JDK 8u131 Release Notes
Java SE 8u131 Bundled Patch Release (BPR) - Bug Fixes and Updates
The following sections summarize changes made in all Java SE 8u131 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.
To determine the version of your JDK software, use the following command:
java -version
Changes in Java SE 8u131 b34
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8173654 | core-libs | java.lang | Regression since 8u60: System.getenv doesn't return env var set in JNI code |
| 8075484 | core-libs | java.net | SocketInputStream.socketRead0 can hang even with soTimeout set |
| 8180660 | tools | javac | missing LNT entry for finally block |
| 8164119 | client-libs | java.awt | MoveToOtherScreenTest fails due wrong key attribute |
| 8181192 | client-libs | 2d | [macos] javafx.print.PrinterJob.showPrintDialog() hangs on macOS |
| 8172297 | xml | jax-ws | In java 8, the marshalling with JAX-WS does not escape carriage return |
| 8181057 (Confidential) |
deploy | webstart | [regression] Fix of JDK-8174177 breaks existing scenarios of SingleInstanceService. |
| 8181892 (Confidential) |
core-svc | tools | Fix usagetracker use of getEnvVar |
Changes in Java SE 8u131 b33
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8175251 | security-libs | java.security | Failed to load RSA private key from pkcs12 |
| 8160696 | client-libs | java.awt | IllegalArgumentException: adding a component to a container on a different GraphicsDevice |
| 8168914 | hotspot | gc | Crash in ClassLoaderData/JNIHandleBlock::oops_do during concurrent marking |
| 8174177 (Confidential) |
deploy | webstart | JWS: SAXParseException due to JNLP file not escaped |
Changes in Java SE 8u131 b32
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8145207 | client-libs | javax.accessibility | [macosx] JList, VO can't access non-visible list items |
| 8076554 | client-libs | javax.accessibility | [macosx] Custom Swing text components need to allow standard accessibility |
| 8165829 | client-libs | javax.accessibility | Android Studio 2.x crashes with NPE at sun.lwawt.macosx.CAccessibility.getAccessibleIndexInParent |
| 8076249 | client-libs | javax.accessibility | NPE in AccessBridge while editing JList model |
| 8164002 | hotspot | compiler | Add a new CPU family (S_family) for SPARC S7 and above processors |
| 8167102 | client-libs | 2d | [macosx] PrintRequestAttributeSet breaks page size set using PageFormat |
| 8061258 | client-libs | 2d | [macosx] PrinterJob's native Print Dialog does not reflect specified Copies or Page Ranges |
| 8176490 (Confidential) |
client-libs | java.awt | [macosx] Sometimes NSWindow.isZoomed hangs |
| 8177449 | core-libs | java.time | (tz) Support tzdata2017b |
Changes in Java SE 8u131 b31
Please note that fixes from the prior BPR (8u121 b36) are included in this version.
Bug Fixes
| BugId | Component | Subcomponent | Summary |
|---|---|---|---|
| 8164293 | hotspot | compiler | HotSpot leaking memory in long-running requests |
| 8043913 | hotspot | compiler | remove legacy code in SPARC's VM_Version::platform_features |
| 8049717 | hotspot | runtime | expose L1_data_cache_line_size for diagnostic/sanity checks |
| 8177817 | hotspot | runtime | Remove assertions in 8u that were removed by 8056124 in 9. |
| 8134119 | hotspot | compiler | Use new API to get cache line sizes |
| 8165482 | hotspot | compiler | java in ldoms, with cpu-arch=generic has problems |
| 8165342 | javafx | scenegraph | NPE when JavaFX loads default stylesheet or font families if CCL is null |
Java™ SE Development Kit 8, Update 131 (JDK 8u131)
April 18, 2017
The full version string for this update release is 1.8.0_131-b11 (where "b" means "build"). The version number is 8u131.
IANA Data 2017a
JDK 8u131 contains IANA time zone data version 2017a. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u131 are specified in the following table:
| JRE Family Version | JRE Security Baseline (Full Version String) |
|---|---|
| 8 | 1.8.0_131-b11 |
| 7 | 1.7.0_141-b11 |
| 6 | 1.6.0_151-b10 |
JRE Expiration Date
The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u131) will expire with the release of the next critical patch update scheduled for July 18, 2017.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u131) on August 18, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
Changes
security-libs/java.security
MD5 added to jdk.jar.disabledAlgorithms Security property
This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:
- Applets or Web Start Applications
- Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.
The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.
To check if a weak algorithm or key was used to sign a JAR file, one can use the jarsigner binary that ships with this JDK. Running "jarsigner -verify" on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.
