Java Runtime Environment (32-bit) 歷史舊版本 Page2

更新時間：2017-07-19
更新細節：

What's new in this version:

IANA DATA 2017b:
- JDK 8u141 contains IANA time zone data version 2017b

CERTIFICATE CHANGES:
- Let's Encrypt certificates added to root CAs. One new root certificate has been added

NEW FEATURES:
security-libs/java.security. Improved algorithm constraints checking:
- With the need to restrict weak algorithms usage in situations where they are most vulnerable, additional features have been added when configuring the jdk.certpath.disabledAlgorithms and jdk.jar.disabledAlgorithms security properties in the java.security file.
- jdk.certpath.disabledAlgorithms: The certpath property has seen the most change. Previously it was limited to two Constraint types; either a full disabling of an algorithm by name or a full disabling of an algorithm by the key size when checking certificates, certificate chains, and certificate signatures. This creates configurations that are absolute and lack flexibility in their usage. Three new Constraints were added to give more flexibility in allowing and rejecting certificates.
- "jdkCA" examines the certificate chain termination with regard to the cacerts file. In the case of "SHA1 jdkCA". SHA1's usage is checked through the certificate chain, but the chain must terminate at a marked trust anchor in the cacerts keystore to be rejected. This is useful for organizations that have their own private CA that trust using SHA1 with their trust anchor, but want to block certificate chains anchored by a public CA from using SHA1.
- "denyAfter" checks if the given date is before the current date or the PKIXParameter date. In the case of "SHA1 denyAfter 2018-01-01", before 2018 a certificate with SHA1 can be used, but after that date, the certificate is rejected. This can be used for a policy across an organization that is phasing out an algorithm with a drop-dead date. For signed JAR files, the date is compared against the TSA timestamp. The date is specified in GMT.

"usage" examines the specified algorithm for a specified usage. This can be used when disabling an algorithm for all usages is not practical. There are three usages that can be specified:
- TLSServer' restricts the algorithm in TLS server certificate chains when server authentication is performed as a client
- TLSClient' restricts the algorithm in TLS client certificate chains when client authentication is performed as a server
- SignedJAR' restricts the algorithms in certificates in signed JAR files. The usage type follows the keyword and more than one usage type can be specified with a whitespace delimiter
- For example, "SHA1 usage TLSServer TLSClient" would disallow SHA1 certificates for TLSServer and TLSClient operations, but SignedJars would be allowed
- All of these constraints can be combined to constrain an algorithm when delimited by '&'. For example, to disable SHA1 certificate chains that terminate at marked trust anchors only for TLSServer operations, the constraint would be "SHA1 jdkCA & usage TLSServer"
- jdk.jar.disabledAlgorithms: One additional constraint was added to this .jar property to restrict JAR manifest algorithms
- "denyAfter" checks algorithm constraints on manifest digest algorithms inside a signed JAR file. The date given in the constraint is compared against the TSA timestamp on the signed JAR file. If there is no timestamp or the timestamp is on or after the specified date, the signed JAR file is treated as unsigned. If the timestamp is before the specified date, the .jar will operate as a signed JAR file. The syntax for restricting SHA1 in JAR files signed after January 1st 2018 is: "SHA1 denyAfter 2018-01-01". The syntax is the same as that for the certpath property, however certificate checking will not be performed by this property

CHANGES:
core-svc/java.lang.management. JMX Diagnostic improvements:
- com.sun.management.HotSpotDiagnostic::dumpHeap API is modified to throw IllegalArgumentException if the supplied file name does not end with “.hprof” suffix. Existing applications which do not provide a file name ending with the “.hprof” extension will fail with IllegalArgumentException. In that case, applications can either choose to handle the exception or restore old behavior by setting system property 'jdk.management.heapdump.allowAnyFileSuffix' to true.

