Changelog:
7.0.72: http://www.oracle.com/technetwork/java/javase/7u72-relnotes-2296190.html
Instructions to disable SSL v3.0 in Oracle JDK and JRE
Oracle recommends that users and developers disable use of the SSLv3 protocol. Please follow the Instructions to disable SSL v3.0 in Oracle JDK and JRE.
Change in javax.smartcardio.Card.disconnect(boolean reset) method behavior
Prior to the JDK 8u20 and JDK 7u72 releases, the javax.smartcardio.Card.disconnect(boolean reset) method had inverted logic for the 'reset' boolean value passed to it. The card was reset upon a disconnect if false was passed to it and vice versa. Starting with JDK 7u72 and JDK 8u20, the correct behavior as per API documentation has been implemented.
In order to provide backwards compatibility to users who rely on the old behavior, a new system property has been introduced. The following command-line option can be used to enforce the old broken behavior:
-Dsun.security.smartcardio.invertCardReset=true
This property is set by default for 7u72 and later JDK 7 update releases. By default, no behavioral change will be noticed in this area for JDK 7 update releases.
Also the following command-line option can be used to enforce the new correct behavior:
-Dsun.security.smartcardio.invertCardReset=false
This is default for 8u20 and later JDK 8 update releases. In future Java releases, the property will be ignored/disabled and default disconnect method behavior will be as specified by API.
Bug Fixes
This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.
For a list of bug fixes included in this release, see JDK 7u72 Bug Fixes page.
Area: security-libs/javax.net.ssl
Synopsis: Decrease the preference mode of RC4 in the enabled cipher suite list
This fix decreases the preference of RC4 based cipher suites in the default enabled cipher suite list of SunJSSE provider.
See JDK-8043832 (not public).
From: http://www.oracle.com/technetwork/java/javase/2col/7u72-bugfixes-2298229.html
Bug Id Category Subcategory Description
8036022 client-libs 2d D3D: rendering with XOR composite causes InternalError.
8019623 client-libs java.awt Lack of synchronization in AppContext.getAppContext()
8024061 client-libs java.awt Exception thrown when drag and drop between two components is executed quickly
8028617 client-libs java.awt Dvorak keyboard mapping not honored when ctrl key pressed
8016545 client-libs java.beans java.beans.XMLEncoder.writeObject output is wrong
8036819 client-libs javax.accessibility JAB: mneumonics not read for textboxes
8036983 client-libs javax.accessibility JAB:Multiselection Ctrl+CursorUp/Down and ActivateDescenderPropertyChanged event
8028616 client-libs javax.swing Htmleditorkit parser doesn't handle leading slash (/)
8032872 client-libs javax.swing [macosx] Cannot select from JComboBox in a JWindow
8032874 client-libs javax.swing ArrayIndexOutOfBoundsException in JTable while clearing data in JTable
8032878 client-libs javax.swing Editable combos in table do not behave as expected
8041451 core-libs javax.naming com.sun.jndi.ldap.Connection:ReadTimeout should abandon ldap request
8042857 core-libs javax.naming 14 stuck threads waiting for notification on LDAPRequest
7142035 core-svc java.lang.instrument assert in j.l.instrument agents during shutdown when daemon thread is running
8028623 core-svc tools SA: hash codes in SymbolTable mismatching java_lang_String::hash_code for extended characters.
8028619 deploy deployment_toolkit Display issue of java control panel in ko and ja locale
8031490 deploy deployment_toolkit Broken Java SE 7 jnlp samples (app2 and app3)
8038463 deploy deployment_toolkit Java Control Panel doesn't display correctly in high resolution
8025051 globalization locale-data Update resource files for TimeZone display names
8039298 hotspot compiler C2: assert(base == NULL || t_adr->isa_rawptr() || !phase->type(base)->higher_equal(TypePtr::NULL_PTR)) failed: NULL+offs not RAW address?
