape analysis with G1 cause crash assertion src/share/vm/runtime/vframeArray.cpp:94
8023461 hotspot compiler Thread holding lock at safepoint that vm can block on: MethodCompileQueue_lock
8026796 hotspot compiler Make replace_in_map() on parent maps generic
8029443 hotspot compiler 'assert(klass->is_loader_alive(_is_alive)) failed: must be alive' during VM_CollectForMetadataAllocation
8031994 hotspot compiler java/lang/Character/CheckProp test times out
8034775 hotspot compiler Failing to initialize VM when running with negative value for -XX:CICompilerCount
8035328 hotspot compiler closed/compiler/6595044/Main.java failed with timeout
8035605 hotspot compiler Expand functionality of PredictedIntrinsicGenerator
8035968 hotspot compiler C2 support for SHA on SPARC
8039498 hotspot compiler Add iterators to GrowableArray
8040798 hotspot compiler compiler/startup/SmallCodeCacheStartup.java timed out in RT_Baseline
8041984 hotspot compiler CompilerThread seems to occupy all CPU in a very rare situation
8041992 hotspot compiler Fix of JDK-8034775 neglects to account for non-JIT VMs
8042235 hotspot compiler redefining method used by multiple MethodHandles crashes VM
8042428 hotspot compiler CompileQueue::free_all() code is incorrect
8042431 hotspot compiler compiler/7200264/TestIntVect.java fails with: Test Failed: AddVI 0 < 4
8042737 hotspot compiler Introduce umbrella header prefetch.inline.hpp
8044538 hotspot compiler assert(which != imm_operand) failed: instruction is not a movq reg, imm64
8046289 hotspot compiler compiler/6340864/TestLongVect.java timeout with
8046698 hotspot compiler assert(false) failed: only Initialize or AddP expected macro.cpp:943
8047326 hotspot compiler Consolidate all CompiledIC::CompiledIC implementations and move it to compiledIC.cpp
8047362 hotspot compiler Add a version of CompiledIC_at that doesn't create a new RelocIterator
8047373 hotspot compiler Clean the ExceptionCache in one pass
8047383 hotspot compiler SIGBUS in C2 compiled method weblogic.wsee.jaxws.framework.jaxrpc.EnvironmentFactory$SimulatedWsdlDefinitions.<init>
8048703 hotspot compiler ReplacedNodes dumps it's content to tty
8048879 hotspot compiler "unexpected yanked node" opto/postaloc.cpp:139
8049252 hotspot compiler VerifyStack logic in Deoptimization::unpack_frames does not expect to see invoke bc at the top frame during normal deoptimization
8049528 hotspot compiler Method marked w/ @ForceInline isn't inlined with "executed < MinInliningThreshold times" message
8049529 hotspot compiler LogCompilation: annotate make_not_compilable with compilation level
8049530 hotspot compiler Provide descriptive failure reason for compilation tasks removed for the queue
8049532 hotspot compiler LogCompilation: C1: inlining tree is flat (no depth is stored)
8050079 hotspot compiler crash while compiling java.lang.ref.Finalizer::runFinalizer
8050972 hotspot compiler Concurrency problem in PcDesc cache
8051344 hotspot compiler JVM crashed in Compile::start() during method parsing w/ UseRTMDeopt turned on
8052081 hotspot compiler Optimize code generated by C2 for Intel's Atom processor
8054224 hotspot compiler Recursive method that was compiled by C1 is unable to catch StackOverflowError
8054376 hotspot compiler Move RTM flags from Experimental to Product
8054402 hotspot compiler "klass->is_loader_alive(_is_alive)) failed: must be alive" for anonymous classes
8054478 hotspot compiler C2: Incorrectly compiled char[] array access crashes JVM
8054927 hotspot compiler Missing MemNode::acquire ordering in some volatile Load nodes
8055286 hotspot compiler Extend CompileCommand=option to handle numeric parameters
8055494 hotspot compiler Add C2 x86 intrinsic for BigInteger::multiplyToLen() method
8055946 hotspot compiler assert(result == NULL || result->is_oop()) failed: must be oop
8056071 hotspot compiler compiler/whitebox/IsMethodCompilableTest.java fails with 'method() is not compilable after 3 iterations'
8056124 hotspot compiler Hotspot should use PICL interface to get cacheline size on SPARC
8056964 hotspot compiler JDK-8055286 changes are incomplete.
8057129 hotspot compiler Fix AIX build after the Extend CompileCommand=option change 8055286
8057750 hotspot compiler CTW should not make MH intrinsics not entrant
8057758 hotspot compiler Tests run TypeProfileLevel=222 crash with guarantee(0) failed: must find derived/base pair
8058148 hotspot compiler MaxNodeLimit and LiveNodeCountInliningCutoff should be increased
8058536 hotspot compiler java/lang/instrument/NativeMethodPrefixAgent.java fails due to VirtualMachineError: out of space in CodeCache for method handle intrinsic
8058564 hotspot compiler Tiered compilation performance drop in PIT
8058744 hotspot compiler Crash in C1 OSRed method w/ Unsafe usage
8058825 hotspot compiler EA: ConnectionGraph::split_unique_types does incorrect scalar replacement
8058828 hotspot compiler Wrong ciConstant type for arrays from ConstantPool::_resolved_reference
8058847 hotspot compiler C2: EliminateAutoBox regression after 8042786
8059139 hotspot compiler It should be possible to explicitly disable usage of TZCNT instr w/ -XX:-UseBMI1Instructions
8059226 hotspot compiler Names of rtm_state_change and unstable_if deoptimization reasons were swapped in 8u40
8059299 hotspot compiler assert(adr_type != NULL) failed: expecting TypeKlassPtr
8059556 hotspot compiler C2: crash while inlining MethodHandle invocation w/ null receiver
8059592 hotspot compiler Recent bugfixes in ppc64 port.
8059621 hotspot compiler JVM crashes with "unexpected index type" assert in LIRGenerator::do_UnsafeGetRaw
8059780 hotspot compiler SPECjvm2008-MPEG performance regressions on x64 platforms
8060147 hotspot compiler SIGSEGV in Metadata::mark_on_stack() while marking metadata in ciEnv
8062169 hotspot compiler Multiple OSR compilations issued for same bci
8062950 hotspot compiler Bug in locking code when UseOptoBiasInlining is disabled: assert(dmw->is_neutral()) failed: invariant
8065618 hotspot compiler C2 RA incorrectly removes kill projections
8066045 hotspot compiler opto/node.hpp:355, assert(i < _max) failed: oob: i=1, _max=1
8066103 hotspot compiler C2's range check smearing allows out of bound array accesses
8066199 hotspot compiler C2 escape analysis prevents VM from exiting quickly
8066775 hotspot compiler opto/node.hpp:355, assert(i < _max) failed: oob: i=1, _max=1
8066900 hotspot compiler Array Out Of Bounds Exception causes variable corruption
8067144 hotspot compiler SIGSEGV with +TraceDeoptimization in Deoptimization::print_objects
7132678 hotspot gc G1: verify that the marking bitmaps have no marks for objects over TAMS
8019342 hotspot gc G1: High "Other" time most likely due to card redirtying
8024366 hotspot gc Make UseNUMA enable UseNUMAInterleaving
8026784 hotspot gc Error message in AdaptiveFreeList<Chunk>::verify_stats is wrong
8027553 hotspot gc Change the in_cset_fast_test functionality to use the G1BiasedArray abstraction
8027959 hotspot gc Early reclamation of large objects in G1
8028710 hotspot gc G1 does not retire allocation buffers after reference processing work
8032379 hotspot gc Remove the is_scavenging flag to process_strong_roots
8033764 hotspot gc Remove the usage of StarTask from BufferingOopClosure
8033923 hotspot gc Use BufferingOopClosure for G1 code root scanning
8034056 hotspot gc assert(_heap_alignment >= _space_alignment) failed: heap_alignment less than space_alignment
8034761 hotspot gc Remove the do_code_roots parameter from process_strong_roots
8034764 hotspot gc Use process_strong_roots to adjust the StringTable
8035393 hotspot gc Use CLDClosure instead of CLDToOopClosure in frame::oops_interpreted_do
8035400 hotspot gc Move G1ParScanThreadState into its own files
8035401 hotspot gc Fix visibility of G1ParScanThreadState members
8035412 hotspot gc Cleanup ClassLoaderData::is_alive
8035648 hotspot gc Don't use Handle in java_lang_String::print
8035746 hotspot gc Add missing Klass::oop_is_instanceClassLoader() function
8037344 hotspot gc Use the "next" field to iterate over fine remembered instead of using the hash table
8037958 hotspot gc ConcurrentMark::cleanup leaks BitMaps if VerifyDuringGC is enabled
8038265 hotspot gc CMS: enable time based triggering of concurrent cycles
8038399 hotspot gc Remove dead oop_iterate MemRegion variants from SharedHeap, Generation and Space classes
8038404 hotspot gc Move object_iterate_mem from Space to CMS since it is only ever used by CMS
8038405 hotspot gc Clean up some virtual fucntions in Space class hierarchy
8038412 hotspot gc Move object_iterate_careful down from Space to ContigousSpace and CFLSpace
8038423 hotspot gc G1: Decommit memory within the heap
8038829 hotspot gc G1: More useful information in a few assert messages
8038928 hotspot gc gc/g1/TestGCLogMessages.java fail with "[Evacuation Failure' found"
8039147 hotspot gc Cleanup SuspendibleThreadSet
8039596 hotspot gc Remove HeapRegionRemSet::clear_incoming_entry
8040002 hotspot gc Clean up code and code duplication in re-diryting cards for verification
8040722 hotspot gc G1: Clean up usages of heap_region_containing
8040792 hotspot gc G1: Memory usage calculation uses sizeof(this) instead of sizeof(classname)
8040977 hotspot gc G1 crashes when run with -XX:-G1DeferredRSUpdate
8042255 hotspot gc make gc src file exclusion more automatic
8043607 hotspot gc Add a GC id as a log decoration similar to PrintGCTimeStamps
8043722 hotspot gc Swapped usage of idx_t and bm_word_t types in parMarkBitMap.cpp
8043723 hotspot gc max_heap_for_compressed_oops() declared with size_t, but defined with uintx
8046670 hotspot gc Make CMS metadata aware closures applicable for other collectors
8047323 hotspot gc Remove unused _copy_metadata_obj_cl in G1CopyingKeepAliveClosure
8047818 hotspot gc G1 HeapRegions can no longer be ContiguousSpaces
8047819 hotspot gc G1 HeapRegionDCTOC does not need to inherit ContiguousSpaceDCTOC
8047820 hotspot gc G1 Block offset table does not need to support generic Space classes
8047821 hotspot gc G1 Does not use the save_marks functionality as intended
8047976 hotspot gc Ergonomics for GC thread counts should update the flags
8048085 hotspot gc Aborting marking just before remark results in useless additional clearing of the next mark bitmap
8048088 hotspot gc Conservative maximum heap alignment should take vm_allocation_granularity into account
8048112 hotspot gc G1 Full GC needs to support the case when the very first region is not available
8048214 hotspot gc Linker error when compiling G1SATBCardTableModRefBS after include order changes
8048268 hotspot gc G1 Code Root Migration performs poorly
8048269 hotspot gc Add flag to turn off class unloading after G1 concurrent mark
8049051 hotspot gc Use of during_initial_mark_pause() in G1CollectorPolicy::record_collection_pause_end() prevents use of seperate object copy time prediction during marking
8049411 hotspot gc Minimal VM build broken after gcId.cpp was added
8049421 hotspot gc G1 Class Unloading after completing a concurrent mark cycle
8049426 hotspot gc Minor cleanups after G1 class unloading
8049831 hotspot gc Metadata Full GCs are not triggered when CMSClassUnloadingEnabled is turned off
8050973 hotspot gc CMS/G1 GC: add missing Resource and Handle mark
8051973 hotspot gc Eager reclaim leaves marks of marked but reclaimed objects on the next bitmap
8052170 hotspot gc G1 asserts at collection exit with -XX:-G1DeferredRSUpdate
8052172 hotspot gc Evacuation failure handling in G1 does not evacuate all objects if -XX:-G1DeferredRSUpdate is set
8054341 hotspot gc Remove some obsolete code in G1CollectedHeap class
8054808 hotspot gc Bitmap verification sometimes fails after Full GC aborts concurrent marking
8054818 hotspot gc Refactor HeapRegionSeq to manage heap region and auxiliary data
8054819 hotspot gc Rename HeapRegionSeq to HeapRegionManager
8054970 hotspot gc gc src file exclusion should exclude alternative sources
8055006 hotspot gc Store original value of Min/MaxHeapFreeRatio
8055525 hotspot gc Bigapp weblogic+medrec fails to startup after JDK-8038423
8055635 hotspot gc Missing include in g1RegionToSpaceMapper.hpp results in unresolved symbol of fastdebug build without precompiled headers
8055816 hotspot gc Remove dead code in g1BlockOffsetTable
8055919 hotspot gc Remove dead code in G1 concurrent marking code
8056043 hotspot gc G1 does not uncommit within the heap after JDK-8038423
8056240 hotspot gc Investigate increased GC remark time after class unloading changes in CRM Fuse
8057143 hotspot gc Incomplete renaming of variables containing "hrs" to "hrm" related to HeapRegionSeq
8057531 hotspot gc refactor gc argument processing code slightly
8057536 hotspot gc Refactor G1 to allow context specific allocations
8057658 hotspot gc Enable G1 FullGC extensions
8057710 hotspot gc Refactor G1 heap region default sizes
8057713 hotspot gc Destroy resource context and clean out allocation context
8057722 hotspot gc G1: Code root hashtable updated incorrectly when evacuation failed
8057768 hotspot gc Make heap region region type in G1 HeapRegion explicit
8057799 hotspot gc G1: Unnecessary NULL check in G1KeepAliveClosure
8057818 hotspot gc collect allocation context statistics at gc pauses
8057824 hotspot gc methods to copy allocation context statistics
8057827 hotspot gc notify an obj when allocation context stats are available
8057916 hotspot gc Sort includes and verify copyright for new files
8058209 hotspot gc Race in G1 card scanning could allow scanning of memory covered by PLABs
8058235 hotspot gc identify GCs initiated to update allocation context stats
8058475 hotspot gc TestCMSClassUnloadingEnabledHWM.java fails with '.*CMS Initial Mark.*' missing from stdout/stderr
8058568 hotspot gc GC cleanup phase can cause G1 skipping a System.gc()
8059452 hotspot gc G1: Change the default values for G1HeapWastePercent and G1MixedGCLiveThresholdPercent
8059466 hotspot gc Force young GC to initiate marking cycle when stat update is requested
8059758 hotspot gc Footprint regressions with JDK-8038423
8060116 hotspot gc After JDK-8047976 gc/g1/TestSummarizeRSetStatsThreads fails
8060467 hotspot gc CMS: small OldPLABSize and -XX:-ResizePLAB cause assert(ResizePLAB || n_blks == OldPLABSize) failed: Error
8062036 hotspot gc ConcurrentMarkThread::slt may be invoked before ConcurrentMarkThread::makeSurrogateLockerThread causing intermittent crashes
8062063 hotspot gc Usage of UseHugeTLBFS, UseLargePagesInMetaspace and huge SurvivorAlignmentInBytes cause crashes in CMBitMapClosure::do_bit
8064556 hotspot gc G1: ParallelGCThreads=0 may cause assert(!MetadataOnStackMark::has_buffer_for_thread(Thread::current())) failed: Should be empty
8065227 hotspot gc Report allocation context stats at end of cleanup
8065305 hotspot gc Make it possible to extend the G1CollectorPolicy
8065634 hotspot gc Crash in InstanceKlass::clean_method_data when _method is NULL
8040011 hotspot jfr Metaspace events are missing from JFC files
8034935 hotspot jvmti JSR 292 support for PopFrame has a fragile coupling with DirectMethodHandle
8057043 hotspot jvmti Type annotations not retained during class redefine / retransform
6311046 hotspot runtime -Xcheck:jni should support checking of GetPrimitiveArrayCritical
8025842 hotspot runtime Convert warning("Thread holding lock at safepoint that vm can block on") to fatal(...)
8031376 hotspot runtime TraceClassLoading expects there to be a (Java) caller when you load a class with the bootstrap class loader
8035893 hotspot runtime JVM_GetVersionInfo fails to zero structure
8038268 hotspot runtime VM Crashes in MetaspaceShared::generate_vtable_methods while creating CDS archive with limiting SharedMiscCodeSize
8038422 hotspot runtime CDS test failed: assert((size % os::vm_allocation_granularity()) == 0) failed when limiting SharedMiscDataSize
8042195 hotspot runtime Introduce umbrella header orderAccess.inline.hpp
8043275 hotspot runtime interface initialization for default methods
8046662 hotspot runtime Check JNI ReleaseStringChars / ReleaseStringUTFChars verify_guards test inverted
8046715 hotspot runtime Add a way to verify an extended set of command line options
8048169 hotspot runtime Change 8037816 breaks HS build on PPC64 and CPP-Interpreter platforms
8050942 hotspot runtime PPC64: implement template interpreter for ppc64le
8051002 hotspot runtime Incorrectly merged share/vm/classfile/classFileParser.cpp was pushed to 8u20
8054368 hotspot runtime nsk/jdi/VirtualMachine/exit/exit002 crash with detail tracking on (NMT2)
8054546 hotspot runtime NMT2 leaks memory
8054547 hotspot runtime Re-enable warning for incompatible java launcher
8055007 hotspot runtime NMT2: emptyStack missing in minimal build
8055051 hotspot runtime runtime/NMT/CommandLineEmptyArgument.java fails
8055061 hotspot runtime assert at share/vm/services/virtualMemoryTracker.cpp:332 Error: ShouldNotReachHere() when running NMT tests
8055236 hotspot runtime Deadlock during NMT2 shutdown on Windows
8055289 hotspot runtime Internal Error: mallocTracker.cpp:146 fatal error: Should not use malloc for big memory block, use virtual memory instead
8055684 hotspot runtime runtime/NMT/CommandLineEmptyArgument.java fails
8056084 hotspot runtime Refactor Hashtable to allow implementations without rehashing support
8056175 hotspot runtime Change "8048150: Allow easy configurations for large CDS archives" triggers conversion warning with older GCC
8056971 hotspot runtime Minor class loading clean-up
8057623 hotspot runtime add an extension class for argument handling
8058251 hotspot runtime assert(_count > 0) failed: Negative counter when running runtime/NMT/MallocTrackingVerify.java
8058818 hotspot runtime Allocation of more then 1G of memory using Unsafe.allocateMemory is still causing a fatal error on 32bit platforms
8059100 hotspot runtime SIGSEGV VirtualMemoryTracker::remove_released_region
8059216 hotspot runtime Make PrintGCApplicationStoppedTime print information about stopping threads
8059803 hotspot runtime Update use of GetVersionEx to get correct Windows version in hs_err files
8061651 hotspot runtime Add an interface to the JVM's Class/Resource Lookup Index Cache for improving sun.misc.URLClassPath search time
8064375 hotspot runtime Change certain errors to warnings in CDS output
8064701 hotspot runtime Some CDS optimizations should be disabled if bootclasspath is modified by JVMTI
8065346 hotspot runtime WB_AddToBootstrapClassLoaderSearch calls JvmtiEnv::create_a_jvmti when not in _thread_in_vm state
8065765 hotspot runtime Missing space in output message from -XX:+CheckEndorsedAndExtDirs
8066670 hotspot runtime -XX:+PrintSharedArchiveAndExit does not exit the VM when the archive is invalid
8029070 hotspot svc memory leak in jmm_SetVMGlobal
8032247 hotspot svc SA: Constantpool lookup for invokedynamic is not implemented
8035650 hotspot svc Exclude AIX from VS.NET make/windows/projectcreator.make
8044398 hotspot svc Attach code should propagate errors in Diagnostic Commands as errors
8046783 hotspot svc Add hidden field to methods for event based tracing
8055662 hotspot svc Update mapfile for libjfr
8055677 hotspot svc java/lang/instrument/RedefineBigClass.sh RetransformBigClass.sh start failing after JDK-8055012
8057535 hotspot svc add a thread extension class
8057564 hotspot svc JVM hangs at getAgentProperties after attaching to VM with lower IntegrityLevel
8061621 hotspot svc *** java.lang.instrument ASSERTION FAILED ***: "!errorOutstanding" with message transform method call failed at JPLISAgent.c line: 844
8065361 hotspot svc Fixup headers and definitions for INCLUDE_TRACE
8069590 hotspot svc AIX port of "8050807: Better performing performance data handling"
8041383 install   Restore Java-Security Dialog truncated
8048122 install   VPAT: Mnemonics not set for integrated JRE Uninstall Tool buttons
8049060 install   JDK installer "Java Setup" dialog a11y issue
8060057 install   No checkbox "Enable JAB" after installation of public JRE 8 (only x86 JRE)
8062502 install   Make the MacJREInstallerTests scheme shared across project
8065940 install   not compressing the non-english msi's will speed up the build
8067251 install   RegisterDeploy ping not working correctly
8055701 install auto_update Incomplete letters displayed in Java update Welcome dialog
8062407 install auto_update jucheck incorrectly uses cached iftw-au.exe if already present in %TEMP%
8037813 install install Image on in-progress dialog is not localized
8039950 install install JRE installer accessibility issues
8051701 install install [de] Minor truncation in Uninstall out-of-date versions dialog
8057085 install install 64bit offline isn't compressed
8054633 other-libs corba [since-tag]: javadoc for corba classes has invalid @since tag
7095856 other-libs corba:rmi-iiop OutputStreamHook doesn't handle null values
8061830 other-libs other [asm] refresh internal ASM version v5.0.3
8028727 security-libs   [parfait] warnings from b116 for jdk.src.share.native.sun.security.ec: JNI pending exceptions
8063700 security-libs   -Xcheck:jni changes cause many JCK failures in api/javax_crypto tests in SunPKCS11
7107611 security-libs java.security sun.security.pkcs11.SessionManager is scalability blocker
8032573 security-libs java.security CertificateFactory.getInstance("X.509").generateCertificates(InputStream) does not throw CertificateException for invalid input
8035974 security-libs java.security Refactor DigestBase.engineUpdate() method for better code generation by JIT compiler
8039921 security-libs java.security SHA1WithDSA with key > 1024 bits not working
8042053 security-libs java.security Broken links to jarsigner and keytool docs in java.security package summary
8044215 security-libs java.security Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential)
8058657 security-libs java.security Add @jdk.Exported to com.sun.jarsigner.ContentSigner API
8036970 security-libs javax.crypto Accessing Tomcat 8.0.3 via HTTPS doesn't work using TLS 1.2 GCM with ucrypto provider
8056026 security-libs javax.crypto Debug security logging should print Provider used for each crypto operation
8037745 security-libs javax.crypto:pkcs11 Consider re-enabling PKCS11 mechanisms previously disabled due to Solaris bug 7050617
8041142 security-libs javax.crypto:pkcs11 Re-enabling CBC_PAD PKCS11 mechanisms for Solaris
8042982 security-libs javax.net.ssl Unexpected RuntimeExceptions being thrown by SSLEngine
8052406 security-libs javax.net.ssl SSLv2Hello protocol may be filtered out unexpectedly
8028780 security-libs javax.security JDK KRB5 module throws OutOfMemoryError when CCache is corrupt
8048512 security-libs javax.security Uninitialised memory in jdk/src/share/native/sun/security/ec/ECC_JNI.cpp
8046343 security-libs javax.smartcardio (smartcardio) CardTerminal.connect('direct') does not work on MacOSX
8049244 security-libs javax.xml.crypto XML Signature performance issue caused by unbuffered signature data
8048194 security-libs org.ietf.jgss GSSContext.acceptSecContext fails when a supported mech is initiator preferred
8048073 security-libs org.ietf.jgss:krb5 Cannot read ccache entry with a realm-less service name
8054817 security-libs org.ietf.jgss:krb5 File ccache only recognizes Linux and Solaris defaults
8029548 tools   (jdeps) use @jdk.Exported to determine supported vs JDK internal API
8048063 tools   (jdeps) Add filtering capability
8050804 tools   (jdeps) Recommend supported API to replace use of JDK internal API
8056051 tools   int[]::clone causes "java.lang.NoClassDefFoundError:Array"
8068495 tools   Update the protocol for references of docs.oracle.com to HTTPS in langtools.
8033421 tools javac @SuppressWarnings("deprecation") does not work when overriding deprecated method
8033483 tools javac Should ignore nested lambda bodies during overload resolution
8036953 tools javac Fix timing of varargs access check, per JDK-8016205
8037404 tools javac javac NPE or VerifyError for code with constructor reference of inner class
8038776 tools javac VerifyError when running successfully compiled java class
8042347 tools javac javac, Gen.LVTAssignAnalyzer should be refactored, it shouldn't be a static class
8043926 tools javac javac, code valid in 7 is not compiling for 8
8044546 tools javac Crash on faulty reduce/lambda
8044737 tools javac Lambda: NPE while obtaining method reference through lambda expression
8044748 tools javac JVM cannot access constructor though ::new reference although can call it directly
8046060 tools javac Different results of floating point multiplication for lambda code block
8047341 tools javac lambda reference to inner class in base class causes LambdaConversionException
8048121 tools javac javac complex method references: revamp and simplify
8049075 tools javac javac, wildcards and generic vararg method invocation not accepted
8051402 tools javac javac, type containment should accept that CAP <= ? extends CAP and CAP <= ? super CAP
8051958 tools javac Cannot assign a value to final variable in lambda
8054210 tools javac NullPointerException when compiling specific code.
8054448 tools javac (ann) Cannot reference field of inner class in an anonymous class
8055514 tools javac Wrong, confusing error when non-static varargs referenced in static context
8056014 tools javac Type inference may be skipped for a complex receiver generic method in a parameter position
8056984 tools javac Exception in compiler: java.lang.AssertionError: isSubClass T
8057794 tools javac Compiler Error when obtaining .class property
8057800 tools javac Method reference with generic type creates NPE when compiling
8058112 tools javac Invalid BootstrapMethod for constructor/method reference
8058511 tools javac StackOverflowError at com.sun.tools.javac.code.Types.lub
8059710 tools javac javac, the same approach used in fix for JDK-8058708 should be applied to Code.closeAliveRanges
8059921 tools javac Missing compile error in Java 8 mode for Interface.super.field access
8062359 tools javac javac Attr crashes with NPE in TypeAnnotationsValidator visitNewClass
8062747 tools javac Compiler error when anonymous class uses method with parametrized exception
8063052 tools javac Inference chokes on wildcard derived from method reference
8066541 tools javac An unknown compilation problem occurred
8067039 tools javac Revert changes to annotation attribute generation
8067111 tools javac Exception in compiler: java.lang.AssertionError: isSubClass E
8042469 tools launcher Launcher changes for native memory tracking scalability enhancement
8058101 tools visualvm Integrate new version of Java VisualVM based on VisualVM 1.3.8 into JDK
8037948 xml   Improve documentation for org.w3c.dom package
8049514 xml javax.xml.validation FEATURE_SECURE_PROCESSING can not be turned off on a validator through SchemaFactory
8066077 xml jax-ws java.util.MissingResourceException
8032908 xml jaxp getTextContent doesn't return string in JAXP
8062608 xml jaxp BCEL corrupts debug data of methods that use generics

