8u121 Update Release Notes
Java SE 8u121 Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 8u121 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Changes in Java SE 8u121 b36
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8058316 | client-libs | 2d | lookupDefaultPrintService returns null on Solaris 11 when default printer is set using lpoptions command |
| 8176044 | core-libs | java.time | (tz) Support tzdata2017a |
| 8165978 (Confidential) |
core-libs | java.net | SocketTest.java fails with NullPointerException |
| 8145826 (Confidential) |
core-svc | javax.management | closed/jdk/management/resource tests fail after JDK-8056152 |
Changes in Java SE 8u121 b35
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8162795 | hotspot | jvmti | [REDO] MemberNameTable doesn't purge stale entries |
| 8171808 | client-libs | javax.accessibility | Performance problems in dialogs with large tables when JAB activated |
| 8170950 | client-libs | 2d | Text is displayed in bold when fonts are installed into symlinked folder |
| 8163979 | client-libs | java.awt | [macosx] Chinese text shows as Latin w/ openVanilla input method |
| 8163889 (Confidential) |
client-libs | java.awt | [macosx] Can't print from browser on Mac OS X |
| 8171388 (Confidential) |
core-libs | javax.naming | Update JNDI Thread contexts |
A regression has been identified with this build which impacts resource manager functionality only. This regression is only encountered if the commercial resource manager feature is turned on via: "-XX:+UnlockCommercialFeatures -XX:+ResourceManagement". JDK-8145826 (not public)
Changes in Java SE 8u121 b34
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8173783 | security-libs | javax.net.ssl | IllegalArgumentException: jdk.tls.namedGroups |
| 8173145 | client-libs | javax.swing | Menu is activated after using mnemonic Alt/Key combination |
| 8038348 | hotspot | compiler | Instance field load is replaced by wrong data Phi |
| 8170888 | hotspot | runtime | [linux] Experimental support for cgroup memory limits in container (ie Docker) environments |
| 6515172 | hotspot | runtime | Runtime.availableProcessors() ignores Linux taskset command |
| 8147910 | hotspot | runtime | Cache initial active_processor_count |
| 8165153 | hotspot | runtime | Crash in rebuild_cpu_to_node_map |
| 8161993 | hotspot | gc | G1 crashes if active_processor_count changes during startup |
| 8170307 (Confidential) |
hotspot | runtime | Stack size option -Xss is ignored |
| 8157184 (Confidential) |
hotspot | compiler | java/lang/invoke/LFCaching/LFMultiThreadCachingTest.java failed with a fatal error |
| 8166158 (Confidential) |
deploy | webstart | correct version of jar is not asked in some cases when jar is originally downloaded using loadResource |
Changes in Java SE 8u121 b33
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8169465 | core-libs | javax.naming | Deadlock in com.sun.jndi.ldap.pool.Connections |
| 8152981 | client-libs | javax.swing | Double icons with JMenuItem setHorizontalTextPosition on Win 10 |
| 8075516 | client-libs | java.awt | Deleting a file from either the open or save java.awt.FileDialog hangs. |
| 7172652 | client-libs | javax.swing | With JDK 1.7 text field does not obtain focus when using mnemonic Alt/Key combin |
| 8159058 | xml | jax-ws | SAXParseException when sending soap message |
| 8141054 | deploy | webstart | WebStart does not clean up jnlp file after closing |
| 8169541 (Confidential) |
deploy | deployment_toolkit | security pop-up triggers each time when launching application |
| 8170668 (Confidential) |
deploy | webstart | java.lang.UnsupportedOperationException in javaws applications |
| 8168070 (Confidential) |
deploy | webstart | Extra window appears due to Preloader failed to handle AppletInitEvent |
Changes in Java SE 8u121 b31
Please note that fixes from the prior BPR (8u112 b32) are included in this version.