8038925 hotspot gc Java with G1 crashes in dump_instance_fields using jmap or jcmd without fullgc
8019324 hotspot runtime assert(_f2 == 0 || _f2 == f2) failed: illegal field change
8031290 hotspot runtime Adjust call to getisax() for additional words returned
8033696 hotspot runtime "assert(thread != NULL) failed: just checking" due to Thread::current() and JNI pthread interaction
8051012 hotspot runtime Regression in verifier for <init> method call from inside of a branch
8021804 security-libs java.security Certpath validation fails if validity period of root cert does not include validity period of intermediate cert
8050158 security-libs javax.net.ssl Introduce system property to maintain RC4 preference order
7047033 security-libs javax.smartcardio (smartcardio) Card.disconnect(boolean reset) does not reset when reset is true
7195480 security-libs javax.smartcardio javax.smartcardio does not detect cards on Mac OS X
8039319 security-libs javax.smartcardio (smartcardio) Card.transmitControlCommand() does not work on Mac OS X
8043507 security-libs javax.smartcardio (smartcardio) javax.smartcardio.CardTerminals.list() fails on MacOSX
8046343 security-libs javax.smartcardio (smartcardio) CardTerminal.connect('direct') does not work on MacOSX
8049250 security-libs javax.smartcardio (smartcardio) Need a flag to invert the Card.disconnect(reset) argument
8036709 tools jar Java 7 jarsigner displays warning about cert policy tree
8033113 xml jax-ws wsimport fails on WSDL:header parameter name customization
8029837 xml jaxp NPE seen in XMLDocumentFragmentScannerImpl.setProperty since 7u40b33
7.0.71:
From: http://www.oracle.com/technetwork/java/javase/2col/7u71-bugfixes-2298226.html
Bug Id Category Subcategory Description
8032788 client-libs java.awt ImageIcon constructor throws an NPE and hangs when passed a null String parameter
8057184 client-libs javax.swing JCK8's api/javax_swing/JDesktopPane/descriptions.html#getset failed with GTKLookAndFeel on Linux and Solaris run v.s. JDK8+
8001105 core-libs java.lang.invoke findVirtual of Object[].clone produces internal error
8031502 core-libs java.lang.invoke JSR292: IncompatibleClassChangeError in LambdaForm for CharSequence.toString() method handle type converter
8027821 deploy For signed jars without manifest "Permissions", there is still security warning dialog before Application Error (Or blocked) Dialog.
8054904 deploy webstart Webstart cache path error for Java >= 7u65
8032883 deploy plugin java.lang.UnsupportedClassVersionError occurs while accessing an applet
8036620 deploy plugin JAR file is downloaded on DownloadService.removeResource, if it is not in Deployment Cache
8040786 deploy plugin Text is truncated in JavaScript to Java security warning dialog on OS X
8043478 deploy plugin Oracle Linux 5.x: Expired JRE disabled in the browser automatically and no native dialog prompting for the JRE update
8025726 deploy webstart Certificate rule in DRS does not work for Java Web Start app when caching is turned off
8051891 deploy webstart SWT cannot load native look&feel
8050485 hotspot runtime super() in a try block in a ctor may need to cause VerifyError
8027686 install Fail to install on MacOS 10.10
7160837 security-libs javax.crypto DigestOutputStream does not turn off digest calculation when "close()" is called
8028627 security-libs javax.crypto Unsynchronized code path from javax.crypto.Cipher to the WeakHashMap used by JceSecurity to store codebase mappings
8012026 client-libs java.awt [macosx] Component.getMousePosition() does not work in an applet on MacOS
8032078 client-libs java.awt [macosx] CPlatformWindow.setWindowState throws RuntimeException, if windowState=ICONIFIED:MAXIMIZED_BOTH
8032961 client-libs java.awt A JTextField of an applet loses the abillity to receive the focus under certain circumstances.
