Log message:
Update to 1.8.121
Changelog:
http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html
core-libs/javax.naming
Improved protection for JNDI remote class loading
Remote class loading via JNDI object factories stored in naming and directory \
services is disabled by default. To enable remote class loading by the RMI \
Registry or COS Naming service provider, set the following system property to \
the string "true", as appropriate:
com.sun.jndi.rmi.object.trustURLCodebase
com.sun.jndi.cosnaming.object.trustURLCodebase
JDK-8158997 (not public)
security-libs/java.security
jarsigner -verbose -verify should print the algorithms used to sign the jar
The jarsigner tool has been enhanced to show details of the algorithms and keys \
used to generate a signed JAR file and will also provide an indication if any of \
them are considered weak.
Specifically, when "jarsigner -verify -verbose filename.jar" is \
called, a separate section is printed out showing information of the signature \
and timestamp (if it exists) inside the signed JAR file, even if it is treated \
as unsigned for various reasons. If any algorithm or key used is considered \
weak, as specified in the Security property, jdk.jar.disabledAlgorithms, it will \
be labeled with "(weak)".
For example:
- Signed by "CN=weak_signer"
Digest algorithm: MD2 (weak)
Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
See JDK-8163304
New Features
core-libs/java.io:serialization
Serialization Filter Configuration
Serialization Filtering introduces a new mechanism which allows incoming streams \
of object-serialization data to be filtered in order to improve both security \
and robustness. Every ObjectInputStream applies a filter, if configured, to the \
stream contents during deserialization. Filters are set using either a system \
property or a configured security property. The value of the \
"jdk.serialFilter" patterns are described in JEP 290 Serialization \
Filtering and in <JRE>/lib/security/java.security. Filter actions are \
logged to the 'java.io.serialization' logger, if enabled.
See JDK-8155760
core-libs/java.rmi
RMI Better constraint checking
RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290 \
Serialization Filtering to improve service robustness.
RMI Registry and DGC implement built-in white-list filters for the typical \
classes expected to be used with each service.
Additional filter patterns can be configured using either a system property or a \
security property. The "sun.rmi.registry.registryFilter" and \
"sun.rmi.transport.dgcFilter" property pattern syntax is described in \
JEP 290 and in <JRE>/lib/security/java.security.
JDK-8156802 (not public)
security-libs
Add mechanism to allow non-default root CAs to not be subject to algorithm \
restrictions
*New certpath constraint: jdkCA*
In the java.security file, an additional constraint named "jdkCA" is \
added to the jdk.certpath.disabledAlgorithms property. This constraint prohibits \
the specified algorithm only if the algorithm is used in a certificate chain \
that terminates at a marked trust anchor in the lib/security/cacerts keystore. \
If the jdkCA constraint is not set, then all chains using the specified \
algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm \
expression.
Example: To apply this constraint to SHA-1 certificates, include the following: \
SHA1 jdkCA
See JDK-8140422
Changes
tools/javadoc(tool)
New --allow-script-in-comments option for javadoc
The javadoc tool will now reject any occurrences of JavaScript code in the \
javadoc documentation comments and command-line options, unless the command-line \
option, --allow-script-in-comments is specified.
With the --allow-script-in-comments option, the javadoc tool will preserve \
JavaScript code in documentation comments and command-line options. An error \
will be given by the javadoc tool if JavaScript code is found and the \
command-line option is not set.
JDK-8138725 (not public)
security-libs/javax.xml.crypto
Increase the minimum key length to 1024 for XML Signatures
The secure validation mode of the XML Signature implementation has been enhanced \
to restrict RSA and DSA keys less than 1024 bits by default as they are no \
longer secure enough for digital signatures. Additionally, a new security \
property named jdk.xml.dsig.SecureValidationPolicy has been added to the \
java.security file and can be used to control the different restrictions \
enforced when the secure validation mode is enabled.
The secure validation mode is enabled either by setting the xml signature \
property org.jcp.xml.dsig.secureValidation to true with the \
javax.xml.crypto.XMLCryptoContext.setProperty method, or by running the code \
with a SecurityManager.
If an XML Signature is generated or validated with a weak RSA or DSA key, an \
XMLSignatureException will be thrown with the message, "RSA keys less than \
1024 bits are forbidden when secure validation is enabled" or "DSA \
keys less than 1024 bits are forbidden when secure validation is enabled."