security-libs/javax.net.ssl. Custom HostnameVerifier enables SNI extension:
- Earlier releases of JDK 8 Updates didn't always send the Server Name Indication (SNI) extension in the TLS ClientHello phase if a custom hostname verifier was used. This verifier is set via the setHostnameVerifier(HostnameVerifier v) method in HttpsURLConnection. The fix ensures the Server Name is now sent in the ClientHello body.

xml/jax-ws. Tighter secure checks on processing WSDL files by wsimport tool:

The wsimport tool has been changed to disallow DTDs in Web Service descriptions, specifically:
- DOCTYPE declaration is disallowed in documents
- External general entities are not included by default
- External parameter entities are not included by default
- External DTDs are completely ignored

To restore the previous behavior:
- Set the System property com.sun.xml.internal.ws.disableXmlSecurity to true
- Use the wsimport tool command line option –disableXmlSecurity
- NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided via a Patch release post July CPU

BUG FIXES:
- JFileChooser with Windows look and feel crashes on win 10
- Race Condition in java.lang.reflect.WeakCache
- java.nio.Bits.unaligned() doesn't return true on ppc
- After updating to Java8u131, the bind to rmiregistry is rejected by registryFilter even though registryFilter is set
- sun.management.LazyCompositeData.isTypeMatched() fail for composite types with items of ArrayType
- SafePointNode::_replaced_nodes breaks with irreducible loops
- NPE when JavaFX loads default stylesheet or font families if CCL is null
- WebEngine.getDocument().getDocumentURI() no longer returns null for loading a String of HTML
- Failed to load RSA private key from pkcs12
- Improved algorithm constraints checking
- Custom HostnameVerifier disables SNI extension

更新時間：2017-04-18
更新細節：

What's new in this version:

CHANGES:
MD5 added to jdk.jar.disabledAlgorithms Security property:
This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:
- Applets or Web Start Applications
- Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.
- The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.
- To check if a weak algorithm or key was used to sign a JAR file, one can use the jarsigner binary that ships with this JDK. Running "jarsigner -verify" on a JAR file signed with a weak algorithm or key will print more information about the disabled algorithm or key.

New system property to control caching for HTTP SPNEGO connection:
- A new JDK implementation specific system property to control caching for HTTP SPNEGO (Negotiate/Kerberos) connections is introduced. Caching for HTTP SPNEGO connections remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.
- When connecting to an HTTP server that uses SPNEGO to negotiate authentication, and when connection and authentication with the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP server using SPNEGO usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP SPNEGO (Negotiate/Kerberos) protocol in order to force requesting new authentication with each new request to the server.

With this change, we now provide a new system property that allows control of the caching policy for HTTP SPNEGO connections. If jdk.spnego.cache is defined and evaluates to false, then all caching will be disabled for HTTP SPNEGO connections. Setting this system property to false may, however, result in undesirable side effects:
- Performance of HTTP SPNEGO connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
- Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.

New system property to control caching for HTTP NTLM connection:
- A new JDK implementation specific system property to control caching for HTTP NTLM connection is introduced. Caching for HTTP NTLM connection remains enabled by default, so if the property is not explicitly specified, there will be no behavior change.
- On some platforms, the HTTP NTLM implementation in the JDK can support transparent authentication, where the system user credentials are used at system level. When transparent authentication is not available or unsuccessful, the JDK only supports getting credentials from a global authenticator. If connection to the server is successful, the authentication information will then be cached and reused for further connections to the same server. In addition, connecting to an HTTP NTLM server usually involves keeping the underlying connection alive and reusing it for further requests to the same server. In some applications, it may be desirable to disable all caching for the HTTP NTLM protocol in order to force requesting new authentication with each new requests to the server.

With this change, we now provide a new system property that allows control of the caching policy for HTTP NTLM connections. If jdk.ntlm.cache is defined and evaluates to false, then all caching will be disabled for HTTP NTLM connections. Setting this system property to false may, however, result in undesirable side effects:
- Performance of HTTP NTLM connections may be severely impacted as the connection will need to be re-authenticated with each new request, requiring several communication exchanges with the server.
- Credentials will need to be obtained again for each new request, which, depending on whether transparent authentication is available or not, and depending on the global Authenticator implementation, may result in a popup asking the user for credentials for every new request.

