Log Message:
Update to 1.8.121

Changelog:
http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html

core-libs/javax.naming
Improved protection for JNDI remote class loading
Remote class loading via JNDI object factories stored in naming and directory \ 
services is disabled by default. To enable remote class loading by the RMI \ 
Registry or COS Naming service provider, set the following system property to \ 
the string "true", as appropriate:

    com.sun.jndi.rmi.object.trustURLCodebase
    com.sun.jndi.cosnaming.object.trustURLCodebase

JDK-8158997 (not public)

security-libs/java.security
jarsigner -verbose -verify should print the algorithms used to sign the jar
The jarsigner tool has been enhanced to show details of the algorithms and keys \ 
used to generate a signed JAR file and will also provide an indication if any of \ 
them are considered weak.

Specifically, when "jarsigner -verify -verbose filename.jar" is \ 
called, a separate section is printed out showing information of the signature \ 
and timestamp (if it exists) inside the signed JAR file, even if it is treated \ 
as unsigned for various reasons. If any algorithm or key used is considered \ 
weak, as specified in the Security property, jdk.jar.disabledAlgorithms, it will \ 
be labeled with "(weak)".

For example:

- Signed by "CN=weak_signer"
   Digest algorithm: MD2 (weak)
   Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
 Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
   Timestamp digest algorithm: SHA-256
   Timestamp signature algorithm: SHA256withRSA, 2048-bit key

See JDK-8163304

New Features

core-libs/java.io:serialization
Serialization Filter Configuration
Serialization Filtering introduces a new mechanism which allows incoming streams \ 
of object-serialization data to be filtered in order to improve both security \ 
and robustness. Every ObjectInputStream applies a filter, if configured, to the \ 
stream contents during deserialization. Filters are set using either a system \ 
property or a configured security property. The value of the \ 
"jdk.serialFilter" patterns are described in JEP 290 Serialization \ 
Filtering and in <JRE>/lib/security/java.security. Filter actions are \ 
logged to the 'java.io.serialization' logger, if enabled.
See JDK-8155760

core-libs/java.rmi
RMI Better constraint checking
RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290 \ 
Serialization Filtering to improve service robustness.
RMI Registry and DGC implement built-in white-list filters for the typical \ 
classes expected to be used with each service.
Additional filter patterns can be configured using either a system property or a \ 
security property. The "sun.rmi.registry.registryFilter" and \ 
"sun.rmi.transport.dgcFilter" property pattern syntax is described in \ 
JEP 290 and in <JRE>/lib/security/java.security.
JDK-8156802 (not public)

security-libs
Add mechanism to allow non-default root CAs to not be subject to algorithm \ 
restrictions

*New certpath constraint: jdkCA*
In the java.security file, an additional constraint named "jdkCA" is \ 
added to the jdk.certpath.disabledAlgorithms property. This constraint prohibits \ 
the specified algorithm only if the algorithm is used in a certificate chain \ 
that terminates at a marked trust anchor in the lib/security/cacerts keystore. \ 
If the jdkCA constraint is not set, then all chains using the specified \ 
algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm \ 
expression.

Example: To apply this constraint to SHA-1 certificates, include the following: \ 
SHA1 jdkCA
See JDK-8140422

Changes

tools/javadoc(tool)
New --allow-script-in-comments option for javadoc
The javadoc tool will now reject any occurrences of JavaScript code in the \ 
javadoc documentation comments and command-line options, unless the command-line \ 
option, --allow-script-in-comments is specified.

With the --allow-script-in-comments option, the javadoc tool will preserve \ 
JavaScript code in documentation comments and command-line options. An error \ 
will be given by the javadoc tool if JavaScript code is found and the \ 
command-line option is not set.
JDK-8138725 (not public)

security-libs/javax.xml.crypto
Increase the minimum key length to 1024 for XML Signatures
The secure validation mode of the XML Signature implementation has been enhanced \ 
to restrict RSA and DSA keys less than 1024 bits by default as they are no \ 
longer secure enough for digital signatures. Additionally, a new security \ 
property named jdk.xml.dsig.SecureValidationPolicy has been added to the \ 
java.security file and can be used to control the different restrictions \ 
enforced when the secure validation mode is enabled.

The secure validation mode is enabled either by setting the xml signature \ 
property org.jcp.xml.dsig.secureValidation to true with the \ 
javax.xml.crypto.XMLCryptoContext.setProperty method, or by running the code \ 
with a SecurityManager.

