Download Java MSI x64 and x86 8.0.1410.15.
For installation with Configuration Manager use:
x86
msiexec.exe /i “jre1.8.0_141.msi” /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No
x64
msiexec.exe /i “jre1.8.0_14164.msi” /qn JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No
For uninstall use:
msiexec /x {<msi ID> (example 26A24AE4-039D-4CA4-87B4-2F64180131F0)} /qn /norestart
New Features
security-libs/java.security
Disable SHA-1 TLS Server Certificates
Any TLS server certificate chain containing an SHA-1 certificate (end-entity or intermediate CA) anchored by a root CA certificate included by default in Oracle’s JDK is now blocked by default. TLS Server certificate chains that are anchored by the enterprise or private CAs are not affected. Only X.509 certificate chains that are validated by the PKIX
implementation of the CertPathValidator
and CertPathBuilder
APIs and the SunX509
and PKIX
implementations of the TrustManagerFactory
API are subject to the restrictions. Third-party implementations of these APIs are directly responsible for enforcing their own restrictions.To implement this restriction and provide more flexibility for configuring your own restrictions, additional features have been added to the jdk.certpath.disabledAlgorithms
and jdk.jar.disabledAlgorithms
Security Properties in the java.security file, as follows:
jdk.certpath.disabledAlgorithms
:Three new constraints have been added to this Security Property:A new constraint namedjdkCA
, that when set, restricts the algorithm if it is used in a certificate chain that is anchored by a trust anchor that is pre-installed in the JDK cacerts keystore. This condition does not apply to certificate chains that are anchored by other certificates, including those that are subsequently added to the cacerts keystore. Also, note that the restriction does not apply to trust anchor certificates, since they are directly trusted.A new constraint nameddenyAfter
, that when set, restricts the algorithm if it is used in a certificate chain after the specified date. The restriction does not apply to trust anchor certificates, since they are directly trusted. Also, code signing certificate chains as used in signed JARs are treated specially as follows:- if the certificate chain is used with a signed JAR that is not timestamped, it will be restricted after the specified date
- if the certificate chain is used with a signed JAR that is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.
usage
, that when set, restricts the algorithm if it is used in a certificate chain for the specified use(s). Three usages are initially supported:TLSServer
for TLS/SSL server certificate chains,TLSClient
for TLS/SSL client certificate chains, andSignedJAR
for certificate chains used with signed JARs.
Multiple constraints can be combined to constrain an algorithm when delimited by ‘&’. For example, to disable SHA-1 TLS Server certificate chains that are anchored by pre-installed root CAs, the constraint is “SHA1 jdkCA & usage TLSServer”.
jdk.jar.disabledAlgorithms
:A new constraint has been added nameddenyAfter
, that when set, restricts the algorithm if it is used in a signed JAR after the specified date, as follows:- if the JAR is not timestamped, it will be restricted (treated as unsigned) after the specified date
- if the JAR is timestamped, it will not be restricted if it is timestamped before the specified date. If the JAR is timestamped after the specified date, it will be restricted.
Changes
core-svc/java.lang.management
JMX Diagnostic improvements
com.sun.management.HotSpotDiagnostic::dumpHeap API is modified to throw IllegalArgumentException if the supplied file name does not end with “.hprof” suffix. Existing applications which do not provide a file name ending with the “.hprof” extension will fail with IllegalArgumentException. In that case, applications can either choose to handle the exception or restore old behavior by setting system property ‘jdk.management.heapdump.allowAnyFileSuffix’ to true.
Custom HostnameVerifier enables SNI extension
Earlier releases of JDK 8 Updates didn’t always send the Server Name Indication (SNI) extension in the TLS ClientHello phase if a custom hostname verifier was used. This verifier is set via the setHostnameVerifier(HostnameVerifier v) method in HttpsURLConnection. The fix ensures the Server Name is now sent in the ClientHello body.
Tighter secure checks on processing WSDL files by wsimport tool
The wsimport tool has been changed to disallow DTDs in Web Service descriptions, specifically:
- DOCTYPE declaration is disallowed in documents
- External general entities are not included by default
- External parameter entities are not included by default
- External DTDs are completely ignored
To restore the previous behavior:
- Set the System property com.sun.xml.internal.ws.disableXmlSecurity to true
- Use the wsimport tool command line option –disableXmlSecurity
NOTE: JDK 7 and JDK 6 support for this option in wsimport will be provided via a Patch release post-July CPU
Bug Fixes
This release contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory. For a more complete list of the bug fixes included in this release, see the JDK 8u141 Bug Fixes page.