Navigation:
Browse pkgsrc
(this page)
New packages:Log Message:
Update to 8.0.60
Changelog:
From: https://www.java.com/en/download/faq/release_changes.xml
Java 8 Update 60 (8u60)
Release Highlights
IANA Data 2015e
JDK 8u60 contains IANA time zone data version 2015e. For more information, \
refer to Timezone Data Versions in the JRE Software.
Bug Fix: dns_lookup_realm should be false by default
The dns_lookup_realm setting in Kerberos' krb5.conf file is by default \
false. See 8080637.
Bug Fix: Disable RC4 cipher suites
RC4-based TLS ciphersuites (e.g. TLS_RSA_WITH_RC4_128_SHA) are now \
considered compromised and should no longer be used (see RFC 7465). Accordingly, \
RC4-based TLS ciphersuites have been deactivated by default in the Oracle JSSE \
implementation by adding "RC4" to \
"jdk.tls.disabledAlgorithms" security property, and by removing them \
from the default enabled ciphersuites list. These cipher suites can be \
reactivated by removing "RC4" form \
"jdk.tls.disabledAlgorithms" security property in the java.security \
file or by dynamically calling Security.setProperty(), and also readding them to \
the enabled ciphersuite list using the \
SSLSocket/SSLEngine.setEnabledCipherSuites() methods. You can also use the \
-Djava.security.properties command line option to override the \
jdk.tls.disabledAlgorithms security property. For example:
java -Djava.security.properties=my.java.security ...
where my.java.security is a file containing the property without RC4:
jdk.tls.disabledAlgorithms=SSLv3
Even with this option set from commandline, the RC4 based ciphersuites need \
to be re-added to the enabled ciphersuite list by using the \
SSLSocket/SSLEngine.setEnabledCipherSuites() methods. See 8076221.
Bug Fix: Support keystore type detection for JKS and PKCS12 keystores
Keystore Compatibility Mode: To aid interoperability, the Java keystore type \
JKS now supports keystore compatibility mode by default. This mode enables JKS \
keystores to access both JKS and PKCS12 file formats. To disable keystore \
compatibility mode set the Security property keystore.type.compat to the string \
value false. See 8062552.
Bug Fix: Deprecate Unsafe monitor methods in JDK 8u release
The methods monitorEnter, monitorExit and tryMonitorEnter on sun.misc.Unsafe \
are marked as deprecated in JDK 8u60 and will be removed in a future release. \
These methods are not used within the JDK itself and are very rarely used \
outside of the JDK. See 8069302.
Bug Fix: Extract JFR recording from the core file using SA
DumpJFR is a Serviceability Agent based tool that can be used to extract \
Java Flight Recorder(JFR) data from the core files and live Hotspot processes. \
DumpJFR can be used in one of the following methods:
Attach DumpJFR to a live process:
java -cp $JAVA_HOME/lib/sa-jdi.jar sun.jvm.hotspot.tools.DumpJFR <pid>
Attach DumpJFR to a core file:
java -cp $JAVA_HOME/lib/sa-jdi.jar sun.jvm.hotspot.tools.DumpJFR \
<java> <core>
DumpJFR tool dumps the JFR data to a file called recording.jfr in the \
current working folder. See 8065301 (not public).
Bug Fix: Local variables named 'enum' lead to spurious compiler crashes
The javac parser is incorrectly parsing local variables with name 'enum'; \
this results in spurious failures when a program containing such local variables \
is compiled with a 'source' flag corresponding to a release in which the enum \
construct is not available (such as '-source 1.4'). See 8069181.
Java Development Kit for ARM Release 8u60
This release includes Java Development Kit for ARM Release 8u60 (JDK 8u60 for \
ARM). For ARM device support information, see JDK for ARM Downloads page. For \
system requirements, installation instructions and troubleshooting tips, see \
Installation Instructions page.
Limitation: Native Memory Tracking support is limited in JDK for ARM. The java \
command line option XX:NativeMemoryTracking=detail is not supported for ARM \
targets (an error message is displayed to user). Instead, use the following \
option:
XX:NativeMemoryTracking=summary
Documentation Updates due to Nashorn Enhancements
JDK 8u60 includes new enhancements to Nashorn. As a result the following \
documentation changes should be read in conjunction with the current Nashorn \
documentation:
Addition: In the previous section, we mentioned that every JavaScript object \
when exposed to Java APIs implements the java.util.Map interface. This is true \
even for JavaScript arrays. However, this behavior is often not desired or \
expected when the Java code expects JSON-parsed objects. Java libraries that \
manipulate JSON-parsed objects usually expect arrays to expose the \
java.util.List interface instead. If you need to expose your JavaScript objects \
so that arrays are exposed as lists and not maps, you can use the \
Java.asJSONCompatible(obj) function, where obj is the root of your JSON object \
tree.
Correction: The caution mentioned at the end of Mapping Data Types section, \
is no longer applicable. Nashorn ensures that internal JavaScript strings are \
converted to java.lang.String when exposed externally.