8032669 client-libs javax.swing Mouse release not being delivered to Swing component in 7u45
7122142 core-libs java.lang (ann) Race condition between isAnnotationPresent and getAnnotations
8005232 core-libs java.lang (JEP-149) Class Instance size reduction
7185456 core-libs java.lang.reflect (ann) Optimize Annotation handling in java/sun.reflect.* code for small number of annotationsC
8015421 core-libs java.net NegativeArraySizeException occurs in ChunkedOutputStream() with Integer.MAX_VALUE
8021372 core-libs java.net NetworkInterface.getNetworkInterfaces() returns duplicate hardware address
8009764 deploy webstart Java Web Start app run on Java SE 8 b79 shows "trust level" SecurityExceptions
7094099 deploy plugin DropDown List of JComboBox detached
6653795 hotspot compiler C2 intrinsic for Unsafe.getAddress performs pointer sign extension on 32-bit systems
8027359 xml jaxp XML parser returns incorrect parsing results
8032909 xml jaxp XSLT string-length returns incorrect length when string includes complementary chars
Changelog:
7.0.67: http://www.oracle.com/technetwork/java/javase/7u67-relnotes-2251330.html
Bug Fixes
The following bug fix is included in this release:
Area: deploy/plugin
Synopsis: regression - java_arguments not accepted after update to 7u65
The regression is addressed in this release.
See 8050875.
7.0.65: http://www.oracle.com/technetwork/java/javase/7u65-relnotes-2229169.html
IANA Data 2014c
JDK 7u65 contains IANA time zone data version 2014c. For more information, refer to Timezone Data Versions in the JRE Software.
New Features and Changes
New Java Control Panel option to disable sponsors
Currently, to disable sponsor offers at the time of installation, the user can de-select the option during installation or can pass SPONSORS=0 as a commandline option.
In this release, a new Java Control Panel(JCP) option to disable sponsors is available. To use this option, go to JCP's "Advanced" tab, and check or uncheck "Suppress sponsor offers when updating Java".
This option is applicable to 32 and 64 bit Windows operating systems.
New JAXP processing limit property - maxElementDepth
A new property, maxElementDepth, is added to provide applications the ability to set limit on maximum element depth in an xml file that they parse. This may be helpful for applications that may use too much resources when processing an xml file with excessive element depth.
Name: http://java.sun.com/xml/jaxp/properties/maxElementDepth
Definition: Limit the maximum element depth
Value: A positive integer. 0 is treated as no limit. Negative numbers are treated as 0.
Defaule value: 0
System property: jdk.xml.maxElementDepth
For more details, see Processing Limits from JAXP tutorial trail.
See 8031541 (not public).
Bug Fixes
This release contains fixes for security vulnerabilities. For more information, see Oracle Critical Patch Update Advisory.
For a list of bug fixes included in this release, see JDK 7u65 Bug Fixes page.
The following are some of the notable bug fixes in this release:
Area: client-libs/AWT
Synopsis: Using RMI from a restricted environment may cause a NullPointerException.
If an application uses RMI and runs in a restricted environment (ie. Java Plugin, Java Web Start), it may not work. In particular, if you run a UI from an RMI callback, a NullPointerException is likely to be thrown.
See 8019274.
Area: other-libs/corba
Synopsis: org.omg.CORBA.ORBSingletonClass loading no longer uses context class loader
The system property org.omg.CORBA.ORBSingletonClass is used to configure the system-wide/singleton ORB. The handling of this system property was changed in the 7u55 release to require that the system wide/singleton ORB be visible to the system class loader.
In this release, the handling of this system property has been reverted to match the behavior found in JDK versions prior to 7u55 release, i.e. the singleton ORB is once again located using the thread context class loader of the first thread, to call the no-argument ORB.init method. The change is made to support applications which depend on this behavior.
Note that this change is applicable to 8u20, 7u65, 6u85 and 5.0u75 releases. For JDK 9, the new behavior, where the system wide/singleton ORB needs to be visible to the system class loader, will continue.
See 8046603.
Known Issues
Area: xml/jax-ws
Synopsis: JAF initialization in SAAJ clashing with the one in javax.mail
After initialization of SAAJ components, the javax.mail library may fail to work under certain circumstances, which in turn could break the javax.mail's JAF setup.
