Java SE Development Kit 17, 17 0.10 Release Notes

TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. A new JDK implementation specific system property to control caching for HTTP NTLM connection is introduced. Caching for HTTP NTLM connection remains enabled java 7 certifications by default, so if the property is not explicitly specified, there will be no behavior change. A new JDK implementation specific system property to control caching for HTTP SPNEGO (Negotiate/Kerberos) connections is introduced.

• Native Image is extensively tested and supported for use in production, but is not a conformant implementation of the Java Platform.
• This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in the lib/security/cacerts keystore.
• Please note that fixes from prior BPR (7u141 b33) are included in this version.
• Specifically, your environment is supported only if you follow the Microsoft guidelines when dealing with multiple runtimes.
• For a more complete list of the bug fixes included in this release, see the JDK 7u151 Bug Fixes page.

Caching for HTTP SPNEGO connections remains enabled by default, so if the property is not explicitly specified, there will be no behavior change. Multiple constraints can be combined to constrain an algorithm when delimited by ‘&’. For example, to disable SHA-1 TLS Server certificate chains that are anchored by pre-installed root CAs, the constraint is “SHA1 jdkCA & usage TLSServer”. Due to the more rigorous procedure of reading a keystore content, some keystores (particularly, those created with old versions of the JDK or with a JDK from other vendors) might need to be regenerated. New public attributes, RMIConnectorServer.CREDENTIALS_FILTER_PATTERN and RMIConnectorServer.SERIAL_FILTER_PATTERN have been added to RMIConnectorServer.java.

Java™ SE Development Kit 7, Update 281 (JDK 7u

The Deployment Toolkit API installLatestJRE() and installJRE(requestedVersion) methods from deployJava.js and the install() method from dtjava.js no longer install the JRE. If a user’s version of Java is below the security baseline, it redirects the user to java.com to get an updated JRE. To avoid this situation, please increase the CodeCache size by using the JVM option, ReservedCodeCacheSize. The default maximum size of the CodeCache on most of the platforms is 48M.

For a more complete list of the bug fixes included in this release, see the JDK 7u321 Bug Fixes page. For a more complete list of the bug fixes included in this release, see the JDK 7u331 Bug Fixes page. For a more complete list of the bug fixes included in this release, see the JDK 7u351 Bug Fixes page.

RI Binaries under the Oracle Binary Code License

The list of disabled algorithms is controlled via a new security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files. The keytool and jarsigner tools have been updated to warn users when weak cryptographic algorithms are used in keys, certificates, and signed JARs before they are disabled. The weak algorithms are set in the jdk.security.legacyAlgorithms security property in the java.security configuration file.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u161) on February 16, 2018. For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u171) on May 17, 2018. For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 7u181) on August 17, 2018.

Java SE 7 Advanced

For .exe programs, embedded double quotes are allowed and are encoded so they are passed to Windows as literal quotes. The restrictions are enforced if there is a security manager and the jdk.lang.Process.allowAmbiguousCommands property is “false” or there is no security manager and property is not “false”. Runtime.exec and ProcessBuilder have been updated in this release to tighten the constraints on the quoting of arguments to processes created by these APIs. The changes may impact applications on Microsoft Windows that are deployed with a security manager. The changes have no impact on applications that are run without a security manager. New checks have been added to ensure that trust anchors are CA certificates and contain proper extensions.