For example, to check a JAR file named test.jar, use the following command:
jarsigner -verify test.jar
If the file in this example was signed with a weak signature algorithm like MD5withRSA, the following output would be displayed:
The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled. Re-run jarsigner with the -verbose option for more details.
More details can be displayed by using the verbose option:
jarsigner -verify -verbose test.jar
The following output would be displayed:
- Signed by "CN=weak_signer"
Digest algorithm: MD5 (weak)
Signature algorithm: MD5withRSA (weak), 512-bit key (weak)
Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
To address the issue, the JAR file will need to be re-signed with a stronger algorithm or key size. Alternatively, the restrictions can be reverted by removing the applicable weak algorithms or key sizes from the jdk.jar.disabledAlgorithms security property; however, this option is not recommended. Before re-signing affected JARs, the existing signature(s) should be removed from the JAR file. This can be done with the .zip utility, as follows:
zip -d test.jar 'META-INF/.SF' 'META-INF/.RSA' 'META-INF/*.DSA'
Please periodically check the Oracle JRE and JDK Cryptographic Roadmap at http://java.com/cryptoroadmap for planned restrictions to signed JARs and other security components.
JDK-8171121 (not public)
core-libs/java.net
New system property to control caching for HTTP SPNEGO connection.
A new JDK implementation specific system property to control caching for HTTP SPNEGO (Negotiate/Kerberos) connections is introduced. Caching for HTTP SPNEGO connections remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.
When connecting to an HTTP server that uses SPNEGO to negotiate authentication, and when connection and authentication with the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP server using SPNEGO usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP SPNEGO (Negotiate/Kerberos) protocol in order to force requesting new authentication with each new request to the server.
With this change, we now provide a new system property that allows control of the caching policy for HTTP SPNEGO connections. If jdk.spnego.cache is defined and evaluates to false, then all caching will be disabled for HTTP SPNEGO connections. Setting this system property to false may, however, result in undesirable side effects:
- Performance of HTTP SPNEGO connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
- Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.
JDK-8170814 (not public)
core-libs/java.net
New system property to control caching for HTTP NTLM connection.
A new JDK implementation specific system property to control caching for HTTP NTLM connection is introduced. Caching for HTTP NTLM connection remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.
On some platforms, the HTTP NTLM implementation in the JDK can support transparent authentication, where the system user credentials are used at system level. When transparent authentication is not available or unsuccessful, the JDK only supports getting credentials from a global authenticator. If connection to the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP NTLM server usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP NTLM protocol in order to force requesting new authentication with each new requests to the server.
With this change, we now provide a new system property that allows control of the caching policy for HTTP NTLM connections. If jdk.ntlm.cache is defined and evaluates to false, then all caching will be disabled for HTTP NTLM connections. Setting this system property to false may, however, result in undesirable side effects:
- Performance of HTTP NTLM connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
- Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.
JDK-8163520 (not public)
tools/visualvm
New version of VisualVM
VisualVM 1.3.9 was released on October 4th, 2016 http://visualvm.github.io/relnotes.html and has been integrated into 8u131.
See JDK-8167485
Bug Fixes
The following are some of the notable bug fixes included in this release:
client-libs/java.awt
Introduced a new window ordering model
On the OS X platform, the AWT framework used native services to implement parent-child relationship for windows. That caused some negative visual effects especially in multi-monitor environments. To get rid of the disadvantages of such an approach, the new window ordering model, which is fully implemented at the JDK layer, was introduced. Its main principles are listed below:
- A window should be placed above its nearest parent window.
- If a window has several child windows, all child windows should be located at the same layer and the window from the active window chain should be ordered above its siblings.
- Ordering should not be performed for a window that is in an iconified state or when the transition to an iconified state is in progress.
These rules are applied to every frame or dialog from the window hierarchy that contains the currently focused window.
See JDK-8169589
security-libs/javax.net.ssl
Correction of IllegalArgumentException from TLS handshake
A recent issue from the JDK-8173783 fix can cause issue for some TLS servers. The problem originates from an IllegalArgumentException thrown by the TLS handshaker code:
java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves
The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified.