 

Known Issues


JDK

Area: hotspot/gc
Synopsis: Performance degradation on G1 on Solaris when large pages are requested

When using G1 on Solaris where large pages are requested, the VM does not always use large pages when it could. This may result in significant throughput degradation, particularly on the Solaris x64 platform.

See 8058354.

Area: hotspot/compiler
Synopsis: Nondeterministic arithmetic when converting long strings to integers and performing OSR

For JRE 6 and above, when performing OSR on loops with huge stride and/or initial values, in a very rare case the tiered/server compilers can produce non-canonical loop shapes that can produce nondeterministic answers, when answers should be deterministic.

Workaround: Launch Java using the -XX:-UseOnStackReplacement flag.

See 8072753.

JavaFX

Area: Control
Synopsis: Behavior and access of Control#getUserAgentStylesheet method changed in 8u40.

In JDK 8u40, the getUserAgentStylesheet() method moved from the Control class to the Region superclass.

The method was promoted from protected to public, which preserves binary compatibility, but breaks source compatibility for subclasses of Control that override this method. The solution is to make the overridden method public in the subclass of Control.

The semantics of the method are also changed such that any CSS that is applied from CSS files imported via the getUserAgentStylesheet() method is only applied to the Region in which it is a user agent stylesheet. Previously, a CSS file imported in this way could make changes throughout the application user interface, which could result in unintended style clobbering. This is no longer possible from JDK 8u40 onwards, and applications which might have been relying on this unintended behavior, may see differences in styling as a result.

See RT-38640.

Area: Control
Synopsis: PopupControl$CSSBridge changed to extend Pane in 8u40.

In JDK 8u40, the object inheritance hierarchy of the protected javafx.scene.control.PopupControl$CSSBridge inner class has changed in an incompatible manner. Prior to JDK 8u40, PopupControl$CSSBridge extended from Group and now it extends from Pane.

This is primarily an internal class for custom PopupControls such as Tooltip, but it is possible that a third-party control might subclass this class. Such applications that subclass PopupControl$CSSBridge might be affected if they were calling or overriding methods in Group that are not in Pane.

See RT-33696.

Java SE 8u31 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u31 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u31 b33

Bug Fixes

BugId Component Subcomponent Summary
8062032
(Confidential)
deploy plugin Client certificate authentication issues with TLS 1.2 and browser keystore
8068283 client-libs java.awt Mac OS Incompatibility between JDK 6 and 8 regarding input method handling
8037417 deploy   javaws fails to launch app with empty href in jnlp file if Application-Library-Allowable-Codebase is used
8063047
(Confidential)
deploy webstart Need jnlp information from cached webstart application
8062375
(Confidential)
deploy webstart Warning message doesn't contain additional info: "Launched from downloaded JNLP file" when launched from shortcut or cache viewer
8037471 deploy deployment_toolkit The warning message displays the app name and publisher as "UNKNOWN" if cache is disabled

Changes in Java SE 8u31 b32

Bug Fixes

BugId Component Subcomponent Summary
8065858
(Confidential)
deploy plugin Applet doesn't load after upgrade to JDK 8u25

Changes in Java SE 8u31 b31

Please note that fixes from the prior BPR (8u25 b32) are included in this BPR.

