What is a Java Specification

This page highlights the changes that will affect end users with each release of Java. For more information about the changes, see the release notes for each release.
»Java release dates


Java 8 Update 291 (8u291)

Key release features
  • IANA time zone data of versions 2020e, 2020f, 2021a.
    JDK 8u291 contains IANA time zone data of versions 2020e, 2020f, 2021a. For more information, see Timezone Data Versions in the JRE Software.
  • More information: New system and security features to control the creation of remote objects through the integrated JNDI RMI and LDAP implementations of the JDK
    : This system and security property can be used to specify a serial filter to control the set of object factory classes that are allowed to instantiate objects from object references that are returned by naming / directory systems. The factory class named by the reference instance is compared with this filter when the remote reference is recreated. The filter property supports the pattern-based filter syntax with the format specified by JEP 290. This property applies equally to the integrated provider implementations of JNDI / RMI and JNDI / LDAP. The default value allows any object factory class specified in the reference to re-create the referenced object.
    JDK-8244473 (not public)
  • More information: The standard Java version is not updated for a double-click JAR execution
    If the PATH environment variable contains a record that was configured by Oracle JDK installers from newer releases, the Oracle JRE installer adds the path to the directory containing the Java commands (, and) to the PATH environment variable this data set. Previously, the Oracle JRE installer ignored changes made to the PATH environment variable by Oracle JDK installers from newer releases and did not correctly update the value of the PATH environment variable. For more technical information, see the following CSR: https://bugs.openjdk.java.net/browse/JDK-8259858
    See JDK-8259215
  • More information: Deactivate TLS 1.0 and 1.1
    TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer considered secure and have been replaced by more secure and modern versions (TLS 1.2 and 1.3).
    These versions have now been disabled by default. If problems arise, you can reactivate the versions at your own risk by removing "TLSv1" and / or "TLSv1.1" from the security property in the configuration file.
    See JDK-8202343
  • More information: Disable TLS 1.0 and 1.1 for Java plug-in applets and Java Web Start applications
    TLS 1.0 and 1.1 have been deactivated. These protocols are not used by default by Java plug-in applets and Java Web Start applications. If problems arise, there is an option to re-enable the protocols through the Java Control Panel.
    JDK-8255892 (not public)
Keep JDK up to date

Oracle recommends updating the JDK with every critical patch update (CPU). Use the Security Baseline page to determine the current version for each release family.

Critical patch updates that fix security vulnerabilities are announced one year in advance under Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u291) after the next critical patch update. This is planned for July 20, 2021.

Java SE subscription customers who manage JRE updates / installations for a large number of desktops should consider using the Java Advanced Management Console (AMC).

For systems that cannot access the Oracle server, this JRE (version 8u291) will expire on August 20, 2021 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version. For more information, see Expiration Date for 23.1.2 JRE im Deployment Guide for Java Platform, Standard Edition.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u291 Bug Fixes page.

»8u291 release notes


Java 8 Update 281 (8u281)

Key release features
  • IANA Data 2020d
    JDK 8u281 contains version 2020d of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: Added "groupname" option to key pair generation keytool
    A new option has been added to so that users can specify a named group when generating a keypair. Example: generates an EC key pair using the curve. Since there can be multiple curves of the same size, it is preferred to use the option over the option.
    See JDK-8213400
  • New feature: Apache Santuario Library update to version 2.1.4
    The Apache Santuario Library has been updated to version 2.1.4. The new system property was introduced accordingly.
    This new system property determines the pool size of the internal cache that is used when processing the XML signatures. The function corresponds to the system property used in Apache Santuario and has the same default value (20).
    See JDK-8231507
  • New feature: Support for certificate_authorities extension
    The "certificate_authorities" extension is an optional extension introduced in TLS 1.3. This specifies the Certificate Authorities (CAs) that an endpoint supports. The receiving endpoint must take this into account when selecting the certificate.
    See JDK-8206925
  • More information: Properties.loadFromXML changed to conform to specification
    The implementation of the method has been changed to conform to its specification. In particular, the underlying XML parser implementation now rejects non-compliant XML documents by throwing an exception, as specified in the method.
    See JDK-8213325
  • More information: US / Pacific-New-Zone name removed as part of tzdata2020b
    As part of the JDK update on tzdata2020b, the long outdated files named and were removed. As a result, the zone declared in the data file named "US / Pacific-New" can no longer be used.
    See JDK-8254177
Keep JDK up to date

Oracle recommends updating the JDK with every critical patch update (CPU). Use the Security Baseline page to determine the current version for each release family.

Critical patch updates that fix security vulnerabilities are announced one year in advance under Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u281) after the next critical patch update. This is planned for April 20, 2021.

Java SE subscription customers who manage JRE updates / installations for a large number of desktops should consider using the Java Advanced Management Console (AMC).

For systems that cannot access Oracle Server, this JRE (version 8u281) will expire on May 15, 2021 based on an alternative procedure. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version. For more information, see Expiration Date for 23.1.2 JRE im Deployment Guide for Java Platform, Standard Edition.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u281 Bug Fixes page.