New version of VisualVM:
- VisualVM 1.3.9 was released on October 4th, 2016 and has been integrated into 8u131

BUG FIXES:
Correction of IllegalArgumentException from TLS handshake:
- A recent issue from the JDK-8173783 fix can cause issue for some TLS servers. The problem originates from an IllegalArgumentException thrown by the TLS handshaker code: java.lang.IllegalArgumentException: System property jdk.tls.namedGroups(null) contains no supported elliptic curves. The issue can arise when the server doesn't have elliptic curve cryptography support to handle an elliptic curve name extension field (if present). Users are advised to upgrade to this release. By default, JDK 7 Updates and later JDK families ship with the SunEC security provider which provides elliptic curve cryptography support. Those releases should not be impacted unless security providers are modified

更新時間：2017-01-18
更新細節：

更新時間：2016-10-18
更新細節：

What's new in this version:

CHANGES:

security-libs/java.security:
- SunPKCS11 Provider no longer offering SecureRandom by default
- SecureRandom.PKCS11 from the SunPKCS11 Provider is disabled by default on Solaris because the native PKCS11 implementation has poor performance and is not recommended. If your application requires SecureRandom.PKCS11, you can re-enable it by removing "SecureRandom" from the disabledMechanisms list in conf/security/sunpkcs11-solaris.cfg
- Performance improvements have also been made in the java.security.SecureRandom class. Improvements in the JDK implementation have allowed for synchronization to be removed from the java.security.SecureRandom.nextBytes(byte[] bytes) method.