See JDK-8173783
Bug Fix list
This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory.
| # | BugId | Component | Subcomponent | Summary |
|---|---|---|---|---|
| 1 | JDK-7155957 | client‑libs | java.awt | closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.java hangs on win 64 bit with jdk8 |
| 2 | JDK-8035568 | client‑libs | java.awt | [macosx] Cursor management unification |
| 3 | JDK-8079595 | client‑libs | java.awt | Resizing dialog which is JWindow parent makes JVM crash |
| 4 | JDK-8169589 | client‑libs | java.awt | [macosx] Activating a JDialog puts to back another dialog |
| 5 | JDK-8147842 | client‑libs | javax.swing | IME Composition Window is displayed at incorrect location |
| 6 | JDK-7167293 | core‑libs | java.net | FtpURLConnection connection leak on FileNotFoundException |
| 7 | JDK-8169465 | core‑libs | javax.naming | Deadlock in com.sun.jndi.ldap.pool.Connections |
| 8 | JDK-8133045 | deploy | deployment_toolkit | java.lang.SecurityException: Failed to extract baseline.versions error |
| 9 | JDK-8028538 | deploy | webstart | Fedora Linux issue with jnlp‑servlet.jar demo source code license |
| 10 | JDK-8170646 | deploy | webstart | JNLP fails to get loaded with old javaws when multiple jres (jre9 and jre8u111) installed |
| 11 | JDK-8075196 | docs | guides | CosNaming's implementation doesn't comply with the specification |
| 12 | JDK-8161147 | hotspot | compiler | jvm crashes when ‑XX:+UseCountedLoopSafepoints is enabled |
| 13 | JDK-8161993 | hotspot | gc | G1 crashes if active_processor_count changes during startup |
| 14 | JDK-8147910 | hotspot | runtime | Cache initial active_processor_count |
| 15 | JDK-8150490 | hotspot | runtime | Update OS detection code to recognize Windows Server 2016 |
| 16 | JDK-8170888 | hotspot | runtime | [linux] Experimental support for cgroup memory limits in container (ie Docker) environments |
| 17 | JDK-8166208 | hotspot | svc | FlightRecorderOptions settings for defaultrecording ignored. |
| 18 | JDK-8161945 | install | install | REGRESSION: 8u91 update of 32 bit JRE removes preferences of the 64 bit JRE |
| 19 | JDK-8172932 | install | install | JRE installation fails with 1603 on Windows 10 with enabled Deviceguard |
| 20 | JDK-8089915 | javafx | web | Input of type file doesn't honor "accept" attribute. |
| 21 | JDK-8090216 | javafx | web | HTMLEditor: font bold doesn't work when an indent is set |
| 22 | JDK-8144263 | javafx | web | [WebView, OS X] Webkit rendering artifacts with inertia scrolling |
| 23 | JDK-8150982 | javafx | web | Crash when calling WebEngine.print on background thread |
| 24 | JDK-8164314 | javafx | web | [WebView] Debug build is no longer working after JDK‑8089681 |
| 25 | JDK-8165098 | javafx | web | WebEngine.print will attempt to print even if the printer job is complete or has an error |
| 26 | JDK-8165173 | javafx | web | canvas/philip/tests/2d.path.clip.empty.html fails with 8u112 |
| 27 | JDK-8165508 | javafx | web | Incorrect Bug ID in comment for JDK-8164076 |
| 28 | JDK-8166231 | javafx | web | use @Native annotation in web classes |
| 29 | JDK-8166677 | javafx | web | HTMLEditor freezes after restoring previously maximized window |
| 30 | JDK-8166775 | javafx | web | Audio slider works incorrectly for short files |
| 31 | JDK-8166999 | javafx | web | Update to newer version of WebKit |
| 32 | JDK-8167098 | javafx | web | Backport of JDK‑8158926 to JDK 8u mistakenly used preliminary patch |
| 33 | JDK-8167100 | javafx | web | Minor source diffs introduced in backports of JDK-8160837 and JDK-8163582 |
| 34 | JDK-8167675 | javafx | web | Animated gifs are not working |
| 35 | JDK-8169204 | javafx | web | Need to document JSObject Call and setSlot APIs to use weak references |
| 36 | JDK-8170585 | javafx | web | Fix PlatformContextJava type leaking to GraphicsContext |
| 37 | JDK-8170938 | javafx | web | Memory leak in JavaFX WebView |
| 38 | JDK-8173783 | security‑libs | javax.net.ssl | IllegalArgumentException: jdk.tls.namedGroups |
| 39 | JDK-6474807 | security‑libs | javax.smartcardio | (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException |
| 40 | JDK-8168774 | tools | javac | Polymorhic signature method check crashes javac |
| 41 | JDK-8167485 | tools | visualvm | Integrate new version of Java VisualVM based on VisualVM 1.3.9 into JDK |
| 42 | JDK-8167179 | xml | jaxp | Make XSL generated namespace prefixes local to transformation process |