»8u281 release notes


Java 8 Update 271 (8u271)

Key release features
  • IANA Data 2020a
    JDK 8u271 contains version 2020a of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: Weak name curves disabled by default in TLS, CertPath and signed JAR
    Weakly named curves are disabled by default by adding them to the following security properties:, and. Since 47 weakly named curves have to be deactivated, it would be too time-consuming to add individual named curves to each property. Therefore, the new safety property has been implemented, in which the named curves can be listed that are common to all properties. To use the new property in the properties, prepend the keyword to the full property name. Users can still add individual named curves to properties regardless of this new property. No other properties can be included in the properties.
    See JDK-8233228
  • New feature: Support for cross-realm Kerberos referrals (RFC 6806)
    The Kerberos client was supplemented by support for canonicalization of the principal name and cross-realm referrals in accordance with the RFC 6806 protocol extension.
    With this new feature, the Kerberos client can use more dynamic environment configurations and does not necessarily have to know (in advance) how to reach the realm of a target principal (user or service).
    See JDK-8223172
  • Removed feature: Java plug-in will be removed from JDK 8u for Linux, Solaris, and MacOS platforms
    NPAPI is considered a vulnerable plug-in that has been disabled in many browsers. The Java plug-in, which is based on NPAPI, is not currently supported by any browsers on Linux, Solaris and MacOS platforms.
    As of 8u271, the part of the Java plug-in that is responsible for integration and interaction with a browser (in particular the libnpjp2 library) and an associated artifact are no longer created. They are then no longer part of the JRE distribution on Linux, Solaris and MacOS platforms.
    JDK-8240210 (not public)
  • More information: Property added to control which LDAP authentication mechanisms are allowed for authentication over "Clear" connections
    The new environment property has been added to control which LDAP authentication mechanisms are allowed for sending credentials over -LDAP connections (i.e. connections that are not secured with TLS). An LDAP connection is a connection that is opened with the schema or opened with the schema and then upgraded to TLS with a STARTTLS extension process.
    JDK-8237990 (not public)
Keep JDK up to date

Oracle recommends updating the JDK with every critical patch update (CPU). On the following "Security Baseline" page, you can determine the current version for each release family.

Critical patch updates that fix security vulnerabilities are announced one year in advance under Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u271) after the next critical patch update. This is planned for January 19, 2021.

Java SE subscription customers who manage JRE updates / installations for a large number of desktops should consider using the Java Advanced Management Console (AMC).

For systems that cannot access Oracle servers, this JRE (version 8u271) will expire on February 20, 2021 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version. For more information, see Expiration Date for 23.1.2 JRE in the Deployment Guide for Java Platform, Standard Edition.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u271 bug fixes page.

»8u271 release notes


Java 8 Update 261 (8u261)

Key release features
  • IANA Data 2020a
    JDK 8u261 contains version 2020a of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: Windows Visual Studio Library (DLL) and JDK / JRE dependency changes at runtime
    As part of ongoing maintenance, the Microsoft Visual Studio 2017 tool chain is used to develop JDK 7 and JDK 8 for Windows. JDK 8u261 was developed in the CPU from July 2020 with Visual Studio 2017. With the release of the CPU in October 2020, JDK 7u281 changes to Visual Studio 2017.
    JDK-8246783 (not public)
  • New feature: JEP 332 Transport Layer Security (TLS) 1.3
    JDK 8u261 includes an implementation of the Transport Layer Security (TLS) 1.3 specification (RFC 8446). For more details, including a list of supported features, see the Java Secure Socket Extension (JSSE) Reference Manual and JEP 332.
    See JDK-814252
  • New feature: New system properties for configuring the TLS signature schemes
    Two new system properties have been added to adapt the TLS signature schemes in JDK.
    was added for the TLS client side and for the server side.
    See JDK-8242141
  • New feature: Negotiated Finite Field Diffie-Hellman ephemeral parameters for TLS
    The JDK SunJSSE implementation now supports the TLS FFDHE mechanism defined in RFC 7919. If a server cannot process the TLS extension or the named groups in the extension, applications can either adapt the supported group names or deactivate the FFDHE mechanisms by setting the system property to "false".
    See JDK-8140436
Keep JDK up to date

Oracle recommends updating the JDK with every critical patch update (CPU). On the following "Security Baseline" page, you can determine the current version for each release family.

Critical patch updates that fix security vulnerabilities are announced one year in advance under Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u261) after the next critical patch update. This is planned for October 13, 2020.

Java SE subscription customers who manage JRE updates / installations for a large number of desktops should consider using the Java Advanced Management Console (AMC).

For systems that cannot access the Oracle server, this JRE (version 8u261) will expire on November 13, 2020 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version. For more information, see Expiration Date for 23.1.2 JRE in the Deployment Guide for Java Platform, Standard Edition.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u261 Bug Fixes page.

»8u261 Release Notes


Java 8 Update 251 (8u251)

Key release features
  • IANA Data 2019c
    JDK 8u251 contains version 2019c of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: New support for PKCS # 1 v2.2 algorithms, including RSASSA-PSS signature
    The providers SunRsaSign and SunJCE now support additional algorithms that are defined in PKCS # 1 v2.2, including RSASSA-PSS signature and OAEP with FIPS 180-4 digest algorithms. New constructors and methods have been added to the relevant JCA / JCE classes under packages and to support additional RSASSA-PSS parameters.
    See JDK-8146293
  • More information: WebEngine limits JavaScript method calls for certain classes
    JavaScript programs that are executed in the context of a web page loaded with WebEngine can communicate with Java objects that have been passed by the application to the JavaScript program. JavaScript programs that reference java.lang.Class objects are now limited to the following methods:


    Methods cannot be called on the following classes:


    JDK-8236798 (not public)
  • More information: New Oracle-specific JDK 8 update system property for fallback to legacy Base64 encoding format
    In Oracle JDK 8u231, the Apache Santuario libraries have been upgraded to v2.1.3.This upgrade introduced an issue where the base64 encoded XML signature resulted in or appended to the encoded output. This behavior change was made in the Apache Santuario codebase to comply with RFC 2045. The Santuario team has kept its libraries compliant with RFC 2045.
    See JDK-8236645
Keep JDK up to date

Oracle recommends updating the JDK with every critical patch update (CPU). On the following "Security Baseline" page, you can determine the current version for each release family.