A possible workaround is to re-add the javax.mail handler before using javax.mail API:
MailcapCommandMap mailMap = (MailcapCommandMap) CommandMap.getDefaultCommandMap();
mailMap.addMailcap("multipart/mixed;;x-java-content-handler=com.sun.mail.handlers.multipart_mixed");
See 8043129.
* PLIST.linux-i386 and PLIST.linux-x86_64 are confirmed.
Changelog: http://www.oracle.com/technetwork/java/javase/7u60-relnotes-2200106.html
Java SE Development Kit 7, Update 60 (JDK 7u60)
The full version string for this update release is 1.7.0_60-b19 (where "b" means "build"). The version number is 7u60.
Highlights
This update release contains several enhancements and changes including the following:
Java Mission Control
New Features and Changes
IANA Data 2014b
JDK 7u60 contains IANA time zone data version 2014b. For more information, refer to Timezone Data Versions in the JRE Software.
JavaFX
This JDK release includes JavaFX version 2.2.60.
Java Mission Control
This JDK release includes Java Mission Control(JMC) version 5.3. For more information, see JMC 5.3 Release Notes.
New Features and Changes
Java ignores deployment.expiration.check.enabled property for first launch
If you have an older version of Java and expiration check is turned off through deployment.properties file, Java may ignore this property for first launch.
To ensure that expiration check is disabled, use the following Java Web Start command:
javaws -userConfig deployment.expiration.check.enabled false
If this property is changed in the deployment.properties file, open the Java Control Panel before starting an application to ensure that the native cache is synchronized with the file. For more information, see Deployment Configuration File and Properties.
New flags added to Java Management API
The flags MinHeapFreeRatio and MaxHeapFreeRatio have been made manageable. This means they can be changed at runtime using the management API in Java. Support for these flags have also been added to the ParallelGC as part of the adaptive size policy.
Bug Fixes
For a list of bug fixes included in this release, see JDK 7u60 Bug Fixes page.
The following are some of the notable bug fixes in this release:
Area: security-libs/java.security
Synopsis: Realm.getRealmsList returns realms list in wrong order
Java does not support the [capaths] section in krb5.conf correctly if there are more then one intermediate realm between the client realm and the server realm.
See 8012615.
Changelog:
JavaFX Release Notes
JavaFX is now part of JDK. JDK 7u55 release includes JavaFX version 2.2.55.
New Features and Changes
The frequency of some security dialogs has been reduced on systems that run the same RIA multiple times.
See 8029649.
Using "*" in Caller-Allowable-Codebase Attribute.
If a stand-alone asterisk (*), or asterisk as part of a top level domain such as (*.org), is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to the RIA will show a security warning. An option to remember the choice is also provided, and if the user selects the option to remember the choice to run the RIA, no further warning messages are shown for the same RIA, when run with JavaScript from the same source.
For more information, see JAR File Manifest Attributes for Security documentation.
See 8033707.
Disabling Sponsor Offers in the Java Installer
During the installation of Java, users may be presented with the option of downloading and installing sponsor offers, such as browser add-ons, or security software. With 7u55 and later releases of Java, sponsor offers can be bypassed entirely by using "SPONSORS=0" as an option, when installing Java via the command line:
Manually download the 32bit online installer for 7u55 to your local machine.
Click the Windows Start Button/Menu. From the available Menu choices, select the 'Search box' and enter the text "command" in it.
A list of matches will appear. Select 'Command Prompt' from the available Programs list.
Navigate to the folder containing the downloaded installer, e.g.:
cd c:\Users\<username>\Downloads
To start the installation, in the Command Prompt window type:
jre-7u55-windows-i586-iftw.exe SPONSORS=0
The option to disable sponsors will persist across all future updates and re-installs of Java.
Note that sponsor offers, and therefore this functionality, is only applicable to online 32bit JRE installers and Auto Update mechanisms for the Windows operating system.