BUG FIXES:
- client-libs 2d GraphicsDevice.getConfigurations() is slow taking 3 or more seconds
- client-libs 2d Xrender: Class cast exception in 2D code running an AWT regression test
- client-libs 2d java/awt/Window/WindowsLeak/WindowsLeak.java fails
- client-libs 2d Wrong glyph is displayed for a derived font
- client-libs 2d [win10] Some unicode characters do not display any more after upgrading to Windows 10
- client-libs 2d ClassCastException: sun.font.CompositeFont cannot be cast to PhysicalFont
- client-libs 2d CCE: sun.java2d.NullSurfaceData cannot be cast to sun.java2d.opengl.OGLSurfaceData
- client-libs java.awt java.awt.SplashScreen.getSize() returns incorrect size for high dpi splash screens
- client-libs java.awt:i18n Caps Lock doesn't work as expected when using Pinyin Simplified input method
- client-libs javax.accessibility [macosx] sun.lwawt.macosx.CAccessible leaks
- client-libs javax.accessibility Uninitialised memory in WinAccessBridge.cpp:1128
- client-libs javax.accessibility Jaws reads wrong values from comboboxes when no element is selected
- client-libs javax.swing Selection in JList is drawn with wrong colors in Nimbus L&F
- client-libs javax.swing javax.swing.text.html.parser.Parser parseScript incorrectly optimized
- client-libs javax.swing JComboBox prevents wheel mouse scrolling of JScrollPane
- client-libs javax.swing Personalized Windows Font Size is not taken into account in Java8u102
- client-libs javax.swing JEditorPane.createEditorKitForContentType throws NPE after 6882559
- core-libs java.lang Annotations with lambda expressions has parameter result in wrong behavior.
- core-libs java.lang.invoke MHs.Lookup.findConstructor returns handles for array classes
- core-libs java.nio (se) Selector.select(long) uses wrong timeout after EINTR (lnx)
- core-libs javax.naming LDAP "follow" throws ClassCastException with Java 8
- core-libs javax.naming com.sun.jndi.ldap.SimpleClientId produces wrong hash code
- core-libs javax.naming Non-synchronized access to shared members of com.sun.jndi.ldap.pool.Pool
- core-libs javax.script ReferenceError in 1.8.0_72
- core-libs jdk.nashorn streamline input parameter of Nashorn scripting $EXEC function
- core-libs jdk.nashorn "ant test" fails to complete on Windows when run under cygwin shell
- core-libs jdk.nashorn Negative lookahead in RegEx breaks backreference
- core-libs jdk.nashorn Simplify Nashorn's Context class loader handling
- core-libs jdk.nashorn Nashorn shebang argument handling is broken
- core-libs jdk.nashorn Regression: two tests fail on Windows with "ant test" target
- core-libs jdk.nashorn fix Nashorn shebang argument handling on Mac/Linux
- core-libs jdk.nashorn arguments are handled differently in apply for JS functions and AbstractJSObjects
- core-libs jdk.nashorn Parsing issue with automatic semicolon insertion
- core-libs jdk.nashorn Script stack trace should display function names
- core-libs jdk.nashorn JSON.stringify does not work on ScriptObjectMirror objects
- core-libs jdk.nashorn Callback parameter of any JS builtin implementation should accept any Callable
- core-libs jdk.nashorn TypeError when a java.util.Comparator object is invoked as a function
- core-libs jdk.nashorn AccessControlException is thrown on public Java class access if "script app loader" is set to null
- core-svc Tests in com/sun/jdi fails intermittently with "jdb input stream closed prematurely"
- core-svc debugger com/sun/jdi/OptionTest.java test times out again
- deploy [macosx] Java Control Panel unable to perform tasks requiring admin privileges
- deploy [macos] JVM continuously throw a NullPointerException on new MacOS 10.12
- deploy javafx FXUIToolkit.showFileChooser() fails when jre is below 7u21
- deploy javafx FXUIToolkit.showSandboxSecurityDialog fails when running jre below 7u21
- deploy javafx FXUIToolkit.showMessageDialog() fails when running jre below 7u55
- deploy webstart Add a URL scheme handler to reliably launch .jnlp files - Mac registration part
- deploy webstart Change JavawsLauncher.app to use NSTask or execv
- deploy webstart Desktop shortcut is not updated after JNLP is changed in deployment cache
- deploy webstart Allow always checkbox in security dialog when jnlp location is unknown
- deploy webstart Signed JWS application unexpectedly asks for permission to open a socket
- hotspot compiler Math.pow yields different results upon repeated calls
- hotspot compiler Need to bailout cleanly if creation of stubs fails when codecache is out of space
- hotspot compiler CastII/ConvI2L for a range check is prematurely eliminated
- hotspot compiler PPC64: unaligned Unsafe.getInt can lead to the generation of illegal instructions
- hotspot compiler Partially initialized string object created by C2's string concat optimization may escape
- hotspot gc G1: UseSHM in combination with a G1HeapRegionSize > os::large_page_size() falls back to use small pages
- hotspot gc Confusing message in "Current rem set statistics"
- hotspot gc allocating heap with UseLargePages and HugeTLBFS may trash existing memory mappings (linux)
- hotspot gc Long response times with G1 and StringDeduplication
- hotspot gc Test gc/ergonomics/TestDynamicNumberOfGCThreads.java fails
- hotspot jvmti Crash in Method::checked_resolve_jmethod_id(_jmethodID*)
- hotspot jvmti Fix for JDK-8147451 failed: Crash in Method::checked_resolve_jmethod_id(_jmethodID*)
- hotspot runtime Null ProtectionDomain in JVM can cause NPE because principals field is not initialized to an empty array
- hotspot runtime vm/mlvm/anonloader/stress/byteMutation failed with: assert(index >=0 && index < _length) failed: symbol index overflow
- hotspot runtime ConstantPool::release_C_heap_structures not run in some circumstances
