./lang/openjdk8, Open-source implementation of the Java Platform, Standard Edition


Branch: CURRENT, Version: 1.8.121nb2, Package name: openjdk8-1.8.121nb2, Maintainer: pkgsrc-users

Open-source implementation of the Java Platform, Standard Edition.

This package is NOT certified to be compatible with any Java standard.
Use at own risk.

Mandatory trademark notice:
"OpenJDK is a trademark or registered trademark of Oracle America,
Inc. in the United States and other countries."

Required to run:
[graphics/freetype2] [archivers/unzip] [archivers/zip] [fonts/dejavu-ttf] [fonts/fontconfig] [x11/libXtst] [x11/Xrender]

Required to build:
[print/cups] [pkgtools/x11-links] [x11/renderproto] [x11/xproto] [x11/recordproto] [x11/libXp] [x11/printproto] [security/mozilla-rootcerts] [pkgtools/cwrappers]

Package options: jdk-hotspot-vm, jre-jce, x11

CVS history:

   2017-02-12 07:26:18 by Ryo ONODERA | Files touched by this commit (1451)
Log message:
Recursive revbump from fonts/harfbuzz
   2017-02-06 14:56:14 by Thomas Klausner | Files touched by this commit (1452)
Log message:
Recursive bump for harfbuzz's new graphite2 dependency.
   2017-02-04 02:16:30 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 1.8.121

http://www.oracle.com/technetwork/java/ … 15208.html

Improved protection for JNDI remote class loading
Remote class loading via JNDI object factories stored in naming and directory
services is disabled by default. To enable remote class loading by the RMI
Registry or COS Naming service provider, set the following system property to
the string "true", as appropriate:


JDK-8158997 (not public)

jarsigner -verbose -verify should print the algorithms used to sign the jar
The jarsigner tool has been enhanced to show details of the algorithms and keys
used to generate a signed JAR file and will also provide an indication if any of
them are considered weak.

Specifically, when "jarsigner -verify -verbose filename.jar" is called, a
separate section is printed out showing information of the signature and
timestamp (if it exists) inside the signed JAR file, even if it is treated as
unsigned for various reasons. If any algorithm or key used is considered weak,
as specified in the Security property, jdk.jar.disabledAlgorithms, it will be
labeled with "(weak)".

For example:

- Signed by "CN=weak_signer"
   Digest algorithm: MD2 (weak)
   Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
 Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
   Timestamp digest algorithm: SHA-256
   Timestamp signature algorithm: SHA256withRSA, 2048-bit key

See JDK-8163304

New Features

Serialization Filter Configuration
Serialization Filtering introduces a new mechanism which allows incoming streams
of object-serialization data to be filtered in order to improve both security
and robustness. Every ObjectInputStream applies a filter, if configured, to the
stream contents during deserialization. Filters are set using either a system
property or a configured security property. The value of the "jdk.serialFilter"
patterns are described in JEP 290 Serialization Filtering and in
<JRE>/lib/security/java.security. Filter actions are logged to the
'java.io.serialization' logger, if enabled.
See JDK-8155760

RMI Better constraint checking
RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290
Serialization Filtering to improve service robustness.
RMI Registry and DGC implement built-in white-list filters for the typical
classes expected to be used with each service.
Additional filter patterns can be configured using either a system property or a
security property. The "sun.rmi.registry.registryFilter" and
"sun.rmi.transport.dgcFilter" property pattern syntax is described in
JEP 290 and in <JRE>/lib/security/java.security.
JDK-8156802 (not public)

Add mechanism to allow non-default root CAs to not be subject to algorithm

*New certpath constraint: jdkCA*
In the java.security file, an additional constraint named "jdkCA" is
added to the jdk.certpath.disabledAlgorithms property. This constraint prohibits
the specified algorithm only if the algorithm is used in a certificate chain
that terminates at a marked trust anchor in the lib/security/cacerts keystore.
If the jdkCA constraint is not set, then all chains using the specified
algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm

Example: To apply this constraint to SHA-1 certificates, include the following:
SHA1 jdkCA
See JDK-8140422


New --allow-script-in-comments option for javadoc
The javadoc tool will now reject any occurrences of JavaScript code in the
javadoc documentation comments and command-line options, unless the command-line
option, --allow-script-in-comments is specified.

With the --allow-script-in-comments option, the javadoc tool will preserve
JavaScript code in documentation comments and command-line options. An error
will be given by the javadoc tool if JavaScript code is found and the
command-line option is not set.
JDK-8138725 (not public)

Increase the minimum key length to 1024 for XML Signatures
The secure validation mode of the XML Signature implementation has been enhanced
to restrict RSA and DSA keys less than 1024 bits by default as they are no
longer secure enough for digital signatures. Additionally, a new security
property named jdk.xml.dsig.SecureValidationPolicy has been added to the
java.security file and can be used to control the different restrictions
enforced when the secure validation mode is enabled.

The secure validation mode is enabled either by setting the xml signature
property org.jcp.xml.dsig.secureValidation to true with the
javax.xml.crypto.XMLCryptoContext.setProperty method, or by running the code
with a SecurityManager.

If an XML Signature is generated or validated with a weak RSA or DSA key, an
XMLSignatureException will be thrown with the message,
"RSA keys less than 1024 bits are forbidden when secure validation is enabled"
or
"DSA keys less than 1024 bits are forbidden when secure validation is enabled."
JDK-8140353 (not public)

Restrict certificates with DSA keys less than 1024 bits.
DSA keys less than 1024 bits are not strong enough and should be restricted in
certification path building and validation. Accordingly, DSA keys less than 1024
bits have been deactivated by default by adding "DSA keySize < 1024" to the
"jdk.certpath.disabledAlgorithms" security property. Applications can update
this restriction in the security property ("jdk.certpath.disabledAlgorithms")
and permit smaller key sizes if really needed (for example,
"DSA keySize < 768").
JDK-8139565 (not public)

More checks added to DER encoding parsing code
More checks are added to the DER encoding parsing code to catch various encoding
errors. In addition, signatures which contain constructed inparsing. Note that
signatures generated using JDK default providers are not affected by this
JDK-8168714 (not public)

Additional access restrictions for URLClassLoader.newInstance
Class loaders created by the java.net.URLClasslasses from a list of given URLs.
If the calling code does not have access to one or more of the URLs and the URL
artifacts that can be accessed do not contain the required class, then a
ClassNotFoundException, or similar, will be thrown. Previously, a Sege can be
disabled by setting the jdk.net.URLClassPath.disableRestrictedPermissions system
JDK-8151934 (not public)

A new configurable property in logging.properties
A new "java.util.logging.FileHandler.maxLocks" configurable property
is added to java.util.logging.FileHandler.

This new logging property can be defined in the logging configuration file and
makes it possible to configure the maximum number of concurrent log file locks a
FileHandler can handle. The default value is 100.

In a highly concurrent environment where multiple (more than 101) standalone
client applications are using the JDK Logging API with FileHandler
simultaneously, it may happen that the default limit of 100 is reached,
resulting in a failure to acquire FileHandler file locks and causing an IO
Exception to be thrown. In such a case, the new logging property can be used to
increase the maximum number of locks before deploying the application.

If not overridden, the default value of maxLocks (100) remains unchanged. See
java.util.logging.LogManager and java.util.logging.FileHandler API documentation
for more details.
See JDK-8153955

Bug Fixes

The following are some of the notable bug fixes included in this release:

Trackpad scrolling of text on OS X 10.12 Sierra is very fast
The MouseWheelEvent.getWheelRotation() method returned rounded native NSEvent
deltaX/Y events on Mac OS X. The latest macOS Sierra 10.12 produces very small
NSEvent deltaX/Y values so rounding and summing them leads to the huge value
returned from the MouseWheelEvent.getWheelRotation(). The JDK-8166591 fix
accumulates NSEvent deltaX/Y and the MouseWheelEvent.getWheelRotation() method
returns non-zero values only when the accumulated value exceeds a threshold and
zero value. This is compliant with the MouseWheelEvent.getWheelRotation()
specification
(https://docs.oracle.com/javase/8/docs/a … elRotation):

"Returns the number of "clicks" the mouse wheel was rotated, as
an integer. A partial rotation may occur if the mouse supports a high-resolution
wheel. In this case, the method returns zero until a full "click" has
been accumulated."

For the precise wheel rotation values, use the
MouseWheelEvent.getPreciseWheelRotation() method instead.
See JDK-8166591

This release also contains fixes for security vulnerabilities described in the
Oracle Java SE Critical Patch Update Advisory. For a more complete list of the
bug fixes included in this release, see the JDK 8u121 Bug Fixes page.

Known Issues

javapackager and fx:deploy bundle the whole JDK instead of JRE
There is a known bug in the Java Packager for Mac where the entire JDK may be
bundled with the application bundle resulting in an unusually large bundle. The
workaround is to use the -Bruntime bundler option. For example:
-Bruntime=JavaAppletPlugin.plugin sets where the JavaAppletPlugin.plugin for the
desired JRE to bundle is located in the current directory.
See JDK-8166835

Java Installation will fail for non-admin users with UAC off
The Java installation on Windows will fail without warning or prompting, for
non-admin users with User Access Control (UAC) disabled. The installer will
leave a directory, jds<number>.tmp, in the %TEMP% directory.
JDK-8161460 (not public)
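
Added example, not part of the commit message or of Oracle's release notes: a Python sketch that parses the signer section printed by "jarsigner -verify -verbose", as quoted in the 1.8.121 notes above, and reports every algorithm or key labelled "(weak)". The line layout is assumed from that one quoted sample; weak_findings and jar_is_acceptable are hypothetical names.

```python
import re

# Constructed sample: the signer section quoted in the release notes above.
SAMPLE = '''\
- Signed by "CN=weak_signer"
   Digest algorithm: MD2 (weak)
   Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
 Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
   Timestamp digest algorithm: SHA-256
   Timestamp signature algorithm: SHA256withRSA, 2048-bit key
'''

# 'Signed by "<DN>"' / 'Timestamped by "<DN>"' open a new party.
PARTY = re.compile(r'^\s*-?\s*(Signed|Timestamped) by "([^"]+)"', re.M)
# Indented '<something> algorithm: <value>[, <key size>]' lines.
FIELD = re.compile(r'^\s+([A-Za-z ]+ algorithm):\s*(.+)$')
WEAK = "(weak)"


def weak_findings(text):
    """Return (party, field, item) for every item jarsigner labelled weak."""
    findings, party = [], None
    for line in text.splitlines():
        m = PARTY.match(line)
        if m:
            party = m.group(2)
            continue
        m = FIELD.match(line)
        if not m:
            continue
        field, value = m.groups()
        # A value may carry both an algorithm and a key size, comma separated.
        for item in (part.strip() for part in value.split(",")):
            if item.endswith(WEAK):
                findings.append((party, field, item[:-len(WEAK)].strip()))
    return findings


def jar_is_acceptable(text):
    """Policy sketch: require a signer section and no weak label in it."""
    return PARTY.search(text) is not None and not weak_findings(text)


if __name__ == "__main__":
    for party, field, item in weak_findings(SAMPLE):
        print(f"{party}: {field} -> {item} is weak")
    print("acceptable:", jar_is_acceptable(SAMPLE))
```

Output with no signer section at all is rejected as well, since the notes say the section is printed even when the JAR is treated as unsigned.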
   2016-12-16 17:27:23 by Aleksej Saushev | Files touched by this commit (2)
Log message:
Enable OpenJDK 7 and 8 on Linux. Add builtin support.
Tested on openSUSE 11-42.
   2016-12-16 00:56:53 by Joerg Sonnenberger | Files touched by this commit (8)
Log message:
Fix portability issues. Bump revision, since the preprocessor definition
potentially changes the package.
   2016-12-11 16:45:53 by Ryo ONODERA | Files touched by this commit (1)
Log message:
Restore distinfo
   2016-10-27 15:06:42 by Ryo ONODERA | Files touched by this commit (5) | Package updated
Log message:
Update to 1.8.112

* Include a patch from PR pkg/51221

SunPKCS11 Provider no longer offering SecureRandom by default
SecureRandom.PKCS11 from the SunPKCS11 Provider is disabled by default on
Solaris because the native PKCS11 implementation has poor performance and is not
recommended. If your application requires SecureRandom.PKCS11, you can re-enable
it by removing "SecureRandom" from the disabledMechanisms list in

Performance improvements have also been made in the java.security.SecureRandom
class. Improvements in the JDK implementation have allowed for synchronization
to be removed from the java.security.SecureRandom.nextBytes(byte[] bytes)
See JDK-8098581

Fix following security bugs:
   2016-09-20 13:12:23 by Thomas Klausner | Files touched by this commit (7)
Log message:
Recursive bump for cups openssl -> gnutls change.