If an XML Signature is generated or validated with a weak RSA or DSA key, an \ 
XMLSignatureException will be thrown with the message, "RSA keys less than \ 
1024 bits are forbidden when secure validation is enabled" or "DSA \ 
keys less than 1024 bits are forbidden when secure validation is enabled."
JDK-8140353 (not public)

docs/release_notes
Restrict certificates with DSA keys less than 1024 bits.
DSA keys less than 1024 bits are not strong enough and should be restricted in \ 
certification path building and validation. Accordingly, DSA keys less than 1024 \ 
bits have been deactivated by default by adding "DSA keySize < \ 
1024" to the "jdk.certpath.disabledAlgorithms" security property. \ 
Applications can update this restriction in the security property \ 
("jdk.certpath.disabledAlgorithms") and permit smaller key sizes if \ 
really needed (for example, "DSA keySize < 768").
JDK-8139565 (not public)

security-libs
More checks added to DER encoding parsing code
More checks are added to the DER encoding parsing code to catch various encoding \ 
errors. In addition, signatures which contain constructed inparsing. Note that \ 
signatures generated using JDK default providers are not affected by this \ 
change.
JDK-8168714 (not public)

core-libs/java.net
Additional access restrictions for URLClassLoader.newInstance
Class loaders created by the java.net.URLClasslasses from a list of given URLs. \ 
If the calling code does not have access to one or more of the URLs and the URL \ 
artifacts that can be accessed do not contain the required class, then a \ 
ClassNotFoundException, or similar, will be thrown. Previously, a Sege can be \ 
disabled by setting the jdk.net.URLClassPath.disableRestrictedPermissions system \ 
property.
JDK-8151934 (not public)

core-libs/java.util.logging
A new configurable property in logging.properties \ 
java.util.logging.FileHandler.maxLocks
A new "java.util.logging.FileHandler.maxLocks" configurable property \ 
is added to java.util.logging.FileHandler.

This new logging property can be defined in the logging configuration file and \ 
makes it possible to configure the maximum number of concurrent log file locks a \ 
FileHandler can handle. The default value is 100.

In a highly concurrent environment where multiple (more than 101) standalone \ 
client applications are using the JDK Logging API with FileHandler \ 
simultaneously, it may happen that the default limit of 100 is reached, \ 
resulting in a failure to acquire FileHandler file locks and causing an IO \ 
Exception to be thrown. In such a case, the new logging property can be used to \ 
increase the maximum number of locks before deploying the application.

If not overridden, the default value of maxLocks (100) remains unchanged. See \ 
java.util.logging.LogManager and java.util.logging.FileHandler API documentation \ 
for more details.
See JDK-8153955

Bug Fixes

The following are some of the notable bug fixes included in this release:

client-libs/javax.swing
Trackpad scrolling of text on OS X 10.12 Sierra is very fast
The MouseWheelEvent.getWheelRotation() method returned rounded native NSEvent \ 
deltaX/Y events on Mac OS X. The latest macOS Sierra 10.12 produces very small \ 
NSEvent deltaX/Y values so rounding and summing them leads to the huge value \ 
returned from the MouseWheelEvent.getWheelRotation(). The JDK-8166591 fix \ 
accumulates NSEvent deltaX/Y and the MouseWheelEvent.getWheelRotation() method \ 
returns non-zero values only when the accumulated value exceeds a threshold and \ 
zero value. This is compliant with the MouseWheelEvent.getWheelRotation() \ 
specification \ 
(https://docs.oracle.com/javase/8/docs/api/java/awt/event/MouseWheelEvent.html#getWheelRotation):

"Returns the number of "clicks" the mouse wheel was rotated, as \ 
an integer. A partial rotation may occur if the mouse supports a high-resolution \ 
wheel. In this case, the method returns zero until a full "click" has \ 
been accumulated."

For the precise wheel rotation values, use the \ 
MouseWheelEvent.getPreciseWheelRotation() method instead.
See JDK-8166591

This release also contains fixes for security vulnerabilities described in the \ 
Oracle Java SE Critical Patch Update Advisory. For a more complete list of the \ 
bug fixes included in this release, see the JDK 8u121 Bug Fixes page.

Known Issues

deploy/packager
javapackager and fx:deploy bundle the whole JDK instead of JRE
There is a known bug in the Java Packager for Mac where the entire JDK may be \ 
bundled with the application bundle resulting in an unusually large bundle. The \ 
work around is to use the bundler option -Bruntime option. For example: \ 
-Bruntime=JavaAppletPlugin.plugin sets where the JavaAppletPlugin.plugin for the \ 
desired JRE to bundle is located in the current directory.
See JDK-8166835

install/install
Java Installation will fail for non-admin users with UAC off
The Java installation on Windows will fail without warning or prompting, for \ 
non-admin users with User Access Control (UAC) disabled. The installer will \ 
leave a directory, jds<number>.tmp, in the %TEMP% directory.
JDK-8161460 (not public)