Bug Fixes

BugId Component Subcomponent Summary
8061648 deploy webstart JavaWS fails with proxy autoconfig due to missing "dnsResolve"

Java™ SE Development Kit 8, Update 31 (JDK 8u31)

The full version string for this update release is 1.8.0_31-b13 (where "b" means "build"). The version number is 8u31.

Highlights

This update release contains several enhancements and changes including the following:


IANA Data 2014j

JDK 8u31 contains IANA time zone data version 2014j. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u31 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_31
7 1.7.0_75
6 1.6.0_91
5.0 1.5.0_81

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u31) will expire with the release of the next critical patch update scheduled for April 14, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u31) on May 14, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes

SSLv3 is disabled by default

Starting with JDK 8u31 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

It should be noted that SSLv3 is obsolete and should no longer be used.

Changes to Java Control Panel

Starting with JDK 8u31 release, SSLv3 protocol is removed from Java Control Panel Advanced options.

If the user needs to use SSLv3 for applications, re-enable it manually as follows:

  • Enable SSLv3 protocol on JRE level: as described in the previous section.
  • Enable SSLv3 protocol on deploy level: edit the deployment.properties file and add the following:


    deployment.security.SSLv3=true

Bug Fixes


This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

BugId Component Subcomponent Summary
8040617 client-libs 2d [macosx] Large JTable cell results in a OutOfMemoryException
8041990 client-libs java.awt [macosx] Language specific keys does not work in applets whenopened outside the browser
8043610 client-libs java.awt Sorting columns in JFileChooser fails with AppContext NPE
8051359 client-libs javax.swing [headless] JPopupMenu creation in headless mode with JDK9b23causes NPE
8055949 core-libs java.io ByteArrayOutputStream capacity should be maximal array sizepermitted by VM
8055222 core-libs java.util:i18n Currency update needed for ISO 4217 Amendment #159
8064560 core-libs java.util:i18n (tz) Support tzdata2014j
8033245 deploy   RFE: Instructions Not Clear For Adding Site To ESL
8048089 deploy   ClientConfig.refreshIfNeeded() doesn't restore properties with"active." prefix.
8050838 deploy   JRE Install Error in localized Windows 8.1 after join in ADdomain
8044290 deploy webstart Shortcuts are not created for javaws x64 with JRE 7u55 onWindows OS
8056979 deploy webstart Roaming user profiles by USER_JPI_PROFILE env variablesdoesn't work anymore
8061342 deploy webstart javaws help message in Japanese is corrupted
8061643 deploy webstart JavaWS fails with proxy autoconfig due to missing "resolve"permission
8062392 deploy webstart Jnlp fails to load with CouldNotLoadArgumentException
8054883 hotspot compiler Segmentation error while running program
8026303 hotspot gc CMS: JVM intermittently crashes with "FreeList of size258 violates Conservation Principle" assert
8044406 hotspot gc JVM crash with JDK8 (build 1.8.0-b132) with G1 GC
8058715 hotspot runtime stability issues when being launched as an embedded JVM viaJNI
8060169 hotspot runtime Update the Crash Reporting URL in the Java crash log
8059079 install install Typo in Installer Removal Tool UE, "hightly"
8050386 tools javac javac, follow-up of fix for 8049305
8059327 xml javax.xml.parsers XML parser returns corrupt attribute value
8038966 xml jax-ws JAX-WS handles wrongly xsd:any arguments for Web services
8036981 xml jaxb JAXB not preserving formatting for xsd:any Mixed content
8029837 xml jaxp NPE seen in XMLDocumentFragmentScannerImpl.setProperty since7u40b33

Java SE 8u25 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u25 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u25 b32

Bug Fixes

BugId Component Subcomponent Summary
8061643 deploy webstart JavaWS fails with proxy autoconfig due to missing "resolve" permission

Changes in Java SE 8u25 b31

Please note that fixes from the prior BPR (8u20 b32) are included in this BPR.


Java™ SE Development Kit 8, Update 25 (JDK 8u25)

The full version string for this update release is 1.8.0_25-b17 (where "b" means "build") except for Windows, where the version string is 1.8.0_25-b18 . The version number is 8u25.

IANA Data 2014c

JDK 8u25 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u25 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_25
7 1.7.0_71
6 1.6.0_85
5.0 1.5.0_75

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u25) will expire with the release of the next critical patch update scheduled for January 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u25) on February 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Instructions to disable SSL v3.0 in Oracle JDK and JRE

Oracle recommends that users and developers disable use of the SSLv3 protocol. Please follow the Instructions to disable SSL v3.0 in Oracle JDK and JRE.

Unsafe Server Certificate Change in SSL/TLS Renegotiations Not Allowed.

Starting with JDK 8u25, unsafe server certificate change in SSL/TLS renegotiations is not allowed by default. Server certificate change in an SSL/TLS renegotiation may be unsafe and should be restricted:

  • if endpoint identification is not enabled in an SSL/TLS handshaking; and
  • if the previous handshake is a session-resumption abbreviated initial handshake; and
  • the identities represented by both certificates (in previous handshake and this handshake) cannot be regraded as the same.

If unsafe server certificate change is really required, please set the system property, jdk.tls.allowUnsafeServerCertChange, to "true" before JSSE is initialized. Note that this would re-establish the unsafe server certificate change issue.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes in this release:

Area: security-libs/javax.net.ssl
Synopsis: Decrease the preference mode of RC4 in the enabled cipher suite list

This fix decreases the preference of RC4 based cipher suites in the default enabled cipher suite list of SunJSSE provider.

See 8043200 (not public).

Area: client-libs
Synopsis: JRE 8u20 crashes while using Japanese IM on Windows

The VM crashes while using Swing controls when some Japanese or Chinese characters are input on Windows platform. The issue is now fixed.

See 8058858 (not public).

Bug Fix List

BugId Component Subcomponent Summary
8047288 client-libs java.awt [macosx] Endless loop in EDT on Mac
8051588 client-libs java.awt [headless] DataTransferer.getInstance throws ClassCastException in headless mode
8057184 client-libs javax.swing JCK8's api/javax_swing/JDesktopPane/descriptions.html#getset failed with GTKLookAndFeel on Linux and Solaris run v.s. JDK8+
8057770 client-libs javax.swing api/javax_swing/JScrollPane/indexTGF.html#UpdateUI failed with MotifLookAndFeel on all platform
8048207 core-libs java.util CheckedQueue.offer calls wrong method on wrapped queue
8054904 deploy   Webstart cache path error for Java >= 7u65
8051891 deploy webstart SWT cannot load native look&feel
8046233 hotspot runtime VerifyError on backward branch
8051012 hotspot runtime Regression in verifier for <init> method call from inside of a branch
8035613 xml jaxb With active Securitymanager JAXBContext.newInstance fails

Java SE 8u20 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u20 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u20 b32

Bug Fixes

BugId Component Subcomponent Summary
8047288 client-libs java.awt [macosx] Endless loop in EDT on Mac

Changes in Java SE 8u20 b31

Please note that fixes from the prior BPR (8u11 b31) are included in this BPR.

Bug Fixes

BugId Component Subcomponent Summary
8029837 xml jaxp NPE seen in XMLDocumentFragmentScannerImpl.setProperty since 7u40b33
8051012 hotspot runtime Regression in verifier for <init> method call from inside of a branch

Java™ SE Development Kit 8, Update 20 (JDK 8u20)

The full version string for this update release is 1.8.0_20-b26 (where "b" means "build"). The version number is 8u20.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2014c

JDK 8u20 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u20 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_11
7 1.7.0_65
6 1.6.0_81
5.0 1.5.0_71

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u20) will expire with the release of the next critical patch update scheduled for October 14, 2014.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u20) on November 14, 2014. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Java Mission Control

This JDK release includes Java Mission Control (JMC) version 5.4. For more information, see JMC 5.4 Release Notes.

Advanced Management Console (AMC) 1.0

Advanced Management Console (AMC) 1.0 is a commercial product available for Java users who license Java SE Advanced or Java SE Suite. AMC is downloaded separately from the JDK and is available to customers from My Oracle Support (MOS) or can be downloaded from OTN for trial purposes.

A primary benefit of Advanced Management Console is the ability to learn which applications are being run in the enterprise as well as the JREs that are being used. Additional information, such as the location of the application, vendor, permission level, number of JAR files and extensions, and number of times the application has been run is also provided. Information from Java Usage Tracker is collected by the AMC Collector, stored in the AMC database and displayed in the AMC UI.

Deployment rules can be created directly from this information and packaged into rule sets. The guided rule creation and packaging support greatly simplifies developing Deployment Rule Sets. The AMC UI can also be used to determine which rules and rule sets an application matches, helping system administrators understand the impact of installing a particular rule set prior to physically testing it in user environments.

For a summary of this feature, see Advanced Management Console documentation.

New Features and Changes

Changes to default methods affect the result of Class.getMethod and Class.getMethods

core-libs/java.lang:reflect

The javadoc for the Class.getMethod and Class.getMethods refer to the definition of inheritance in the Java Language Specification. Java SE 8 changed these rules in order to support default methods and reduce the number of redundant methods inherited from superinterfaces (see JLS 8, 8.4.8).

Class.getMethod and Class.getMethods were not updated with the 8 release to match the new inheritance definition (both may return non-inherited superinterface methods). Typically, the distinction is of no consequence; and for compatibility, it is preferred that the identity and number of returned methods match Java SE 7 as closely as possible. However, when the overriding method is a default method, it is important to filter out other overridden methods. As of 8u20, the implementation has been changed to perform this filtering step when the overrider is a default method.

See JDK-8029674.

sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

security-libs/org.ietf.jgss:krb5

An interoperability issue is found between Java and the native Kerberos implementation on BSD (including macOS) on the kdc_timeout setting in krb5.conf, where Java interpreted it as milliseconds and BSD as seconds when no unit is specified. This code change adds support for the "s" (second) unit. Therefore if the timeout is 5 seconds, Java accepts both "5000" and "5s". Customers concerned about interoperability between Java and BSD should use "5s".

See JDK-8036779.

New flags added to Java Management API

The flags MinHeapFreeRatio and MaxHeapFreeRatio have been made manageable. This means they can be changed at runtime using the management API in Java. Support for these flags have also been added to the ParallelGC as part of the adaptive size policy.

Java Installer Changes

A new Microsoft Windows Installer (MSI) Enterprise JRE Installer which enables user to install the JRE across the enterprise, is available. See Downloading the Installer section in JRE Installation for Microsoft Windows for more information. The MSI Enterprise JRE Installer is only available as part of Java SE Advanced or Java SE Suite. For information about these commercial products, see Java SE Advanced and Java SE Suite.

The following new configuration parameters are added to support commercial features, for use by Java SE Advanced or Java SE Suite licensees only.

USAGETRACKER_CFG=

DEPLOYMENT_RULE_SET=

See Installing With a Configuration File for more information about these and other installer parameters.

The Java Uninstall Tool is integrated with the installer to provide an option to remove older versions of Java from the system. The change is applicable to 32 bit and 64 bit Windows platforms. See Uninstalling the JRE.

JRE Installation Directory

Starting with JDK 8u20 release, the JRE will be installed in a version specific directory. For example:

C:\Program Files\Java\jre1.8.0_20

The version specific directory naming is intentional and it does not indicate that the JRE install is static.

As with the earlier releases, static JRE install is performed only if STATIC=1 option is passed (via command line or config file) by the user.

Existing Java applications that depend on the physical location of the JRE should be updated to reflect the new installation directory format.

Java Control Panel Changes

The Update tab in the Java Control Panel now enables the users to automatically update 64-bit JREs (in addition to 32-bit versions) that are installed on their system.

The Medium security level has been removed. Now only High and Very High levels are available.

Applets that do not conform with the latest security practices can still be authorized to run by including the sites that host them to the Exception Site List.

The exception site list provides users with the option of allowing the same applets that would have been allowed by selecting the Medium option but on a site-by-site basis therefore minimizing the risk of the using more permissive settings.

Java Compiler updated

The javac compiler has been updated to implement definite assignment analysis for blank final field access using "this". See JDK 8 Compatibility Guide for more details.

Change in minimum required Java Version for Java Plugin and Java Webstart

The minimum version of Java required for Java Plugin and Java Webstart is now Java 5. Applets that do not run in Java 5 or later must be ported to a later version of Java to continue to function. Applets written for earlier versions but able to run in at least Java 5 will continue to work.

Change in UsageTracker output formatting

UsageTracker output formatting has been changed to use quoting, to avoid confusion in the log. This may require changes to the way such information is read. The feature can be configured to behave as in previous versions, although the new format is recommended.

See Java Usage Tracker documentation.

Changes to Java Packaging Tools

  • javafxpackager has been renamed to javapackager
  • The "-B" option has been added to the javapackager deploy command to enable you to pass arguments to the bundlers that are used to create self-contained applications. See javapackager (Windows)/(Unix) documentation for information
  • The <fx:bundleArgument> helper parameter argument has been added to JavaFX Ant Task Reference. It enables you to specify an argument (in the <fx:deploy> element) for the bundler that is used to create self-contained applications.

Change in javax.smartcardio.Card.disconnect(boolean reset) method behavior

Prior to the JDK 8u20 and JDK 7u72 releases, the javax.smartcardio.Card.disconnect(boolean reset) method had inverted logic for the 'reset' boolean value passed to it. The card was reset upon a disconnect if false was passed to it and vice versa. Starting with JDK 7u72 and JDK 8u20, the correct behavior as per API documentation has been implemented.

In order to provide backwards compatibility to users who rely on the old behavior, a new system property has been introduced. The following command-line option can be used to enforce the old broken behavior:

-Dsun.security.smartcardio.invertCardReset=true

This property is set by default for 7u72 and later JDK 7 update releases. By default, no behavioral change will be noticed in this area for JDK 7 update releases.

Also the following command-line option can be used to enforce the new correct behavior:

-Dsun.security.smartcardio.invertCardReset=false

This is default for 8u20 and later JDK 8 update releases. In future Java releases, the property will be ignored/disabled and default disconnect method behavior will be as specified by API.

Linux JRE RPM package Name Change

Starting with JDK 8u20, the RPM package name has been changed to include the Java product version.

For example, whereas the rpm name used to be returned simply as "jre", it is now returned as follows:

rpm -qp --qf "%{name}\n" ./jre-8u20-linux-x64.rpm
jre1.8.0_20

JDK 8 Documentation Updates

New Garbage Collection Tuning Guide added to JDK 8 documentation

The Java HotSpot Virtual Machine Garbage Collection Tuning Guide has been added to the Java SE 8 Developer Guides. This guide describes the garbage collectors included with the Java HotSpot VM and helps you decide which garbage collector can best optimize the performance of your application, especially if it handles large amounts of data (multiple gigabytes), has many threads, and has high transaction rates.