Correction: The statement in the section Mapping Data Types, that mentions \
"For example, arrays must be explicitly converted,..." is not correct. \
Arrays are automatically converted to Java array types, such as java.util.List, \
java.util.Collection, java.util.Queue and java.util.Deque and so on.
Changes in Deployment Rule Set v1.2
JDK 8u60 implements Deployment Rule Set (DRS) 1.2, which includes the following \
changes:
Add "checksum" element as sub element of "id" which can \
allow unsigned jars to be identified by the SHA-256 checksum of the uncompressed \
form of a jar:
The "checksum" element will match only unsigned jars, and the \
given hash will be compared only against the uncompressed form of the jar.
The "checksum" element (similar to "certificate" \
element) has two arguments "hash" and "algorithm", however, \
unlike "certificate" element, the only supported value for \
"algorithm" is "SHA-256". Any other value provided will be \
ignored.
Allow "message" element to apply to all rule types, where \
previously it only applied to a block rule:
In a run rule, a message sub element will cause a message dialog to be \
displayed where without a run rule, the default behavior would be to show \
certificate or unsigned dialog. The message will be displayed in the message \
dialog.
In a default rule, the message will only be displayed if the default \
action is to block. In such a case the message will be included in the block \
dialog.
Echo "customer" blocks in the Java Console, trace files, and Java \
Usage Tracker records.
Previous to DRS 1.2, "customer" elements could be included \
(with any sub-elements) in the ruleset.xml file. This element and all its sub \
elements are ignored. In DRS 1.2, the elements are still functionally ignored. \
However:
When parsing the ruleset.xml file, all "customer" blocks \
will be echoed to the Java Console and deployment trace file (if Console and \
Tracing are enabled).
When using a rule, all "customer" records included within \
that rule will be added to the Java Usage Tracker (JUT) record (if JUT is \
enabled).
As a result of the above changes, the DTD for DRS 1.2 is as follows:
<!ELEMENT ruleset (rule*)>
<!ATTRIBUTE ruleset href CDATA #IMPLIED>
<!ATTRIBUTE ruleset version CDATA #REQUIRED>
<!ELEMENT rule (id, action)>
<!ELEMENT id (certificate?) (checksum?) >
<!ATTRIBUTE id title CDATA #IMPLIED>
<!ATTRIBUTE id location CDATA #IMPLIED>
<!ELEMENT certificate EMPTY>
<!ATTLIST certificate algorithm CDATA #IMPLIED>
<!ATTLIST certificate hash CDATA #REQUIRED>
<!ELEMENT checksum EMPTY>
<!ATTLIST checksum algorithm CDATA #IMPLIED>
<!ATTLIST checksum hash CDATA #REQUIRED>
<!ELEMENT action (message?)>
<!ATTRIBUTE permission (run | block | default) #REQUIRED>
<!ATTRIBUTE version CDATA #IMPLIED>
<!ATTRIBUTE force (true|false) "false">
<!ELEMENT message (#PCDATA)>
<!ATTLIST message locale CDATA #IMPLIED>
Java Expiration Date
The expiration date for 8u60 is October 20, 2015. Java expires whenever a new \
release with security vulnerability fixes becomes available. For systems unable \
to reach the Oracle Servers, a secondary mechanism expires this JRE (version \
8u60) on November 20, 2015. After either condition is met (new release becoming \
available or expiration date reached), Java will provide additional warnings and \
reminders to users to update to the newer version.
Bug Fixes
For a list of bug fixes included in this release, see JDK 8u60 Bug Fixes page.
Java 8 Update 51 (8u51)
Release Highlights
IANA Data 2015d
JDK 8u51 contains IANA time zone data version 2015d. For more information, \
refer to Timezone Data Versions in the JRE Software.
Bug Fix: Add new Comodo roots to root CAs
Four new root certificates have been added for Commodo:
COMODO ECC Certification Authority
alias: comodoeccca
DN: CN=COMODO ECC Certification Authority, O=COMODO CA Limited, \
L=Salford, ST=Greater Manchester, C=GB
COMODO RSA Certification Authority
alias: comodorsaca
DN: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, \
L=Salford, ST=Greater Manchester, C=GB
USERTrust ECC Certification Authority
alias: usertrusteccca
DN: CN=USERTrust ECC Certification Authority, O=The USERTRUST Network, \
L=Jersey City, ST=New Jersey, C=US
USERTrust RSA Certification Authority
alias: usertrustrsaca
DN: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, \
L=Jersey City, ST=New Jersey, C=US
See JDK-8077997 (not public).
Bug Fix: Add new GlobalSign roots to root CAs
Two root certificates have been added for GlobalSign:
GlobalSign ECC Root CA - R4
alias: globalsigneccrootcar4
DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R4
GlobalSign ECC Root CA - R5
alias: globalsigneccrootcar5
DN: CN=GlobalSign, O=GlobalSign, OU=GlobalSign ECC Root CA - R5
See JDK-8077995 (not public).
Bug Fix: Add Actalis to root CAs
Added one new root certificate:
Actalis Authentication Root CA
alias: actalisauthenticationrootca
DN: CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, \
L=Milan, C=IT
See JDK-8077903 (not public).