Critical patch updates that fix security vulnerabilities are announced one year in advance under Critical Patch Updates, Security Alerts and Bulletins. It is not recommended to use this JDK (version 8u251) after the next critical patch update. This is planned for July 14, 2020.

For systems that cannot access the Oracle server, this JRE (version 8u251) will expire on August 14, 2020 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version. For more information, see Expiration Date for 23.1.2 JRE in the Deployment Guide for Java Platform, Standard Edition.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u251 Bug Fixes page.

»8u251 Release Notes


Java 8 Update 241 (8u241)

Key release features
  • IANA Data 2019c
    JDK 8u241 contains version 2019c of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: Allow restriction of SASL mechanisms
    The security property with which you can deactivate SASL mechanisms has been added. Any deactivated mechanism is ignored if it is specified in the argument of or the argument of. By default, this security property is empty. This means that no mechanisms are deactivated out-of-the-box.
    See JDK-8200400
  • New feature: Upgrade from SunPKCS11 provider with support for PKCS # 11 v2.40
    The SunPKCS11 provider has been updated to support PKCS # 11 v2.40. This version supports more algorithms, such as the AES / GCM / NoPadding cipher, DSA signatures with SHA-2 message digests and RSASSA-PSS signatures, if the corresponding PKCS11 mechanisms are supported by the underlying PKCS11 library.
    See JDK-8080462
  • More information: New exams for trust anchor certificates
    New checks have been added to ensure trust anchors are CA certificates and contain proper extensions. Certificate chains used in TLS and signed code are validated with trust anchors. Trust anchor certificates must contain a base constraint extension with the cA field set to "true". Also, the keyCertSign bit must be set if they have a key usage extension.
    JDK-8230318 (not public)
  • More information: Exact match required for trusted TLS server certificate
    A TLS server certificate must exactly match a trustworthy certificate in the client in order to be classified as trustworthy when a TLS connection is established.
    JDK-8227758 (not public)
  • More information: LuxTrust Global Root 2 certificate added
    The LuxTrust Root Certificate has been added to the Cacerts Truststore
    See JDK-8232019
  • More information: 4 Amazon root CA certificates added
    Amazon root certificate has been added to the Cacerts truststore
    See JDK-8233223
  • Bug fixes: OpenType CFF font support
    Previously, Oracle JDK 8 did not include OpenType CFF (OTF) fonts in the standard logical fonts (such as Dialog and SansSerif). As a result, glyphs were missing when rendering text. In the worst case (if only CFF fonts were installed in the system) a Java exception could be thrown.
    Several Linux distributions were affected by this problem because they required CFF fonts for some languages ​​(as is often the case with Chinese, Japanese, and Korean).
    Oracle JDK 8 now uses these CFF fonts and this problem has been resolved.
    See JDK-8209672
  • Bug fixes: Better processing of serial filters
    The system property can only be set on the command line. If the filter was not set on the command line, it can be set with. Setting with has no effect.
    JDK-8231422 (not public)
Java expiration date

The expiration date for 8u241 is April 14, 2020. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access the Oracle server, this JRE (version 8u241) will expire on May 14, 2020 based on an alternative procedure. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u241 Bug Fixes page.

»8u241 release notes


Java 8 Update 231 (8u231)

Key release features
  • IANA Data 2019b
    JDK 8u231 contains version 2019b of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: New system property "jdk.jceks.iterationCount"
    A new system property has been introduced to control the iteration count value for the keystore. The default value remains at 200000, but values ​​between 10000 and 5000000 can be specified. The name of the new system property is and the specified value should be an integer within the allowable range. The default value is used when a parsing error occurs.
    JDK-8223269 (not public)
  • New feature: New security events for Java Flight Recorder (JFR)
    Four new JFR events have been added in the security library area. These events are disabled by default and can be enabled through the JFR configuration files or through standard JFR options.
    See JDK-8148188
  • Removed features and options: Removed T2K rasterizer and ICU layout engine from JavaFX
    The T2K rasterizer and ICU layout engine have been removed from JavaFX.
    See JDK-8187147
  • Other notes: [Client Libraries and JavaFX] GTK3 is now used as the standard on Linux / Unix
    Newer versions of Linux, Solaris, and other Unix-like desktop environments use GTK3. GTK2 is still supported.
    Previously, the older GTK2 libraries were loaded by default in the JDK. In this release, however, the GTK3 libraries are loaded by default. The loading process is usually triggered by using Swing's GTK look and feel.
    The old behavior can be restored by using the following system property:
    See JDK-8222496
  • Other notes: Remove obsolete NIST-EC curves from the TLS standard algorithms
    This change removes obsolete NIST EC curves from the default named groups used during TLS negotiation. The following curves are removed: sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1 and secp256k1.
    To activate these curves again, use the system property. The property contains a comma-separated list of quotes enabled named groups in order of preference. Example:

    JDK-8228825 (not public)
Java expiration date

The expiration date for 8u231 is January 14th, 2020. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access the Oracle server, this JRE (version 8u231) will expire on February 14, 2020 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u231 bug fixes page.