New Deployment Guide

The Java SE Deployment Guide combines information for Java SE and JavaFX deployment into a single guide. This guide provides information about the Java packaging tools, creating self-contained applications, and deploying Java and JavaFX applications that are embedded in a web page or launched from a browser.

Updated Troubleshooting Guide

The Java SE Troubleshooting Guide combines and replaces the Desktop Technologies Troubleshooting Guide and the HotSpot Virtual Machine Troubleshooting Guide, to provide a single location for diagnosing and solving problems that may occur with Java applications created on the Java SE 8 Platform and on Java HotSpot VM. The document introduces the new and improved troubleshooting tools and techniques like Java Mission Control, Java Flight Recordings, and JCMD.

Installation Guide has been updated with changes to Installing With a Configuration File.

Options related to string deduplication have been added to the java command tool page. String deduplication reduces the memory footprint of String objects on the Java heap by taking advantage of the fact that many String objects are identical. Instead of each String object pointing to its own character array, identical String objects can point to and share the same character array. See the option -XX:+UseStringDeduplication for more information.

Bug Fixes

The following are some of the notable bug fixes in this release:

Area: tools/javac

Synopsis: Implement eager resolution of return types

The compiler specification, see JLS8 18.5.2, modified the treatment of nested generic method invocations for which the return type is an inference variable. The compiler has been adapted to implement the new logic. This is important to minimize incompatibility with the javac 7 inference algorithm. Three cases are considered:

  • The return type needs to be captured
  • The return type needs to have unchecked conversion
  • The return type needs to be unboxed

The compiler update implies an eager resolution for generic method invocations, provided that the return type is an inference variable.

See 8030741.

Area: security-libs/org.ietf.jgss:krb5

Synopsis: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

An interop issue is found between Java and native Kerberos implementation on BSD (including Apple OS X) regarding the kdc_timeout setting in krb5.conf, which Java interprets as milliseconds and BSD as seconds (when no unit is specified). This release adds support for the "s" (seconds) unit. Therefore if the timeout is 5 seconds, Java accepts both "5000" and "5s". Customers concerned about the interop between Java and BSD should use the later format.

See 8044399.

Area: other-libs/corba

Synopsis: org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader

The system property org.omg.CORBA.ORBSingletonClass is used to configure the system-wide/singleton ORB. The handling of this system property has changed in 7u55 release to require that the system wide/singleton ORB be visible to the system class loader.

In this release the handling of this system property has been changed to match the behavior found in JDK versions prior to 7u55 release, i.e. the singleton ORB is once again located using the thread context class loader of the first thread to call the no-argument ORB.init method. The change was made to support applications which have been designed to depend on this behavior. Note that this change is applicable to 8u20, 7u65, 6u85 and 5.0u75 releases. For JDK 9, the new behavior where the system wide/singleton ORB needs to be visible to the system class loader, will continue.

See 8042789.

Area: core-libs/java.util.collections

Synopsis: Collection.sort defers now defers to List.sort

Previously Collection.sort copied the elements of the list to sort into an array, sorted that array, then updated list, in place, with those elements in the array, and the default method List.sort deferred to Collection.sort. This was a non-optimal arrangement.

From 8u20 release onwards Collection.sort defers to List.sort. This means, for example, existing code that calls Collection.sort with an instance of ArrayList will now use the optimal sort implemented by ArrayList.

See 8032636.

Area: core-libs/java.net

Synopsis: Digest authentication interop issue

With older versions of Apache Tomcat, certain protocol parameters are expected to be surrounded by double quotes(""). This was the behavior in JDK 7, but was corrected in JDK 8 to be compatible with RFC2617. This caused digest authentication interoperability issues.

Setting the networking property http.auth.digest.quoteParameters to true restores the JDK 7 behavior for compatibility with the older versions of Tomcat.

See 8034170(not public).

Area: tools/javac

Synopsis: javac crashes when mixing lambdas and inner classes

Previously the following sample code was making the compiler fail with a NPE:

class LambdaExpressionWithNonExistentIdCrashesJavacTest {
    void foo() {
        bar(()-> {
            new NonExistentClass(){
                public void any() {}
            };
        });

    }

    void bar(Runnable r) {}
}

where the NonExistentClass was an existing but inaccessible class. Starting with JDK 8u20, javac produces an error message indicating correctly that symbol "NonExistentClass" can't be found.

See 8030816.

Area: tools/javac

Synopsis: ElementType.TYPE_USE is introduced in JDK 8 and should be considered a logical superset of ElementType.TYPE and ElementType.ANNOTATION_TYPE. However, the javac command does not currently recognize ElementType.TYPE_USE as a superset.

javac has been corrected to recognize ElementType.TYPE_USE appropriately.

See 8029017.

Area: tools/javac

Synopsis: javac generates incorrect exception table for multi-catch statements inside a lambda

Handling of try-catch with multiple catches inside a lambda has been corrected.

See 8036942.

Area: core-libs/java.lang.reflect

Synopsis: Default methods affect the result of Class.getMethod and Class.getMethods

Class.getMethod and Class.getMethods were not updated with the 8 release to match the new inheritance definition (both may return non-inherited superinterface methods). Starting with JDK 8u20, the implementation has been changed to match defintion. See JDK 8 Compatibility Guide for more details.

See 8046505.