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8167179 | xml | jaxp | Make XSL generated namespace prefixes local to transformation process |
| 8166208 | hotspot | svc | FlightRecorderOptions settings for defaultrecording ignored. |
| 8155211 | security-libs | java.security | Ucrypto Library leaks native memory |
| 8035568 | client-libs | java.awt | [macosx] Cursor management unification |
| 8169589 | client-libs | java.awt | [macosx] Activating a JDialog puts to back another dialog |
| 8163195 (Confidential) |
deploy | webstart | Release DeploymentRuleSet.jar as soon as app is launched |
| 8160275 (Confidential) |
deploy | deployment_toolkit | 7u95 java does not start after the java splash screen in jws application |
| 8161609 (Confidential) |
deploy | plugin | Deploy starts applets even if mandatory config hasn't been found |
| 8164476 (Confidential) |
deploy | deployment_toolkit | JWS: JNLP file not removed when using SingleInstanceService |
| 8171949 (Confidential) |
client-libs | java.awt | [macosx] AWT_ZoomFrame Automated tests fail with error: The bitwise mask Frame.ICONIFIED is not setwhen the frame is in ICONIFIED state |
| 8171952 (Confidential) |
client-libs | java.awt | [macosx] ModelessDialog test fails as DummyButton on Dialog did not gain focus when clicked. |
The fix made under JDK-8164476 does not take any effect without changes for JDK-8141054. JDK-8141054 will be included in the next JDK8u121 BPR build
Java™ SE Development Kit 8, Update 121 (JDK 8u121)
January 17, 2017
The full version string for this update release is 1.8.0_121-b13 (where "b" means "build"). The version number is 8u121.
IANA Data 2016i
JDK 8u121 contains IANA time zone data version 2016i. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u121 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 8 | 1.8.0_121-b13 |
| 7 | 1.7.0_131-b12 |
| 6 | 1.6.0_141-b12 |
JRE Expiration Date
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u121) will expire with the release of the next critical patch update scheduled for April 18, 2017.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u121) on May 18, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
Notes
core-libs/javax.naming
Improved protection for JNDI remote class loading
Remote class loading via JNDI object factories stored in naming and directory services is disabled by default. To enable remote class loading by the RMI Registry or COS Naming service provider, set the following system property to the string "true", as appropriate:
com.sun.jndi.rmi.object.trustURLCodebase
com.sun.jndi.cosnaming.object.trustURLCodebase
JDK-8158997 (not public)
security-libs/java.security
jarsigner -verbose -verify should print the algorithms used to sign the jar
The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak.
Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property, jdk.jar.disabledAlgorithms, it will be labeled with "(weak)".
For example:
- Signed by "CN=weak_signer"
Digest algorithm: MD2 (weak)
Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
See JDK-8163304
New Features
security-libs/javax.xml.crypto
Added security property to configure XML Signature secure validation mode
A new security property named jdk.xml.dsig.secureValidationPolicy has been added that allows you to configure the individual restrictions that are enforced when the secure validation mode of XML Signature is enabled. The default value for this property in the java.security configuration file is:
jdk.xml.dsig.secureValidationPolicy=\
disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,\
disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\
noDuplicateIds,\
noRetrievalMethodLoops
Please refer to the definition of the property in the java.security file for more information.
See JDK-8151893
core-libs/java.io:serialization
Serialization Filter Configuration
Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in JEP 290 Serialization Filtering and in <JRE>/lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled.
See JDK-8155760
core-libs/java.rmi
RMI Better constraint checking
RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290 Serialization Filtering to improve service robustness.
RMI Registry and DGC implement built-in white-list filters for the typical classes expected to be used with each service.
Additional filter patterns can be configured using either a system property or a security property. The "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property pattern syntax is described in JEP 290 and in <JRE>/lib/security/java.security.
JDK-8156802 (not public)
security-libs
Add mechanism to allow non-default root CAs to not be subject to algorithm restrictions
*New certpath constraint: jdkCA*
In the java.security file, an additional constraint named "jdkCA" is added to the jdk.certpath.disabledAlgorithms property. This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in the lib/security/cacerts keystore. If the jdkCA constraint is not set, then all chains using the specified algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm expression.
