JDK 8u411 Release Notes

Java SE 8u411 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u411 BPRs. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u411 b32

Bug Fixes

Release date: June 10, 2024

Fixes from the prior BPR are included in this version.


Java™ SE Development Kit 8, Update 411 (JDK 8u411)

Release date: April 16, 2024

The full version string for this update release is 8u411-b09 (where "b" means "build"). The version number is 8u411.

 

IANA TZ Data 2024a

JDK 8u411 contains IANA time zone data 2024a which contains the following changes:

  • Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
  • Vostok, Antarctica changed time zones on 2023-12-18.
  • Casey, Antarctica changed time zones five times since 2020.
  • Code and data fixes for Palestine timestamps starting in 2072.
  • A new data file zonenow.tab for timestamps starting now.
  • Kazakhstan unifies on UTC+5 beginning 2024-03-01.
  • Palestine springs forward a week later after Ramadan.
  • zic no longer pretends to support indefinite-past DST.
  • localtime no longer mishandles Ciudad Juárez in 2422.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u411 are specified in the following table:

Java Family Version    Security Baseline (Full Version String)
8                      8u411-b09

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u411) be used after the next critical patch update scheduled for July 16, 2024.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service users can log in to their dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u411) on 2024-08-16. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

New Features

security-libs/javax.crypto
 Update XML Security for Java to 3.0.3 (JDK-8319124)

The XML Signature implementation has been updated to Santuario 3.0.3. Support for four new SHA-3 based RSA-MGF1 signature methods has been added: SHA3_224_RSA_MGF1, SHA3_256_RSA_MGF1, SHA3_384_RSA_MGF1, and SHA3_512_RSA_MGF1. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. SHA-3 hash algorithm support was delivered to JDK 9 via JEP 287. Releases earlier than that may use third party security providers.

Additionally, support for the following EdDSA signatures has been added: ED25519 and ED448. While these new algorithm URIs are not defined in javax.xml.crypto.dsig.SignatureMethod in the JDK update releases, they may be represented as string literals in order to be functionally equivalent. The JDK supports EdDSA since JDK 15. Releases earlier than that may use third party security providers.

One other difference is that the JDK still supports the here() function by default. However, we recommend avoiding the use of the here() function in new signatures and replacing existing signatures that use the here() function. Future versions of the JDK will likely disable, and eventually remove, support for this function, as it cannot be supported using the standard Java XPath API. Users can now disable the here() function by setting the security property jdk.xml.dsig.hereFunctionSupported to "false".
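The following is an added example, not code from these release notes or from Oracle: it turns off here() support and checks which of the new algorithm URIs the running XML Signature implementation recognizes. The URI strings are the RFC 9231 identifiers written as literals; the class name is hypothetical, and setting the property at the top of main (rather than in the java.security file) assumes it is read after that point.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.xml.crypto.dsig.SignatureMethod;
import javax.xml.crypto.dsig.XMLSignatureFactory;

public class DsigAlgorithmProbe {
    // String literals stand in for the SignatureMethod constants that JDK 8 lacks.
    static final String[] NEW_URIS = {
        "http://www.w3.org/2007/05/xmldsig-more#sha3-224-rsa-MGF1",
        "http://www.w3.org/2007/05/xmldsig-more#sha3-256-rsa-MGF1",
        "http://www.w3.org/2007/05/xmldsig-more#sha3-384-rsa-MGF1",
        "http://www.w3.org/2007/05/xmldsig-more#sha3-512-rsa-MGF1",
        "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed25519",
        "http://www.w3.org/2021/04/xmldsig-more#eddsa-ed448",
    };

    // True when the XML Signature factory accepts the URI. This says nothing about
    // whether a provider for the underlying SHA-3 or EdDSA primitive is installed.
    static boolean recognized(XMLSignatureFactory fac, String uri) throws Exception {
        try {
            SignatureMethod sm = fac.newSignatureMethod(uri, null);
            return uri.equals(sm.getAlgorithm());
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Set before any XML Signature class is used (assumption: read after this point).
        Security.setProperty("jdk.xml.dsig.hereFunctionSupported", "false");
        System.out.println("hereFunctionSupported = "
                + Security.getProperty("jdk.xml.dsig.hereFunctionSupported"));

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        for (String uri : NEW_URIS) {
            System.out.println((recognized(fac, uri) ? "recognized    " : "not recognized ") + uri);
        }
    }
}
```

A URI reported as recognized can still fail at signing or validation time on JDK 8 if no installed provider supplies the SHA-3 or EdDSA algorithm.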

 

Other Notes

client-libs/java.awt
 AWT SystemTray API Is Not Supported on Most Linux Desktops (JDK-8322750)

The java.awt.SystemTray API is used for notifications in a desktop taskbar and may include an icon representing an application. On Linux, the Gnome desktop's own icon support in the taskbar has not worked properly for several years due to a platform bug. This, in turn, has affected the JDK's API, which relies upon that.

Therefore, in accordance with the existing Java SE specification, java.awt.SystemTray.isSupported() will return false wherever the JDK determines the platform bug is likely to be present.

The impact of this is likely to be limited since applications always must check for that support anyway. Additionally, some distros have not supported the SystemTray for several years unless the end-user chooses to install non-bundled desktop extensions.

security-libs/java.security
 Added Certainly R1 and E1 Root Certificates (JDK-8321408)

The following root certificates have been added to the cacerts truststore:

+ Certainly
  + certainlyrootr1
    DN: CN=Certainly Root R1, O=Certainly, C=US

+ Certainly
  + certainlyroote1
    DN: CN=Certainly Root E1, O=Certainly, C=US

security-libs/javax.xml.crypto
 Enable XML Signature Secure Validation Mode by Default (JDK-8259801)

The XML Signature secure validation mode has been enabled by default (previously it was not enabled by default unless running with a security manager). When enabled, validation of XML signatures is subject to stricter checking of algorithms and other constraints as specified by the jdk.xml.dsig.secureValidationPolicy security property.

If necessary, and at their own risk, applications can disable the mode by setting the org.jcp.xml.dsig.secureValidation property to Boolean.FALSE with the DOMValidateContext.setProperty() API.
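The following is an added example, not code from these release notes or from Oracle: it signs a constructed document and validates it under the runtime default, with the property set explicitly to Boolean.TRUE, and with it set to Boolean.FALSE. The class and method names are hypothetical, and the 512-bit key is a deliberately undersized test key; whether it is rejected depends on the minimum RSA key size in the runtime's jdk.xml.dsig.secureValidationPolicy.

```java
import java.security.*;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SecureValidationDemo {
    // String literal: JDK 8 has no SignatureMethod constant for RSA-SHA256.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    static final String SECURE = "org.jcp.xml.dsig.secureValidation";

    // Signs a constructed document with a fresh RSA key, then validates it.
    // secure == null leaves the runtime default in place.
    static String roundTrip(int rsaBits, Boolean secure) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(rsaBits);
        KeyPair kp = kpg.generateKeyPair();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        doc.appendChild(doc.createElementNS(null, "order")).setTextContent("constructed sample");

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Transform env = fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(env), null, null);
        CanonicalizationMethod c14n = fac.newCanonicalizationMethod(
                CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null);
        SignedInfo si = fac.newSignedInfo(c14n, fac.newSignatureMethod(RSA_SHA256, null),
                Collections.singletonList(ref));
        DOMSignContext signCtx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        fac.newXMLSignature(si, null).sign(signCtx);

        Node sig = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), sig);
        if (secure != null) ctx.setProperty(SECURE, secure);
        try {
            return fac.unmarshalXMLSignature(ctx).validate(ctx) ? "valid" : "invalid";
        } catch (XMLSignatureException e) {
            return "rejected: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("policy: " + Security.getProperty("jdk.xml.dsig.secureValidationPolicy"));
        System.out.println("2048-bit, runtime default: " + roundTrip(2048, null));
        System.out.println("512-bit,  secure=TRUE:     " + roundTrip(512, Boolean.TRUE));
        System.out.println("512-bit,  secure=FALSE:    " + roundTrip(512, Boolean.FALSE));
    }
}
```

Setting the property to Boolean.TRUE in validation code keeps the stricter checks in force on runtimes older than this release, where the mode was not the default.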

 

Updates to Third Party Libraries

Library                New Version  Module                 JBS
Libxslt                1.1.39       javafx                 JDK-8318388
WebKit                 617.1        javafx                 JDK-8318614
Glib                   2.78.1       javafx                 JDK-8318386
GStreamer              1.22.6       javafx                 JDK-8318387
libpng                 1.6.40       java.desktop           JDK-8316030
Joni                   2.2.1        jdk.scripting.nashorn  JDK-8322094
Xalan Java             2.7.3        java.xml               JDK-8305814
XML Security for Java  3.0.3        java.xml.crypto        JDK-8319124

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u411 release:

#   BugId        Component                          Summary
1   JDK-8318951  client-libs/2d                     Additional negative value check in JPEG decoding
2   JDK-8152924  core-libs/java.util.concurrent     Improve scalability of CompletableFuture with large number of dependents
3   JDK-8186464  core-libs/java.util.jar            ZipFile cannot read some InfoZip ZIP64 zip files
4   JDK-8321480  core-libs/java.util:i18n           ISO 4217 Amendment 176 Update
5   JDK-8260556  docs/guides                        Update Security Guide for Enable XML Signature secure validation mode by default
6   JDK-8244207  hotspot/compiler                   Simplify usage of Compile::print_method() when debugging with gdb and enable its use with rr
7   JDK-8144856  hotspot/compiler                   fix assert in CompiledStaticCall::set_to_interpreted
8   JDK-8236772  hotspot/compiler                   Fix build for windows 32-bit after 8212160 and 8234331.
9   JDK-8231430  hotspot/compiler                   C2: Memory stomp in max_array_length() for T_ILLEGAL type
10  JDK-8318889  hotspot/compiler                   C2: add bailout after assert Bad graph detected in build_loop_late
11  JDK-8317507  hotspot/compiler                   C2 compilation fails with "Exceeded _node_regs array"
12  JDK-8147611  hotspot/gc                         G1 - Missing memory barrier in start_cset_region_for_worker
13  JDK-8061467  hotspot/gc                         Bad page size passed to setup_large_pages() on Solaris
14  JDK-8212160  hotspot/jvmti                      JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value"
15  JDK-8227277  hotspot/jvmti                      HeapInspection::find_instances_at_safepoint walks dead objects
16  JDK-8236124  hotspot/jvmti                      Minimal VM slowdebug build failed after JDK-8212160
17  JDK-8322321  hotspot/runtime                    Add man page doc for -XX:+VerifySharedSpaces
18  JDK-8059586  hotspot/runtime                    hs_err report should treat redirected core pattern.
19  JDK-8323243  hotspot/runtime                    JNI invocation of an abstract instance method corrupts the stack
20  JDK-8067447  hotspot/svc                        Factor out the shared implementation of the VM flags manipulation code
21  JDK-8284544  javafx/accessibility               [Win] Name-Property of Spinner cannot be changed
22  JDK-8319079  javafx/graphics                    Missing range checks in decora
23  JDK-8320267  javafx/web                         WebView crashes on macOS 11 with WebKit 616.1
24  JDK-8320260  javafx/web                         WebView: Update Public Suffix List to b5bf572
25  JDK-8323879  javafx/web                         constructor Path(Path) which takes another Path object fail to draw on canvas html
26  JDK-8324337  javafx/web                         Cherry-pick WebKit 617.1 stabilization fixes
27  JDK-8322703  javafx/web                         Intermittent crash in WebView in a JFXPanel from IME calls on macOS
28  JDK-8325258  javafx/web                         Additional WebKit 617.1 fixes from WebKitGTK 2.42.5
29  JDK-8323880  javafx/web                         Caret rendered at wrong position in case of a click event on RTL text
30  JDK-8326989  javafx/web                         Text selection issues on WebView after WebKit 617.1
31  JDK-8221261  javafx/window-toolkit              Deadlock on macOS in JFXPanel app when handling IME calls
32  JDK-8319669  javafx/window-toolkit              [macos14] Running any JavaFX app prints Secure coding warning
33  JDK-8319727  other-libs/corba:idl               Harden BufferManagerReadStream underflow logic
34  JDK-8307185  security-libs/javax.crypto:pkcs11  pkcs11 native libraries make JNI calls into java code while holding GC lock
35  JDK-8255867  security-libs/javax.net.ssl        SignatureScheme JSSE property does not preserve ordering in handshake messages
36  JDK-8308245  tools/javac                        Add -proc:full to describe current default annotation processing policy
37  JDK-8317815  xml/jaxp                           Xerces-J - Version.java did not get updated in JDK-8282280