- hotspot runtime Convert an assert in ClassLoaderData to a guarantee
- hotspot runtime Zero: Better byte behaviour
- hotspot runtime SIGSEGV: Metadata::mark_on_stack
- infrastructure release_eng 8u112 template file need to be updated
- install install jdk 8u71 fails to install with no error message
- install install ent msi does not have double-click support
- javafx application-lifecycle Passing objects between JavaScript (JavaFX / WebKit) and Java causes a memory leak
- javafx base SortedList wrapping a FilteredList causes AIOOBE
- javafx controls TreeTableView's selectedItems reports include null items.
- javafx controls [TreeTableView] graphic property of TreeItem is still visible after collapsing tree
- javafx controls Enhance CustomColorDialog to have flexibility to hide 'Opacity', 'Use' and 'Save' Button
- javafx graphics Scene content shows too large on Retina display, when a regular screen attached
- javafx graphics Print jobs do not finish when using a page range
- javafx graphics javafx print jobs take 60 times longer than javax.print
- javafx graphics Generated temp files (+JXF...temp) for custom fonts not deleted on exit.
- javafx graphics changes to compile under Visual Studio 14.0
- javafx graphics Crash while running imported/w3c/canvas/2d.gradient.interpolate.overlap2.html
- javafx graphics ContextMenu shown at wrong position on Windows10 with Extended Screen
- javafx graphics Revert fix for JDK-8150181 to push it with the correct commit message
- javafx graphics JavaFX Path drawing appears to leak native memory
- javafx web Javascript Timing Events stop work on system clock changes at past
- javafx web WebView Tooltip position no longer changes in 8u60
- javafx web WebView can't alert from a timer
- javafx web Debug build is not working after new WebKit upgrade
- javafx web NullPointer exception in WebView
- javafx web SQL Server Reporting Services in WebViews shows 401
- javafx web [WebView] Icon font doesn't work if single page application will be loaded from jar
- javafx web Need to document that JavaScript to Java bindings use weak references
- javafx web Update to newer version of WebKit
- javafx web DRT crash at fast/css-generated-content/initial-letter-basic.html
- javafx web Update java-wrappers for WebKit generated classes following WebKit update
- javafx web Linux: Javascript Timing Events stop work on system clock changes at past
- javafx web Linux: libjfxwebkit.so has hard-coded path
- javafx web Char value is set as integer, not as character
- javafx web Add timestamp to WebView Keyboard Event
- javafx web Can't get file size with javascript
- javafx web the JVM for our Swing application crashes, once we login into our application server
- javafx web WebView cannot render CSS background image with SVG data
- javafx web Char value is returned as integer, not as character
- javafx web Test Case Failure in CallBackTest
- javafx web WebView can't alert from a timer
- javafx web jvm crash at javafx com.sun.webkit.WebPage.twkPrePaint (GFlag + Heap verification)
- javafx web Implement overridePreference() for DRT framework
- javafx web [WebView] Unable to tile SVG image using css background property
- javafx web WebEngine doesn't handle html5 color picker
- javafx web Assertion fails with https://html-online.com/editor/
- javafx web [Win] Timer functionality is broken after JDK-8089563
- javafx web [OS X] Compilation Issue in WebPage.cpp
- javafx web Fix compilation warnings in WebCore and JavaScriptCore
- javafx web EOFException in GZIPInputStream.readUByte while browsing
- javafx web [WebView] WebView can't display social network icons on wellsfargo.com
- javafx web General sibling selector is broken for selected input boxes in WebView
- javafx web Website weibo.com cannot be loaded
- javafx web JavaFX browser can get stuck in an infinite loop when calling path.getTotalLength()
- javafx web [Windows] JavaFX crash in WebPage.twkOpen in 8u112 when closing WebView while debugging
- javafx web Loading "https://www.windyty.com" with JavaFX WebView crashes JVM.
- other-libs corba NullPointerException in IIOPInputStream.inputClassFields
- security-libs java.security New fix for memory leak in ProtectionDomain cache
- security-libs java.security SecureRandom.nextBytes() hurts performance with small size requests
- security-libs java.security Print size of DH keysize when errors are encountered
- security-libs java.security Some methods of java.security.Security require more permissions, than necessary
- security-libs javax.crypto Ucrypto config file cannot be read when -Dfile.encoding=UTF-16 is set
- security-libs javax.crypto Improve jurisdiction policy file signing exception
- security-libs javax.crypto:pkcs11 KeyStore.load() throws an IOException with a wrong cause in case of wrong password
- security-libs javax.crypto:pkcs11 LoadKeystore.java test is failing
- security-libs javax.net.ssl Hot lock on BulkCipher.isAvailable
- security-libs javax.net.ssl Make handling of 3rd party providers more stable
- security-libs javax.security The fix for 8050402 was partially committed
- security-libs org.ietf.jgss:krb5 Relax response flags checking in sun.security.krb5.KrbKdcRep.check.
- security-libs org.ietf.jgss:krb5 Semicolon is not recognized as comment starting character (Kerberos)
- tools Native2ascii doesn't close one of the streams it opens
- tools javac Incorrect class file created when passing lambda in inner class constructor
- tools launcher Showing incorrect result while passing specific argument in the Java launcher tools
- xml jaxp Issue in XMLScanner: EXPECTED_SQUARE_BRACKET_TO_CLOSE_INTERNAL_SUBSET when skipping large DOCTYPE section with CRLF at wrong place