Example: To apply this constraint to SHA-1 certificates, include the following: SHA1 jdkCA
See JDK-8140422
Changes
security-libs/javax.net.ssl
Make 3DES as a legacy algorithm in the JSSE provider
For SSL/TLS/DTLS protocols, the security strength of 3DES cipher suites is not sufficient for persistent connections. By adding 3DES_EDE_CBC to the jdk.tls.legacyAlgorithms security property by default in JDK, 3DES cipher suites will not be negotiated unless there are no other candidates during the establishing of SSL/TLS/DTLS connections.
At their own risk, applications can update this restriction in the security property (jdk.tls.legacyAlgorithms) if 3DES cipher suites are really preferred.
JDK-8165071 (not public)
security-libs/javax.net.ssl
Improve the default strength of EC in JDK
To improve the default strength of EC cryptography, EC keys less than 224 bits have been deactivated in certification path processing (via the jdk.certpath.disabledAlgorithms Security Property) and SSL/TLS connections (via the jdk.tls.disabledAlgorithms Security Property) in JDK. Applications can update this restriction in the Security Properties and permit smaller key sizes if really needed (for example, "EC keySize < 192"). EC curves less than 256 bits are removed from the SSL/TLS implementation in JDK. The new System Property, jdk.tls.namedGroups, defines a list of enabled named curves for EC cipher suites in order of preference. If an application needs to customize the default enabled EC curves or the curves preference, please update the System Property accordingly. For example:
jdk.tls.namedGroups="secp256r1, secp384r1, secp521r1"Note that the default enabled or customized EC curves follow the algorithm constraints. For example, the customized EC curves cannot re-activate the disabled EC keys defined by the Java Security Properties.
See JDK-8148516
tools/javadoc(tool)
New --allow-script-in-comments option for javadoc
The javadoc tool will now reject any occurrences of JavaScript code in the javadoc documentation comments and command-line options, unless the command-line option, --allow-script-in-comments is specified.
With the --allow-script-in-comments option, the javadoc tool will preserve JavaScript code in documentation comments and command-line options. An error will be given by the javadoc tool if JavaScript code is found and the command-line option is not set.
JDK-8138725 (not public)
security-libs/javax.xml.crypto
Increase the minimum key length to 1024 for XML Signatures
The secure validation mode of the XML Signature implementation has been enhanced to restrict RSA and DSA keys less than 1024 bits by default as they are no longer secure enough for digital signatures. Additionally, a new security property named jdk.xml.dsig.SecureValidationPolicy has been added to the java.security file and can be used to control the different restrictions enforced when the secure validation mode is enabled.
The secure validation mode is enabled either by setting the xml signature property org.jcp.xml.dsig.secureValidation to true with the javax.xml.crypto.XMLCryptoContext.setProperty method, or by running the code with a SecurityManager.
If an XML Signature is generated or validated with a weak RSA or DSA key, an XMLSignatureException will be thrown with the message, "RSA keys less than 1024 bits are forbidden when secure validation is enabled" or "DSA keys less than 1024 bits are forbidden when secure validation is enabled."
JDK-8140353 (not public)
docs/release_notes
Restrict certificates with DSA keys less than 1024 bits.
DSA keys less than 1024 bits are not strong enough and should be restricted in certification path building and validation. Accordingly, DSA keys less than 1024 bits have been deactivated by default by adding "DSA keySize < 1024" to the jdk.certpath.disabledAlgorithms security property. Applications can update this restriction in the security property (jdk.certpath.disabledAlgorithms) and permit smaller key sizes if really needed (for example, "DSA keySize < 768").
JDK-8139565 (not public)
security-libs
More checks added to DER encoding parsing code
More checks are added to the DER encoding parsing code to catch various encoding errors. In addition, signatures which contain constructed indefinite length encoding will now lead to IOException during parsing. Note that signatures generated using JDK default providers are not affected by this change.
JDK-8168714 (not public)
core-libs/java.net
Additional access restrictions for URLClassLoader.newInstance
Class loaders created by the java.net.URLClassLoader.newInstance methods can be used to load classes from a list of given URLs. If the calling code does not have access to one or more of the URLs and the URL artifacts that can be accessed do not contain the required class, then a ClassNotFoundException, or similar, will be thrown. Previously, a SecurityException would have been thrown when access to a URL was denied. If required to revert to the old behavior, this change can be disabled by setting the jdk.net.URLClassPath.disableRestrictedPermissions system property.