»8u231 release notes


Java 8 Update 221 (8u221)

Key release features
  • IANA Data 2018i
    JDK 8u221 contains version 2018i of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: Windows Server 2019 is correctly identified by Windows operating system detection for hotspots
    Prior to this fix, Windows Server 2019 was recognized as "Windows Server 2016" which created incorrect values ​​in the system property and file.
    See JDK-8211106
  • Removed features and options: Two DocuSign Root CA Certificates have been removed
    Two DocuSign Root CA certificates have expired and have been removed from the keystore:
    • Alias ​​name "certplusclass2primaryca [jdk]"
      Distinguished Name: CN = Class 2 Primary CA, O = Certplus, C = FR
    • Alias ​​name "certplusclass3pprimaryca [jdk]"
      Distinguished Name: CN = Class 3P Primary CA, O = Certplus, C = FR
    See JDK-8223499
  • Removed features and options: Two Comodo Root CA certificates have been removed
    Two Comodo Root CA certificates have expired and have been removed from the keystore:
    • Alias ​​"utnuserfirstclientauthemailca [jdk]"
      Distinguished Name: CN = UTN-USERFirst-Client Authentication and Email, OU = http: //www.usertrust.com, O = The USERTRUST Network, L = Salt Lake City, ST = UT, C = US
    • Alias ​​"utnuserfirsthardwareca [jdk]"
      Distinguished Name: CN = UTN-USERFirst-Hardware, OU = http: //www.usertrust.com, O = The USERTRUST Network, L = Salt Lake City, ST = UT, C = US
    See JDK-8222136
  • Removed features and options: The T-Systems Deutsche Telekom Root CA 2 certificate has been removed
    The T-Systems Deutsche Telekom Root CA 2 certificate has expired and has been removed from the keystore:
    • Alias ​​name "deutschetelekomrootca2 [jdk]"
      Distinguished Name: CN = Deutsche Telekom Root CA 2, OU = T-TeleSec Trust Center, O = Deutsche Telekom AG, C = DE
    See JDK-8222137
  • Other notes: Workaround for installing Java Access Bridge
    There is a risk that Java Access Bridge functionality will be interrupted when installing Java on a Windows system that is running an already installed version of Java and an instance of JAWS. After the restart, the file may be missing in the system directory () for 64-bit Java products or in the system directory () used by WOW64 for 32-bit Java products.
    The interruption of the Java Access Bridge functionality can be prevented with the following workarounds:
    • Stop JAWS before running the Java installer.
    • Uninstall the existing JREs before installing a new version of Java.
    • Uninstall the existing JREs after installing the new version of Java and restarting the computer.
    The workarounds are designed to avoid having to uninstall existing JREs from the Java installer while JAWS is running.
    JDK-8223293 (not public)
Java expiration date

The expiration date for 8u221 is October 15, 2019. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access the Oracle server, this JRE (version 8u221) will expire on November 15, 2019 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see Oracle Critical Patch Update. For a list of the bug fixes included in this release, see the JDK 8u221 bug fixes page.

»8u221 release notes


Java 8 Update 211 (8u211)

Key release features
  • IANA Data 2018g
    JDK 8u211 contains version 2018g of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: New Japanese Era Square Characters Support
    The code point U + 32FF has been reserved by the Unicode Consortium for the representation of square characters for the new era of Japan, which begins in May 2019. Relevant methods in the class return the same properties as the existing characters for the Japanese era (example: U + 337E for "Meizi"). For more details on the code point, see http://blog.unicode.org/2018/09/new-japanese-era.html.
    See JDK-8211398
  • Modification: GlobalSign R6 Root Certificate added
    The following root certificate has been added to the OpenJDK Cacerts truststore:
    • GlobalSign
      • globalsignrootcar6
        DN: CN = GlobalSign, O = GlobalSign, OU = GlobalSign Root CA - R6

    JDK-8216577 (not public)
  • Modification: TLS server certificates anchored through Symantec root are no longer trusted
    TLS server certificates issued by Symantec are no longer trusted by the JDK. This is in line with similar plans recently announced by Google, Mozilla, Apple and Microsoft. The list of affected certificates includes certificates from brands such as GeoTrust, Thawte, and VeriSign that have been managed by Symantec.
    All TLS server certificates issued up to and including April 16, 2019 remain valid until their expiration date. Certificates issued after this date will be rejected. Please visit the DigiCert Support page for information on how to replace your Symantec certificates with a DigiCert certificate (DigiCert took over the validation and issuance of all Symantec website security SSL / TLS certificates on December 1, 2017).
    This policy does not apply to TLS server certificates issued by one of the two Apple-managed subordinate certificate authorities listed below. These will continue to be trusted as long as they were issued on or before December 31, 2019.
    See JDK-8207258
  • Modification: Name of the new Japanese era
    The placeholder name "" for the Japanese era beginning May 1, 2019 has been replaced with the name "" announced by the Japanese government. Applications that use the wildcard name to get the new era singleton () will no longer work.
    See JDK-8205432
  • Modification: New Japanese Era support in java.time.chrono.JapaneseEra
    The JapaneseEra class and its methods were explained to accommodate future Japanese eras. This includes, for example, the way in which singleton instances are defined, the associated integer values ​​of the era, etc.
    See JDK-8212941
Java expiration date

The expiration date for 8u211 is July 16, 2019. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access the Oracle server, this JRE (version 8u211) will expire on August 16, 2019 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a list of the bug fixes included in this release, see the JDK 8u211 bug fixes page.

»8u211 release notes


Java 8 Update 201 (8u201)

Key release features
  • IANA Data 2018e
    JDK 8u201 contains version 2018e of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • Modification: TLS cipher suites "anon" and "NULL" are deactivated
    The TLS cipher suites "anon" and "NULL" have been added to the security property and are now disabled by default.
    See JDK-8211883
  • Modification: jarsigner indicates when a timestamp expires
    The tool now shows more information on the validity period of a JAR with a time stamp. New warning and error messages are displayed when a time stamp has expired or has expired within a year.
    See JDK-8191438
Java expiration date

The expiry date for 8u201 is April 16, 2019. Java will expire as soon as a new release with improved security becomes available.For systems that cannot access Oracle Server, this JRE (version 8u201) will expire on May 16, 2019 based on an alternative procedure. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a list of the bug fixes included in this release, see the JDK 8u201 bug fixes page.