Bug Fix List

BugId Component Subcomponent Summary
8028212 client-libs   Custom cursor HiDPI support
8029979 client-libs   Allow multiple calls to DropTargetDropEvent.acceptDrop()
8012351 client-libs 2d Bold fonts everywhere in GTK L&F on Ubuntu with JDK 7
8015100 client-libs 2d [macosx] Applet graphics corrupted when applet width/height exceeds screen dimensions
8017472 client-libs 2d [macosx] Transparency demo is not correctly dragged on the second monitor
8031134 client-libs 2d PPC64: implement printing on AIX
8032693 client-libs 2d javax.print.PrintService does not find any CUPS-Printers on Linux
8036022 client-libs 2d D3D: rendering with XOR composite causes InternalError.
8038106 client-libs 2d PIT: access problem to a PrinterJob on OS X
8039418 client-libs 2d [macosx] Calling JNI functions in the scope of Get/ReleasePrimitiveArrayCritical
8039774 client-libs 2d [OGL] Image painting is broken if 'sun.java2d.accthreshold' is set to 0
8041129 client-libs 2d [OGL] surface->sw blit is extremely slow
8041644 client-libs 2d [OGL] clip is ignored during surface->sw blit
6744401 client-libs java.awt Consider removal of code disabling JIT in Toolkit.getDefaultToolkit
6788138 client-libs java.awt leak in Java_sun_awt_X11_XlibWrapper_getStringBytes?
7124255 client-libs java.awt [macosx] java.awt.List: method select(int) doesn't work before be visible
7124417 client-libs java.awt [macosx] failure in Window.initGC on Mac with monitor sleeping
7154841 client-libs java.awt [macosx] Popups appear behind taskbar
7157680 client-libs java.awt XAWT: Native components should not paint native part on UPDATE event
8007220 client-libs java.awt [macosx] Setting popupmenu on TrayIcon do not work if done *after* adding TrayIcon
8010999 client-libs java.awt [macosx] a constrain of the top level window should be improved
8012224 client-libs java.awt AWT_TopLevels/TopLevelEvents/Automated/WindowIconifyDeiconifyEventsTest02 fails on Ubuntu 12.04 Unity shell
8013116 client-libs java.awt Robot moves mouse to point which differs from set in mouseMove on Unity shell
8017626 client-libs java.awt [OGL] Translucent VolatileImages don't paint correctly
8023148 client-libs java.awt [macosx] java.util.NoSuchElementException at java.util.LinkedList.getFirst
8024061 client-libs java.awt Exception thrown when drag and drop between two components is executed quickly
8024185 client-libs java.awt [macosx] Fullscreen button freezes application when started with -splash
8024926 client-libs java.awt [macosx] AquaIcon HiDPI support
8026869 client-libs java.awt [macosx] Support apple.awt.use-file-dialog-packages property
8027561 client-libs java.awt [macosx] Cleanup "may not respond to selector" warnings in native code
8027778 client-libs java.awt [macosx] Full screen not working properly on 7u45 and jdk8
8028617 client-libs java.awt Dvorak keyboard mapping not honored when ctrl key pressed
8030100 client-libs java.awt java.awt.Desktop: Enable check for supported URI schemes on Linux
8030987 client-libs java.awt sun_awt_X11_GtkFileDialogPeer.h can be removed
8031090 client-libs java.awt [macosx] LWToolkit should not depends from the macosx.
8031471 client-libs java.awt Test closed/java/awt/dnd/FileDialogDropTargetTest/FileDialogDropTargetTest.java fails on Solaris zones virtual hosts
8031694 client-libs java.awt [macosx] TwentyThousandTest test intermittently hangs
8031964 client-libs java.awt [macosx] Dragging images from the browser does not work
8032078 client-libs java.awt [macosx] CPlatformWindow.setWindowState throws RuntimeException, if windowState=ICONIFIED:MAXIMIZED_BOTH
8032219 client-libs java.awt [macosx] Scrollbars looks bad under retina in Motif and Metal L&F
8032435 client-libs java.awt Cleanup of sun.awt.windows package
8032595 client-libs java.awt [macosx] setResizable(false) makes a frame slide down
8032667 client-libs java.awt [macosx] Components cannot be rendered in HiDPI to BufferedImage
8032788 client-libs java.awt ImageIcon constructor throws an NPE and hangs when passed a null String parameter
8032961 client-libs java.awt A JTextField of an applet loses the abillity to receive the focus under certain circumstances.
8033534 client-libs java.awt [macosx] Get MultiResolution image from native system
8034068 client-libs java.awt Label.toString performance improvement
8035069 client-libs java.awt [macosx] Loading resolution variants by demand
8036103 client-libs java.awt Cleanup of java.awt and java.awt.peer packages
8036110 client-libs java.awt In TextField can only select text visible or to the left of the cursor
8036882 client-libs java.awt [macosx] Native memory leak in Java_sun_lwawt_macosx_CImage_nativeGetNSImageRepresentationSizes
8037287 client-libs java.awt Windows build failed after JDK-8030787
8038113 client-libs java.awt [macosx] JTree icon is not rendered in high resolution on Retina
8038765 client-libs java.awt [macosx] Toolkit.sync should be implemented
8038999 client-libs java.awt In Java 8 java.awt.datatransfer.DataFlavor.equals is no longer symmetric
8039267 client-libs java.awt Test closed/java/awt/Choice/ChoiceLocationTest/ChoiceLocationTest.html should be removed
8041987 client-libs java.awt [macosx] setDisplayMode crashes
8042103 client-libs java.awt Deserialization of empty java.awt.geom.Path2D will cause an exception
8042440 client-libs java.awt awt_Plugin no longer needed
8047061 client-libs java.awt [macosx] Crash when setting display mode
8048265 client-libs java.awt AWT crashes inside CCombinedSegTable::In called from Java_sun_awt_windows_WDefaultFontCharset_canConvert
8019990 client-libs java.awt:i18n IM candidate window appears on the South-East corner of the display.
8039776 client-libs java.beans Introspector throws NullPointerException for subclasses' mismatched get/setter
8040656 client-libs java.beans Classes with overriden methods with covariant returns return random read methods
8009883 client-libs javax.accessibility REGRESSION: test/closed/javax/swing/AbstractButton/4246045/bug4246045.java fails
8032443 client-libs javax.accessibility Java Access Bridge version strings need to be fixed
8036819 client-libs javax.accessibility JAB: mneumonics not read for textboxes
8036983 client-libs javax.accessibility JAB:Multiselection Ctrl+CursorUp/Down and ActivateDescenderPropertyChanged event
8040756 client-libs javax.accessibility Add lint check fixes to Java Access Bridge files
8042672 client-libs javax.accessibility JAB throw NPE when trying to do reference increment on a NULL object
8037117 client-libs javax.sound Javadoc cleanup of javax.sound.midi.spi package
7100952 client-libs javax.swing closed/javax/swing/JComboBox/6246463/bug6246463.java deadlocks on MacOS
7124250 client-libs javax.swing [macosx] JOptionPane dialogs show wrong icons
8010718 client-libs javax.swing [macosx] JFileChooser current filter nullified by addChoosableFileFilter
8019180 client-libs javax.swing Use JComboBox as it's own ActionListener leads to unexpected behaviour
8028616 client-libs javax.swing Htmleditorkit parser doesn't handle leading slash (/)
8029196 client-libs javax.swing Focus border of JButton.buttonType=roundRect is cut off
8029455 client-libs javax.swing [JLightweightFrame] support scaled painting
8031485 client-libs javax.swing [macosx] Combo box consuming escape key events
8031573 client-libs javax.swing [macosx] Checkmarks of JCheckBoxMenuItems aren't rendered in high resolution on Retina
8032872 client-libs javax.swing [macosx] Cannot select from JComboBox in a JWindow
8032874 client-libs javax.swing ArrayIndexOutOfBoundsException in JTable while clearing data in JTable
8032878 client-libs javax.swing Editable combos in table do not behave as expected
8033233 client-libs javax.swing [JLightweightFrame] support default JViewport BLIT_SCROLL_MODE
8033786 client-libs javax.swing White flashing when opening Dialogs and Menus using Nimbus with dark background
8034955 client-libs javax.swing JLabel/JToolTip throw ClassCastException for "<html>a<title>"
8039464 client-libs javax.swing The scrollbar in JScrollPane has no right border if used WindowsLookAndFeel
8040291 client-libs javax.swing [macosx] Http-Images are not fully loaded when using ImageIcon
8041725 client-libs javax.swing Nimbus JList selection colors persist across L&F changes
8041917 client-libs javax.swing unexcepted behavior of LineBorder while using Boolean variable true
8043705 client-libs javax.swing Can't exit color chooser dialog when running as an applet
8048506 client-libs javax.swing [macosx] javax.swing.PopupFactory issue with null owner
8024854 core-libs   PPC64: Basic changes and files to build the class library on AIX
8024900 core-libs   PPC64: Enable new build on AIX (jdk part)
8028537 core-libs   PPC64: Updated the JDK regression tests to run on AIX
8030875 core-libs   Macros for checking and returning on exceptions
8031581 core-libs   PPC64: Addons and fixes for AIX to pass the jdk regression tests
8031737 core-libs   CHECK_NULL and CHECK_EXCEPTION macros cleanup
8035881 core-libs   PPC64: Fix AIX build in ppc-aix-port/stage after syncing 7133499 and 8028293 from jdk8u
8033911 core-libs java.io Simplify instrumentation of FileInputStream and RandomAccessFile
8033917 core-libs java.io Keep track of file paths in file streams and channels for instrumentation purposes
8027348 core-libs java.lang (process) Enhancement of handling async close of ProcessInputStream
8034944 core-libs java.lang (process) Improve subprocess handling on Solaris
8035640 core-libs java.lang JNU_CHECK_EXCEPTION should support c++ JNI syntax
8039916 core-libs java.lang AnnotatedType.getType() of a Executable parameters may return wrong type
8041791 core-libs java.lang String.toLowerCase regression - violates Unicode standard
8047777 core-libs java.lang (process) ProcessEnvironment_md.c not compiling on 8uX
8027827 core-libs java.lang.invoke Improve performance of catchException combinator
8032400 core-libs java.lang.invoke JSR292: invokeSpecial: InternalError attempting to lookup a method
8034120 core-libs java.lang.invoke MethodHandles.catchException doesn't handle VarargsCollector right
8036117 core-libs java.lang.invoke MethodHandles.catchException doesn't handle VarargsCollector right (8034120 failed)
8044206 core-libs java.lang.invoke LambdaMetafactory.altMetafactory javadoc refers to wrong method
8046903 core-libs java.lang.invoke VM anonymous class members can't be statically invocable
8029674 core-libs java.lang:reflect (reflect) getMethods returns default methods that are not members of the class
8033584 core-libs java.lang:reflect Remove java/lang/reflect/Method/invoke/TestPrivateInterfaceMethodReflect.java from exclude list
8038994 core-libs java.lang:reflect AnnotatedType.getType() of a TypeVariable boundary without annotations return null
4891331 core-libs java.math BigInteger a.multiply(a) should use squaring code
8025710 core-libs java.net Proxied HTTPS connections reused by HttpClient can send CONNECT to the server
8032832 core-libs java.net Applet/browser deadlocks, when IIS integrated authentication is used
8034181 core-libs java.net (sctp) SIGBUS in SctpChannelImpl receive
8034912 core-libs java.net backport of 8031737 to jdk8u breaks linux buld.
8040747 core-libs java.net Improve performance of IP address parsing
8040837 core-libs java.net Avoid provoking NumberFormatException when initializing InetAddrCachePolicy
8041621 core-libs java.net java/net/Inet4Address/textToNumericFormat.java fails on Solaris and Mac
8043954 core-libs java.net Behavior difference when connect() is interrupted by signal on AIX
8044590 core-libs java.net Broken links in jre.api.net.socketoptions
8044766 core-libs java.net New jdk.net classes have @since 1.9 tags in 8u20
8046588 core-libs java.net test for SO_FLOW_SLA availability does not check for EACCESS
7133499 core-libs java.nio (fc) FileChannel.read not preempted by asynchronous close on OS X
8031997 core-libs java.nio PPC64: Make the various POLL constants system dependant
8032220 core-libs java.nio Files.createDirectories throws exception with confusing message for root directories that exist
8034801 core-libs java.nio AIX: (ch) Fix synchronization issue in AixPollPort.java
8037945 core-libs java.nio Paths.get("").normalize() throws ArrayIndexOutOfBoundsException
8043495 core-libs java.nio (fc) Provide native implementation of FileChannel.transferTo for AIX
8039751 core-libs java.nio.charsets UTF-8 decoder fails to handle some edge cases correctly
8032491 core-libs java.time DateTimeFormatter fixed width adjacent value parsing does not match spec
8032494 core-libs java.time DateTimeFormatter spec includes irrelevant detail on parsing pattern
8032502 core-libs java.time java.time add @param tags to readObject
8032558 core-libs java.time Instant spec includes incorrect assertion wrt valid range
8032749 core-libs java.time Typo in java.time.Clock
8032888 core-libs java.time Error message typo in TemporalAccessor
8033662 core-libs java.time java.time.format.DateTimeFormatter doesn't set zone when parsing
8035099 core-libs java.time LocalTime with(MILLI_OF_DAY/MICRO_OF_DAY) incorrect
8035106 core-libs java.time Typo in java.time.format.Parsed error message
8036785 core-libs java.time ChronoLocalDate refers to generics that have been removed
8036818 core-libs java.time DateTimeFormatter withResolverFields() fails to accept null
8040058 core-libs java.time IsoFields.WEEK_BASED_YEAR adjustInto incorrect
8046416 core-libs java.time Unable to parse an Instant from fields
8046707 core-libs java.time Performance of java.time could be better
8039527 core-libs java.util Broken links in ConcurrentMap javadoc
8040809 core-libs java.util '}' left in the spec for j.u.Random.doubles(..)
8011645 core-libs java.util.concurrent CopyOnWriteArrayList.COWSubList.subList does not validate range properly
8029646 core-libs java.util.jar [pack200] should support the new zip64 format.
8038491 core-libs java.util.jar Improve synchronization in ZipFile.read()
8044725 core-libs java.util.jar Bug in zlib 1.2.5 prevents inflation of some gzipped files
8044727 core-libs java.util.jar Problem reading the contents of some zip files
8037857 core-libs java.util.stream Methods j.u.Arrays.spliterator/stream(X[], int, int) throw IAE instead of specified AIOOBE when endIndex < startIndex
8042355 core-libs java.util.stream stream with sorted() causes downstream ops not to be lazy
8030848 core-libs java.util:collections Collections.sort(List l, Comparator) should defer to List.sort(Comparator )
8035284 core-libs java.util:collections AbstractMap unnecessarily initializes two volatiles to null
8035584 core-libs java.util:collections ArrayList(c) should avoid inflation if c is empty
8037106 core-libs java.util:collections Optimize Arrays.asList(...).forEach
8046085 core-libs java.util:collections HashMap.put with null key may throw NullPointerException
8047795 core-libs java.util:collections Collections.checkedList checking bypassed by List.replaceAll
8033627 core-libs java.util:i18n UTC+02:00 time zones are not detected correctly on Windows
8034220 core-libs java.util:i18n AIX: Provide better time zone mappings (i.e. tzmappings file)
8035726 core-libs java.util:i18n A sentence is truncated in the API doc for j.u.Locale.LanguageRange.parse(String, Map).
8042360 core-libs java.util:i18n Subtag syntax check is incomplete in Locale.LanguageRange
8038080 core-libs javax.annotation.processing annotation processors don't visit declaration parameter annotations
8042857 core-libs javax.naming 14 stuck threads waiting for notification on LDAPRequest
8031359 core-libs javax.script Invocable.getInterface() works incorrectly if interface has default methods
8041697 core-libs javax.script CompiledScript slower when eval with binding
8011964 core-libs jdk.nashorn need indexed access to externally-managed ByteBuffer
8015958 core-libs jdk.nashorn DataView constructor is not defined
8021350 core-libs jdk.nashorn Share script classes between threads/globals within context
8027933 core-libs jdk.nashorn Add --const-as-var option
8029003 core-libs jdk.nashorn setField in ScriptObject is incorrect for non extensible objects
8029031 core-libs jdk.nashorn "ant clean jar" on nashorn repo results in number of ASM deprecated warnings
8029332 core-libs jdk.nashorn Do not require nasgen-generated functions to return Object
8029364 core-libs jdk.nashorn NashornException to expose thrown object
8029667 core-libs jdk.nashorn Prototype linking is incorrect
8029953 core-libs jdk.nashorn Backport ASM warning fixes to JDK 8
8030182 core-libs jdk.nashorn scopeCall with -1 as line number
8030197 core-libs jdk.nashorn Nashorn: Object.defineProperty() can be lured to change fixed NaN property
8030199 core-libs jdk.nashorn Nashorn: Uint8ClampedArray - Incorrect ToUint8Clamp implementation
8030200 core-libs jdk.nashorn Wrong result for Number.prototype.toString() for certain radix/inputs
8030202 core-libs jdk.nashorn Nashorn: Multiple RegExp#ignoreCase issues
8030809 core-libs jdk.nashorn Anonymous functions should not be shown with internal names in script stack trace
8031106 core-libs jdk.nashorn Nashorn: IndexOutOfBoundsException in NashornCallSiteDescriptor.getNameToken()
8031317 core-libs jdk.nashorn SyntaxError when property setter has no parameter
8031715 core-libs jdk.nashorn Indexed access to java package not working
8031983 core-libs jdk.nashorn Error objects should capture stack at the constructor
8032004 core-libs jdk.nashorn instance property "message" of Error objects should be non-enumerable
8032060 core-libs jdk.nashorn PropertyMap of Error objects is not stable
8032068 core-libs jdk.nashorn implement @sourceURL and #sourceURL directives
8033763 core-libs jdk.nashorn Add tests to assert map identity of certain objects
8033924 core-libs jdk.nashorn Default permissions are not given for eval code
8033951 core-libs jdk.nashorn nasgen needs the newly build nasgen and nashorn classes in the bootclasspath
8034055 core-libs >jdk.nashorn delete on global object not properly guarded
8035948 core-libs jdk.nashorn Redesign property listeners for shared classes
8037400 core-libs jdk.nashorn Remove getInitialMap getters and GlobalObject interface.
8037562 core-libs jdk.nashorn Nashorn: JSON.parse comes up with nonexistent entries if there are gaps between the keys
8038456 core-libs jdk.nashorn improve nasgen type checks and use specific return type for @Function, @SpecializedFunctio methods
8038615 core-libs jdk.nashorn test262 repo is now a git repo in github
8038638 core-libs jdk.nashorn Persistent store for compiled scripts
8039047 core-libs jdk.nashorn Parser accepts conditional catch clauses even when --no-syntax-extensions / -nse option is passed
8039181 core-libs jdk.nashorn Persistent code store does not use absolute paths internally
8039387 core-libs jdk.nashorn Nashorn supports indexed access of List elements, but length property is not supported
8040078 core-libs jdk.nashorn Avoid repeated reading of source for cached loads
8041953 core-libs jdk.nashorn JDK-8031359.js fails in 8u-dev
8041998 core-libs jdk.nashorn RegExp implementation is not thread-safe
8042364 core-libs jdk.nashorn Make __proto__ ES6 draft compliant
8042600 core-libs jdk.nashorn Add more samples in nashorn/samples directory
8043443 core-libs jdk.nashorn Test framework changes to run script tests without security manager
8043930 core-libs jdk.nashorn TypeError when attemping to create an instance of non-public class could be better
8044000 core-libs jdk.nashorn Access to undefined property yields "null" instead of "undefined"
