Java Development Kit (64-bit) 歷史舊版本 Page8

更新時間：2021-02-24
更新細節：

What's new in this version:

Fixed:
- CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
- CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
- CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js

更新時間：2021-01-20
更新細節：

更新時間：2021-01-20
更新細節：

What's new in this version:

IANA Data 2020d:
- JDK 15.0.2 contains IANA time zone data version 2020d. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines:
- The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 15.0.2 are specified in the following table:
- 7 - 1.7.0_45
- 6 - 1.6.0_65
- 5.0 - 1.5.0_55

JRE Expiration Date:
- The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 7u45) will expire with the release of the next critical patch update, scheduled for January 14, 2014.
- For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u45) on February 14, 2014. After either condition is met (new release becoming available or expiration date reached), Java will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.

Blacklist Entries:
- This update release includes a blacklist entry for a standalone JavaFX installer.

JavaFX Release Notes:
- JavaFX is now part of JDK. JDK 7u45 release includes JavaFX version 2.2.45.
- JDK for Linux ARM
- A JDK for Linux ARM is also available in this release.

New Features and Changes:
- Protections Against Unauthorized Redistribution of Java Applications
- Starting with 7u45, application developers can specify new JAR manifest file attributes:
- Application-Name: This attribute provides a secure title for your RIA.
- Caller-Allowable-Codebase: This attribute specifies the codebase/locations from which JavaScript is allowed to call Applet classes.
- JavaScript to Java calls will be allowed without any security dialog prompt only if:
- JAR is signed by a trusted CA, has the Caller-Allowable-Codebase manifest entry and JavaScript runs on the domain that matches it.
- JAR is unsigned and JavaScript calls happens from the same domain as the JAR location.
- The JavaScript to Java (LiveConnect) security dialog prompt is shown once per Applet classLoader instance.
- Application-Library-Allowable-Codebase: If the JNLP file or HTML page is in a different location than the JAR file, the Application-Library-Allowable-Codebase attribute identifies the locations from which your RIA can be expected to be started.
- If the attribute is not present or if the attribute and location do not match, then the location of the JNLP file or HTML page is displayed in the security prompt shown to the user.
- Note that the RIA can still be started in any of the above cases.
- Developers can refer to JAR File Manifest Attributes for more information.

Restore Security Prompts:
- A new button is available in the Java Control Panel (JCP) to clear previously remembered trust decisions. A trust decision occurs when the user has selected the Do not show this again option in a security prompt. To show prompts that were previously hidden, click Restore Security Prompts. When asked to confirm the selection, click Restore All. The next time an application is started, the security prompt for that application is shown.
- See Restore Security Prompts under the Security section of the Java Control Panel.

JAXP Changes:
- Starting from JDK 7u45, the following new processing limits are added to the JAXP FEATURE_SECURE_PROCESSING feature.
- totalEntitySizeLimit
- maxGeneralEntitySizeLimit
- maxParameterEntitySizeLimit
- For more information, see the new Processing Limits lesson in the JAXP Tutorial.
- TimeZone.setDefault Change
- The java.util.TimeZone.setDefault(TimeZone) method has been changed to throw a SecurityException if the method is called by any code with which the security manager's checkPermission call denies PropertyPermission("user.timezone", "write"). The new system property jdk.util.TimeZone.allowSetDefault (a boolean) is provided so that the compatible behavior can be enabled. The property will be evaluated only once when the java.util.TimeZone class is loaded and initialized.

Bug-fixes:
- This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory

更新時間：2021-01-12
更新細節：

What's new in this version:

- New: Special placeholders for extended technical info from FLAC: %_flac_md5% and MPEG: %_mpeg_copyright%, %_mpeg_protectection%, %_mpeg_original%, %_mpeg_private%, %_mpeg_emphasis%
- Improved: Speed up reading of tags from huge files
- Improved: Importing of titles for each media from Musicbrainz releases
- Changed: Scripting functions $greater and $longer no longer return true for equal values
- Fixed: Reading of ID3 chunks situated in the end of some lossless files larger than 4GB
- Fixed: Wrong selection of now played file when remove some files from list

更新時間：2020-10-31
更新細節：

更新時間：2020-10-22
更新細節：

What's new in this version:

IANA Data 2020a:
- JDK 15.0.1 contains IANA time zone data version 2020a

New Features:
- Improve Certificate Chain Handling

Other notes:
- Added Property to Control LDAP Authentication Mechanisms Allowed to Authenticate Over Clear Connections
- Added 3 SSL Corporation Root CA Certificates
- Added Entrust Root Certification Authority - G4 certificate
- Enhanced Support of Proxy Class

Bug Fixes:
- Wrong translation for the month of May in ar_JO, ar_LB and ar_SY
- C2: compiler/intrinsics/object/TestClone fails with -XX:+VerifyGraphEdges
- AOT's Linker.java seems to eagerly fail-fast on Windows.
- libgraal can deadlock in -Xcomp mode
- jvmciCompilerToVM.cpp declares jio_printf with "void" return type, should be "int"
- Include microcode revision in features_string on x86
- Make sure {type,obj}ArrayOopDesc accessors check the bounds
- Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets

更新時間：2020-10-21
更新細節：

更新時間：2020-10-21
更新細節：

更新時間：2020-10-01
更新細節：

What's new in this version:

- Freedb lookups switched to gnudb.org by default
- Improved: Reading of rating atom [rate] from mpe4 metadata
- Improved: Now you can sort replacement rules automatically with Transformations editor
- Improved: Added more choices for JPEG files types when inserting covers
- Fixed: New fields didn't added to Vorbis tag in some cases since 6.1.0
- Fixed: User fields order change in tag editor
- List of available fields was expanded
- Updated WavPack support

更新時間：2020-07-24
更新細節：