»8u201 release notes


Java 8 Update 191 (8u191)

Key release features
  • IANA Data 2018e
    JDK 8u191 contains version 2018e of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • Modification: Central file system directory for file usagetracker.properties changed
    In Windows, the file system directory for the file has been moved from to.
    No change was made to the file path for Linux, Solaris, or macOS. JDK-8204901 (not public)
  • Modification: All DES-TLS cipher suites deactivated
    DES-based TLS cipher suites are considered obsolete and may no longer be used. DES-based cipher suites have been disabled by default in the SunJSSE implementation by adding the ID "DES" to the security property. These cipher suites can be reactivated by removing "DES" from the security property in the java.security file or by calling the method dynamically. In both cases, the DES-based cipher suites must be added to the list of activated cipher suites after reactivating DES via the method or.
    Note that DES40_CBC (but not all DES) suites were disabled via the security property prior to this change.
    See JDK-8208350
  • Modification: Several Symantec root CAs have been removed
    The following Symantec root certificates are no longer in use and have been removed:
    • Symantec
      • equifaxsecureca
        DN: OU = Equifax Secure Certificate Authority, O = Equifax, C = US
      • equifaxsecureglobalebusinessca1
        DN: CN = Equifax Secure Global eBusiness CA-1, O = Equifax Secure Inc., C = US
      • equifaxsecureebusinessca1
        DN: CN = Equifax Secure eBusiness CA-1, O = Equifax Secure Inc., C = US
      • verisignclass1g3ca
        DN: CN = VeriSign Class 1 Public Primary Certification Authority - G3, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", OU = VeriSign Trust Network, O = "VeriSign, Inc.", C = US
      • verisignclass2g3ca
        DN: CN = VeriSign Class 2 Public Primary Certification Authority - G3, OU = "(c) 1999 VeriSign, Inc. - For authorized use only", OU = VeriSign Trust Network, O = "VeriSign, Inc.", C = US
      • verisignclass1g2ca
        DN: OU = VeriSign Trust Network, OU = "(c) 1998 VeriSign, Inc. - For authorized use only", OU = Class 1 Public Primary Certification Authority - G2, O = "VeriSign, Inc.", C = US
      • verisignclass1ca
        DN: OU = Class 1 Public Primary Certification Authority, O = "VeriSign, Inc.", C = US

    See JDK-8191031
  • Modification: Baltimore Cybertrust Code Signing CA has been removed
    The following Baltimore CyberTrust Code Signing Root Certificate is no longer in use and has been removed:
    • baltimorecodesigningca
      DN: CN = Baltimore CyberTrust Code Signing Root, OU = CyberTrust, O = Baltimore, C = IE

    See JDK-8189949
  • Bug fix: LDAPS communication failure
    Application code using LDAPS with a socket connection timeout <= 0 (the default) and running on the July 2018 CPU (8u181, 7u191, and 6u201) may encounter an exception when connecting.
    The topmost frames from the exception stack traces of applications experiencing such problems can look like this:



    The problem has been resolved and the fix will be made available in the following releases:
    See JDK-8211107
Java expiration date

The expiration date for 8u191 is January 15, 2019. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access Oracle servers, this JRE (version 8u191) will expire on February 15, 2019 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a list of the bug fixes included in this release, see the JDK 8u191 Bug Fixes page.

»8u191 release notes


Java 8 Update 181 (8u181)

Key release features
  • IANA Data 2018e
    JDK 8u181 contains version 2018e of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • Removed feature: Java DB has been removed
    Java DB (also known as Apache Derby) has been removed in this release.
    It is recommended that you download the latest version of Apache Derby directly from the Apache project here:
    https://db.apache.org/derby
    JDK-8197871 (not public)
  • Modification: Improved LDAP support
    Endpoint identification has been enabled for LDAPS connections.
    To improve the robustness of LDAPS connections (secure LDAP over TLS), endpoint identification algorithms have been activated by default.
    Note that some applications that previously successfully connected to an LDAPS server may no longer be able to do so. If necessary, these applications can disable endpoint identification with a new system property:.
    Define (or set) this system property to disable endpoint identification algorithms.
    JDK-8200666 (not public)
  • Modification: Better stack walking
    New access checks have been added during the object creation phase of deserialization. Ordinary uses of deserialization should not be affected. However, this can affect reflective frameworks that use JDK internal APIs. If necessary, the new checks can be deactivated by setting the system setting to "true". To do this, you need to add the argument to the Java command line.
    JDK-8197925 (not public)
  • Bug fix: JVM crash on G1 GC
    A "class" that was classified as unreachable in the concurrent marking of G1 can be looked up in. The associated fields for or can be saved in a root or another accessible object so that the object is live again. When a "class" is restored in this way, the SATB part of G1 must be notified of this. Otherwise this "class" will be erroneously unloaded during the remarking phase of the concurrent marking.
    See JDK-8187577
  • Bug fix: Better stability with older NUMA libraries (-XX + UseNuma)
    A fix in JDK 8 Update 152 has led to a regression that could cause the HotSpot JVM to crash when booting if the UseNUMA flag is used on Linux systems with libnuma versions prior to 2.0.9. This problem has been resolved.
    See JDK-8198794
Java expiration date

The expiration date for 8u181 is October 16, 2018. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access the Oracle server, this JRE (version 8u181) will expire on November 16, 2018 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a list of the bug fixes included in this release, see the Bug Fixes for JDK 8u181 page.