JDK-8140353 (not public)
docs/release_notes
Restrict certificates with DSA keys less than 1024 bits.
DSA keys less than 1024 bits are not strong enough and should be restricted in \
certification path building and validation. Accordingly, DSA keys less than 1024 \
bits have been deactivated by default by adding "DSA keySize < \
1024" to the "jdk.certpath.disabledAlgorithms" security property. \
Applications can update this restriction in the security property \
("jdk.certpath.disabledAlgorithms") and permit smaller key sizes if \
really needed (for example, "DSA keySize < 768").
JDK-8139565 (not public)
security-libs
More checks added to DER encoding parsing code
More checks are added to the DER encoding parsing code to catch various encoding \
errors. In addition, signatures which contain constructed inparsing. Note that \
signatures generated using JDK default providers are not affected by this \
change.
JDK-8168714 (not public)
core-libs/java.net
Additional access restrictions for URLClassLoader.newInstance
Class loaders created by the java.net.URLClasslasses from a list of given URLs. \
If the calling code does not have access to one or more of the URLs and the URL \
artifacts that can be accessed do not contain the required class, then a \
ClassNotFoundException, or similar, will be thrown. Previously, a Sege can be \
disabled by setting the jdk.net.URLClassPath.disableRestrictedPermissions system \
property.
JDK-8151934 (not public)
core-libs/java.util.logging
A new configurable property in logging.properties \
java.util.logging.FileHandler.maxLocks
A new "java.util.logging.FileHandler.maxLocks" configurable property \
is added to java.util.logging.FileHandler.
This new logging property can be defined in the logging configuration file and \
makes it possible to configure the maximum number of concurrent log file locks a \
FileHandler can handle. The default value is 100.
In a highly concurrent environment where multiple (more than 101) standalone \
client applications are using the JDK Logging API with FileHandler \
simultaneously, it may happen that the default limit of 100 is reached, \
resulting in a failure to acquire FileHandler file locks and causing an IO \
Exception to be thrown. In such a case, the new logging property can be used to \
increase the maximum number of locks before deploying the application.
If not overridden, the default value of maxLocks (100) remains unchanged. See \
java.util.logging.LogManager and java.util.logging.FileHandler API documentation \
for more details.
See JDK-8153955
Bug Fixes
The following are some of the notable bug fixes included in this release:
client-libs/javax.swing
Trackpad scrolling of text on OS X 10.12 Sierra is very fast
The MouseWheelEvent.getWheelRotation() method returned rounded native NSEvent \
deltaX/Y events on Mac OS X. The latest macOS Sierra 10.12 produces very small \
NSEvent deltaX/Y values so rounding and summing them leads to the huge value \
returned from the MouseWheelEvent.getWheelRotation(). The JDK-8166591 fix \
accumulates NSEvent deltaX/Y and the MouseWheelEvent.getWheelRotation() method \
returns non-zero values only when the accumulated value exceeds a threshold and \
zero value. This is compliant with the MouseWheelEvent.getWheelRotation() \
specification \
(https://docs.oracle.com/javase/8/docs/api/java/awt/event/MouseWheelEvent.html#getWheelRotation):
"Returns the number of "clicks" the mouse wheel was rotated, as \
an integer. A partial rotation may occur if the mouse supports a high-resolution \
wheel. In this case, the method returns zero until a full "click" has \
been accumulated."
For the precise wheel rotation values, use the \
MouseWheelEvent.getPreciseWheelRotation() method instead.
See JDK-8166591
This release also contains fixes for security vulnerabilities described in the \
Oracle Java SE Critical Patch Update Advisory. For a more complete list of the \
bug fixes included in this release, see the JDK 8u121 Bug Fixes page.
Known Issues
deploy/packager
javapackager and fx:deploy bundle the whole JDK instead of JRE
There is a known bug in the Java Packager for Mac where the entire JDK may be \
bundled with the application bundle resulting in an unusually large bundle. The \
work around is to use the bundler option -Bruntime option. For example: \
-Bruntime=JavaAppletPlugin.plugin sets where the JavaAppletPlugin.plugin for the \
desired JRE to bundle is located in the current directory.
See JDK-8166835
install/install
Java Installation will fail for non-admin users with UAC off
The Java installation on Windows will fail without warning or prompting, for \
non-admin users with User Access Control (UAC) disabled. The installer will \
leave a directory, jds<number>.tmp, in the %TEMP% directory.
JDK-8161460 (not public)
|