8044415 core-libs jdk.nashorn ant makefile should have a target to generate javadoc only for jdk.nashorn.api and sub-packages
8044517 core-libs jdk.nashorn Run & debug single Nashorn test
8044520 core-libs jdk.nashorn Nashorn cannot execute node.js's express module
8044612 core-libs jdk.nashorn StringIndexOutOfBoundException in NativeRegExp.appendReplacement
8044695 core-libs jdk.nashorn __stack__ becomes visible in Error properties
8044750 core-libs jdk.nashorn megamorphic getter for scope objects does not call __noSuchProperty__ hook
8044798 core-libs jdk.nashorn API for debugging Nashorn
8030036 core-svc debugger Updates to ProblemList.txt after same-binaries run
8032901 core-svc debugger WaitForMultipleObjects() return value not handled appropriately
7142035 core-svc java.lang.instrument assert in j.l.instrument agents during shutdown when daemon thread is running
8027230 core-svc java.lang.instrument Overflow in java.lang.instrument.Instrumentation.getObjectSize() method
6486771 core-svc java.lang.management Fix snmp tests connection timeout problem.
8038940 core-svc javax.management c.s.j.r.i.ClientNotifForwarder$LinearExecutor prone to data races
8028623 core-svc tools SA: hash codes in SymbolTable mismatching java_lang_String::hash_code for extended characters.
8030103 core-svc tools Java Usage Tracker: need to escape separator chars
8009764 deploy   Java Web Start app run on Java SE 8 b79 shows "trust level" SecurityExceptions
8027821 deploy   For signed jars without manifest "Permissions", there is still security warning dialog before Application Error (Or blocked) Dialog.
8031993 deploy   Provide API to check if a given DRS allows or blocks a given application
8035706 deploy   [parfait] Refix Parfait Bugs
8036634 deploy   More Information hyperlink in Blocked Application Dialog needs to use a new URL
8037518 deploy   Unit Test Failures due to RDF and other 8u5 changes.
8038986 deploy   Nashorn fails to evaluate autoconfig-script when used via JavaWS
8039113 deploy   Remove unused code left after JDK-8001167 changes
8039364 deploy   Wrong port in HTTPS connection warning
8040668 deploy   Automate Securitypack.jar creation
8041123 deploy   DRS: messaging is incorrect when blocking due to DRS version mismatch
8041128 deploy   DRS ruleset path matching problem
8042124 deploy   fix to JDK-8033756 is incomplete
8042571 deploy   Cannot run FX applets if Java 7 and 8 are installed and Java 8 is disabled via JCP
8043030 deploy   Fix JUnit compilation error
8043134 deploy   refactoring existing DRS functionality - splitting RuleId class into smaller classes
8043449 deploy   Remove AppInfo.getFutureBlock*** methods
8043547 deploy   SecurityBaseLine test doesn't fully restore the baseline configuration after completion
8043887 deploy   Multiple applet jars are reported to Java Usage Tracker incorrectly
8028619 deploy deployment_toolkit Display issue of java control panel in ko and ja locale
8031490 deploy deployment_toolkit Broken Java SE 7 jnlp samples (app2 and app3)
8042641 deploy deployment_toolkit jcontrol script should use pwd with -P flag
8046006 deploy javafx 8u20: FX app fails to connect domain:80 while this domain is allowed in cross domain file
8050428 deploy javafx JavaFX client authentication dialog is not a JavaFX-based dialog
8051494 deploy javafx One More File for JavaFX client authentication dialog is not a JavaFX-based dialog
7094099 deploy plugin DropDown List of JComboBox detached
8004653 deploy plugin AuthCacheBridge should not be in sun.net.www.protocol.http package
8026841 deploy plugin Java update needed dialog on mac doesn't have a title
8028753 deploy plugin Confusing Error messages shown by ESL under some blocked scenarios
8029248 deploy plugin Layout problem on Exception site list dialog in ja, ko, de, es, fr, pt_BR
8029872 deploy plugin "Always allow this application to access the printer" option doesn't work for jnlp application
8032883 deploy plugin java.lang.UnsupportedClassVersionError occurs while accessing an applet
8033806 deploy plugin Java Control Panel appears at center and then slides to bottom left of screen
8034819 deploy plugin Java Control Panel does not honor system date/time settings
8035321 deploy plugin REGRESSION: There is no '-Daaa=/home/test' for javaplugin.vm.options after clicking on the JCP and pressing 's' key to dump system properties
8035572 deploy plugin build broken: imports were missed
8036620 deploy plugin JAR file is downloaded on DownloadService.removeResource, if it is not in Deployment Cache
8038006 deploy plugin RDF: Security dialog popup while Java <--> JavaScript communication
8039034 deploy plugin 8u20: No blocked dialog for plugin and javafx apps when no jre matches the rule specified by Admin(DRS with force)
8040786 deploy plugin Text is truncated in JavaScript to Java security warning dialog on OS X
8043229 deploy plugin NPE in sun.lwawt.macosx.CEmbeddedFrame.getLayerPtr during applet startup
8043478 deploy plugin Oracle Linux 5.x: Expired JRE disabled in the browser automatically and no native dialog prompting for the JRE update
8044055 deploy plugin jfxrt.jar has a duplicate JSObject class without getWindow(Applet)
8048906 deploy plugin Broken exception site list GUI- Unable to add a site to the list
8050875 deploy plugin regression - java_arguments not accepted after Update to 7u65
6438917 deploy webstart JNLP parser accepts illegal XML in comments
8022939 deploy webstart REGRESSION:NullPointerException at com.sun.javaws.Launcher.prepareToLaunch()
8025726 deploy webstart Certificate rule in DRS does not work for Java Web Start app when caching is turned off
8029785 deploy webstart When any applet-desc is launched via java web start and gets an error, it does not exit (process keeps running)
8034816 deploy webstart Old version of jnlp file is used
8035058 deploy webstart "Don't ask again..." doesn't work for expired native dialog on Ubuntu
8035386 deploy webstart backout parfait changes for javaws crash
8036050 deploy webstart launcher.c DetermineVersion() does not use jreversion or jrelocation
8039120 deploy webstart Backout 8034028 [parfait] JNI exception pending in deploy/src/common/macosx/native/MacOSXBundleUtil.m
8039126 deploy webstart Refix [parfait] JNI exception pending in deploy/src/common/macosx/native/MacOSXBundleUtil.m
8043453 deploy webstart deploy.dll needs to stop copying javaws.exe to the system dir
8043582 deploy webstart App gets blocked instead of showing multiple click dialog when no ocsp and crl info in certificate
8043641 deploy webstart ExtensionInstallerService.updateProgress() doesn't force the progress bar to be visible after calling hideProgressBar() as specified
8017142 globalization locale-data Time display for Spanish(Chile, Ecuador ) locale doesn't show 24-hour format
8037343 globalization locale-data Wrong dateformat for locale es_DO
8041424 globalization translation 8u20 l10n resource file translation update 1
8049128 globalization translation 8u20 l10n resource file translation update 2 - jaxp
6653795 hotspot compiler C2 intrinsic for Unsafe.getAddress performs pointer sign extension on 32-bit systems
8002074 hotspot compiler Support for AES on SPARC
8003854 hotspot compiler PPC64 (part 115): expand nodes after register allocation
8005873 hotspot compiler JRuby test_respond_to.rb asserts with: MT-unsafe modification of inline cache
8007270 hotspot compiler Make IsMethodCompilable test work with tiered
8011391 hotspot compiler C1: assert(code_offset() - offset == NativeInstruction::nop_instruction_size) failed: only one instruction can go in a delay slot
8016696 hotspot compiler PPC64 (part 4): add relocation for trampoline stubs
8019517 hotspot compiler PPC64 (part 102): cppInterpreter: implement G1 support
8019518 hotspot compiler PPC64 (part 104) : cppInterpreter: implement support for compressed Oops
8019519 hotspot compiler PPC64 (part 105): cppInterpreter: implement support for early return
8019929 hotspot compiler PPC64 (part 107): Extend ELF-decoder to support PPC64 function descriptor tables
8019972 hotspot compiler PPC64 (part 9): platform files for interpreter only VM
8019973 hotspot compiler PPC64 (part 11): Fix IA64 preprocessor conditionals on AIX.
8020121 hotspot compiler PPC64 (part 105-2): fix build in cppInterpreter after 8019519
8022494 hotspot compiler Make compilation IDs sequential
8023033 hotspot compiler PPC64 (part 13): Basic shared changes for AIX
8023038 hotspot compiler PPC64 (part 15): Platform files for AIX/PPC64 support
8024342 hotspot compiler PPC64 (part 111): Support for C calling conventions that require 64-bit ints.
8024344 hotspot compiler PPC64 (part 112): C argument in register AND stack slot.
8024468 hotspot compiler PPC64 (part 201): cppInterpreter: implement bytecode profiling
8024469 hotspot compiler PPC64 (part 202): cppInterpreter: support for OSR.
8024921 hotspot compiler PPC64 (part 113): Extend Load and Store nodes to know about memory ordering.
8024922 hotspot compiler PPC64 (part 116): Extend adlc to generate fields into nodes.
8025277 hotspot compiler Add -XX: flag to print code cache sweeper statistics
8025644 hotspot compiler java/util/stream/test/org/openjdk/tests/java/util/stream/ToArrayOpTest.java fails with TestData$OfRef): failure java.lang.AssertionError: expected [true] but found [false]
8026253 hotspot compiler New type profiling points: sparc support
8026478 hotspot compiler -XX:+VerifyAdapterSharing is broken
8027388 hotspot compiler JVM crashes with SIGSEGV (0xb) at pc=0x00000001077cbbf6
8027422 hotspot compiler assert(_gvn.type(obj)->higher_equal(tjp)) failed: cast_up is no longer needed
8027571 hotspot compiler fatal error: meet not symmetric
8027754 hotspot compiler Enable loop optimizations for loops with MathExact inside
8027966 hotspot compiler Adapt PPC to 8023657: New type profiling points: arguments to call
8027969 hotspot compiler Adapt PPC to 8026328: Setting a breakpoint on invokedynamic crashes the JVM
8028064 hotspot compiler tiered may collect wrong receiver type at virtual call
8028401 hotspot compiler PPC64 (part 117): Improve usability of adlc and format() functionality.
8028468 hotspot compiler Add inlining information into ciReplay
8028471 hotspot compiler PPC64 (part 215): opto: Extend ImplicitNullCheck optimization.
8028515 hotspot compiler PPC64 (part 113.2): opto: Introduce LoadFence/StoreFence.
8028580 hotspot compiler PPC64 (part 114/120): Support for Call nodes with constants.
8028767 hotspot compiler PPC64: (part 121): smaller shared changes needed to build C2
8029015 hotspot compiler PPC64 (part 216): opto: trap based null and range checks
8029025 hotspot compiler PPC64 (part 203): opto: Move static _in_dump_cnt to Compile object.
8029091 hotspot compiler Bug in calculation of code cache sweeping interval
8029302 hotspot compiler Performance regression in Math.pow intrinsic
8029436 hotspot compiler CICompilerCount is not updated when the number of compiler threads is adjusted to the number of CPUs
8029873 hotspot compiler compiler/uncommontrap/TestStackBangRbp.java crashes with SIGSEGV
8029940 hotspot compiler PPC64 (part 122): C2 compiler port
8030662 hotspot compiler "assert(counter_changed) failed: failed dependencies, but counter didn't change" still fails
8030783 hotspot compiler Provide regression test for 8026478: -XX:+VerifyAdapterSharing is broken
8030863 hotspot compiler PPC64: (part 220): ConstantTableBase for calls between args and jvms
8031115 hotspot compiler intrinsics for Math.decrementExact(J) and incrementExact(J) don't work
8031188 hotspot compiler Fix for 8029015: PPC64 (part 216): opto: trap based null and range checks
8031475 hotspot compiler Missing oopmap in patching stubs
8031752 hotspot compiler Failed speculative optimizations should be reattempted when root of compilation is different
8031754 hotspot compiler Type speculation should favor profile data from outermost inlined method
8032490 hotspot compiler Remove -XX:+-UseOldInlining
8032633 hotspot compiler Enable type speculation by default
8033117 hotspot compiler PPC64: Adapt to 8002074: Support for AES on SPARC
8033168 hotspot compiler PPC64: gcc 4.8 warning in output_c.cpp
8033626 hotspot compiler assert(ex_map->jvms()->same_calls_as(_exceptions->jvms())) failed: all collected exceptions must come from the same place
8033805 hotspot compiler Move Fast_Lock/Fast_Unlock code from .ad files to macroassembler
8034188 hotspot compiler OSR methods may not be recompiled at proper compilation level after deoptimization
8035394 hotspot compiler PPC64: Make usage of intrinsic dsqrt depend on processor recognition.
8035585 hotspot compiler Restore UseOldInlining in jdk8u
8035647 hotspot compiler PPC64: Support for elf v2 abi.
8035828 hotspot compiler Turn on @Stable support in VM
8035841 hotspot compiler assert(dp_src->tag() == dp_dst->tag()) failed: should be same tags 1 != 0 at ciMethodData.cpp:90
8035887 hotspot compiler VM crashes trying to force inlining the recursive call
8035936 hotspot compiler SIGBUS in StubRoutines::aesencryptBlock, solaris-sparc
8035970 hotspot compiler PPC64: fix ad file after 8027754: Enable loop optimizations for loops with MathExact inside
8036619 hotspot compiler Shark: add LLVM 3.4 support
8036667 hotspot compiler "assert(adr->is_AddP() && adr->in(AddPNode::Offset)->is_Con()) failed: offset is a constant" with FoldStableValues on
8037821 hotspot compiler Account for trampoline stubs when estimating code buffer sizes
8038048 hotspot compiler assert(null_obj->escape_state() == PointsToNode::NoEscape,etc) runThese -full
8038181 hotspot compiler Can't build product VM without precompiled header
8038222 hotspot compiler Assembler::bsrl fails on assert when -UseCountLeadingZerosInstruction is used on CPU with LZCNT support
8038240 hotspot compiler new WB API to get nmethod
8038286 hotspot compiler nm->set_rtm_state() should be called after (nm != NULL) check
8038297 hotspot compiler Avoid placing CTI immediately following cbcond instruction on T4
8038633 hotspot compiler crash in VM_Version::get_processor_features() on startup
8038939 hotspot compiler Some options related to RTM locking optimization works inconsistently
8039043 hotspot compiler Implicit null check is in the wrong place in C1 -UseCompressedOops
8039298 hotspot compiler C2: assert(base == NULL || t_adr->isa_rawptr() || !phase->type(base)->higher_equal(TypePtr::NULL_PTR)) failed: NULL+offs not RAW address?
8039597 hotspot compiler WhiteBox :: clean type profiling data
8039975 hotspot compiler SIGSEGV in MethodData::next_data(ProfileData*)
8040085 hotspot compiler dtrace/jsdt tests crash on solaris. found an unadvertised bad scavengable oop in the code cache
8041351 hotspot compiler Crash in src/share/vm/opto/loopnode.cpp:3215 - assert(!had_error) failed: bad dominance
8041458 hotspot compiler JVM crashes with collect_args_for_profiling
8041481 hotspot compiler JVM crashes with collect_args_for_profiling
8041957 hotspot compiler -XX:UseAVX=0 cause assert(UseAVX) failed
8041959 hotspot compiler Skip replay parsing errors with ReplayIgnoreInitErrors
8042052 hotspot compiler assert(t != NULL) failed: must set before get
8042281 hotspot compiler compiler/7184394/TestAESMain.java fails with: javax.crypto.IllegalBlockSizeException: Input length not multiple of 16 bytes
8042309 hotspot compiler Some bugfixes for the ppc64 port.
8042786 hotspot compiler Proper fix for 8032566
8043274 hotspot compiler Test compiler/7184394/TestAESMain.java gets NPE on solaris
8043354 hotspot compiler OptimizePtrCompare too aggressive when allocations are present
8043413 hotspot compiler REGRESSION: Hotspot causes segmentation fault in jdk8ux, but not in jdk7ux
8044090 hotspot compiler C1: Old value instead of new one is passed to post-barrier in UnsafeGetAndSetObject
8046275 hotspot compiler Fastdebug build failing on jdk9/hs/ control jobs after pulling some hs-comp changes
8046516 hotspot compiler Segmentation fault in JVM (easily reproducible)
8050978 hotspot compiler Fix bad field access check in C1 and C2
6991197 hotspot gc G1: specialize deal_with_reference() for narrowOop*
7090324 hotspot gc gclog rotation via external tool
8016302 hotspot gc Change type of the number of GC workers to unsigned int (2)
8027295 hotspot gc Free CSet takes ~50% of young pause time
8027364 hotspot gc PSScavenge accounts too large code section to StringTable unlink
8027454 hotspot gc Do not traverse string table during G1 remark when treating them as strong roots during initial mark
8027455 hotspot gc Improve symbol table scan times during gc pauses
8027476 hotspot gc Improve performance of Stringtable unlink
8027559 hotspot gc Decrease code size and templatizing in G1ParCopyClosure::do_oop_work
8027746 hotspot gc Remove do_gen_barrier template parameter in G1ParCopyClosure
8027964 hotspot gc Adapt PPC to 6843347: Boundary values in some public GC options cause crashes
8027965 hotspot gc Adapt PPC to 8015107: NPG: Use consistent naming for metaspace concepts
8028391 hotspot gc Make the Min/MaxHeapFreeRatio flags manageable
8029075 hotspot gc String deduplication in G1
8029162 hotspot gc G1: Shared SATB queue never enabled
8029255 hotspot gc G1: Reference processing should not enqueue references on the shared SATB queue
8030177 hotspot gc G1: Enable TLAB resizing
8031703 hotspot gc Missing post-barrier in ReferenceProcessor
8033106 hotspot gc Wrong predicate for checking whether the correct amount of symbol table entries have been processed in G1
8033426 hotspot gc Scale initial NewSize using NewRatio if not set on command line
8033545 hotspot gc Missing volatile specifier in Bitmap::par_put_range_within_word
8034079 hotspot gc G1: Refactor the HeapRegionSet hierarchy
8034852 hotspot gc Shrinking of Metaspace high-water-mark causes incorrect OutOfMemoryErrors or back-to-back GCs
8034868 hotspot gc Extract G1 From Card Cache into separate class
8034948 hotspot gc Back out JDK-6976350 since it does not fix any issue
8035057 hotspot gc NewSize ergonomics wrong when setting small or unaligned size on command line
8035326 hotspot gc Assume non-NULL references in G1CollectedHeap::in_cset_fast_test
8035329 hotspot gc Move G1ParCopyClosure::copy_to_survivor_space into G1ParScanThreadState
8035330 hotspot gc Remove G1ParScanPartialArrayClosure and G1ParScanHeapEvacClosure
8035398 hotspot gc Add card redirty time in "Other" time in G1
8035406 hotspot gc Improve data structure for Code Cache remembered sets
8035654 hotspot gc Add times for evacuation failure handling in "Other" time
8035667 hotspot gc EventMetaspaceSummary doesn't report committed Metaspace memory
8035815 hotspot gc Cache-align and pad the from card cache
8035822 hotspot gc Unable to test minimalVM
8036025 hotspot gc Sort the freelist in order to shrink the heap
8036672 hotspot gc G1: alloc_purpose in copy_to_survivor_space() used incorrectly
8036673 hotspot gc G1: Abort weak reference processing if mark stack overflows
8036696 hotspot gc Add metaspace gc threshold to metaspace summary trace event
8036698 hotspot gc Add trace event for updates to metaspace gc threshold
8036699 hotspot gc Add trace event when a metaspace allocation fails
8036701 hotspot gc Add trace event when a metaspace throws out of memory error
8036703 hotspot gc Add trace event with statistics for the metaspace chunk free lists
8036860 hotspot gc Pad and cache-align the BiasedMappedArray
8037112 hotspot gc gc/g1/TestHumongousAllocInitialMark.java caused SIGSEGV
8037407 hotspot gc G1: Remove heapRegionSets.cpp
8037962 hotspot gc metaspaceTracer.cpp misses a symbol