»8u181 release notes


Java 8 Update 171 (8u171)

Key release features
  • IANA Data 2018c
    JDK 8u171 contains version 2018c of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: Improved KeyStore mechanisms
    A new security feature with the name has been introduced. If this filter is configured, the JCEKS-KeyStore uses it when deserializing the encrypted key object stored in SecretKeyEntry. If the filter is not configured or its result is UNDECIDED (e.g. none of the patterns match), the filter configured by is used.
    If the system property is also specified, it replaces the security property value defined here.
    The filter pattern uses the same format as. The standard pattern allows and, but rejects all other types.
    Customers who have stored a SecretKey that is not serialized to the types above will need to change the filter so that the key can be extracted.
    JDK-8189997 (not public)
  • New feature: System property for deactivating tracking for the last JRE use
    A new system property has been introduced to disable tracking for the last JRE use for a started VM. This property can be set with or on the command line. After this system property has been set, tracking for the last JRE usage will be disabled regardless of the property value set in.
    JDK-8192039 (not public)
  • Note: CipherOutputStream usage
    The specification has been clarified to indicate that BadPaddingException and other exceptions thrown by unsuccessful integrity checks during decryption are caught with this class. These exceptions will not be thrown again. So the customer is not informed that integrity checks were unsuccessful. Because of this behavior, this class may not be suitable for use with decryption in the authenticated operating mode (e.g. GCM) if the application requires an explicit notification in the event of unsuccessful authentication. These applications can use the Cipher API as a direct alternative to this class.
    JDK-8182362 (not public)
  • Modification: Additional TeliaSonera root certificate
    "TeliaSonera Root CA v1" has been added to the keystore.
    JDK-8190851 (not public)
  • Modification: XML signatures signed with EC keys with less than 224 bits have been deactivated
    To improve the SSL / TLS connection strength, 3DES cipher suites have been deactivated in the SSL / TLS connections in JDK via the security property.
    JDK-8175075 (not public)
  • Bug fix: Server-side HTTP tunneling for RMI connections has been disabled
    Server-side HTTP tunneling for RMI connections is disabled by default in this release. This behavior can be reversed by setting the runtime property to. Note: Do not confuse this with the property that the client-side HTTP tunneling is deactivated and set to by default.
    JDK-8193833 (not public)
Java expiration date

The expiration date for 8u171 is July 17, 2018. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access the Oracle server, this JRE (version 8u171) will expire on August 17, 2018 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a more detailed list of the bug fixes included in this release, see the Bug Fixes for JDK 8u171 page.

»8u171 release notes


Java 8 Update 161 (8u161)

Key release features
  • IANA Data 2017c
    JDK 8u161 contains version 2017c of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • New feature: Support for a DHE size of up to 8192 bits and a DSA size of up to 3072 bits
    The JDK security providers now offer support for generating DiffieHellman and DSA parameters with a size of up to 3072 bits, for precalculated DiffieHellman parameters with up to 8192 bits, and for precomputed DSA parameters with up to 3072 bits Bit.
    See JDK-8072452
  • New feature: Negotiated Finite Field Diffie-Hellman ephemeral parameters for TLS
    The JDK SunJSSE implementation now supports the TLS FFDHE mechanism defined in RFC 7919. If a server cannot process the TLS extension or the named groups in the extension, applications can either adapt the supported group names or deactivate the FFDHE mechanisms by setting the system property to.
    See JDK-8140436
  • New feature: Add additional IDL stub type checks to the org.omg.CORBA.ORBstring_to_object method
    Applications that call either explicitly or implicitly and want to preserve the integrity of the IDL stub type involved in the call flow must specify an additional IDL stub type check. This feature is optional and is not enabled by default.
    To use the additional type check, the list of permitted IDL interface class names of the IDL stub classes is configured using one of the following methods:
    • By specifying the security property in the file in Java SE 9 or in Java SE 8 and earlier versions.
    • By specifying the system property with the list of classes. When the system property is set, its value overrides the corresponding property in the configuration.

    If the com.sun.CORBA.ORBIorTypeCheckRegistryFilter property is not set, type checking is performed only on a set of class names of the IDL interface types that correspond to the built-in IDL stub classes.
    JDK-8160104 (not public)
  • Modification: RSA public key validation
    In 8u16, the RSA implementation in the SunRsaSign provider rejects all RSA public keys that have an exponent that is not in the permissible range defined by PKCS # 1 version 2.2. This change affects JSSE connections as well as applications that rely on JCE.
    JDK-8174756 (not public)
  • Modification: Restriction of Diffie-Hellman keys with less than 1024 bits
    Diffie-Hellman keys with less than 1024 bits are considered too weak in practice and should be restricted by default in SSL / TLS / DTLS connections. Accordingly, Diffie-Hellman keys less than 1024 bits have been disabled by default by adding "DH keySize <1024" to the jdk.tls.disabledAlgorithms security property in the java.security file. Administrators can update the security property ("jdk.tls.disabledAlgorithms") and allow smaller key sizes (e.g. by setting "DH keySize <768"). However, this is not recommended.
    JDK-8148108 (not public)
  • Modification: Default key size for providers is updated
    With this change, JDK providers are updated so that instead of 1024 bits, 2048 bits is used as the default key size for DSA when applications have initialized the objects and not explicitly with a key size.
    If compatibility problems arise, existing applications can determine the algorithm and the desired default key size for the system property introduced in JDK-8181048.
    JDK-8178466 (not public)
Java expiration date

The expiration date for 8u161 is April 17th, 2018. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access Oracle Server, this JRE (version 8u161) will expire on May 17, 2018 based on an alternative procedure. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a list of the bug fixes included in this release, see the JDK 8u161 Bug Fixes page.