Bug Fix: Add new Entrust ECC root
Added one new root certificate:
Entrust Root Certification Authority - EC1
alias: entrustrootcaec1
DN: CN=Entrust Root Certification Authority - EC1, OU="(c) 2012 \
Entrust, Inc. - for authorized use only", OU=See \
www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
See JDK-8073286 (not public).
Bug Fix: Remove old Valicert Class 1 and 2 Policy roots
Removed two root certificates with 1024-bit keys:
ValiCert Class 1 Policy Validation Authority
alias: secomvalicertclass1ca
DN: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, \
OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", \
L=ValiCert Validation Network
ValiCert Class 2 Policy Validation Authority
alias: valicertclass2ca
DN: EMAILADDRESS=info@valicert.com, CN=http://www.valicert.com/, \
OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", \
L=ValiCert Validation Network
See JDK-8077886 (not public).
Bug Fix: Remove old Thawte roots
Removed two root certificates with 1024-bit keys:
Thawte Server CA
alias: thawteserverca
DN: EMAILADDRESS=server-certs@thawte.com, CN=Thawte Server CA, \
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, \
ST=Western Cape, C=ZA
Thawte Personal Freemail CA
alias: thawtepersonalfreemailca
DN: EMAILADDRESS=personal-freemail@thawte.com, CN=Thawte Personal \
Freemail CA, OU=Certification Services Division, O=Thawte Consulting, L=Cape \
Town, ST=Western Cape, C=ZA
See JDK-8074423 (not public).
Bug Fix: Remove more old Verisign, Equifax, and Thawte roots
Removed five root certificates with 1024-bit keys:
Verisign Class 3 Public Primary Certification Authority - G2
alias: verisignclass3g2ca
DN: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For \
authorized use only", OU=Class 3 Public Primary Certification Authority - \
G2, O="VeriSign, Inc.", C=US
Thawte Premium Server CA
alias: thawtepremiumserverca
DN: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, \
OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, \
ST=Western Cape, C=ZA
Equifax Secure Certificate Authority
alias: equifaxsecureca
DN: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Equifax Secure eBusiness CA-1
alias: equifaxsecureebusinessca1
DN: CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US
Equifax Secure Global eBusiness CA-1,
alias: equifaxsecureglobalebusinessca1
DN: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
See JDK-8076202 (not public).
Bug Fix: Remove TrustCenter CA roots from cacerts
Removed three root certificates:
TC TrustCenter Universal CA I
alias: trustcenteruniversalcai
DN: CN=TC TrustCenter Universal CA I, OU=TC TrustCenter Universal CA, \
O=TC TrustCenter GmbH, C=DE
TC TrustCenter Class 2 CA II
alias: trustcenterclass2caii
DN: CN=TC TrustCenter Class 2 CA II, OU=TC TrustCenter Class 2 CA, O=TC \
TrustCenter GmbH, C=DE
TC TrustCenter Class 4 CA II
alias: trustcenterclass4caii
DN: CN=TC TrustCenter Class 4 CA II, OU=TC TrustCenter Class 4 CA, O=TC \
TrustCenter GmbH, C=DE
See JDK-8072958 (not public).
Bug Fix: Deprecate RC4 in SunJSSE provider
RC4 is now considered as a weak cipher. Servers should not select RC4 unless \
there is no other stronger candidate in the client requested cipher suites. A \
new security property, jdk.tls.legacyAlgorithms, is added to define the legacy \
algorithms in Oracle JSSE implementation. RC4 related algorithms are added to \
the legacy algorithms list. See JDK-8074006 (not public).
Bug Fix: Prohibit RC4 cipher suites
RC4 is now considered as a compromised cipher. RC4 cipher suites have been \
removed from both client and server default enabled cipher suite list in Oracle \
JSSE implementation. These cipher suites can still be enabled by \
SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() \
methods. See JDK-8077109 (not public).
Bug Fix: Improved certification checking
With this fix, JSSE endpoint identification does not perform reverse name \
lookup for IP addresses by default in JDK. If an application does need to \
perform reverse name lookup for raw IP addresses in SSL/TLS connections, and \
encounter endpoint identification compatibility issue, System property \
"jdk.tls.trustNameService" can be used to switch on reverse name \
lookup. Note that if the name service is not trustworthy, enabling reverse name \
lookup may be susceptible to MITM attacks. See JDK-8067695 (not public).
Java Expiration Date
The expiration date for 8u51 is October 20, 2015. Java expires whenever a new \
release with security vulnerability fixes becomes available. For systems unable \
to reach the Oracle Servers, a secondary mechanism expires this JRE (version \
8u51) on November 20, 2015. After either condition is met (new release becoming \
available or expiration date reached), Java will provide additional warnings and \
reminders to users to update to the newer version.
Bug Fixes
This release contains fixes for security vulnerabilities. For more information, \
see Oracle Java SE Critical Patch Update Advisory.
For a list of bug fixes included in this release, see JDK 8u51 Bug Fixes page.