8038498 hotspot gc Fix includes and C inlining after 8035330
8038934 hotspot gc Remove prefix allocated_ from methods and variables in Metaspace
8039042 hotspot gc G1: Phantom zeros in cardtable
8039089 hotspot gc List verification enabled in product builds
8040245 hotspot gc G1: VM hangs during shutdown
8040803 hotspot gc G1: Concurrent mark hangs when mark stack overflows
8040804 hotspot gc G1: Concurrent mark stuck in loop calling os::elapsedVTime()
8042310 hotspot gc TestStringDeduplicationMemoryUsage test failing
8042933 hotspot gc assert(capacity_until_gc >= committed_bytes) failed
8043239 hotspot gc G1: Missing post barrier in processing of j.l.ref.Reference objects
8044796 hotspot gc G1: Enabled G1CollectedHeap::stop()
8031693 hotspot jfr Two nsk/hprof/options/cpu failed with Stack Overflow in JFR on Linux-amd64 in Promotion testing of JDK8 b123
8034176 hotspot jfr Update mapfile for libjfr
8042311 hotspot jfr oracle/jrockit/jfr/JIInliner.java imports wrong ASM
8025841 hotspot jvmti JVMTI: "vtable stub" dynamic code notification is misplaced
8030027 hotspot jvmti nsk/jvmti/scenarios/hotswap/HS101/hs101t006 Crashed the vm on Linux-amd64: SIGSEGV in JavaThread::last_java_vframe(RegisterMap*)+0xfa
8031968 hotspot jvmti Mac OS X: VM starts the agent by calling both Agent_OnAttach and Agent_OnAttach_L functions if its agent library is dynamically linked.
8035150 hotspot jvmti ShouldNotReachHere() in ConstantPool::copy_entry_to
8035423 hotspot jvmti AIX: Fix os::get_default_process_handle() in os_aix.cpp after 8031968
6498581 hotspot runtime ThreadInterruptTest3 produces wrong output on Windows
8016491 hotspot runtime PPC64 (part 2): Clean up PPC defines.
8016586 hotspot runtime PPC64 (part 3): basic changes for PPC64
8016644 hotspot runtime Improve UnsupportedClassVersionError message
8017313 hotspot runtime PPC64 (part 6): stack handling improvements
8017317 hotspot runtime PPC64 (part 7): cppInterpreter: implement support for biased locking
8020775 hotspot runtime PPC64 (part 12): posix signal printing
8024379 hotspot runtime PPC64: Adapt PPC64 port to 8003424
8026300 hotspot runtime VM warning: increase O_BUFLEN in ostream.hpp -- output truncated occurs with fastdebug VM when printing flags
8026334 hotspot runtime hs_err improvement: Print elapsed time in a humanly readable format
8026487 hotspot runtime PPC64: Implement 'os::fork_and_exec' on AIX
8027146 hotspot runtime Class loading verification failure if GC occurs in Universe::flush_dependents_on
8027314 hotspot runtime Java should recognize Diagnostic options if -XX:+UnlockDiagnosticVMOptions is not specified and print an informative message
8027968 hotspot runtime Adapt PPC to 8024927: Nashorn performance regression with CompressedOops
8028073 hotspot runtime race condition in ObjectMonitor implementation causing deadlocks
8028280 hotspot runtime ParkEvent leak when running modified runThese which only loads classes
8028470 hotspot runtime PPC64 (part 214): linux: extend signal handler to catch SIGTRAP on ppc64.
8028497 hotspot runtime SIGSEGV at ClassLoaderData::oops_do(OopClosure*, KlassClosure*, bool)
8028514 hotspot runtime PPC64: Fix C++ Interpreter after '7195622: CheckUnhandledOops has limited usefulness now'
8028553 hotspot runtime The JVM should not throw VerifyError when 'overriding' a static final method in a superclass.
8029101 hotspot runtime PPC64 (part 211): ordering of Independent Reads of Independent Writes
8029178 hotspot runtime Parallel class loading test anonymous-simple gets SIGSEGV in Metaspace::contains
8029957 hotspot runtime PPC64 (part 213): cppInterpreter: memory ordering for object initialization
8030955 hotspot runtime assert(_prologue != NULL) failed: prologue pointer must be initialized
8031045 hotspot runtime Access checks should precede additional per-instruction checks
8031290 hotspot runtime Adjust call to getisax() for additional words returned
8032010 hotspot runtime Attempt to resolve abstract method in concrete class fails with AbstractMethodError
8032024 hotspot runtime Test not added for bug 8025937: assert(existing_f1 == NULL || existing_f1 == f1) failed: illegal field,change
8032634 hotspot runtime Add #ifdef PPC64 around OrderAccess operations on _thread_state.
8033126 hotspot runtime Can't call default methods from JNI
8033150 hotspot runtime invokestatic: IncompatibleClassChangeError trying to invoke static method from a parent in presence of conflicting defaults
8033696 hotspot runtime "assert(thread != NULL) failed: just checking" due to Thread::current() and JNI pthread interaction
8033792 hotspot runtime AltHashing used jint for imprecise bit shifting
8033931 hotspot runtime Several nightly tests failing with assert(imin < imax) failed: Unexpected page size
8034171 hotspot runtime Remove use of template template parameters from binaryTreeDictionary.
8034797 hotspot runtime AIX: Fix os::naked_short_sleep() in os_aix.cpp after 8028280
8034860 hotspot runtime Fatal error due to incorrect thread state during nightly testing
8035396 hotspot runtime Introduce accessor for tmp_oop in frame.
8035983 hotspot runtime Fix "Native frames:" in crash report (hs_err file)
8036767 hotspot runtime PPC64: Support for little endian execution model
8036823 hotspot runtime Stack trace sometimes shows 'locked' instead of 'waiting to lock'
8036976 hotspot runtime PPC64: implement the template interpreter
8038201 hotspot runtime Clean up misleading usage of malloc() in init_system_properties_values()
8038274 hotspot runtime update 8u fix for 8028073 now that 8028280 is backported to 8u
8039146 hotspot runtime Fix 64-bit store to int JNIHandleBlock::_top
8039150 hotspot runtime host_klass invariant fails when verifying newly loaded JSR-292 anonymous classes
8039904 hotspot runtime dtrace/hotspot/Monitors/Monitors001 fails with "assert(s > 0) failed: Bad size calculated"
8040140 hotspot runtime System.nanoTime() is slow and non-monotonic on OS X
8041918 hotspot runtime BootstrapMethods attribute cannot be empty
8042059 hotspot runtime Various fixes to linux/sparc
8051378 hotspot runtime AIX: Change "8030763: Validate global memory allocation" breaks the HotSpot build
8030184 hotspot svc Remove unneeded "content_type" declarations from tracetypes.xml
8032250 hotspot svc Add trace event for VM flag changes
8032466 hotspot svc serviceability/sa/jmap-hashcode/Test8028623.java fails with compilation errors
8032518 hotspot svc fatal error has been detected by the Java Runtime Environment (access violation)
8037340 hotspot svc Linux semaphores to use CLOCK_REALTIME
8041723 hotspot svc Event Based tracing ids to be reassigned for CDS klasses
8046408 hotspot svc Build failure from multiple ptrace.h
8047812 hotspot svc Ensure ClassLoaderDataGraph::classes_unloading_do only delivers klasses from CLDs with non-reclaimed class loader oops
8003653 install   Java items on Start Menu still exist even after all JREs from the system are removed.
8003661 install   $(CD) $(CURRENTDIR)/jre/; directory does not exist
8027686 install   Fail to install on MacOS 10.10
8027770 install   need to consolidate our registry manipulation approach
8031597 install   Need msi with one-file-per-componet
8032038 install   need to fix new msi wrapper extraction issue
8034956 install   fully commit to new msi design
8036950 install   need to turn on new patching mechanism during install runtime
8037542 install   uninstaller not removing AU2.0
8037870 install   "Back" button should not be shown on the JDK public jre's changefolder dialog.
8039182 install   jds catch breaks the installer.exe
8039249 install   Registry class enhancements
8039281 install   ErrorHandling macros log wrong source position
8044173 install   VPAT: "Uninstall out-of-date versions" dialogs - JAWS issues
8049056 install   Deployment .jar files are missing in JAVA_HOME\lib, when installer calls RegisterDeployEx() from deploy.dll
8041144 install auto_update AU should be easier to setup after a DS build
8042957 install auto_update The new au64 project has several issues
7058601 install install Registry key shows incorrect location of jvm.dll on Win 7 64 bit installation
8021612 install install [macosx] The JRE installer does not look right with 8 b100 promotion build.
8031405 install install jdk9/dev build fails in install on solaris after JDK_MINOR_VERSION was changed to 9
8034219 install install 8u5 JDK welcome dialog: Update text is missed
8037044 install install unpack200.exe calls are broken on windows
8037267 install install zh-SG (Chinese Singapore) locale should be handled as Chinese Simplified
8038395 install install enterprise MSI PIT has 2 major issues
8039085 install install Unittests for new functionality in FileUtils is required
8039347 install install 8u20 Patch Installer Failure
8039397 install install msi installers should support rollback
8040924 install install [MSI] Start menu is not created when install MSI with NOSTARTMENU=0
8040925 install install [MSI] FIU dialog appears when uninstall MSI with Java App running
8040927 install install [MSI] Access Bridge is installed when install test jre with STATIC=1 after higher version installed
8040930 install install [MSI] Some files left after uninstalled 32bit JRE if 64bit JRE exists
8041553 install install 8u20-b10: Jre can't be installed to folders containing non-ASCII chara
8042080 install install SDK installer can not run on windows zh_CN and ja
8043777 install install VPAT: "Uninstall out-of-date versions" dialogs - keyboard a11y issue
8044035 install install RPM internal names must match the standard bundle file name patterns
8048064 install install out-of-date dialogs are not displayed correctly in sv
8048909 install uninstall msi uninstaller not localized
8029073 other-libs corba (corba) New connection reclaimed when number of connection is greater than highwatermark
8042789 other-libs corba org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader
8037221 other-libs other [asm] refresh internal ASM version
8044046 other-libs other [asm] refresh internal ASM version to v5.0.3
8021804 security-libs java.security Certpath validation fails if validity period of root cert does not include validity period of intermediate cert
8025708 security-libs java.security Certificate Path Building problem with AKI serial number
8031025 security-libs java.security SQE test CertPath/CertPathBuilderTest/* failed with java.lang.IndexOutOfBoundsException
8037258 security-libs java.security AIOB while parsing CRL for revoked certificate
8039358 security-libs java.security com.sun.jarsigner.ContentSignerParameters.getTSAPolicyID() should be a default method
8028627 security-libs javax.crypto Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
8042449 security-libs javax.net.ssl Issue for negative byte major record version
7047033 security-libs javax.smartcardio (smartcardio) Card.disconnect(boolean reset) does not reset when reset is true
7195480 security-libs javax.smartcardio javax.smartcardio does not detect cards on Mac OS X
8039118 security-libs javax.smartcardio Windows build failure (j2pcsc.dll : fatal error unresolved external symbol throwByName)
8043507 security-libs javax.smartcardio (smartcardio) javax.smartcardio.CardTerminals.list() fails on MacOSX
8043720 security-libs javax.smartcardio (smartcardio) Native memory should be handled more accurately
8049250 security-libs javax.smartcardio (smartcardio) Need a flag to invert the Card.disconnect(reset) argument
8031046 security-libs org.ietf.jgss:krb5 Native Windows ccache might still get unsupported ticket
8036779 security-libs org.ietf.jgss:krb5 sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec
8036971 security-libs org.ietf.jgss: krb5.conf does not accept directive lines before the first section
8039431 tools   Integrate new version of Java VisualVM based on VisualVM 1.3.7 into JDK
8036709 tools jar Java 7 jarsigner displays warning about cert policy tree
8015101 tools javac Covariance of return type implied by upper bounding on type parameter is ignored
8027477 tools javac Enable repeating annotations test cases since JDK-8004912 is fixed
8027886 tools javac javac allows illegal receiver parameters
8028503 tools javac javac, for method references a primitive type can be added as a bound
8028576 tools javac Incorrect RuntimeVisibleTypeAnnotations for exception parameters when not generating debuging info
8029002 tools javac javac should take multiple upper bounds into account in incorporation
8029017 tools javac ElementType.TYPE_USE should be a logical superset of ElementType.TYPE and ANNOTATION_TYPE
8029042 tools javac Receiver parameter not supported on local class constructor
8029240 tools javac Default methods not always visible under -source 7
8029718 tools javac Should always use lambda body structure to disambiguate overload resolution
8029725 tools javac Lambda reference to containing local class causes javac infinite recursion
8029800 tools javac Flags.java uses String.toLowerCase without specifying Locale
8029852 tools javac Bad code generated (VerifyError) when lambda instantiates enclosing local class and has captured variables
8030049 tools javac RoundEnvironment.getElementsAnnotatedWith receives wrong elements
8030218 tools javac javac, compile time error isn't shown when final static field is not assigned, follow-up
8030741 tools javac Inference: implement eager resolution of return types, consistent with JDK-8028800
8030816 tools javac javac crashes when mixing lambdas and inner classes
8030855 tools javac Default methods should be visible under source previous to 8
8031023 tools javac [javac] LambdaToMethod is missing forceSerializedRepresentation logic and switch
8031425 tools javac Two langtools/javac tests fail by timeout on Windows
8031967 tools javac For some sources compiler compiles for ever
8033287 tools javac Reduce the size of the endPosTable
8033437 tools javac javac, inconsistent generic types behaviour when compiling together vs. separate
8033718 tools javac Inference ignores capture variable as upper bound
8034048 tools javac javac crash with method references plus lambda plus var args
8034147 tools javac javac crashes with a NullPointerException during bounds checking
8034223 tools javac Most-specific should not have any special treatment for boxed vs. unboxed types
8034854 tools javac outer_class_info_index of synthetic class is not zero
8034924 tools javac Incorrect inheritance of inaccessible static method
8035890 tools javac jdk8 javac -source 7 compiles test case it should not
8036007 tools javac javac crashes when encountering an unresolvable interface
8036942 tools javac javac generates incorrect exception table for multi-catch statements inside a lambda
8037379 tools javac fix for JDK-8029569 doesn't cover all possible cases
8037385 tools javac constant pool errors with -target 1.7 and static default methods
8037934 tools javac Javac generates invalid signatures for local types
8037935 tools javac Javac: final local String var referenced in binary/unary op in lambda produces code that does not verify
8037937 tools javac javac: AssertionError during LVT generation, wrong variable ranges
8038023 tools javac Compiler crash: ClassCastException
8038182 tools javac javac crash with FunctionDescriptorLookupError for invalid functional interface
8038420 tools javac Lambda returning post-increment generates wrong code
8038788 tools javac javac behaves incorrectly for annotations after method type parameters in some cases
8038975 tools javac Access control in enhanced for
8039026 tools javac Definitely unassigned field can be accessed
8040822 tools javac Duplicated notifications can be sent to TaskListener
8041663 tools javac Sensitive dependence on location of nested interface
8041704 tools javac wrong error message when mixing lambda expression and inner class
8041713 tools javac Type inference of non-existent method references crashes the compiler
8042338 tools javac Refactor Types.upperBound to treat wildcards and variables separately
8042656 tools javac Inference produces spurious error for intersection type bounds check
8042741 tools javac Java 8 compiler throws NullPointerException depending location in source file
8042759 tools javac Lambda returning implicitly-typed lambdas considered pertinent to applicability
8042785 tools javac javac, bridge methods are not getting the flags from the original method
8042803 tools javac Types.wildLowerBound and cvarLowerBound should call unannotatedType()
8043186 tools javac javac test langtools/tools/javac/util/StringUtilsTest.java fails
8043253 tools javac Slow javac compile times in JDK 8
8043725 tools javac javac fails with StackOverflowException
8044487 tools javac Fix for 8042785 causes regression tests to fail with java.lang.VerifyError
8046762 tools javac Revert some inference fixes in JDK-8033718
8046916 tools javac Type parameter annotations don't work with multiple type parameters
8029145 tools javadoc(tool) javadoc fails with java.lang.IllegalStateException: endPosTable already set
8031212 tools javadoc(tool) doclint incorrectly rejects some @see tags in javadoc comments
8037484 tools javadoc(tool) [javadoc] fails with java.lang.IllegalStateException: endPosTable already set
8037881 tools javadoc(tool) javax.crypto is not listed in the compact* profiles javadoc
8038976 tools javadoc(tool) javadoc requires a trailing / for links where java 7's javadoc didn't
8039231 tools javadoc(tool) [javadoc] test failure caused by javax.crypto fix
8032814 tools javap LineNumberTable/LocalVariableTable tables duplication for the "-v -l" combination of options
8032819 tools javap Extra empty line between field declarations for the "-v -c" and "-v -l" combination of options
8032869 tools javap remove support for legacy options in javap
8033114 tools javap The values of non-static final fields are printed for the -constants option
8033180 tools javap An inappropriate newline symbol in the help section
8033581 tools javap Incorrect comment alignment
8033686 tools javap Internal error for zero indent
8033711 tools javap An exception is thrown if using the "-classpath" option with no arguments
8033726 tools javap StackMapTable does not unindent properly
8033798 tools javap javap output has unnecessary trailing whitespace
8033913 tools javap Incorrect indentation of StackMapTable entries
8033930 tools javap Unnecessary new line after the StackMapTable
8035104 tools javap reorder class file attributes in javap listing
8035364 tools javap An extra space in the comments of constant pool entries
8030698 tools jconsole Some messages in jconsole in 7u40 (and later) aren't displayed correctly
8029388 tools launcher java.exe consumes argument intended for launched java class
8046502 tools visualvm visualvm ClassNotFoundException on CPU profile
8033113 xml jax-ws wsimport fails on WSDL:header parameter name customization
8038307 xml jax-ws JAX-WS conformance tests fail when running JCK-devtools-8 suite against RI in EBCDIC emulation mode
8039899 xml jax-ws Missing licence headers in test for JDK-8033113
8043129 xml jax-ws JAF initialisation in SAAJ clashing with the one in javax.mail
8027359 xml jaxp XML parser returns incorrect parsing results
8032392 xml jaxp Spec: javax.xml.stream.XMLEventFactory/XMLOutputFactory/XMLInputFactory.newFactory(String, ClassLoader) referring to ServiceLoader.load(Class, ClassLoader)
8032909 xml jaxp XSLT string-length returns incorrect length when string includes complementary chars
8011795 xml org.w3c.dom DOM Serializer prints stack traces to System.err