»8u161 release notes


Java 8 Update 151 (8u151)

Key release features
  • IANA Data 2017b
    JDK 8u151 contains version 2017b of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • Certificate changes: Revoked Swisscom root certificate "swisscomrootevca2" has been removed
    A Swisscom root certificate has been withdrawn and removed by Swisscom:
    JDK-8186330 (not public)
  • New features New security property to control the cryptography policy
    In this release a new feature is introduced, in which the JCE Jurisdiction Policy files used in the JDK can be controlled with a new security property. In previous releases, the JCE Jurisdiction files had to be downloaded and installed separately so that unlimited cryptography could be used in the JDK. Downloading and installing is no longer required. The new security property can be used to enable unlimited cryptography. If the new security property () is set in the file or was set dynamically via the call before the JCE Framework was initialized, this setting is taken into account. The property is not defined by default. If the property is not defined and the older JCE Jurisdiction files do not exist in the legacy directory, the default encryption level remains at "Limited". To configure the JDK to use unlimited cryptography, set the value to "Unlimited". For more information, see the file that is shipped with this release.

    Note: Solaris recommends that you remove the old SVR4 packages before installing the new JDK updates. If you are performing an SVR4-based upgrade (without uninstalling the old packages) to a JDK release prior to 6u131, 7u121 or 8u111, you must set the new security property in the file.

    The old JCE jurisdiction files remain in

    Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers! at javax.crypto.JceSecurity.loadPolicies (JceSecurity.java:593) at javax.crypto.JceSecurity.setupJurisdictionPolicies (JceSecurity.java:524)

    See JDK-8157561
  • Changes Refactoring existing providers so that they refer to the same constants for default key length values
    Two important changes have been made to address this issue:
    1. A new system property has been introduced that allows users to configure the default key size used by the JDK provider implementations for KeyPairGenerator and AlgorithmParameterGenerator. This property is named "", and the value of this property is a list of entries separated by commas. Each entry consists of an algorithm name (case-insensitive) and the corresponding standard key size (in decimal), separated by ":". Spaces are ignored.

    By default, this property has no value and JDK providers use their own default values. Entries whose algorithm name is not recognized are ignored. If the specified default key size is not an integer that can be parsed, that entry is also ignored.

    1. The DSA-KeyPairGenerator implementation of the SUN provider no longer implements. In applications that convert the DSA-KeyPairGenerator object of the SUN provider to, the system property "" can be specified. If the value of this property is "true", the SUN provider returns a DSA-KeyPairGenerator object that implements the interface. This older implementation uses the same default value as specified by Javadoc in the interface.
    By default, this property has no value and the SUN provider returns a DSA-KeyPairGenerator object that does not implement the interface mentioned above. Therefore, the SUN provider can determine its own provider-specific default value, which is specified in the class or by the system property "" (if specified).
    JDK-8181048 (not public)
Java expiration date

The expiration date for 8u151 is January 16, 2018. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access Oracle servers, this JRE (version 8u151) will expire on February 16, 2018 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a list of the bug fixes included in this release, see the JDK 8u151 Bug Fixes page.

»8u151 release notes


Java 8 Update 144 (8u144)

Key release features
  • IANA Data 2017b
    JDK 8u144 contains version 2017b of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • Bug fix: java.util.zip.ZipFile.getEntry () now always returns the ZipEntry instance with an entry name ending in / for the directory entry.
    As per API documentation for is a directory entry is defined as an entry with an ending name. However, in previous JDK releases, an instance with a non-ending entry name for an existing ZIP directory entry may return if the argument passed does not end in and the ZIP file has a matching ZIP directory entry name entryName + contains. Starting with this release, the name of the instance returned by always ends with for each ZIP directory entry.
    To restore the previous behavior, set the system property to "false".

    This change addresses a regression introduced in JDK 8u141 where checking signed JARs prevented some WebStart applications from loading.
    See JDK-8184993.
Java expiration date

The expiration date for 8u144 is October 17, 2017. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access the Oracle server, this JRE (version 8u144) will expire on November 17, 2017 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. A list of the bug fixes included in this release can be found on the JDK 8u144 Bug Fixes page.

»8u144 release notes


Java 8 Update 141 (8u141)

Key release features
  • IANA Data 2017b
    JDK 8u141 contains version 2017b of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • Certificate changes: New Let's Encrypt certificates have been added to Root CAs.
    A new root certificate has been added:

    JDK-8177539 (not public)
  • JMX diagnostic improvements
    -API was changed to trigger if the specified filename does not end with the suffix "". Existing applications that do not have a file name with the extension "" will not run successfully with the error. In this case, the applications can either process the exception or restore the old behavior by setting the system property "'" to "true".
    JDK-8176055 (not public)
  • Stricter security checks when processing WSDL files by the wsimport tool
    The wsimport tool was changed to not allow DTDs in web service descriptions, in particular:
    • DOCTYPE declaration is not permitted in documents
    • External general entities are not included by default
    • External parameter entities are not included by default
    • External DTDs are completely ignored
    To restore the previous behavior:
    • Set the system property to "true"
    • Use the command line option of the wsimport tool
      NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided via a post-CPU patch release in July
    JDK-8182054 (not public)
  • The user-defined HostnameVerifier interface enables the SNI extension
    Previous releases of the JDK 8 updates did not always send the Server Name Indication (SNI) extension in the TLS ClientHello phase when using custom host name verification. This verification is determined with the method in. With the fix, the server name is now sent in the ClientHello body.
    See JDK-8144566
  • Improved checking of algorithm constraints
    To limit the use of weak algorithms in situations where they are less well protected, additional features have been added in the configuration of the security properties and in the file.

    : The certpath property contains most of the changes. Until now it was limited to two types of constraints: either a complete deactivation of an algorithm by name or a complete deactivation of an algorithm according to key size when checking certificates, certificate chains and certificate signatures. In this way, configurations are created that are absolute and not very flexible in use. Three new constraints have been added for more flexibility when approving and rejecting certificates.