更新時間：2016-10-18
更新細節：

更新時間：2016-07-20
更新細節：

What's new in this version:

Enhancements:
- Internal package sun.invoke.anon has been removed
- New property jdk.lang.processReaperUseDefaultStackSize
- Implemented performance improvements for BigInteger.montgomeryMultiply

Changes:
- MSCAPI KeyStore can handle same-named certificates
- Modify requirements on Authority Key Identifier extension field during X509 certificate chain building
- Providing more granular levels for GC verification
- Removed PICL warning message
- Improved exception handling for bad LDAP referral replies

Bug Fixes:
- Fix to resolve "Unable to process PreMasterSecret, may be too big" issue

更新時間：2016-04-19
更新細節：

What's new in this version:

Notable bug fixes included in this release:
- SHA224 removed from the default support list if SunMSCAPI enabled
- SunJSSE allows SHA224 as an available signature and hash algorithm for TLS 1.2 connections. However, the current implementation of SunMSCAPI does not yet support SHA224. This can cause problems if SHA224 and SunMSCAPI private keys are used at the same time.
- To mitigate the problem, we remove SHA224 from the default support list if SunMSCAPI is enabled.
- New JVM Options added: ExitOnOutOfMemory and CrashOnOutOfMemory

Two new JVM flags have been added:
- ExitOnOutOfMemory - When you enable this option, the JVM exits on the first occurrence of an out-of-memory error. It can be used if you prefer restarting an instance of the JVM rather than handling out of memory errors.
- CrashOnOutOfMemoryError - If this option is enabled, when an out-of-memory error occurs, the JVM crashes and produces text and binary crash files (if core files are enabled).

更新時間：2016-03-23
更新細節：

What's new in this version:

IANA Data 2016a:
- JDK 8u77 contains IANA time zone data version 2016a.

Security Baselines:
- The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u77 is 1.8.0_77.

JRE Expiration Date:
- This JRE (version 8u77) will expire with the release of the next critical patch update scheduled for April 19, 2016.

Notes:
- This Security Alert (8u77) is based off the earlier 8u74 PSU release. All users of earlier JDK 8 releases should update to this release.

Bug Fixes:
- This Security Alert addresses CVE-2016-0636, a vulnerability affecting Java SE running in web browsers on desktops. This vulnerability is not applicable to Java deployments, typically in servers or standalone desktop applications, that load and run only trusted code. It also does not affect Oracle server-based software. This vulnerability may be remotely exploitable without authentication (i.e., may be exploited over a network without the need for a username and password). To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user's system.
- Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

更新時間：2016-02-06
更新細節：

更新時間：2016-01-20
更新細節：