New in version 8 Update 5

April 23rd, 2014
  • New Features and Changes:
  • The frequency of some security dialogs has been reduced on systems that run the same RIA multiple times. See 8029649.
  • Using "*" in the Caller-Allowable-Codebase attribute:
  • If a stand-alone asterisk (*) is specified as the value for the Caller-Allowable-Codebase attribute, then calls from JavaScript code to RIA will show a security warning, and users have the choice to allow the call or block the call.
  • Bug Fixes:
  • This release contains fixes for security vulnerabilities.

New in version 7 Update 51 (January 15th, 2014)

  • JavaFX Release Notes:
  • JavaFX is now part of JDK. JDK 7u51 release includes JavaFX version 2.2.51.
  • New Features and Changes:
  • Jarsigner updated to encourage timestamping
  • Timestamping for a signed jar is now strongly recommended. The Jarsigner tool will print out an informational warning at signing or verifying when timestamp is missing.
  • Changes to Security Slider:
  • The following changes to the Security Slider were included in this release (7u51):
  • Block Self-Signed and Unsigned applets on High Security Setting
  • Require Permissions Attribute for High Security Setting
  • Warn users of missing Permissions Attributes for Medium Security Setting
  • Change in Default Socket Permissions:
  • The default socket permissions assigned to all code including untrusted code have been changed in this release. Previously, all code was able to bind any socket type to any port number greater than or equal to 1024. It is still possible to bind sockets to the ephemeral port range on each system. The exact range of ephemeral ports varies from one operating system to another, but it is typically in the high range (such as from 49152 to 65535). The new restriction is that binding sockets outside of the ephemeral range now requires an explicit permission in the system security policy.
  • Most applications using client TCP sockets under a security manager will not see any problem, as these typically bind to ephemeral ports anyway. Applications using datagram sockets or server TCP sockets (and a security manager) may encounter security exceptions where none were seen before. If this occurs, users should review whether the port number being requested is expected, and if it is, a socket permission grant can be added to the local security policy to resolve the issue.
  • Change in JAXP Xalan Extension Functions:
  • In JDK 7u51, a change has been made in JAXP Xalan Extension functions to always use the default DOM implementation when Security Manager is present. This change affects the NodeSet created by DOM Document.
  • Before this change, the DOM implementation is located through the DOM factory lookup process. With this change, when security is enabled, the lookup process is skipped and the default DOM implementation is used.
  • This change will only affect those applications that use a 3rd party DOM implementation. In general, the NodeSet structure is expected to be compatible with that of the JDK default implementation.
  • Bug fixes:
  • Thread contention in the method Beans.isDesignTime()
  • (tz) Support tzdata2013h
  • Memory leak when GCNotifier uses create_from_platform_dependent_str()
  • Certificate based DRS rule does not work when main jar is in nested resource block or extension
  • Deadlock in caching code launching application with a large number of jars (~100).
  • Properly configured LiveConnect Applets must work even on JREs below the baseline by default
  • ESL not working for JNLP applications without an href
  • Applets don't get loaded and the Firefox crashes under Mac OS X
  • liveconnect dialog is showing the publisher unknown
  • Warning message appears in all the jar files not only the main jar file
  • REGRESSION: NPE thrown when a Java Web Start app fails with no logging
  • com.sun.corba.se.** should be on restricted package list
  • serial version of com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl changed in 7u45
  • ORB.init fails with SecurityException if properties select the JDK default ORB
  • Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement
  • XML readers share the same entity expansion counter
  • Revise fix for XML readers share the same entity expansion counter
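The socket-permission change in 7u51 above is easiest to see with a small probe run under a security manager. The class below is an added example, not code from the release notes or the JDK: it checks the listen permission for an ephemeral port (port 0) and for a fixed port, and then actually binds both. The port 8080 and the policy file name are assumptions for the demo.

```java
import java.io.IOException;
import java.net.ServerSocket;
import java.net.SocketPermission;
import java.security.AccessController;

/**
 * Added example (not from the release notes): probes what the 7u51 default
 * socket policy allows when a security manager is installed.
 *
 *   java -Djava.security.manager SocketPolicyProbe
 *   java -Djava.security.manager -Djava.security.policy=listen.policy SocketPolicyProbe
 */
public class SocketPolicyProbe {

    /** True if the current protection domain may listen on the given port. */
    static boolean mayListen(int port) {
        try {
            AccessController.checkPermission(
                new SocketPermission("localhost:" + port, "listen"));
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Binds for real, which is what a server or datagram application does. */
    static String tryBind(int port) {
        try (ServerSocket ss = new ServerSocket(port)) {
            return "bound to port " + ss.getLocalPort();
        } catch (SecurityException e) {
            return "SecurityException: " + e.getMessage();
        } catch (IOException e) {
            return "IOException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Port 0 asks the OS for an ephemeral port: allowed by the 7u51 default policy.
        System.out.println("ephemeral (0): " + tryBind(0));

        // A fixed port outside the ephemeral range now needs an explicit grant.
        int fixed = 8080; // assumed port for the demo
        System.out.println("fixed " + fixed + ": mayListen=" + mayListen(fixed)
            + ", " + tryBind(fixed));
    }
}
```

With only -Djava.security.manager the second line reports a SecurityException; with a policy file (listen.policy, assumed name) containing `grant { permission java.net.SocketPermission "localhost:8080", "listen"; };` it binds. Grant the narrowest host:port that the application really needs rather than restoring the old "localhost:1024-" range.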

New in version 7 Update 45 (October 25th, 2013)

  • General Changes:
  • New Date/Time Capability:
  • The java.util.TimeZone.setDefault(TimeZone) method has been changed to throw a SecurityException if the method is called by any code for which the security manager's checkPermission call denies PropertyPermission("user.timezone", "write"). The new system property jdk.util.TimeZone.allowSetDefault (a boolean) is provided so that the compatible behavior can be enabled. The property is evaluated only once, when the java.util.TimeZone class is loaded and initialized.
  • Security Changes:
  • LiveConnect:
  • This release introduces a new warning when web pages initiate LiveConnect calls into an RIA without being properly signed/configured. Java SE 7 Update 51, planned for January 2014, will introduce a requirement that all RIAs distributed publicly be signed by a valid certificate and contain a new Permissions attribute. These changes only affect Applet & Web Start applications (Rich Internet Applications). They do not affect other areas, such as server-side, embedded, or client applications. Read more in the blog LiveConnect changes in 7u45.
  • Protections Against Unauthorized Redistribution of Java Applications:
  • Starting with 7u45, application developers can specify new JAR manifest file attributes:
  • Application-Name: This attribute provides a secure title for your RIA.
  • Caller-Allowable-Codebase: This attribute specifies the codebase/locations from which JavaScript is allowed to call Applet classes.
  • JavaScript to Java calls will be allowed without any security dialog prompt only if:
  • JAR is signed by a trusted CA, has the Caller-Allowable-Codebase manifest entry and JavaScript runs on the domain that matches it.
  • JAR is unsigned and JavaScript calls happens from the same domain as the JAR location.
  • The JavaScript to Java (LiveConnect) security dialog prompt is shown once per AppletClassLoader instance.
  • Application-Library-Allowable-Codebase: If the JNLP file or HTML page is in a different location than the JAR file, the Application-Library-Allowable-Codebase attribute identifies the locations from which your RIA can be expected to be started.
  • If the attribute is not present or if the attribute and location do not match, then the location of the JNLP file or HTML page is displayed in the security prompt shown to the user.
  • Note that the RIA can still be started in any of the above cases.
  • Developers can refer to JAR File Manifest Attributes for more information.
  • Restore Security Prompts:
  • A new button is available in the Java Control Panel (JCP) to clear previously remembered trust decisions. A trust decision occurs when the user has selected the Do not show this again option in a security prompt. To show prompts that were previously hidden, click Restore Security Prompts. When asked to confirm the selection, click Restore All. The next time an application is started, the security prompt for that application is shown.
  • See Restore Security Prompts under the Security section of the Java Control Panel.
  • JAXP Changes:
  • Starting from JDK 7u45, the following new processing limits are added to the JAXP FEATURE_SECURE_PROCESSING feature.
  • totalEntitySizeLimit
  • maxGeneralEntitySizeLimit
  • maxParameterEntitySizeLimit
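The manifest attributes introduced in 7u45 above, together with the Permissions attribute and the jarsigner timestamp warning from 7u51, fit into one build step. The script below is an added example, not Oracle's tooling or any project's build: it writes a manifest carrying those attributes, checks that they are all present, and signs the JAR with a timestamp. Every example.com host, the keystore release.jks, its alias "release", the classes directory and the TSA URL are hypothetical.

```shell
#!/bin/sh
# Added example (not from the release notes): manifest with the 7u45/7u51
# RIA attributes, plus a timestamped signature.
# Hypothetical: example.com hosts, release.jks, alias "release", TSA URL.

# Write the manifest. List only the origins that really serve the JAR, the
# HTML/JNLP page, and the JavaScript that calls into the applet. Values are
# space-separated; a "*" in Caller-Allowable-Codebase reintroduces a prompt.
write_manifest() {
    out="$1"
    cat > "$out" <<'EOF'
Manifest-Version: 1.0
Application-Name: Inventory Viewer
Permissions: sandbox
Codebase: https://app.example.com
Caller-Allowable-Codebase: https://app.example.com
Application-Library-Allowable-Codebase: https://portal.example.com
EOF
}

# Pre-flight: 0 when every attribute the 7u51 High setting expects and both
# allowable-codebase attributes are present, 1 otherwise.
manifest_has_ria_attributes() {
    m="$1"
    for key in Permissions Application-Name Caller-Allowable-Codebase \
               Application-Library-Allowable-Codebase; do
        grep -q "^$key: " "$m" || return 1
    done
    return 0
}

# Package and sign. -tsa embeds an RFC 3161 timestamp so the signature stays
# valid after the signing certificate expires; 7u51 warns when it is missing.
build_and_sign() {
    jar cfm inventory.jar MANIFEST.MF -C classes .
    jarsigner -tsa "https://tsa.example.com" -keystore release.jks \
              inventory.jar release
    jarsigner -verify -verbose -certs inventory.jar
}

# Only invoke the JDK tools when they and the compiled classes are available,
# so the functions above can also be sourced from another script.
if command -v jarsigner >/dev/null 2>&1 && [ -d classes ]; then
    write_manifest MANIFEST.MF
    manifest_has_ria_attributes MANIFEST.MF && build_and_sign
fi
```

jarsigner prompts for the keystore password. Keep each manifest line under 72 bytes (the JAR spec limit); if several origins are needed, wrap with a continuation line that starts with a single space rather than exceeding it.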

New in version 7 Update 40 (September 11th, 2013)

  • Retina Display support on Mac OS X
  • Retina screens will now display content correctly. Previously rendering had been blurry. See 8000629.
  • Deployment Rule Set
  • Deployment rule set allows a desktop administrator to control the level of Java client compatibility and default prompts across an organization.
  • For a summary of this feature, see Deployment Rule Set documentation.
  • Option to disable the "JRE out of date" warning
  • Starting from 7u40, a new deployment property deployment.expiration.check.enabled is available. This property can be used to disable the "JRE out of date" warning.
  • When the installed JRE (7u10 or later) falls below the security baseline or passes its built-in expiration date, an additional warning is shown to users to update their installed JRE to the latest version. For businesses that manage the update process centrally, users attempting to update their JRE individually may cause problems.
  • To suppress this specific warning message, add the following entry in the deployment properties file: deployment.expiration.check.enabled=false
  • For more information, see Deployment Configuration File and Properties.
  • New Security Warnings for Unsigned and Self-Signed Applications
  • New warnings are added in the dialogs for Unsigned and Self-Signed applications.
  • From the dialogs for Unsigned and Self-Signed applets, "Remember this decision" option has been removed. In addition, the previously remembered decisions for self-signed and unsigned applets will be ignored.
  • For more information, see Security Dialogs.
  • Local Applets return NULL for DocumentBase
  • Beginning with JDK 7u40, an applet's getDocumentBase() method will return NULL when the applet is running from the local file system.
  • If applet needs to load resource, here are the options:
  • If the resource is in the applet's JAR(s), the user should be able to load it with ClassLoader.getResourceAsStream directly, without needing the codebase information.
  • If the resource is in an arbitrary location, which is not inside the applet's JAR(s), the user must have other ways to get to that location, since it is not part of the applet resource. For example, the user.home java system property, provided their applet has all-permissions.
  • JAXP Security Improvements
  • JDK 7u40 release contains Java API for XML Processing (JAXP) 1.5, which adds the ability to restrict the set of network protocols that may be used to fetch external resources. For more information, see JEP 185: JAXP 1.5: Restrict Fetching of External Resources.
  • Default X.509 Certificates Have Longer Key Length
  • Starting from 7u40, the use of X.509 certificates with RSA keys less than 1024 bits in length is restricted. This restriction is applied via the Java Security property jdk.certpath.disabledAlgorithms. The default value of jdk.certpath.disabledAlgorithms is now as follows: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
  • In order to avoid the compatibility issue, users who use X.509 certificates with RSA keys less than 1024 bits, are recommended to update their certificates with stronger keys. As a workaround, at their own risk, users can adjust the key size to permit smaller key sizes through the security property jdk.certpath.disabledAlgorithms.
  • For more information, see Java PKI Programmer's Guide or JSSE Reference Guide.
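The JAXP 1.5 external-resource restriction from 7u40 and the entity-size limits that 7u45 adds to FEATURE_SECURE_PROCESSING are both set on the same DocumentBuilderFactory. The class below is an added example, not code from the release notes or the JDK: it builds a hardened parser with a deliberately small total-entity budget and feeds it three constructed documents, a benign one, one whose entity expansion exceeds the budget, and one that references an external file entity. The 64-byte limit and the file path are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example (not from the release notes): 7u45 entity-size limit plus the
 * 7u40 (JAXP 1.5) external-resource restriction on one parser. Inputs below
 * are constructed for the demo.
 */
public class HardenedXmlParser {

    // JAXP 1.5 property (also exposed as XMLConstants.ACCESS_EXTERNAL_DTD in 7u40+).
    static final String ACCESS_EXTERNAL_DTD =
        "http://javax.xml.XMLConstants/property/accessExternalDTD";
    // 7u45 processing limit; the system property jdk.xml.totalEntitySizeLimit
    // sets the same limit JVM-wide.
    static final String TOTAL_ENTITY_SIZE_LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit";

    static DocumentBuilder newHardenedBuilder(int totalEntityBytes) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);      // enables the limits
        f.setAttribute(TOTAL_ENTITY_SIZE_LIMIT, String.valueOf(totalEntityBytes)); // tighten
        f.setAttribute(ACCESS_EXTERNAL_DTD, "");   // no protocol may fetch DTDs or external entities
        return f.newDocumentBuilder();
    }

    /** Returns "ok: ..." or "rejected: ..." so the caller can see which control fired. */
    static String parse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "ok: root=" + d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = newHardenedBuilder(64);  // assumed budget for the demo

        // Constructed sample 1: benign document.
        System.out.println(parse(b, "<?xml version=\"1.0\"?><order id=\"1\"/>"));

        // Constructed sample 2: 40-byte entity expanded three times, well over 64 bytes in total.
        String blowup = "<?xml version=\"1.0\"?><!DOCTYPE a [<!ENTITY x "
            + "\"0123456789012345678901234567890123456789\"><!ENTITY y \"&x;&x;&x;\">]><a>&y;</a>";
        System.out.println(parse(b, blowup));

        // Constructed sample 3: external entity; blocked before any file is read.
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE a [<!ENTITY ext SYSTEM "
            + "\"file:///etc/hostname\">]><a>&ext;</a>";
        System.out.println(parse(b, xxe));
    }
}
```

Sample 1 parses; sample 2 is rejected once the accumulated entity size passes the limit; sample 3 is rejected because the empty accessExternalDTD value allows no protocol. Setting the limits on the factory, rather than only through jdk.xml.* system properties, keeps the policy with the code that parses untrusted input.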

New in version 7 Update 25 (June 19th, 2013)

  • Oracle today released the June 2013 Critical Patch Update for Java SE. This Critical Patch Update provides 40 new security fixes. 37 of these vulnerabilities are remotely exploitable without authentication.
  • 34 of the fixes brought with this Critical Patch Update address vulnerabilities that only affect client deployments. The highest CVSS Base Score for these client-only fixes is 10.0.
  • 4 of the vulnerabilities fixed in this Critical Patch Update can affect client and server deployments. The most severe of these vulnerabilities has received a CVSS Base Score of 7.5.
  • One of the vulnerabilities fixed in this Critical Patch Update affects the Java installer and can only be exploited locally.
  • Finally, one of the fixes included in this Critical Patch Update affects the Javadoc tool and the documents it creates. Some HTML pages that were created by any 1.5 or later versions of the Javadoc tool are vulnerable to frame injection. This means that this vulnerability (CVE-2013-1571, also known as CERT/CC VU#225657) can only be exploited through Javadoc-generated HTML files hosted on a web server. If exploited, this vulnerability can result in granting a malicious attacker the ability to inject frames into a vulnerable web page, thus allowing the attacker to direct unsuspecting users to malicious web pages through their web browsers. This vulnerability has received a CVSS Base Score of 4.3. With the release of this Critical Patch Update, Oracle has fixed the Javadoc tool so that it doesn’t produce vulnerable pages anymore, and additionally produced a utility, the “Java API Documentation Updater Tool,” to fix previously produced (and vulnerable) HTML files. More information about this vulnerability is available on the CERT/CC web site at http://www.kb.cert.org/vuls/id/225657.
  • Oracle recommends that this Critical Patch Update be applied as soon as possible because it includes fixes for a number of severe vulnerabilities. Note that the vulnerabilities fixed in this Critical Patch Update affect various components and, as a result, may not affect the security posture of all Java users in the same way.
  • Desktop users can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version. As a reminder, security fixes delivered through the Critical Patch Update for Java SE are cumulative: in other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.

New in version 7 Update 17 (March 5th, 2013)

  • Serious security vulnerabilities in the browser plug-in were resolved.
  • Due to the severity of these vulnerabilities and the reported exploitation of CVE-2013-1493 "in the wild", Oracle strongly recommends the application of this update as soon as possible.

New in version 7 Update 7 (August 31st, 2012)

  • A serious security issue allowing remote attackers to execute arbitrary code via a crafted applet has been fixed.
  • This issue was reported as CVE-2012-4681.
  • Updating is strongly recommended, as exploits are available.

New in version 7 Update 6 (August 20th, 2012)

  • Full support for Mac OS X and for Linux on ARM has been added.
  • JavaFX is now packaged. Java Access Bridge is now included.
  • An alternative hash function is included.
  • The security warning dialog messages have been modified.
  • Several minor bugs have been fixed.

New in version 7 Update 5 (June 13th, 2012)

  • This version resolves twelve remotely-exploitable security vulnerabilities and improves VM configuration file loading.