    "jdkCA" checks the extension of the certificate chain with regard to the file. With "SHA1 jdkCA". The certificate chain is checked for the use of "SHA1", but to be rejected the chain must end at a marked trust anchor in the Cacerts Keystore. This is useful for organizations with their own private CAs who trust SHA1 use with their own trust anchor, but want to exclude certificate chains with a public CA from using SHA1.

    "denyAfter" checks whether the specified date is before the current date or the PKIX parameter date. With "SHA1 denyAfter 2018-01-01" a certificate with SHA1 before 2018 can be used. After this date, however, the certificate will be rejected. This option is recommended for a cross-organizational policy in which an algorithm is set gradually until the specified end date. In the case of signed JAR files, the date is compared with the TSA time stamp. The date is given in GMT.

    "usage" checks the specified algorithm with regard to a specific usage. This option is recommended when disabling an algorithm for all usage types is impractical. Three types of usage can be specified:

    • "TLSServer" restricts the algorithm in the TLS server certificate chains when server authentication is performed as a client.
    • "TLSClient" restricts the algorithm in the TLS server certificate chains when the client authentication is performed as a server.
    • "SignedJAR" restricts the algorithms in certificates of the signed JAR files. The usage type follows the keyword. Multiple usage types can be specified with a space as a delimiter.
      Example: With "SHA1 usage TLSServer TLSClient", SHA1 certificates are not allowed for TLSServer and TLSClient processes, but SignedJars are allowed

    All of these constraints can be combined using the delimiter "&" to constrain an algorithm. Example: In order to deactivate SHA1 certificate chains that end with marked trust anchors only for TLSServer processes, the constraint must be "SHA1 jdkCA & usage TLSServer".

    : An additional constraint has been added to this property to restrict JAR manifest algorithms.

    "denyAfter" checks algorithm constraints for manifest digest algorithms within a signed JAR file. The date specified in the constraint is compared with the TSA time stamp of the signed JAR file. If there is no timestamp or the timestamp is on or after the specified date, the signed JAR file is treated as unsigned. If the timestamp is before the specified date, the file will be executed as a signed JAR file. Syntax for restricting SHA1 in JAR files signed after January 1, 2018: "SHA1 denyAfter 2018-01-01". The syntax is the same as for the certpath property, but this property does not perform any certificate checking.
    See JDK-8176536.

Java expiration date

The expiration date for 8u141 is October 17, 2017. Java will expire as soon as a new release with improved security becomes available. For systems that cannot access Oracle servers, this JRE (version 8u141) will expire on November 17, 2017 based on an alternative mechanism. If either of the two conditions is met (a new version becomes available / expiration date reached), the JRE will issue further warnings and reminders to prompt users to upgrade to the newer version.

Bug fixes

This release contains fixes to close security vulnerabilities. For more information, see the Oracle Java SE Critical Patch Update Advisory. For a list of the bug fixes included in this release, see the Bug Fixes for JDK 8u141 page.

»8u141 release notes


Java 8 Update 131 (8u131)

Key release features
  • IANA Data 2016j
    JDK 8u131 contains version 2016j of the IANA time zone data. For more information, see Timezone Data Versions in the JRE Software.
  • Bug fix: Introduction of a new model for the arrangement of windows
    The AWT framework used native services on the OS X platform to implement parent / child relationships for windows. This caused negative visual effects, especially in multi-monitor environments. To avoid the disadvantages of this approach, a new window arrangement model was introduced, which is implemented entirely at the JDK level. The following are the basic characteristics of this model:
    • A window is placed above the window directly above it.
    • If a window has several child windows, they are placed on the same level. In addition, the window from the active window chain is arranged above the windows that are sibling to it.
    • The arrangement must not be carried out for windows that are in a minimized state or in transition to a minimized state.
    These rules apply to all frames and dialog boxes in the window hierarchy that contains the currently focused window. See JDK-8169589.
  • Bug fix: Correction of IllegalArgumentException from TLS handshake
    The newly identified issue in fix JDK-8173783 may cause problems with certain TLS servers. The reason for the problem is an IllegalArgumentException thrown by the TLS handshaker code:



    This problem can occur if the server does not support elliptic curve cryptography to handle elliptic curve name expansion fields (if any). It is recommended that users upgrade to this release. JDK 7 updates and later JDK families ship with the SunEC security provider, which provides support for elliptic curve cryptography. These releases are only affected if the security providers are changed. See JDK-8173783.
  • MD5 has been added to the jdk.jar.disabledAlgorithms security property
    This JDK release introduces a new restriction on checking MD5-signed JAR files. If the signed JAR file uses MD5, signature verification ignores the signature and treats the JAR as if it were unsigned. This can potentially occur with the following types of applications that use signed JAR files:
    • Applets or web start applications
    • Standalone or server applications that run with a SecurityManager enabled and configured with a policy file that grants permissions according to the code signers of the JAR file.

    The list of deactivated algorithms is controlled via a new security property in the file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.

    The jarsigner binary that comes with this JDK can be used to check whether a weak algorithm or key was used to sign a JAR file. If "" is run on a JAR file that was signed with a weak algorithm or key, it will return more information about the algorithm or key that has been disabled.

    Example: To check a JAR file named use this command:



    In this example, if the file was signed using a weak signature algorithm such as MD5withRSA, it would output:



    For more details, please use the Verbose option:



    The following would be output: - Signed by "CN = weak_signer" Digest algorithm: MD5 (weak) Signature algorithm: MD5withRSA (weak), 512-bit key (weak) Timestamped by "CN = strong_tsa" on Mon Sep 26 08:59 : 39 CST 2016 Timestamp digest algorithm: SHA-256 Timestamp signature algorithm: SHA256withRSA, 2048-bit key.re-signed with a stronger key size. Alternatively, the restrictions can be reversed by using the applicable weak algorithms or key sizes