JDK-8151934 (not public)
Bug Fixes
The following are some of the notable bug fixes included in this release:
client-libs/javax.swing
Trackpad scrolling of text on OS X 10.12 Sierra is very fast
The MouseWheelEvent.getWheelRotation() method returned rounded native NSEvent deltaX/Y events on Mac OS X. The latest macOS Sierra 10.12 produces very small NSEvent deltaX/Y values so rounding and summing them leads to the huge value returned from the MouseWheelEvent.getWheelRotation(). The JDK-8166591 fix accumulates NSEvent deltaX/Y and the MouseWheelEvent.getWheelRotation() method returns non-zero values only when the accumulated value exceeds a threshold and zero value. This is compliant with the MouseWheelEvent.getWheelRotation() specification (https://docs.oracle.com/javase/8/docs/api/java/awt/event/MouseWheelEvent.html#getWheelRotation):
"Returns the number of "clicks" the mouse wheel was rotated, as an integer. A partial rotation may occur if the mouse supports a high-resolution wheel. In this case, the method returns zero until a full "click" has been accumulated."
For the precise wheel rotation values, use the MouseWheelEvent.getPreciseWheelRotation() method instead.
See JDK-8166591
Bug Fix List
This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.
| # | BugId | Component | Subcomponent | Summary |
|---|---|---|---|---|
| 1 | JDK-8037099 | client-libs | java.awt | [macosx] Remove all references to GC from native OBJ-C code |
| 2 | JDK-8166591 | client-libs | javax.swing | [macos 10.12] Trackpad scrolling of text on macOS 10.12 Sierra is very fast (Trackpad, Retina only) |
| 3 | JDK-8152438 | hotspot | gc | Threads may do significant work out of the non‑shared overflow buffer |
| 4 | JDK-8163171 | install | install | Java installer leaves cached files on host after update |
| 5 | JDK-8164908 | other‑libs | corba | ReflectionFactory support for IIOP and custom serialization |
| 6 | JDK-8161571 | security-libs | java.security | Verifying ECDSA signatures permits trailing bytes |
| 7 | JDK-8163304 | security-libs | java.security | jarsigner -verbose -verify should print the algorithms used to sign the jar |
| 8 | JDK-8167591 | security-libs | java.security | Add MD5 to signed JAR restrictions |
| 9 | JDK-8167459 | security-libs | javax.net.ssl | Add debug output for indicating if a chosen ciphersuite was legacy |
| 10 | JDK-8167472 | security-libs | javax.net.ssl | Chrome interop regression with JDK‑8148516 |
| 11 | JDK-8170131 | security-libs | javax.net.ssl | Certificates not being blocked by jdk.tls.disabledAlgorithms property |
| 12 | JDK-8151893 | security-libs | javax.xml.crypto | Add security property to configure XML Signature secure validation mode |
Known Issues
security-libs/javax.net.ssl
IllegalArgumentException from TLS handshake
A recent issue from the JDK-8148516 fix can cause issue for some TLS servers. The problem originates from an *IllegalArgumentException* thrown by the TLS handshaker code:
java.lang.IllegalArgumentException: System property
jdk.tls.namedGroups(null) contains no supported elliptic curves
The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified.
See JDK-8173783
deploy/packager
javapackager and fx:deploy bundle the whole JDK instead of JRE
There is a known bug in the Java Packager for Mac where the entire JDK may be bundled with the application bundle resulting in an unusually large bundle. The work around is to use the bundler option -Bruntime option. For example: -Bruntime=JavaAppletPlugin.plugin sets where the JavaAppletPlugin.plugin for the desired JRE to bundle is located in the current directory.
See JDK-8166835
install/install
Java Installation will fail for non-admin users with UAC off
The Java installation on Windows will fail without warning or prompting, for non-admin users with User Access Control (UAC) disabled. The installer will leave a directory, jds<number>.tmp, in the %TEMP% directory.
JDK-8161460 (not public)