Bug Fixes
Bug Id Category Sub-Category Description
JDK-7190349 client-libs 2d [macosx] Text (Label) is incorrectly drawn with a rotated g2d
JDK-8013569 client-libs 2d [macosx] JLabel preferred size incorrect on retina displays with non-default font size
JDK-6571600 client-libs java.awt JNI use results in UnsatisfiedLinkError looking for libmawt.so
JDK-8025588 client-libs java.awt [macosx] Frozen AppKit thread in 7u40
JDK-5049299 core-libs java.lang (process) Use posix_spawn, not fork, on S10 to avoid swap exhaustion
JDK-8020191 core-libs java.lang System.getProperty( " os.name " ) returns " Windows NT (unknown) " on Windows 8.1
JDK-8030822 core-libs java.time (tz) Support tzdata2013i
JDK-8019853 core-libs java.util.logging Break logging and AWT circular dependency
JDK-8026474 deploy deployment_toolkit deployJava.js versioncheck doesn't work in IE11
JDK-8028691 deploy plugin loading browser proxy via config script should not trigger JAR download
JDK-8029649 deploy plugin Reduce dialog frequency when app is run multiple times
JDK-8033705 deploy plugin Array out of bounds exception in PluginMain.performSSVValidation
JDK-8033779 deploy plugin JRE 7u51 Plugin Failing to Run Older JRE Version < 1.6.0
JDK-8029922 deploy webstart 32-bit only Java Web Start apps fail to run on 32- and 64-bit JRE configs
JDK-8031579 deploy webstart Spurious Missing Manifest Permissions Attribute Warning When Launching versioned Java Web Start app
JDK-8024830 hotspot compiler SEGV in org.apache.lucene.codecs.compressing.CompressingTermVectorsReader.get
JDK-8035618 other-libs corba:rmi-iiop Four api/org_omg/CORBA TCK tests fail under plugin only
Olson Data 2013h
JavaFX Release Notes
* JavaFX is now part of JDK. JDK 7u51 release includes JavaFX version 2.2.51.
New Features and Changes
* Jarsigner updated to encourage timestamping
* Changes to Security Slider
* Prompt users to clear previously remembered decisions
* Exception Site List
Bug Fixes
This release contains fixes for security vulnerabilities. For more information:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
while here, convert Solaris support to use pkgsrc emulator framework,
or it is hard to maintain this package.
This release includes important security fixes (CVE-2013-1571) . Oracle strongly
recommends that all Java SE 7 users upgrade to this release.
XXX: I cannot test on Solaris, but want to update for security fix.
XXX: If this change broke Solaris support, please fix, or report it.
Highlights
This update release contains the following enhancements:
Additional Certified System Configurations
Security Feature Enhancements
Olson Data 2012i
JDK 7u10 contains Olson time zone data version 2012i. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 7u10 are specified in the following table:
JRE Family Version JRE Security Baseline
(Full Version String)
7 1.7.0_09
6 1.6.0_37
5.0 1.5.0_38
1.4.2 1.4.2_40
For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.
Additional Certified System Configurations
For JDK 7u10 release, the following additional system configurations have been certified:
Mac OS X 10.8
Windows 8
For more information, refer to Oracle Certified System Configurations page.
Security Feature Enhancements
The JDK 7u10 release includes the following enhancements:
The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.
For more information, see Setting the Level of Security for the Java Client and Java Control Panel.
Bug Fixes
Notable Bug Fixes in JDK 7u10
The following are some of the notable bug fixes included in JDK 7u10.
Area: java command
Description: Wildcard expansion for single entry classpath does not work on Windows platforms.
The Java command and Setting the classpath documents describe how the wildcard character (*) can be used in a classpath element to expand into a list of the .jar files in the associated directory, separated by the classpath separator (;).
This wildcard expansion does not work in a Windows command shell for a single element classpath due to the Microsoft bug described in Wildcard Handling is Broken.
See 7146424.
For a list of other bug fixes included in this release, see JDK 7u10 Bug Fixes page.
