Re: Certificate check on Apache reverse proxy with upstream SSL


If you could, I sure would appreciate getting rid of these certs CA .. it appears why I am here; he continues to be a large problem with breaking several good productive working computers as well as having fun redirecting me and not allowing me anything but under his control .. this is why I am here .. thank you .. here was a first attempt from a fellow member to help out .. I just didn't get it ..

On Wed, Dec 2, 2015 at 4:29 PM, Christian Georg <mail@xxxxxxxxxxxxxxxxx> wrote:

Hi all,

 

I wanted to implement certificate pinning on an upstream SSL connection of a reverse proxy but I am struggling with the setup.

Please let me know where I am going wrong or if the expected setup should work.

 

My setup is as follows:

Multiple local applications ---HTTP via localhost --->  Apache httpd 2.2 as reverse proxy ------------------------- HTTPS via the internet ---------------> API Provider

 

I have a bunch of applications which all consume an API provided by a third party. The connection to the third party is accessible via HTTPS and mutual SSL.

All local applications are running on the same server and we decided to bundle requests by using an apache reverse proxy which handles the SSL connections to the API Provider.

By doing this the proxy also reduces the number of SSL connections needed while at the same time reducing latency, as connections are reused. I am running Apache 2.2 on CentOS.

Due to the fact that applications and proxy are living on the same host, we decided to use only HTTP via localhost.

 

The API Provider is using a server certificate which is derived from a public CA.

root CA => intermediate CA 1 => intermediate CA 2 => API Server Certificate.

 

The setup is working in general, but I wanted to ensure that I am understanding the way certificate chains are evaluated correctly, as my understanding of the trust model is not working as expected.

This is where I hope you can help.

 

According to my understanding I should be able to place the server certificate in a file referred to via SSLProxyCACertificateFile.

If I then set SSLProxyVerifyDepth to 0 only certificates included in the certificate file should be trusted.

 

During tests this setup failed and I am getting a handshake failure. My assumption is that this is due to the fact that the server certificate is not self-signed but derived from an intermediate CA.

I got this to work by adding all three CAs (root CA, intermediate CA 1 and intermediate CA 2) and setting SSLProxyVerifyDepth to 3.

As soon as I started removing certificates from the top or reducing the verification level I was getting handshake errors stating either CA chain too long or CA not found.

 

Could you advise on the best way to ensure only specific certificates (signed by public CAs) rather than whole CAs can be trusted in outgoing SSL connections from Apache 2.2 using the SSLProxyEngine?

 

 

Here is the config I am using:

 

 

SSLProxyEngine            on

# trusted_CAs.pem includes the 3 CAs; I even tried including the 3 CAs and the server certificate.
# (httpd 2.2 does not accept a trailing comment on a directive line, so it sits on its own line here.)
SSLProxyCACertificateFile trusted_CAs.pem

SSLProxyVerify            require

SSLProxyCheckPeerCN       on

SSLProxyVerifyDepth       3

ProxyPass / https://API-Server.X.Y/API-App

 

Thanks

 

Chris
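The two errors in the thread ("CA chain too long" and "CA not found") come out of the chain walk a verifier performs against the CA file, and the "leaf only, depth 0" attempt fails because the walk only stops at a self-signed certificate that is in the trust store. The following Python is an added model of that walk (not code from the thread, mod_ssl or OpenSSL): it uses the depth meaning given in the mod_ssl documentation (0 = self-signed peer only, 1 = signed directly by a trusted CA, and so on), a constructed three-level chain with toy keys and signatures, and a final fingerprint pin, which is the check the CA file alone cannot express.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real ASN.1 or crypto)."""
    subject: str
    issuer: str
    key: str        # stand-in for the subject's public key
    signature: str  # stand-in for the issuer's signature over (subject, issuer, key)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

    def fingerprint(self) -> str:
        """SHA-256 over the whole certificate: the value a pin is compared against."""
        blob = f"{self.subject}|{self.issuer}|{self.key}|{self.signature}"
        return hashlib.sha256(blob.encode()).hexdigest()


def _sign(subject: str, issuer: str, key: str, issuer_key: str) -> str:
    # Toy "signature": a hash bound to the issuer's key, so a certificate only
    # verifies against the CA that actually issued it (modelled, not real crypto).
    return hashlib.sha256(f"{issuer_key}|{subject}|{issuer}|{key}".encode()).hexdigest()


def issue(subject: str, issuer: Optional[Cert], key: str) -> Cert:
    """Create a certificate; issuer=None yields a self-signed root."""
    issuer_name = subject if issuer is None else issuer.subject
    issuer_key = key if issuer is None else issuer.key
    return Cert(subject, issuer_name, key, _sign(subject, issuer_name, key, issuer_key))


def signature_valid(cert: Cert, issuer: Cert) -> bool:
    return cert.signature == _sign(cert.subject, cert.issuer, cert.key, issuer.key)


def verify(leaf: Cert, presented: Iterable[Cert], trust_store: Iterable[Cert],
           verify_depth: int, pin: Optional[str] = None) -> tuple[bool, str]:
    """Model of the checks a mod_ssl proxy applies to an upstream certificate.

    trust_store plays the role of SSLProxyCACertificateFile, presented the
    intermediates the API provider sends in the handshake, and verify_depth
    caps the number of CA certificates above the leaf, root included (the
    mod_ssl documentation's meaning of SSLProxyVerifyDepth). The walk only
    stops at a self-signed certificate that is in the store; a non-self-signed
    certificate placed in the store is never used as a trust anchor.
    """
    store = {c.subject: c for c in trust_store}
    extra = {c.subject: c for c in presented}
    current, ca_count = leaf, 0
    while not current.self_signed:
        if ca_count >= verify_depth:
            return False, "certificate chain too long"
        issuer = store.get(current.issuer) or extra.get(current.issuer)
        if issuer is None:
            return False, f"unable to get issuer certificate for {current.subject}"
        if not signature_valid(current, issuer):
            return False, f"bad signature on {current.subject}"
        current, ca_count = issuer, ca_count + 1
    if store.get(current.subject) != current:
        return False, "self-signed certificate not in trust store"
    # Pinning is a separate check on the leaf, applied after path validation;
    # mod_ssl has no directive for it (SSLProxyCheckPeerCN only compares the CN).
    if pin is not None and leaf.fingerprint() != pin:
        return False, "peer certificate does not match pinned fingerprint"
    return True, "ok"


# Constructed chain mirroring the thread: root => intermediate 1 => intermediate 2 => API server.
ROOT = issue("Public Root CA", None, "root-key")
INT1 = issue("Intermediate CA 1", ROOT, "int1-key")
INT2 = issue("Intermediate CA 2", INT1, "int2-key")
API = issue("API-Server.X.Y", INT2, "api-key")
OTHER = issue("other-customer.example", INT2, "other-key")  # another server under the same CA
SERVER_SENDS = [INT2, INT1]  # what the API provider presents next to its own certificate

if __name__ == "__main__":
    full = [ROOT, INT1, INT2]
    print("leaf only, depth 0:   ", verify(API, SERVER_SENDS, [API], 0))
    print("3 CAs, depth 3:       ", verify(API, SERVER_SENDS, full, 3))
    print("root removed, depth 3:", verify(API, SERVER_SENDS, [INT1, INT2], 3))
    print("3 CAs, depth 2:       ", verify(API, SERVER_SENDS, full, 2))
    print("other server, no pin: ", verify(OTHER, SERVER_SENDS, full, 3))
    print("other server, pinned: ", verify(OTHER, SERVER_SENDS, full, 3, API.fingerprint()))
```

The last two lines are the point of the question: with the three CAs in the file, any server certificate under that CA passes, and only the extra fingerprint comparison narrows trust to the one expected certificate.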

 

 

 


Complete JDK 8 Release Notes

Release Notes for JDK 8 and JDK 8 Update Releases

Cumulative Release Notes for JDK 8 and JDK 8 Update Releases
 

Java SE 8u66 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u66 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u66 b33

 

Bug Fixes

BugId     Category  Subcategory         Description
8136759   deploy    deployment_toolkit  Regression in Applet startup time with Internet Explorer on 8u60 and 8u65-b14 (Confidential)

Changes in Java SE 8u66 b31

 

Please note that fixes from prior BPR (8u60 b32) are included in this BPR.

Bug Fixes

BugId     Category  Subcategory  Description
8135307   tools     javac        CompletionFailure thrown when calling FieldDoc.type, if the field's type is missing (Confidential)


Java™ SE Development Kit 8, Update 66 (JDK 8u66)

The full version string for this update release is 1.8.0_66-b18 (where "b" means "build") for the Microsoft Windows JRE and JDK and 1.8.0_66-b17 for all other platforms and for the Microsoft Windows Server JRE. The version number is 8u66.

This update release contains several enhancements and changes including the following. 

IANA Data 2015f

JDK 8u66 contains IANA time zone data version 2015f. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u66 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_65
7                    1.7.0_91
6                    1.6.0_105

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u66) will expire with the release of the next critical patch update scheduled for January 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u66) on February 20, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Notes

When running on OS X 10.11 "El Capitan" with SIP enabled, certain environment variables intended for debugging applications, such as DYLD_LIBRARY_PATH, may be stripped from the environment when running Java from the command line or when double-clicking a JAR file. Applications should not rely on these variables in a production environment; they are only intended for debugging during development.

New Features and Changes

The following are some of the notable new features and changes in this release:
 

Support ISO 4217 "Current funds codes" table (A.2)

This enhancement adds support for ISO 4217 table A.2 fund codes. Previously the JDK only supported those currencies listed in table A.1.

See JDK-8074350.


Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory. For a list of bug fixes included in this release, see JDK 8u66 Bug Fixes page.

The following are some of the notable bug fixes included in this release:
 

Hotspot should use PICL interface to get cacheline size on SPARC

The libpicl library is now required on Solaris/SPARC to determine the size of the cache lines. In case the library is not present or the PICL service is not available, the JVM will display a warning and compiler optimizations that utilize the BIS (Block Initializing Store) instruction will be turned off.

See JDK-8056124.

 

Preloading libjsig.dylib causes deadlock when signal() is called

Applications need to preload the libjsig library to enable signal chaining. Previously, on OS X, after libjsig.dylib was preloaded, any call from native code to signal() caused a deadlock. This has been corrected.

See JDK-8072147.
 

VM crash when class is redefined with Instrumentation.redefineClasses

The JVM could crash when a class was redefined with Instrumentation.redefineClasses(). The crash could either be a segmentation fault at SystemDictionary::resolve_or_null, or an internal error with the message "tag mismatch with resolution error table". This has now been fixed.

See JDK-8076110.
 

_releaseObject called from wrong thread

A recent change to Firefox caused the _releaseObject call to be made from a thread other than the main thread. This may cause a race condition, which may inadvertently crash the browser. This has been addressed in build 18 of 8u66. For more information, see Bugs@Mozilla 1221448.

See JDK-8133523.
 
Java plug-in does not work in Firefox after installing Java

Firefox 42 and later versions may crash when trying to run the Java plug-in.

There are several workaround options. The simplest method is noted first and is recommended. The remaining available options are not recommended for non-technical users. 
 

Option 1: Add property name dom.ipc.plugins.java.enabled in Firefox preferences

1. Launch Firefox
2. Type about:config in the address bar
3. You will be presented with a Firefox warning about the configuration settings. After acknowledging the Firefox alert, you should see a listing of the configuration preferences.
4. Right-click anywhere inside the displayed list of preferences. Select New then select Boolean.
5. Add property name as dom.ipc.plugins.java.enabled
6. Add Preference name as dom.ipc.plugins.java.enabled.
7. A window will be displayed; select false, then select OK.

Option 2: Create "user.js" file with preference entry

Instructions are based on Mozilla references listed below.

1. Use a text editor to create a "user.js" file in your Firefox profiles folder
2. Add entry: user_pref("dom.ipc.plugins.java.enabled", false);  

Option 3: Update "pref.js" file with preference entry  

1. Locate the "pref.js" file in the Mozilla profiles folder
2. Find and update preference: user_pref("dom.ipc.plugins.java.enabled", false);

 

 


 



Java™ SE Development Kit 8, Update 65 (JDK 8u65)

The full version string for this update release is 1.8.0_65-b17 (where "b" means "build"). The version number is 8u65.

This update release contains several enhancements and changes including the following.

 

IANA Data 2015f

JDK 8u65 contains IANA time zone data version 2015f. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u65 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_65
7                    1.7.0_91
6                    1.6.0_105

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u65) will expire with the release of the next critical patch update scheduled for January 19, 2016.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u65) on February 19, 2016. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.
 

Notes

When running on OS X 10.11 "El Capitan" with SIP enabled, certain environment variables intended for debugging applications, such as DYLD_LIBRARY_PATH, may be stripped from the environment when running Java from the command line or when double-clicking a JAR file. Applications should not rely on these variables in a production environment; they are only intended for debugging during development.

New Features and Changes

The following are some of the notable new features and changes in this release: 
 

Support ISO 4217 "Current funds codes" table (A.2)

This enhancement adds support for ISO 4217 table A.2 fund codes. Previously the JDK only supported those currencies listed in table A.1.

See JDK-8074350.


Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory. For a list of bug fixes included in this release, see JDK 8u65 Bug Fixes page.

The following are some of the notable bug fixes included in this release:
 

Hotspot should use PICL interface to get cacheline size on SPARC

The libpicl library is now required on Solaris/SPARC to determine the size of the cache lines. In case the library is not present or the PICL service is not available the JVM will display a warning and compiler optimizations that utilize the BIS (Block Initializing Store) instruction will be turned off.

See JDK-8056124.

Preloading libjsig.dylib causes deadlock when signal() is called

Applications need to preload the libjsig library to enable signal chaining. Previously, on OS X, after libjsig.dylib was preloaded, any call from native code to signal() caused a deadlock. This has been corrected.

See JDK-8072147.
 

Use Safe Prime Diffie-Hellman Groups

In the JDK SSL/TLS implementation (SunJSSE provider), safe prime Diffie-Hellman groups are used by default. Users can customize Diffie-Hellman groups with the security property, "jdk.tls.server.defaultDHEParameters".
 

[macosx] JRE AU client installed fails update to NEXTVER on Mac 10.11

A new installer is introduced in the 8u65 release to update OS X users to the latest version. The installer will apply to both scheduled and manual updates, and bundles made available on java.com and OTN. Users who experience compatibility issues with the new installer can manually download and install the ".pkg" installer available on My Oracle Support.
 

VM crash when class is redefined with Instrumentation.redefineClasses

The JVM could crash when a class was redefined with Instrumentation.redefineClasses(). The crash could either be a segmentation fault at SystemDictionary::resolve_or_null, or an internal error with the message "tag mismatch with resolution error table". This has now been fixed.

See JDK-8076110.

 

Known Issues


[macosx] Sponsor offer screen accessibility (a11y) issues

Users who operate the keyboard to access user interfaces in the Java installer will be unable to access hyperlinks and checkboxes in software add-on offer screens. As a workaround to setting preferences related to add-on software in the user interface, users can disable such offers either by disabling them in the Java Control Panel, or by passing 'SPONSORS=0' via the command line. For more information, refer to: https://www.java.com/en/download/faq/disable_offers.xml

See JDK-8061886.

 

 


Java SE 8u60 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u60 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u60 b32

 

Bug Fixes

BugId     Category       Subcategory    Description
8081297   security-libs  javax.net.ssl  Unable to process PreMasterSecret Tomcat issue (Confidential)
8132082   security-libs  javax.net.ssl  Let OracleUcrypto accept RSAPrivateKey
8075773   core-svc       tools          jps running as root fails after the fix of JDK-8050807
8133943   hotspot        gc             Better TLAB handling for Resource Management (Confidential)
8134719   hotspot        gc             Reduce locking at native layer when thread metrics are updated due to resource context switch at thread level (Confidential)
8134109   deploy         plugin         Applet2Manager.getMainDeploymentRuleSet ignores jar version.
8133196   core-libs      java.net       HTTPS hostname invalid issue with InetAddress

Changes in Java SE 8u60 b31

 

Please note that fixes from prior BPR (8u51 b31) are included in this BPR.



Java™ SE Development Kit 8, Update 60 (JDK 8u60)

The full version string for this update release is 1.8.0_60-b27 (where "b" means "build"). The version number is 8u60.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2015e

JDK 8u60 contains IANA time zone data version 2015e. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u60 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_51
7                    1.7.0_85
6                    1.6.0_101

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u60) will expire with the release of the next critical patch update scheduled for October 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u60) on November 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Java SE Development Kit for ARM Release 8u60

This release includes Java Development Kit for ARM Release 8u60 (JDK 8u60 for ARM).

For ARM device support information, see Java SE Development Kit Downloads page.

For system requirements, installation instructions and troubleshooting tips, see Installation Instructions page.

Limitation: Native Memory Tracking support is limited in JDK for ARM. The java command line option -XX:NativeMemoryTracking=detail is not supported for ARM targets (an error message is displayed to the user). Instead, use the following option:

-XX:NativeMemoryTracking=summary

New Features and Changes


Documentation Updates due to Nashorn Enhancements

JDK 8u60 includes new enhancements to Nashorn. As a result the following documentation changes should be read in conjunction with the current Nashorn documentation:

  • Addition:
    In the previous section, we mentioned that every JavaScript object when exposed to Java APIs implements the java.util.Map interface. This is true even for JavaScript arrays. However, this behavior is often not desired or expected when the Java code expects JSON-parsed objects. Java libraries that manipulate JSON-parsed objects usually expect arrays to expose the java.util.List interface instead. If you need to expose your JavaScript objects so that arrays are exposed as lists and not maps, you can use the Java.asJSONCompatible(obj) function, where obj is the root of your JSON object tree.

  • Correction:
    The caution mentioned at the end of Mapping Data Types section, is no longer applicable.

    Nashorn ensures that internal JavaScript strings are converted to java.lang.String when exposed externally.

  • Correction:
    The statement in the section Mapping Data Types, that mentions "For example, arrays must be explicitly converted,........." is not correct.

    Arrays are automatically converted to Java array types, such as java.util.List, java.util.Collection, java.util.Queue and java.util.Deque and so on.

Changes in Deployment Rule Set v1.2

JDK 8u60 implements Deployment Rule Set (DRS) 1.2, which includes the following changes:

  • Add "checksum" element as sub element of "id" which can allow unsigned jars to be identified by the SHA-256 checksum of the uncompressed form of a jar:

    • The "checksum" element will match only unsigned jars, and the given hash will be compared only against the uncompressed form of the jar.
    • The "checksum" element (similar to "certificate" element) has two arguments "hash" and "algorithm", however, unlike "certificate" element, the only supported value for "algorithm" is "SHA-256". Any other value provided will be ignored.
  • Allow "message" element to apply to all rule types, where previously it only applied to a block rule:

    • In a run rule, a message sub element will cause a message dialog to be displayed where without a run rule, the default behavior would be to show certificate or unsigned dialog. The message will be displayed in the message dialog.
    • In a default rule, the message will only be displayed if the default action is to block. In such a case the message will be included in the block dialog.
  • Echo "customer" blocks in the Java Console, trace files, and Java Usage Tracker records.

    • Previous to DRS 1.2, "customer" elements could be included (with any sub-elements) in the ruleset.xml file. This element and all its sub elements are ignored. In DRS 1.2, the elements are still functionally ignored. However:
      • When parsing the ruleset.xml file, all "customer" blocks will be echoed to the Java Console and deployment trace file (if Console and Tracing are enabled).
      • When using a rule, all "customer" records included within that rule will be added to the Java Usage Tracker (JUT) record (if JUT is enabled).
  • As a result of the above changes, the DTD for DRS 1.2 is as follows:

    <!-- Attribute declarations use ATTLIST (the DTD keyword); the content model of "id"
         is a sequence, so both optional children sit in one group. -->
    <!ELEMENT ruleset (rule*)>
    <!ATTLIST ruleset href CDATA #IMPLIED>
    <!ATTLIST ruleset version CDATA #REQUIRED>
    
    <!ELEMENT rule (id, action)>
    
    <!ELEMENT id (certificate?, checksum?)>
    <!ATTLIST id title CDATA #IMPLIED>
    <!ATTLIST id location CDATA #IMPLIED>
    
    <!ELEMENT certificate EMPTY>
    <!ATTLIST certificate algorithm CDATA #IMPLIED>
    <!ATTLIST certificate hash CDATA #REQUIRED>
    
    <!ELEMENT checksum EMPTY>
    <!ATTLIST checksum algorithm CDATA #IMPLIED>
    <!ATTLIST checksum hash CDATA #REQUIRED>
     
    <!ELEMENT action (message?)>
    <!ATTLIST action permission (run | block | default) #REQUIRED>
    <!ATTLIST action version CDATA #IMPLIED>
    <!ATTLIST action force (true|false) "false">
    
    <!ELEMENT message (#PCDATA)>
    <!ATTLIST message locale CDATA #IMPLIED>
    
    

Bug Fixes


For a list of bug fixes included in this release, see JDK 8u60 Bug Fixes page.

The following are some of the notable bug fixes included in JDK 8u60 release:

Area: security-libs/org.ietf.jgss:krb5
Synopsis: dns_lookup_realm should be false by default

The dns_lookup_realm setting in Kerberos' krb5.conf file is by default false.

See 8080637.

Area: security-libs/javax.net.ssl
Synopsis: Disable RC4 cipher suites

RC4-based TLS ciphersuites (e.g. TLS_RSA_WITH_RC4_128_SHA) are now considered compromised and should no longer be used (see RFC 7465). Accordingly, RC4-based TLS ciphersuites have been deactivated by default in the Oracle JSSE implementation by adding "RC4" to the "jdk.tls.disabledAlgorithms" security property, and by removing them from the default enabled ciphersuites list. These cipher suites can be reactivated by removing "RC4" from the "jdk.tls.disabledAlgorithms" security property in the java.security file or by dynamically calling Security.setProperty(), and also re-adding them to the enabled ciphersuite list using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.

You can also use the -Djava.security.properties command line option to override the jdk.tls.disabledAlgorithms security property. For example:

java -Djava.security.properties=my.java.security ...

where my.java.security is a file containing the property without RC4:

jdk.tls.disabledAlgorithms=SSLv3

Even with this option set from commandline, the RC4 based ciphersuites need to be re-added to the enabled ciphersuite list by using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.

See 8076221.

Area: security-libs/java.security
Synopsis: Support keystore type detection for JKS and PKCS12 keystores

Keystore Compatibility Mode:
To aid interoperability, the Java keystore type JKS now supports keystore compatibility mode by default. This mode enables JKS keystores to access both JKS and PKCS12 file formats. To disable keystore compatibility mode set the Security property keystore.type.compat to the string value false.

See 8062552.

Area: core-libs/java.lang
Synopsis: Deprecate Unsafe monitor methods in JDK 8u release

The methods monitorEnter, monitorExit and tryMonitorEnter on sun.misc.Unsafe are marked as deprecated in JDK 8u60 and will be removed in a future release. These methods are not used within the JDK itself and are very rarely used outside of the JDK.

See 8069302.

Area: hotspot/jfr
Synopsis: Extract JFR recording from the core file using SA

DumpJFR is a Serviceability Agent based tool that can be used to extract Java Flight Recorder (JFR) data from core files and live Hotspot processes. DumpJFR can be used in one of the following ways:

  • Attach DumpJFR to a live process:

    java -cp $JAVA_HOME/lib/sa-jdi.jar sun.jvm.hotspot.tools.DumpJFR <pid>
     
  • Attach DumpJFR to a core file:

    java -cp $JAVA_HOME/lib/sa-jdi.jar sun.jvm.hotspot.tools.DumpJFR <java> <core>

DumpJFR tool dumps the JFR data to a file called recording.jfr in the current working folder.

See 8065301 (not public).

Area: tools/javac
Synopsis: Local variables named 'enum' lead to spurious compiler crashes

The javac parser is incorrectly parsing local variables with name 'enum'; this results in spurious failures when a program containing such local variables is compiled with a 'source' flag corresponding to a release in which the enum construct is not available (such as '-source 1.4').

See 8069181.

 




Java SE 8u51 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u51 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u51 b31

 

Please note that fixes from prior BPR (8u45 b37) are included in this BPR.



Java™ SE Development Kit 8, Update 51 (JDK 8u51)

The full version string for this update release is 1.8.0_51-b16 (where "b" means "build"). The version number is 8u51.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2015d

JDK 8u51 contains IANA time zone data version 2015d. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u51 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_51
7                    1.7.0_85
6                    1.6.0_101

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u51) will expire with the release of the next critical patch update scheduled for October 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u51) on November 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes


Operating system's restricted environment (Native Sandbox)

JDK 8u51 introduced the following changes to Native Sandbox:

  • Native sandbox is available on Windows platform only.

  • Native sandbox can be enabled or disabled through Java Control Panel->Advanced settings->Enable the operating system's restricted environment (native sandbox) or by setting deployment.security.use.native.sandbox property to true in deployment.properties file.

    Native sandbox is disabled by default.

  • When native sandbox is enabled, the sandbox applets or web-start applications will run in a restricted environment, that is provided by the operating system. This will not affect the all-permission applications and they will continue to run as before.

  • Native sandbox will be disabled for applications included the in Exception Site List (ESL) or when Deployment Rule Set (DRS) is used.

  • Sandbox applets deployed with HTML applet tag which includes all-permissions JAR files from the Class-Path manifest attribute, will run in native sandbox.

    In such cases, a special warning dialog will display, informing the user that the applet may not work properly, when such an applet tries to access the all-permission JAR files.

  • Custom preloader will be disabled in certain cases when native sandbox is enabled:

    • Custom preloader will be disabled when sandbox applets or web-start applications are initializing and the default preloader will be used instead. After application is initialized, Java VM restarts with native sandbox enabled and the custom preloader will be used.
    • For all-permission applications, custom preloader will be disabled if it is located in the JNLP file with sandbox permission, until user agrees to run application from the Security Dialog, which grants unrestricted access (privileged) to application.

Bug Fixes


This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 8u51 Bug Fixes page.

The following are some of the notable bug fixes included in this release:

Area: security-libs/java.security
Synopsis: Add new Comodo roots to root CAs

Four new root certificates have been added for Comodo:

1. COMODO ECC Certification Authority
    alias: comodoeccca
    DN: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, 
    ST=Greater Manchester, C=GB

2. COMODO RSA Certification Authority
    alias: comodorsaca
    DN: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, 
    ST=Greater Manchester, C=GB

3. USERTrust ECC Certification Authority
    alias: usertrusteccca
    DN: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, 
    L=Jersey City, ST=New Jersey, C=US

4. USERTrust RSA Certification Authority
    alias: usertrustrsaca
    DN: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, 
    L=Jersey City, ST=New Jersey, C=US

See JDK-8077997 (not public).

Area: security-libs/java.security
Synopsis: Add new GlobalSign roots to root CAs

Two root certificates have been added for GlobalSign:

1. GlobalSign ECC Root CA - R4
   alias: globalsigneccrootcar4
   DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4

2. GlobalSign ECC Root CA - R5
   alias: globalsigneccrootcar5
   DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5

See JDK-8077995 (not public).

Area: security-libs/java.security
Synopsis: Add Actalis to root CAs

Added one new root certificate:

Actalis Authentication Root CA
   alias: actalisauthenticationrootca
   DN: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, 
   L=Milan, C=IT 

See JDK-8077903 (not public).

Area: security-libs/java.security
Synopsis: Add new Entrust ECC root

Added one new root certificate:

Entrust Root Certification Authority - EC1
  alias: entrustrootcaec1
  DN: CN=Entrust Root Certification Authority - EC1, 
  OU="(c) 2012 Entrust, Inc. - for authorized use only", 
  OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US

See JDK-8073286 (not public).

Area: security-libs/java.security
Synopsis: Remove old Valicert Class 1 and 2 Policy roots

Removed two root certificates with 1024-bit keys:

1. ValiCert Class 1 Policy Validation Authority
    alias: secomvalicertclass1ca
    DN: EMAILADDRESS=info@xxxxxxxxxxxx, CN=http://www.valicert.com/, 
    OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", 
    L=ValiCert Validation Network

2. ValiCert Class 2 Policy Validation Authority
    alias: valicertclass2ca
    DN: EMAILADDRESS=info@xxxxxxxxxxxx, CN=http://www.valicert.com/, 
    OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", 
    L=ValiCert Validation Network

See JDK-8077886 (not public).

Area: security-libs/java.security
Synopsis: Remove old Thawte roots

Removed two root certificates with 1024-bit keys:

1. Thawte Server CA
    alias: thawteserverca
    DN: EMAILADDRESS=server-certs@xxxxxxxxxx, CN=Thawte Server CA, 
    OU=Certification Services Division, O=Thawte Consulting cc, 
    L=Cape Town, ST=Western Cape, C=ZA

2. Thawte Personal Freemail CA
    alias: thawtepersonalfreemailca
    DN: EMAILADDRESS=personal-freemail@xxxxxxxxxx, 
    CN=Thawte Personal Freemail CA, OU=Certification Services Division, 
    O=Thawte Consulting, L=Cape Town, ST=Western Cape, C=ZA

See JDK-8074423 (not public).

Area: security-libs/java.security
Synopsis: Remove more old Verisign, Equifax, and Thawte roots

Removed five root certificates with 1024-bit keys:

1. Verisign Class 3 Public Primary Certification Authority - G2
    alias: verisignclass3g2ca
    DN: OU=VeriSign Trust Network, 
    OU="(c) 1998 VeriSign, Inc. - For authorized use only", 
    OU=Class 3 Public Primary Certification Authority - G2, 
    O="VeriSign, Inc.", C=US

2. Thawte Premium Server CA
    alias: thawtepremiumserverca
    DN: EMAILADDRESS=premium-server@xxxxxxxxxx, CN=Thawte Premium Server CA, 
    OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, 
    ST=Western Cape, C=ZA

3. Equifax Secure Certificate Authority
    alias: equifaxsecureca
    DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US

4. Equifax Secure eBusiness CA-1
    alias: equifaxsecureebusinessca1
    DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US

5. Equifax Secure Global eBusiness CA-1
    alias: equifaxsecureglobalebusinessca1
    DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

See JDK-8076202 (not public).

Area: security-libs/java.security
Synopsis: Remove TrustCenter CA roots from cacerts

Removed three root certificates:

1. TC TrustCenter Universal CA I
    alias: trustcenteruniversalcai
    DN: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, 
    O=TC TrustCenter GmbH, C=DE

2. TC TrustCenter Class 2 CA II
    alias: trustcenterclass2caii
    DN: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, 
    O=TC TrustCenter GmbH, C=DE

3. TC TrustCenter Class 4 CA II
    alias: trustcenterclass4caii
    DN: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, 
    O=TC TrustCenter GmbH, C=DE

See JDK-8072958 (not public).

Area: security-libs/javax.net.ssl
Synopsis: Deprecate RC4 in SunJSSE provider

RC4 is now considered a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client-requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in the Oracle JSSE implementation. RC4-related algorithms are added to the legacy algorithms list.

See JDK-8074006 (not public).

Area: security-libs/javax.net.ssl
Synopsis: Prohibit RC4 cipher suites

RC4 is now considered a compromised cipher. RC4 cipher suites have been removed from both the client and server default enabled cipher suite lists in the Oracle JSSE implementation. These cipher suites can still be enabled by the SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods.

See JDK-8077109 (not public).

Area: security-libs/javax.net.ssl
Synopsis: Improved certification checking

With this fix, JSSE endpoint identification does not perform reverse name lookup for IP addresses by default in JDK.

If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounters an endpoint identification compatibility issue, the system property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks.

See JDK-8067695 (not public).

Known Issues


Area: deploy/plugin
Synopsis: Java issue with Firefox 38, long delay with MyD loading

Java Plugin is unable to obtain proxy settings from Firefox 38 due to a bug in the Mozilla framework. It may cause a long delay during RIA start up or can even cause start up failures. See the related issue:

https://bugzilla.mozilla.org/show_bug.cgi?id=1165286

According to Mozilla, Firefox 39 will contain a fix for this problem.

Workarounds:

  • Use another supported browser
  • Downgrade browser to Firefox 37
  • Specify proxy settings in JCP (NOT in "Browser settings")

See JDK-8081459 (not public).

 


Java SE 8u45 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u45 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u45 b37

Bug Fixes

BugId     Category    Subcategory   Description
8085965   hotspot     gc            VM hangs in C2Compiler
8075210   hotspot     gc            Refactor strong root processing in order to allow G1 to evolve separately from GenCollectedHeap
8074037   hotspot     gc            Refactor the G1GCPhaseTime logging to make it easier to add new phases
8061630   hotspot     gc            G1 iterates over JNIHandles two times
8067655   hotspot     gc            Clean up G1 remembered set oop iteration
8051837   hotspot     gc            Remove temporary G1UseParallelRSetUpdating and G1UseParallelRSetScanning flags
8072384   core-libs   java.net      Setting IP_TOS on java.net sockets not working on unix

Changes in Java SE 8u45 b36

Bug Fixes

BugId                    Category      Subcategory   Description
8072999                  deploy        webstart      DRS certificate based rule does not match with Java WS Application compressed by pack200
8076220 (Confidential)   deploy        plugin        If checksum rule is specified drs tries to calculate checksum for folder (DRS1.2)
8069161                  deploy        plugin        Slow cache performance since JRE 7u06
8072619 (Confidential)   deploy        plugin        OutOfMemoryError in Java Plugin for IE
8076189 (Confidential)   install       install       Update Makefiles to Roll a .dmg File for the .pkg Installer
8080288 (Confidential)   deploy        plugin        Applet failed to reload after "javaws -uninstall"
8072676                  client-libs   javax.swing   [macosx] Jtree icon painted over label when scrollbars present in window
8079223                  deploy                      unnecessary performance degradation caused by fix to JDK-8052111
8077155                  core-libs     java.net      LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection

Changes in Java SE 8u45 b33

Bug Fixes

BugId                    Category      Subcategory   Description
8073072 (Confidential)   deploy        plugin        8u25-b31/8u31-b32 fails to evaluate proxy pac file for some URLs
8073008                  client-libs   java.awt      press-and-hold input method for accented characters works incorrectly on OS X

Changes in Java SE 8u45 b32

Please note that fixes from prior BPR (8u40 b32) are included in this BPR.



Java™ SE Development Kit 8, Update 45 (JDK 8u45)

The full version string for this update release is 1.8.0_45-b14 (where "b" means "build") except for Windows, where the version string is 1.8.0_45-b15. The version number is 8u45.

IANA Data 2015a

JDK 8u45 contains IANA time zone data version 2015a. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u45 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_45
7                    1.7.0_79
6                    1.6.0_95
5.0                  1.5.0_85

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u45) will expire with the release of the next critical patch update scheduled for July 14, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u45) on August 14, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Blacklist Entries

A new blacklist entry is included in this release.

For more details on the entry, see the related Cisco Security Advisory.

Bug Fixes


This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 8u45 Bug Fixes page.

The following are some of the notable bug fixes included in this release:

Area: tools/jar
Synopsis: Improve jar file handling

Starting with the JDK 8u45 release, the jar tool no longer allows a leading slash "/" or a ".." (dot-dot) path component in zip entry file names when creating or extracting zip and jar files. If needed, the new command line option "-P" must be used explicitly to preserve the dot-dot and/or absolute path component.

See 8064601 (not public).

Area: deploy/webstart
Synopsis: jnlp app with nested "resource" section fails with NPE on load in jre8u40

A jnlp application, with nested <resources> tags within a <java> or <j2se> tag, can throw an NPE. The issue is now fixed. The <resources> tag should be used only if the <java> tag is actually used.

See 8072631 (not public).

Known Issues


Area: core-libs/jdk.nashorn
Synopsis: Finally blocks inlined incorrectly.

Nashorn has known issues where it incorrectly compiles try/finally constructs. For more information on this issue and a workaround, see Try/finally compilation issues wiki page.

See 8067139.

 


Java SE 8u40 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u40 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u40 b32

Please note that fixes from prior BPR (8u31 b33) are included in this BPR.

Bug Fixes

BugId                    Category      Subcategory   Description
8071897                  deploy        webstart      JRE 8U25 and 8u31 b32 cannot launch Java Web Start with proxy pac but works fine for 7u67
8066436 (Confidential)   client-libs   java.awt      Minimize can cause window to disappear on osx



Java™ SE Development Kit 8, Update 40 (JDK 8u40)

The full version string for this update release is 1.8.0_40-b26 (where "b" means "build") except for OS X, where the version string is 1.8.0_40-b27. The version number is 8u40.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2014j

JDK 8u40 contains IANA time zone data version 2014j. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u40 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_31
7                    1.7.0_75
6                    1.6.0_91
5.0                  1.5.0_81

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u40) will expire with the release of the next critical patch update scheduled for April 14, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u40) on May 14, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes


Java Packager Tool Enhancements

JDK 8u40 release contains the following enhancements to the Java Packager:


Deprecated APIs

The endorsed-standards override mechanism and the extension mechanism are deprecated and may be removed in a future release. There are no runtime changes. Existing applications using the 'endorsed-standards override' or 'extension' mechanisms are recommended to migrate away from using these mechanisms. To help identify any existing uses of these mechanisms, the -XX:+CheckEndorsedAndExtDirs command-line option is available. It will fail if any of the following conditions is true:

  • -Djava.endorsed.dirs or -Djava.ext.dirs system property is set to alter the default location; or
  • ${java.home}/lib/endorsed directory exists; or
  • ${java.home}/lib/ext contains any JAR files excluding the ones that JDK ships or
  • any platform-specific system-wide extension directory contains any JAR files.

The -XX:+CheckEndorsedAndExtDirs command-line option is supported in JDK 8u40 and later releases.

Multiple JRE Launcher feature Deprecated

The Launch-Time JRE Version Selection or the Multiple JRE Launcher feature is deprecated in JDK 8u40. Visit http://openjdk.java.net/jeps/231 for further information. Applications that require specific Java versions deployed using this feature must switch to alternate deployment solutions such as Java WebStart.

JJS Tool Page Differences

The Japanese version of the jjs help page is different from the English version. Some of the unsupported options have been removed from the English version of the jjs tool page. The Japanese version of the document will be updated in the future.

See 8062100 (not public).

For other jjs tool page changes, see Tools Enhancements in JDK 8.

Java SE Tools Updated

Java SE tools have been updated. See Tools Enhancements in JDK 8 for details.

Change in default values for G1HeapWastePercent and G1MixedGCLiveThresholdPercent

The default value for G1HeapWastePercent was changed from 10 to 5 to reduce the need for full GCs. For the same reason the default value for G1MixedGCLiveThresholdPercent was changed from 65 to 85.

Nashorn Enhancements

The new jdk.nashorn.api.scripting.ClassFilter interface enables you to restrict access to specified Java classes from scripts run by a Nashorn script engine. See Restricting Script Access to Specified Java Classes in the Nashorn User's Guide and 8043717 (not public) for more information.

The Nashorn compiler now has static type inference capabilities for local variables and expressions. While JavaScript is hard to analyze statically, Nashorn is able to generate code optimized for specific types.

Nashorn now supports optimistic typing, which complements static type inference. For types that can't be statically inferred, Nashorn will make optimistic assumptions and gradually deoptimize when assumptions turn out to be wrong. To activate this feature use the --optimistic-types=true option. See Nashorn Architecture and Performance Improvements for more information.

Function.prototype.bind and Function.prototype.call are enhanced to work on everything that can be invoked in Nashorn, such as POJO methods, instances of @FunctionalInterface classes.

Issues with Third party's JCE Providers

The fix for JDK-8023069 (in JDK 8u20) updated both the SunJSSE and SunJCE providers, including some internal interfaces.

Some third party JCE providers (such as RSA JSAFE) are using some sun.* internal interfaces, and therefore will not work with the updated SunJSSE provider. Such providers will need to be updated in order for them to work with the updated SunJSSE provider.

If you have been impacted by this issue, contact your JCE vendor for an update.

See 8058731.

Re-enabled Encryptions in Solaris Crypto Framework

If you are using Solaris 10, a change was made to re-enable operations with MD5, SHA1, and SHA2 through the Solaris Crypto Framework. If you experience a CloneNotSupportedException or PKCS11 error CKR_SAVED_STATE_INVALID message with JDK 8u40, you should verify and apply the below patches or newer versions of them:

  • 150531-02 on sparc
  • 150636-01 on x86

Troubleshooting Guide Updates for NMT, JMC, and JFR

The Native Memory Tracking (NMT) is a Java Hotspot VM feature that tracks internal memory usage for a HotSpot JVM. Native Memory Tracking can be used to monitor VM internal memory allocations and diagnose VM memory leaks.

VM enhancements page is updated with NMT features. See Java Virtual Machine Enhancements in Java SE 8.

Troubleshooting Guide is updated with NMT features. See Native Memory Tracking.

Troubleshooting Guide is also updated with content for Troubleshooting using Java Mission Control, Debug Memory Leaks using Java Flight Recorder (JFR), and Troubleshooting Performance Issues using JFR.

JavaFX Enhancements

Starting with JDK 8u40 release, JavaFX controls are enhanced to support assistive technologies, meaning that JavaFX controls are now accessible. In addition, a public API is provided to allow developers to write their own accessible controls.

Accessibility support is provided on Windows and Mac OS X platforms and includes:

  • Support for reading JavaFX controls by a screen reader
  • JavaFX controls are traversable using the keyboard
  • Support for a special high-contrast mode that makes controls more visible to users.

See 8043344 (not public).

JDK 8u40 release includes new JavaFX UI controls: a spinner control, formatted-text support, and a standard set of alert dialogs.

See 8043350 (not public).

Commercial Features

  • Application Class Data Sharing (AppCDS):

    Application Class Data Sharing (AppCDS) extends CDS (see Class Data Sharing) to enable you to place classes from the standard extensions directories and the application class path in the shared archive. This is an experimental feature and not licensed for commercial use. See the -XX:+UseAppCDS option in the java launcher tool page.

  • Cooperative Memory Management:

    Starting with JDK 8u40, the notion of "memory pressure" has been added to the JDK. Memory pressure is a property that represents the total memory usage (RAM) on the system. The higher the memory pressure, the closer the system is to running out of memory.  This is an experimental feature and not licensed for commercial use.

    As a reaction to increased memory pressure, the JDK will try to reduce its memory usage. This is mainly done by reducing the Java heap size. The actions the JDK will take to reduce memory usage may lead to reduced performance. This is an intentional choice.

    The pressure level is provided by the application through a JMX MXBean using a scale from 0 (no pressure) to 10 (almost out of memory). To enable this feature, the jdk.management.cmm.SystemResourcePressureMXBean should be registered. The memory pressure is then set using the "MemoryPressure" attribute.

    A new command line flag -XX:MemoryRestriction that takes one of the arguments 'none', 'low', 'medium', or 'high', is also available. This flag will set the initial pressure in the JDK and will work also in cases where the MXBean is not registered.

    Cooperative Memory Management requires the G1 GC (-XX:+UseG1GC). This feature is not compatible with the flag -XX:+ExplicitGCInvokesConcurrent.

  • New Commercial Flags:

    Two new VM options are now available for commercial license holders:

    • -XX:+ResourceManagement
    • -XX:ResourceManagementSampleInterval=value (milliseconds)

    For more information, see Java Launcher documentation.

  • Java Flight Recorder (JFR) Enhancements

    It is now possible to enable Java Flight Recorder at runtime. For details, see the Java Flight Recorder Runtime Guide at http://docs.oracle.com/javacomponents/jmc-5-5/jfr-runtime-guide/index.html.

  • New MSI Installer Documentation:

    The Microsoft Windows Installer (MSI) Enterprise JRE Installer Guide is available at https://docs.oracle.com/javacomponents/msi-jre8/install-guide. The MSI Enterprise JRE Installer requires a commercial license for use in production. To learn more about commercial features and how to enable them, visit http://www.oracle.com/technetwork/java/javaseproducts.


Bug Fixes


For a list of bug fixes included in this release, see JDK 8u40 Bug Fixes page.

The following are some of the notable bug fixes included in JDK 8u40 release:

Area: core-svc
Synopsis: Default and static interface methods in JDI, JDWP and JDB

Since JDK 8 it is possible to have directly executable static and default methods in interfaces. These methods are not executable via JDWP or JDI and therefore cannot be properly debugged. See JDK 8 Compatibility Guide for more details.

See 8042123.

Area: install
Synopsis: Java Access Bridge can be enabled from Control panel for 32 bit JREs.

Previously, the "Enable Java Access Bridge" check box was removed from the Java Control Panel on 64-bit JRE uninstall even when a 32-bit JRE was still present on the system.

Starting with the JDK 8u40 release, the "Enable Java Access Bridge" check box is retained, at Control Panel -> Ease of Access -> Ease of Access Center -> Use the computer without a display, if a 32-bit JRE is present. So, a user can enable Java Access Bridge via the Control Panel for 32-bit JREs.

See 8030124.

Area: client-libs
Synopsis: Modernizing the JavaFX Media Stack on Mac OS X

An AVFoundation based player platform is added to JavaFX media. The old QTKit based platform is now removable for Mac App Store compatibility.

See 8043697 (not public).

Area: deploy/plugin
Synopsis: Missing DOM APIs

In JDK 8u40 release, the old plugin DOM APIs were inadvertently removed. If an applet requires the use of com.sun.java.browser.dom.DOMService to communicate with the browser, then users may need to update their applet to use netscape.javascript.JSObject or continue using JDK 8 Update 31.

This issue has been resolved in build 26 and new 8u40 installers have been posted. If you are experiencing this problem, download and run the updated JDK 8u40 installers.

See 8074564.

Area: client-libs/java.awt
Synopsis: Mac 10.10: Application run with splash screen has focus issues

Applications started through webstart or standalone applications, which use splash screen, cannot get keyboard focus.

Workaround: Launch javaws using the -Xnosplash option.

This issue has been resolved in build 27 and a new 8u40 installer has been posted. If you are experiencing this problem, download and run the updated JDK 8u40 installer.

See 8074668.

Known Issues


JDK

Area: hotspot/gc
Synopsis: Performance degradation on G1 on Solaris when large pages are requested

When using G1 on Solaris where large pages are requested, the VM does not always use large pages when it could. This may result in significant throughput degradation, particularly on the Solaris x64 platform.

See 8058354.

Area: hotspot/compiler
Synopsis: Nondeterministic arithmetic when converting long strings to integers and performing OSR

For JRE 6 and above, when performing OSR on loops with huge stride and/or initial values, in a very rare case the tiered/server compilers can produce non-canonical loop shapes that can produce nondeterministic answers, when answers should be deterministic.

Workaround: Launch Java using the -XX:-UseOnStackReplacement flag.

See 8072753.

JavaFX

Area: Control
Synopsis: Behavior and access of Control#getUserAgentStylesheet method changed in 8u40.

In JDK 8u40, the getUserAgentStylesheet() method moved from the Control class to the Region superclass.

The method was promoted from protected to public, which preserves binary compatibility, but breaks source compatibility for subclasses of Control that override this method. The solution is to make the overridden method public in the subclass of Control.

The semantics of the method are also changed such that any CSS that is applied from CSS files imported via the getUserAgentStylesheet() method is only applied to the Region in which it is a user agent stylesheet. Previously, a CSS file imported in this way could make changes throughout the application user interface, which could result in unintended style clobbering. This is no longer possible from JDK 8u40 onwards, and applications which might have been relying on this unintended behavior, may see differences in styling as a result.

See RT-38640.

Area: Control
Synopsis: PopupControl$CSSBridge changed to extend Pane in 8u40.

In JDK 8u40, the object inheritance hierarchy of the protected javafx.scene.control.PopupControl$CSSBridge inner class has changed in an incompatible manner. Prior to JDK 8u40, PopupControl$CSSBridge extended from Group and now it extends from Pane.

This is primarily an internal class for custom PopupControls such as Tooltip, but it is possible that a third-party control might subclass this class. Such applications that subclass PopupControl$CSSBridge might be affected if they were calling or overriding methods in Group that are not in Pane.

See RT-33696.

 



Java SE 8u31 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u31 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u31 b33

Bug Fixes

BugId                    Category      Subcategory          Description
8062032 (Confidential)   deploy        plugin               Client certificate authentication issues with TLS 1.2 and browser keystore
8068283                  client-libs   java.awt             Mac OS Incompatibility between JDK 6 and 8 regarding input method handling
8037417                  deploy                             javaws fails to launch app with empty href in jnlp file if Application-Library-Allowable-Codebase is used
8063047 (Confidential)   deploy        webstart             Need jnlp information from cached webstart application
8062375 (Confidential)   deploy        webstart             Warning message doesn't contain additional info: "Launched from downloaded JNLP file" when launched from shortcut or cache viewer
8037471                  deploy        deployment_toolkit   The warning message displays the app name and publisher as "UNKNOWN" if cache is disabled

Changes in Java SE 8u31 b32

Bug Fixes

BugId                    Category   Subcategory   Description
8065858 (Confidential)   deploy     plugin        Applet doesn't load after upgrade to JDK 8u25

Changes in Java SE 8u31 b31

Please note that fixes from prior BPR (8u25 b32) are included in this BPR.

Bug Fixes

BugId     Category   Subcategory   Description
8061648   deploy     webstart      JavaWS fails with proxy autoconfig due to missing "dnsResolve"



Java™ SE Development Kit 8, Update 31 (JDK 8u31)

The full version string for this update release is 1.8.0_31-b13 (where "b" means "build"). The version number is 8u31.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2014j

JDK 8u31 contains IANA time zone data version 2014j. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u31 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_31
7                    1.7.0_75
6                    1.6.0_91
5.0                  1.5.0_81

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u31) will expire with the release of the next critical patch update scheduled for April 14, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u31) on May 14, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes


SSLv3 is disabled by default

Starting with JDK 8u31 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

It should be noted that SSLv3 is obsolete and should no longer be used.

Changes to Java Control Panel

Starting with JDK 8u31 release, SSLv3 protocol is removed from Java Control Panel Advanced options.

If the user needs to use SSLv3 for applications, re-enable it manually as follows:

  • Enable SSLv3 protocol on JRE level: as described in the previous section.
  • Enable SSLv3 protocol on deploy level: edit the deployment.properties file and add the following:

    deployment.security.SSLv3=true

Bug Fixes


This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 8u31 Bug Fixes page.


Java SE 8u25 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u25 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u25 b32

Bug Fixes

BugId     Category   Subcategory   Description
8061643   deploy     webstart      JavaWS fails with proxy autoconfig due to missing "resolve" permission

Changes in Java SE 8u25 b31

Please note that fixes from prior BPR (8u20 b32) are included in this BPR.



Java™ SE Development Kit 8, Update 25 (JDK 8u25)

The full version string for this update release is 1.8.0_25-b17 (where "b" means "build") except for Windows, where the version string is 1.8.0_25-b18. The version number is 8u25.

IANA Data 2014c

JDK 8u25 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u25 are specified in the following table:

JRE Family Version   JRE Security Baseline (Full Version String)
8                    1.8.0_25
7                    1.7.0_71
6                    1.6.0_85
5.0                  1.5.0_75

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u25) will expire with the release of the next critical patch update scheduled for January 20, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u25) on February 20, 2015. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Instructions to disable SSL v3.0 in Oracle JDK and JRE

Oracle recommends that users and developers disable use of the SSLv3 protocol. Please follow the Instructions to disable SSL v3.0 in Oracle JDK and JRE.

Unsafe Server Certificate Change in SSL/TLS Renegotiations Not Allowed.

Starting with JDK 8u25, unsafe server certificate change in SSL/TLS renegotiations is not allowed by default. Server certificate change in an SSL/TLS renegotiation may be unsafe and should be restricted:

  • if endpoint identification is not enabled in an SSL/TLS handshake; and
  • if the previous handshake is a session-resumption abbreviated initial handshake; and
  • the identities represented by both certificates (in the previous handshake and this handshake) cannot be regarded as the same.

If unsafe server certificate change is really required, please set the system property, jdk.tls.allowUnsafeServerCertChange, to "true" before JSSE is initialized. Note that this would re-establish the unsafe server certificate change issue.

Bug Fixes


This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 8u25 Bug Fixes page.

The following are some of the notable bug fixes in this release:

Area: security-libs/javax.net.ssl
Synopsis: Decrease the preference mode of RC4 in the enabled cipher suite list

This fix decreases the preference of RC4 based cipher suites in the default enabled cipher suite list of SunJSSE provider.

See 8043200 (not public).

Area: client-libs
Synopsis: JRE 8u20 crashes while using Japanese IM on Windows

The VM crashes while using Swing controls when some Japanese or Chinese characters are input on Windows platform. The issue is now fixed.

See 8058858 (not public).


Java SE 8u20 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u20 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u20 b32

 

Bug Fixes

BugId    Category     Subcategory  Description
8047288  client-libs  java.awt     [macosx] Endless loop in EDT on Mac

Changes in Java SE 8u20 b31

 

Please note that fixes from prior BPR (8u11 b31) are included in this BPR.

Bug Fixes

BugId    Category  Subcategory  Description
8029837  xml       jaxp         NPE seen in XMLDocumentFragmentScannerImpl.setProperty since 7u40b33
8051012  hotspot   runtime      Regression in verifier for <init> method call from inside of a branch


Java™ SE Development Kit 8, Update 20 (JDK 8u20)

The full version string for this update release is 1.8.0_20-b26 (where "b" means "build"). The version number is 8u20.

Highlights

This update release contains several enhancements and changes including the following:

IANA Data 2014c

JDK 8u20 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u20 are specified in the following table:

JRE Family Version    JRE Security Baseline (Full Version String)
8                     1.8.0_11
7                     1.7.0_65
6                     1.6.0_81
5.0                   1.5.0_71

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u20) will expire with the release of the next critical patch update scheduled for October 14, 2014.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u20) on November 14, 2014. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Java Mission Control

This JDK release includes Java Mission Control (JMC) version 5.4. For more information, see JMC 5.4 Release Notes.

Advanced Management Console (AMC) 1.0

Advanced Management Console (AMC) 1.0 is a commercial product available for Java users who license Java SE Advanced or Java SE Suite. AMC is downloaded separately from the JDK and is available to customers from My Oracle Support (MOS) or can be downloaded from OTN for trial purposes.

A primary benefit of Advanced Management Console is the ability to learn which applications are being run in the enterprise as well as the JREs that are being used. Additional information, such as the location of the application, vendor, permission level, number of JAR files and extensions, and number of times the application has been run is also provided. Information from Java Usage Tracker is collected by the AMC Collector, stored in the AMC database and displayed in the AMC UI.

Deployment rules can be created directly from this information and packaged into rule sets. The guided rule creation and packaging support greatly simplifies developing Deployment Rule Sets. The AMC UI can also be used to determine which rules and rule sets an application matches, helping system administrators understand the impact of installing a particular rule set prior to physically testing it in user environments.

For a summary of this feature, see Advanced Management Console documentation.

New Features and Changes


New flags added to Java Management API

The flags MinHeapFreeRatio and MaxHeapFreeRatio have been made manageable. This means they can be changed at runtime using the management API in Java. Support for these flags have also been added to the ParallelGC as part of the adaptive size policy.

Java Installer Changes

A new Microsoft Windows Installer (MSI) Enterprise JRE Installer which enables user to install the JRE across the enterprise, is available. See Downloading the Installer section in JRE Installation for Microsoft Windows for more information. The MSI Enterprise JRE Installer is only available as part of Java SE Advanced or Java SE Suite. For information about these commercial products, see Java SE Advanced and Java SE Suite.

The following new configuration parameters are added to support commercial features, for use by Java SE Advanced or Java SE Suite licensees only.

USAGETRACKERCFG=
DEPLOYMENT_RULE_SET=

See Installing With a Configuration File for more information about these and other installer parameters.

The Java Uninstall Tool is integrated with the installer to provide an option to remove older versions of Java from the system. The change is applicable to 32 bit and 64 bit Windows platforms. See Uninstalling the JRE.

JRE Installation Directory

Starting with JDK 8u20 release, the JRE will be installed in a version specific directory. For example:

C:\Program Files\Java\jre1.8.0_20

The version specific directory naming is intentional and it does not indicate that the JRE install is static.

As with the earlier releases, static JRE install is performed only if STATIC=1 option is passed (via command line or config file) by the user.

Existing Java applications that depend on the physical location of the JRE should be updated to reflect the new installation directory format.

Java Control Panel Changes

The Update tab in the Java Control Panel now enables the users to automatically update 64-bit JREs (in addition to 32-bit versions) that are installed on their system.

The Medium security level has been removed. Now only High and Very High levels are available.

Applets that do not conform with the latest security practices can still be authorized to run by adding the sites that host them to the Exception Site List.

The exception site list gives users the option of allowing the same applets that would have been allowed by selecting the Medium option, but on a site-by-site basis, thereby minimizing the risk of using more permissive settings.

Java Compiler updated

The javac compiler has been updated to implement definite assignment analysis for blank final field access using "this". See JDK 8 Compatibility Guide for more details.

Change in minimum required Java Version for Java Plugin and Java Webstart

The minimum version of Java required for Java Plugin and Java Webstart is now Java 5. Applets that do not run in Java 5 or later must be ported to a later version of Java to continue to function. Applets written for earlier versions but able to run in at least Java 5 will continue to work.

Change in UsageTracker output formatting

UsageTracker output formatting has been changed to use quoting, to avoid confusion in the log. This may require changes to the way such information is read. The feature can be configured to behave as in previous versions, although the new format is recommended.

See Java Usage Tracker documentation.

Changes to Java Packaging Tools

  • javafxpackager has been renamed to javapackager
  • The "-B" option has been added to the javapackager deploy command to enable you to pass arguments to the bundlers that are used to create self-contained applications. See the javapackager (Windows)/(Unix) documentation for information.
  • The <fx:bundleArgument> helper parameter argument has been added to JavaFX Ant Task Reference. It enables you to specify an argument (in the <fx:deploy> element) for the bundler that is used to create self-contained applications.

Change in javax.smartcardio.Card.disconnect(boolean reset) method behavior

Prior to the JDK 8u20 and JDK 7u72 releases, the javax.smartcardio.Card.disconnect(boolean reset) method had inverted logic for the 'reset' boolean value passed to it. The card was reset upon a disconnect if false was passed to it and vice versa. Starting with JDK 7u72 and JDK 8u20, the correct behavior as per API documentation has been implemented.

In order to provide backwards compatibility to users who rely on the old behavior, a new system property has been introduced. The following command-line option can be used to enforce the old broken behavior:

-Dsun.security.smartcardio.invertCardReset=true

This property is set by default for 7u72 and later JDK 7 update releases. By default, no behavioral change will be noticed in this area for JDK 7 update releases.

Also the following command-line option can be used to enforce the new correct behavior:

-Dsun.security.smartcardio.invertCardReset=false

This is default for 8u20 and later JDK 8 update releases. In future Java releases, the property will be ignored/disabled and default disconnect method behavior will be as specified by API.

Linux JRE RPM package Name Change

Starting with JDK 8u20, the RPM package name has been changed to include the Java product version.

For example, whereas the rpm name used to be returned simply as "jre", it is now returned as follows:

rpm -qp --qf "%{name}\n" ./jre-8u20-linux-x64.rpm
jre1.8.0_20 

JDK 8 Documentation Updates

New Garbage Collection Tuning Guide added to JDK 8 documentation

The Java HotSpot Virtual Machine Garbage Collection Tuning Guide has been added to the Java SE 8 Developer Guides. This guide describes the garbage collectors included with the Java HotSpot VM and helps you decide which garbage collector can best optimize the performance of your application, especially if it handles large amounts of data (multiple gigabytes), has many threads, and has high transaction rates.

New Deployment Guide

The Java SE Deployment Guide combines information for Java SE and JavaFX deployment into a single guide. This guide provides information about the Java packaging tools, creating self-contained applications, and deploying Java and JavaFX applications that are embedded in a web page or launched from a browser.

Updated Troubleshooting Guide

The Java SE Troubleshooting Guide combines and replaces the Desktop Technologies Troubleshooting Guide and the HotSpot Virtual Machine Troubleshooting Guide, to provide a single location for diagnosing and solving problems that may occur with Java applications created on the Java SE 8 Platform and on Java HotSpot VM. The document introduces the new and improved troubleshooting tools and techniques like Java Mission Control, Java Flight Recordings, and JCMD.

Installation Guide has been updated with changes to Installing With a Configuration File.

Options related to string deduplication have been added to the java command tool page. String deduplication reduces the memory footprint of String objects on the Java heap by taking advantage of the fact that many String objects are identical. Instead of each String object pointing to its own character array, identical String objects can point to and share the same character array. See the option -XX:+UseStringDeduplication for more information.

Bug Fixes

For a list of bug fixes included in this release, see JDK 8u20 Bug Fixes page.

The following are some of the notable bug fixes in this release:

Area: security-libs/org.ietf.jgss:krb5
Synopsis: sun.security.krb5.KdcComm interprets kdc_timeout as msec instead of sec

An interop issue was found between Java and the native Kerberos implementation on BSD (including Apple OS X) regarding the kdc_timeout setting in krb5.conf, which Java interprets as milliseconds and BSD as seconds (when no unit is specified). This release adds support for the "s" (seconds) unit. Therefore, if the timeout is 5 seconds, Java accepts both "5000" and "5s". Customers concerned about the interop between Java and BSD should use the latter format.

See 8044399.

Area: other-libs/corba
Synopsis: org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader

The system property org.omg.CORBA.ORBSingletonClass is used to configure the system-wide/singleton ORB. The handling of this system property has changed in 7u55 release to require that the system wide/singleton ORB be visible to the system class loader.

In this release the handling of this system property has been changed to match the behavior found in JDK versions prior to 7u55 release, i.e. the singleton ORB is once again located using the thread context class loader of the first thread to call the no-argument ORB.init method. The change was made to support applications which have been designed to depend on this behavior. Note that this change is applicable to 8u20, 7u65, 6u85 and 5.0u75 releases. For JDK 9, the new behavior where the system wide/singleton ORB needs to be visible to the system class loader, will continue.

See 8042789.

Area: core-libs/java.util.collections
Synopsis: Collection.sort now defers to List.sort

Previously Collection.sort copied the elements of the list to sort into an array, sorted that array, then updated the list, in place, with the elements of the array, and the default method List.sort deferred to Collection.sort. This was a non-optimal arrangement.

From 8u20 release onwards Collection.sort defers to List.sort. This means, for example, existing code that calls Collection.sort with an instance of ArrayList will now use the optimal sort implemented by ArrayList.

See 8032636.

Area: core-libs/java.net
Synopsis: Digest authentication interop issue

With older versions of Apache Tomcat, certain protocol parameters are expected to be surrounded by double quotes (""). This was the behavior in JDK 7, but was corrected in JDK 8 to be compatible with RFC 2617. This caused digest authentication interoperability issues.

Setting the networking property http.auth.digest.quoteParameters to true restores the JDK 7 behavior for compatibility with the older versions of Tomcat.

See 8034170 (not public).

Area: tools/javac
Synopsis: javac crashes when mixing lambdas and inner classes

Previously the following sample code was making the compiler fail with a NPE:

class LambdaExpressionWithNonExistentIdCrashesJavacTest {
    void foo() {
        bar(() -> {
            new NonExistentClass() {
                public void any() {}
            };
        });
    }

    void bar(Runnable r) {}
}

where the NonExistentClass was an existing but inaccessible class. Starting with JDK 8u20, javac produces an error message indicating correctly that symbol "NonExistentClass" can't be found.

See 8030816.

Area: tools/javac
Synopsis: ElementType.TYPE_USE is introduced in JDK 8 and should be considered a logical superset of ElementType.TYPE and ElementType.ANNOTATION_TYPE. However, the javac command does not currently recognize ElementType.TYPE_USE as a superset.

javac has been corrected to recognize ElementType.TYPE_USE appropriately.

See 8029017.

Area: tools/javac
Synopsis: javac generates incorrect exception table for multi-catch statements inside a lambda

Handling of try-catch with multiple catches inside a lambda has been corrected.

See 8036942.

Area: core-libs/java.lang.reflect
Synopsis: Default methods affect the result of Class.getMethod and Class.getMethods

Class.getMethod and Class.getMethods were not updated in the 8 release to match the new inheritance definition (both may return non-inherited superinterface methods). Starting with JDK 8u20, the implementation has been changed to match the definition. See JDK 8 Compatibility Guide for more details.

See 8046505.

Known Issues


JDK

Area: install
Synopsis: 64 bit JRE Offline Installer is uncompressed

The 64 bit JRE offline installer for Windows was released as an uncompressed binary in 8u20. In its uncompressed state, the binary is 91.68MB in size.

Only the Windows offline 64 bit JRE bundle is impacted. This does not apply to any other JRE/JDK Windows installers (e.g. 32 bit offline, 32 bit online, or any auto-update bundle, 32 bit or 64 bit).

JavaFX

Area: media
Synopsis: [Linux] JavaFX Media does not run on Ubuntu 14.04

The JavaFX Media component in 8u20 requires the following packages which are not shipped with Ubuntu 14.04:

  • libavcodec53
  • libavformat53
  • libavutil51

Ubuntu 14.04 ships with newer, incompatible versions of these packages.

Workaround: install the specific versions of the required packages.

Area: client-libs
Synopsis: JRE 8u20 crashes while using Japanese IM on Windows

The VM crashes while using Swing controls when some Japanese or Chinese characters are input on Windows platform. There is no workaround.

See 8058858 (not public).



Java SE 8u11 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u11 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u11 b31

 

Please note that fixes from prior BPR (8u5 b31) are included in this BPR.

Java™ SE Development Kit 8, Update 11 (JDK 8u11)

The full version string for this update release is 1.8.0_11-b12 (where "b" means "build"). The version number is 8u11.

Highlights

This update release contains the following  enhancements and changes:

IANA Data 2014c

JDK 8u11 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u11 are specified in the following table:

JRE Family Version JRE Security Baseline
(Full Version String)
8 1.8.0_11
7 1.7.0_65
6 1.6.0_81
5.0 1.5.0_71

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u11) will expire with the release of the next critical patch update scheduled for October 14, 2014.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u11) on November 15, 2014. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes


Java Dependency Analysis Tool (jdeps)

A new command-line tool, Java Dependency Analysis Tool (jdeps), is now available that can be used by developers to understand the static dependencies of their applications and libraries. It also provides an -jdkinternals option to find dependencies of any JDK internal APIs that are unsupported and private to JDK implementation.

See jdeps man page and the jdeps Open JDK wiki page.

New Java Control Panel option to disable sponsors

Currently, to disable sponsor offers at the time of installation, the user can deselect the option during installation or can pass SPONSORS=0 as a command line option.

In this release, a new Java Control Panel(JCP) option to disable sponsors is available. To use this option, go to JCP's "Advanced" tab, and check or uncheck "Suppress sponsor offers when updating Java".

This option is applicable to 32 and 64 bit Windows operating systems.

New JAR file attribute - Entry-Point

From this release, a new JAR file attribute, Entry-Point is available. The Entry-Point attribute is used to identify the classes that are allowed to be used as 'entry points' to the RIA. Identifying the entry points helps to prevent unauthorized code from being run when a JAR file has more than one class with a main() method, multiple Applet classes, or multiple JavaFX Application classes. Set this attribute to the fully qualified class name that can be used as the entry point for the RIA. To specify more than one class, separate the classes by a space, for example: Entry-Point: apps.test.TestUI apps.test.TestCLI

If the JAR manifest is signed and the main-class or applet-class entry point specified in the JNLP file or application descriptor differs from the class specified for the Entry-Point attribute, then the RIA is blocked. If the Entry-Point attribute is not present, any class with a main() method, or any Applet or JavaFX Application class in the JAR file can be used to start the RIA.

New JAXP processing limit property - maxElementDepth

A new property, maxElementDepth, is added to give applications the ability to set a limit on the maximum element depth in an XML file that they parse. This may be helpful for applications that may use too many resources when processing an XML file with excessive element depth.

  • Name: http://java.sun.com/xml/jaxp/properties/maxElementDepth
  • Definition: Limit the maximum element depth
  • Value: A positive integer. 0 is treated as no limit. Negative numbers are treated as 0.
  • Default value: 0
  • System property: jdk.xml.maxElementDepth

For more details, see Processing Limits from JAXP tutorial trail.

See 8031541 (not public).


Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 8u11 Bug Fixes page.

The following are some of the notable bug fixes in this release:

Area: client-libs/AWT
Synopsis: Using RMI from a restricted environment may cause a NullPointerException.

If an application uses RMI and runs in a restricted environment (i.e. Java Plugin, Java Web Start), it may not work. In particular, if you run a UI from an RMI callback, a NullPointerException is likely to be thrown.

See 8019274.

Known Issues


Area: xml/jax-ws
Synopsis: JAF initialization in SAAJ clashing with the one in javax.mail

After initialization of SAAJ components, the javax.mail library may fail to work under certain circumstances, which in turn could break javax.mail's JAF setup.

A possible workaround is to re-add the javax.mail handler before using javax.mail API:

import javax.activation.CommandMap;
import javax.activation.MailcapCommandMap;
MailcapCommandMap mailMap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
mailMap.addMailcap("multipart/mixed;;x-java-content-handler=com.sun.mail.handlers.multipart_mixed");


See 8043129.


Java SE 8u5 Advanced - Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u5 Advanced BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in previous BPR are also included in the current BPR.

To determine the version of your JDK software, use the following command:

java -version


Changes in Java SE 8u5 b31

 

Bug Fixes

BugId                   Category       Subcategory   Description
8028192 (Confidential)  security-libs  java.net.ssl  PKCS11 is not working correctly.
8038202 (Confidential)  deploy         plugin        Inconsistent behavior on systems using Deployment Rule Set


Java™ SE Development Kit 8, Update 5 (JDK 8u5)

The full version string for this update release is 1.8.0_5-b13 (where "b" means "build"). The version number is 8u5.

Highlights

This update release contains enhancements and changes including the following:

Olson Data 2013i

JDK 8u5 contains Olson time zone data version 2013i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u5 are specified in the following table:

JRE Family Version    JRE Security Baseline (Full Version String)
8                     1.8.0_5
7                     1.7.0_55
6                     1.6.0_75
5.0                   1.5.0_65

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u5) will expire with the release of the next critical patch update scheduled for July 15, 2014.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u5) on August 15, 2014. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

New Features and Changes

The frequency of some security dialogs has been reduced on systems that run the same RIA multiple times.

See 8029649.

Using "*" in Caller-Allowable-Codebase Attribute.

If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to the RIA will show a security warning, and users have the choice to allow the call or block the call.

For more information, see JAR File Manifest Attributes for Security documentation.

See 8033707.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 8u5 Bug Fixes page.

The following are some of the notable bug fixes in this release:

Area: deploy/plugin
Synopsis: java plugin compatibility with windows 8.1 / IE 11 enhanced protected mode

Starting in this release Java Plug-in is compatible with Windows Enhanced Protected Mode (EPM) on Windows 8.1 and IE 11. You should no longer see any warning related to EPM when trying to run an applet in Internet Explorer (IE). There is a special case for 64-bit Windows - EPM requires both 32-bit and 64-bit Plug-in installed. Please make sure you have both 32-bit and 64-bit JRE installed, otherwise there will be a warning from IE, but Java Plug-in will still run under EPM.

See JDK-8024903 (not public).

Area: other-libs/corba
Synopsis: Enhanced CORBA initializations

The system property org.omg.CORBA.ORBSingletonClass is used to configure the system-wide/singleton ORB. The handling of this system property has changed to require that the system wide/singleton ORB be visible to the system class loader. This is a change from previous releases where the singleton ORB was located using the thread context class loader of the first thread to call the no-argument ORB.init method. The implication of this change is that the system-wide/singleton ORB needs to be deployed on the class path or in the extension directory.

Applications that bundle their own ORB and only configure the property org.omg.CORBA.ORBClass should not be impacted by this change. The per-application ORB will be located via the thread context class loader of the thread calling the 2-argument ORB.init method as before.

See 8025005 (not public).

Area: xml/jaxp
Synopsis: Custom entities mapping files are no longer loaded with full permission

Legacy code may use the JDK internal API SerializerFactory to create a Serializer. In the process, a custom entity mapping file may be specified through the format parameter. The custom file was then loaded with full permission. As of this release, files that comply with the java.util.ResourceBundle format, that is, with a ".properties" extension, will continue to be loaded with full permission. However, any other custom mapping files will require specific file access permission when the program is running with a SecurityManager.

The workaround for any issues caused by lack of permission to use an arbitrary file as the entity mapping file is either to change the file to a resource bundle or to grant file read permission.

See 8029282 (not public).

Known Issues

Area: Install
Synopsis: Patching of JDK8 SUNWj8* Packages is not Supported on Solaris

In order to update SUNWj8* Solaris pkgs consecutively for JDK 8 family releases, JDK 8u5 must be installed as a base package. For example, SUNWj8* pkgs cannot be patched for JDK 8 to JDK 8u5 updates. Full packages must be downloaded and installed.

The following packages cannot be patched directly from the JDK8 release:

SUNWj8cfg, SUNWj8dev, SUNWj8dmo, SUNWj8jmp, SUNWj8man, SUNWj8rt

Patching support of the above packages will resume in JDK 8u5 and later releases of Java.


JDK 8 Release Notes


The Java Platform, Standard Edition 8 Development Kit (JDK 8) is a feature release of the Java SE platform. It contains new features and enhancements in many functional areas.

See the following links to release information about enhancements, changes, bugs, installation, runtime deployment, and documentation. Release Notes files are located on our website only and are not in the documentation download bundle, unless otherwise noted.

JRE Expiration Date

The expiration date for JRE 8 is 05/15/2014. After this date, Java will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
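An added check (not from the release notes, Oracle, or the JDK's own code) for the SSLv3 guidance above: it lists obsolete SSL protocol versions still enabled on the default SSLContext and shows how an application can restrict an SSLEngine to TLS only; the class name Sslv3Check is hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Hypothetical helper: verifies that the JRE no longer offers SSLv3. */
public class Sslv3Check {

    /** Protocol names a hardened client must never offer (SSLv2Hello is the SSLv2-style hello). */
    static final List<String> FORBIDDEN = Arrays.asList("SSLv3", "SSLv2Hello");

    /**
     * Returns the forbidden protocols found among those enabled on the default
     * SSLContext. On 8u31 and later this should be empty unless SSLv3 was
     * re-enabled as described in the release notes.
     */
    static List<String> forbiddenProtocolsEnabled() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> hits = new ArrayList<>();
        for (String p : engine.getEnabledProtocols()) {
            if (FORBIDDEN.contains(p)) {
                hits.add(p);
            }
        }
        return hits;
    }

    /**
     * Restricts an engine to TLS only, regardless of the JRE defaults. This is
     * the application-side control for a JRE older than 8u31, or for one where
     * an administrator re-enabled SSLv3 globally.
     */
    static SSLEngine restrictToTls(SSLEngine engine) {
        List<String> keep = new ArrayList<>();
        for (String p : engine.getSupportedProtocols()) {
            if (p.startsWith("TLSv1")) {   // TLSv1, TLSv1.1, TLSv1.2, ...
                keep.add(p);
            }
        }
        engine.setEnabledProtocols(keep.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        List<String> bad = forbiddenProtocolsEnabled();
        if (bad.isEmpty()) {
            System.out.println("OK: no SSLv3/SSLv2Hello enabled by default");
        } else {
            System.out.println("WARNING: obsolete protocols enabled by default: " + bad);
        }
        SSLEngine e = restrictToTls(SSLContext.getDefault().createSSLEngine());
        System.out.println("after restriction: " + Arrays.toString(e.getEnabledProtocols()));
    }
}
```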
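As an added illustration (not part of the release notes or the JDK's own code) of the maxElementDepth processing limit described above: the class name MaxElementDepthDemo is hypothetical, the nested XML is constructed inline, and the parser is the JDK's built-in JAXP implementation, which reports an exceeded processing limit as a parse error.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.xml.sax.SAXParseException;

/** Hypothetical demo of the JAXP maxElementDepth limit added in 8u11. */
public class MaxElementDepthDemo {

    // Property name as listed in the release notes; the global alternative is
    // the system property jdk.xml.maxElementDepth.
    static final String MAX_ELEMENT_DEPTH =
            "http://java.sun.com/xml/jaxp/properties/maxElementDepth";

    /** Constructed sample input: a document nested `depth` elements deep. */
    static String nestedXml(int depth) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>");
        for (int i = 0; i < depth; i++) {
            sb.append("<e>");
        }
        sb.append("x");
        for (int i = 0; i < depth; i++) {
            sb.append("</e>");
        }
        return sb.toString();
    }

    /**
     * Parses xml under the given depth limit (0 = no limit, as the notes state).
     * Returns true if parsing succeeded and false if the parser rejected the
     * document because the element depth exceeded the limit.
     */
    static boolean parseWithDepthLimit(String xml, int limit) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Usual hardening for untrusted input, independent of the depth limit:
        // refuse DOCTYPE declarations so no entities can be defined at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // JAXP processing limits are set as factory attributes (string values).
        dbf.setAttribute(MAX_ELEMENT_DEPTH, String.valueOf(limit));
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            // The built-in parser surfaces an exceeded limit as a fatal parse error.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String shallow = nestedXml(5);
        String deep = nestedXml(50);
        System.out.println("limit 10, depth 5:  " + parseWithDepthLimit(shallow, 10));
        System.out.println("limit 10, depth 50: " + parseWithDepthLimit(deep, 10));
        System.out.println("limit 0,  depth 50: " + parseWithDepthLimit(deep, 0));
    }
}
```

The middle call is the one the limit exists for: a document deeper than the configured bound is refused before the parser builds the tree.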