 

Known Issues

JDK

Area: install

Synopsis: 64 bit JRE Offline Installer is uncompressed

The 64 bit JRE offline installer for Windows was released as an uncompressed binary in 8u20. In its uncompressed state, the binary is 91.68MB in size.

Only the Windows offline 64 bit JRE bundle is impacted. This does not apply to any other JRE/JDK Windows installers (e.g. 32 bit offline, 32 bit online, or any auto-update bundle, 32 bit or 64 bit).

JavaFX

Area: media

Synopsis: [Linux] JavaFX Media does not run on Ubuntu 14.04

The JavaFX Media component in 8u20 requires the following packages which are not shipped with Ubuntu 14.04:

  • libavcodec53
  • libavformat53
  • libavutil51

Ubuntu 14.04 ships with newer, incompatible versions of these packages.

Workaround: install the specific versions of the required packages.

Area: client-libs

Synopsis: JRE 8u20 crashes while using Japanese IM on Windows

The VM crashes while using Swing controls when some Japanese or Chinese characters are input on Windows platform. There is no workaround.

See 8058858 (not public).

Java SE 8u11 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in the Java SE 8u11 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u11 b31

Please note that fixes from the prior BPR (8u5 b31) are included in this BPR.


Java™ SE Development Kit 8, Update 11 (JDK 8u11)

The full version string for this update release is 1.8.0_11-b12 (where "b" means "build"). The version number is 8u11.

Highlights

This update release contains the following  enhancements and changes:

IANA Data 2014c

JDK 8u11 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u11 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_11
7 1.7.0_65
6 1.6.0_81
5.0 1.5.0_71

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u11) will expire with the release of the next critical patch update scheduled for October 14, 2014.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u11) on November 15, 2014. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes

Java Dependency Analysis Tool (jdeps)

A new command-line tool, Java Dependency Analysis Tool (jdeps), is now available that can be used by developers to understand the static dependencies of their applications and libraries. It also provides an -jdkinternals option to find dependencies of any JDK internal APIs that are unsupported and private to JDK implementation.

See jdeps man page and the jdeps Open JDK wiki page.

New Java Control Panel option to disable sponsors

Currently, to disable sponsor offers at the time of installation, the user can deselect the option during installation or can pass SPONSORS=0 as a command line option.

In this release, a new Java Control Panel(JCP) option to disable sponsors is available. To use this option, go to JCP's "Advanced" tab, and check or uncheck "Suppress sponsor offers when updating Java".

This option is applicable to 32 and 64 bit Windows operating systems.

New JAR file attribute - Entry-Point

From this release, a new JAR file attribute, Entry-Point is available. The Entry-Point attribute is used to identify the classes that are allowed to be used as 'entry points' to the RIA. Identifying the entry points helps to prevent unauthorized code from being run when a JAR file has more than one class with a main() method, multiple Applet classes, or multiple JavaFX Application classes. Set this attribute to the fully qualified class name that can be used as the entry point for the RIA. To specify more than one class, separate the classes by a space, for example: Entry-Point: apps.test.TestUI apps.test.TestCLI

If the JAR manifest is signed and the main-class or applet-class entry point specified in the JNLP file or application descriptor differs from the class specified for the Entry-Point attribute, then the RIA is blocked. If the Entry-Point attribute is not present, any class with a main() method, or any Applet or JavaFX Application class in the JAR file can be used to start the RIA.

New JAXP processing limit property - maxElementDepth

A new property, maxElementDepth, is added to provide applications the ability to set limit on maximum element depth in an xml file that they parse. This may be helpful for applications that may use too much resources when processing an xml file with excessive element depth.

  • Name: http://java.sun.com/xml/jaxp/properties/maxElementDepth
  • Definition: Limit the maximum element depth
  • Value: A positive integer. 0 is treated as no limit. Negative numbers are treated as 0.
  • Defaule value: 0
  • System property: jdk.xml.maxElementDepth

See 8031541 (not public).

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes in this release:

Area: client-libs/AWT

Synopsis: Using RMI from a restricted environment may cause a NullPointerException.

If an application uses RMI and runs in a restricted environment (ie. Java Plugin, Java Web Start), it may not work. In particular, if you run a UI from an RMI callback, a NullPointerException is likely to be thrown.

See 8019274.

 

Bug Fix List

BugId Component Subcomponent Summary
8023990 client-libs 2d Regression: postscript size increase from 6u18
8041572 client-libs java.awt [macosx] huge native memory leak in AWTWindow.m
8041987 client-libs java.awt [macosx] setDisplayMode crashes
8019990 client-libs java.awt:i18n IM candidate window appears on the South-East corner of the display
8035897 core-libs java.net Better memory allocation for file descriptors greater than 1024 on macosx
8043012 core-libs java.util:i18n (tz) Support tzdata2014c
8019274 deploy   RMI thread can no longer call out to AWT thread for webstart app
8032781 deploy deployment_toolkit Run rule not working in case of html applet
8030636 deploy plugin Accessibility class in jar on -xbootclasspath/a is not loaded by jvm
8031996 deploy plugin Java.Lang.Reflect.InvocationTargetException When Cache Has Disabled
8032206 deploy plugin Applet with jnlp.Packenabled=True And jnlp.versionEnabled=True Fails
8034230 deploy plugin Applet caller check should not compare URLs
8035449 deploy plugin security prompt is shown twice when 'Do not show' checkbox is checked
8041339 deploy webstart JNLP with java-vm-args whose length exceeded 512 chars failed to get loaded with CouldNotLoadArgumentException
8035613 xml jaxb With active Securitymanager JAXBContext.newInstance fails

Known Issues

Area: xml/jax-ws

Synopsis: JAF initialization in SAAJ clashing with the one in javax.mail

After initialization of SAAJ components, the javax.mail library may fail to work under certain circumstances, which in turn could break the javax.mail's JAF setup.

A possible workaround is to re-add the javax.mail handler before using javax.mail API:

MailcapCommandMap mailMap = (MailcapCommandMap) 
    CommandMap.getDefaultCommandMap();
    mailMap.addMailcap("multipart/mixed;;x-java-content-
    handler=com.sun.mail.handlers.multipart_mixed");

See 8043129.

Java SE 8u5 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u5 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version

Changes in Java SE 8u5 b31

Bug Fixes

BugId Component Subcomponent Summary
8028192
(Confidential)
security-libs java.net.ssl PKCS11 is not working correctly.
8038202
(Confidential)
deploy plugin Inconsistent behavior on systems using Deployment Rule Set

Java™ SE Development Kit 8, Update 5 (JDK 8u5)

The full version string for this update release is 1.8.0_5-b13 (where "b" means "build"). The version number is 8u5.

Highlights

This update release contains enhancements and changes including the following:

Olson Data 2013i

JDK 8u5 contains Olson time zone data version 2013i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u5 are specified in the following table:

JRE Family Version JRE Security Baseline (Full Version String)
8 1.8.0_5
7 1.7.0_55
6 1.6.0_75
5.0 1.5.0_65

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u5) will expire with the release of the next critical patch update scheduled for July 15, 2014.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u5) on August 15, 2014. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes

The frequency of some security dialogs has been reduced on systems that run the same RIA multiple times.

See 8029649.

Using "*" in Caller-Allowable-Codebase Attribute.

If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to RIA will show a security warning, and users have the choice to allow the call or block the call.

For more information, see JAR File Manifest Attributes for Security documentation.

See 8033707.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

The following are some of the notable bug fixes in this release:

Area: deploy/plugin
Synopsis: java plugin compatibility with windows 8.1 / IE 11 enhanced protected mode

Starting in this release Java Plug-in is compatible with Windows Enhanced Protected Mode (EPM) on Windows 8.1 and IE 11. You should no longer see any warning related to EPM when trying to run an applet in Internet Explorer (IE). There is a special case for 64-bit Windows - EPM requires both 32-bit and 64-bit Plug-in installed. Please make sure you have both 32-bit and 64-bit JRE installed, otherwise there will be a warning from IE, but Java Plug-in will still run under EPM.

See JDK-8024903 (not public).

Area: other-libs/corba
Synopsis: Enhanced CORBA initializations

The system property org.omg.CORBA.ORBSingletonClass is used to configure the system-wide/singleton ORB. The handling of this system property has changed to require that the system wide/singleton ORB be visible to the system class loader. This is a change from previous releases where the singleton ORB was located using the thread context class loader of the first thread to call the no-argument ORB.init method. The implication of this change is that the system-wide/singleton ORB needs to be deployed on the class path or in the extension directory.

Applications that bundle their own ORB and only configure the property org.omg.CORBA.ORBClass should not be impacted by this change. The per-application ORB will be located via the thread context class loader of the thread calling the 2-argument ORB.init method as before.

See 8025005 (not public).

Area: xml/jaxp
Synopsis: Custom entities mapping files are no longer loaded with full permission

Legacy code may use the JDK internal API SerializerFactory to create a Serializer. In the process, a custom entity mapping file may be specified through the format parameter. The custom file was then loaded with full permission. As of this release, files that complies with java.util.ResourceBundle format, that is, with a ".properties" extension, will continue to be loaded with full permission. However, any other custom mapping files will require specific file access permission when the program is running with a SecurityManager.

The workaround to any issues caused by lack of permission to using an arbitrary file as the entity mapping file is, either changing the file to a resource bundle, or granting file read permission.

See 8029282 (not public).

 

Bug Fix List

BugId Component Subcomponent Summary
JDK-6571600 client-libs java.awt JNI use results in UnsatisfiedLinkError looking for libmawt.so
JDK-8030822 core-libs java.time (tz) Support tzdata2013i
JDK-8036568 core-libs java.util:collections Serial incompatibility in java.util.TreeMap.NavigableSubMap
JDK-8028691 deploy plugin loading browser proxy via config script should not trigger JAR download
JDK-8029649 deploy plugin Reduce dialog frequency when app is run multiple times
JDK-8033705 deploy plugin Array out of bounds exception in PluginMain.performSSVValidation
JDK-8033779 deploy plugin JRE 7u51 Plugin Failing to Run Older JRE Version < 1.6.0
JDK-8028577 deploy webstart [regression] Unsigned warning dialog is shown twice for applet with extension launched thru javaws
JDK-8029922 deploy webstart 32-bit only Java Web Start apps fail to run on 32- and 64-bit JRE configs
JDK-8031579 deploy webstart Spurious Missing Manifest Permissions Attribute Warning When Launching versioned Java Web Start app
JDK-8035283 hotspot compiler Second phase of branch shortening doesn't account for loop alignment

Known Issues

Area: Install
Synopsis: Patching of JDK8 SUNWj8* Packages is not Supported on Solaris:

In order to update SunWj8* Solaris pkgs consecutively for JDK 8 family releases, JDK 8u5 must be installed as a base package. For example, SUNWj8* pkgs cannot be patched for JDK 8 to JDK 8u5 updates. Full packages must be downloaded and installed.

The following packages cannot be patched directly from the JDK8 release:

SUNWj8cfg, SUNWj8dev, SUNWj8dmo, SUNWj8jmp, SUNWj8man, SUNWj8rt

Patching support of the above packages will resume in JDK 8u5 and later releases of Java.

JDK 8 Release Notes

The Java Platform, Standard Edition 8 Development Kit (JDK 8) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas.

See the following links to release information about enhancements, changes, bugs, installation, runtime deployment, and documentation. Release Notes files are located on our website only and are not in the documentation download bundle, unless otherwise noted.

JRE Expiration Date

The expiration date for JRE 8 is 05/15/2014. After this date, Java will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.