java

JDK 8u461 Release Notes

Java Development Kit 8 Release Notes

Java SE 8u461 Bundled Patch Release (BPR) - Bug Fixes and Updates

The following sections summarize changes made in all Java SE 8u461 BPR. Bug fixes and any other changes are listed below in date order, most current BPR first. Note that bug fixes in the previous BPR are also included in the current BPR.

 

Changes in Java SE 8u461 b32

Bug Fixes

Release date: July 15, 2025
BugId Category Subcategory Summary
JDK-8360926 (not public) install install JDK8 RPM installer installs with an error message
JDK-8355072 (not public) install install [OL9] java on systemd environments: /etc/rc.d/init.d/jexec' lacks a native systemd unit file

Java™ SE Development Kit 8, Update 461 (JDK 8u461)

Release date: July 15, 2025

The full version string for this update release is 1.8.0_461-b11 (where "b" means "build"). The version number is 8u461. This JDK conforms to version 8.6 of the Java SE Specification (JSR 337 MR 6 2024-07-02).

 

IANA TZ Data 2025b

JDK 8u461 contains IANA time zone data 2025b which contains the following changes since the previous update.

  • New zone for Aysén Region in Chile which moves from -04/-03 to -03.

For more information, refer to Timezone Data Versions in the JRE Software.

 

Security Baselines

The security baselines for the Java Runtime at the time of the release of JDK 8u461 are specified in the following table:

Java Family Version Security Baseline (Full Version String)
81.8.0_461-b11

 

Keeping the JDK up to Date

Oracle recommends that the JDK is updated with each Critical Patch Update. In order to determine if a release is the latest, the Security Baseline page can be used to determine which is the latest version for each release family.

Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Bulletins. It is not recommended that this JDK (version 8u461) be used after the next critical patch update scheduled for October 21, 2025.

Java Management Service, available to all users, can help you find vulnerable Java versions in your systems. Java SE Subscribers and customers running in Oracle Cloud can use Java Management Service to update Java Runtimes and to do further security reviews like identifying potentially vulnerable third party libraries used by your Java programs. Existing Java Management Service user click here to log in to your dashboard. The Java Management Service Documentation provides a list of features available to everyone and those available only to customers. Learn more about using Java Management Service to monitor and secure your Java Installations.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u461) on 2025-11-21. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see 23.1.2 JRE Expiration Date in the Java Platform, Standard Edition Deployment Guide.

 

Removed Features and Options

security-libs/java.security
 Removed Baltimore CyberTrust Root Certificate After Expiry Date (JDK-8303770)

The following expired root certificate has been removed from the cacerts keystore:

+ alias name "baltimorecybertrustca [jdk]"

  Distinguished Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE

security-libs/java.security
 Removed Two Camerfirma Root Certificates (JDK-8350498)

The following root certificates, which are terminated and no longer in use, have been removed from the cacerts keystore:

+ alias name "camerfirmachamberscommerceca [jdk]"

  Distinguished Name: CN=Chambers of Commerce Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU

+ alias name "camerfirmachambersignca [jdk]"
  Distinguished Name: CN=Global Chambersign Root - 2008, O=AC Camerfirma S.A., SERIALNUMBER=A82743287, L=Madrid (see current address at www.camerfirma.com/address), C=EU

 

Other Notes

security-libs/java.security
 Added 4 New Root Certificates from Sectigo Limited (JDK-8359170)

The following root certificates have been added to the cacerts truststore:

+ Sectigo Limited

  + sectigocodesignroote46
    DN: CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB

+ Sectigo Limited
  + sectigocodesignrootr46
    DN: CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB

+ Sectigo Limited
  + sectigotlsroote46
    DN: CN=Sectigo Public Server Authentication Root E46, O=Sectigo Limited, C=GB

+ Sectigo Limited
  + sectigotlsrootr46
    DN: CN=Sectigo Public Server Authentication Root R46, O=Sectigo Limited, C=GB

install/install
 Sign oracle.com JDK RPM Packages with OL9 Signing Key (JDK-8351906 (not public))

The oracle.com JDK RPM packages meant to be downloaded directly to the target system, now are signed with the OL9 signing key instead of the OL8 signing key. The RPM packages hosted on YUM repositories remain signed with the appropriate key for the target repository.

install/uninstall
 The Java Uninstall Tool Will Repair the Windows Registry (JDK-8343761 (not public))

There are some scenarios where upgrading from a JRE version 8u361 or below to a newer JRE version of Java 8 may break some of the Windows registry keys for the Java Runtime Environment. The Java Uninstall Tool will repair such situations, regardless if a JRE is selected for uninstall or not.

client-libs/2d
 Usage of FreeType Library on Linux and Solaris Platforms (JDK-8350323 (not public))

The latest Gnome update installs the Cantarell font, an OpenType font with CFF2 table, as the default in the latest Red Hat, SLES, and Solaris platforms. However, the T2K rendering engine used in JDK 8 does not support OpenType CFF2 fonts. As a result, when using the GTK look and feel, none of the text renders with the Cantarell font.

Starting from JDK 8u461, the Java runtime utilizes the FreeType library installed on the end-user’s system to render certain fonts, such as Cantarell. Due to this modification, installing libfreetype.so.6 may be necessary.

core-libs/javax.naming
 Update Default Value of com.sun.jndi.ldap.object.trustSerialData System Property (JDK-8290367)

In this release, the JDK implementation of the LDAP provider no longer supports deserialization of Java objects by default:

  • The default value of the com.sun.jndi.ldap.object.trustSerialData system property has been updated to false.

The transparent deserialization of Java objects from an LDAP context will now require an explicit opt-in. Applications that rely on reconstruction of Java objects or RMI stubs from the LDAP attributes would need to set the com.sun.jndi.ldap.object.trustSerialData system property to true.

security-libs/jdk.security
 Jarsigner Should Print a Warning If an Entry Is Removed (JDK-8309841)

If an entry is removed from a signed JAR file, there is no mechanism to detect that it has been removed using the JarFile API, since the getJarEntry method returns null as if the entry had never existed. With this change, the jarsigner -verify command analyzes the signature files and if some sections do not have matching file entries, it prints out the following warning: "This JAR contains signed entries for files that do not exist". Users can further find out the names of these entries by adding the -verbose option to the command.

xml/javax.xml.parsers
 Change DOM Parser to Not Resolve EntityReference and Add Text Node with DocumentBuilderFactory.setExpandEntityReferences(false) (JDK-8206132)

The implementation of the ExpandEntityReferences feature was changed to comply with the specification of the DocumentBuilderFactory.setExpandEntityReferences method. Now, when the method is set to false and encounters an entity reference, a DOM parser created by the DocumentBuilderFactory adds the EntityReference node to the DOM tree without the expanded Text node. Before the change, the implementation incorrectly added both nodes.

With the change, the DOM parser no longer reads and resolves entity references when the feature ExpandEntityReferences is set to false. For applications that intend to avoid resolving entity references, it will work as expected.

This change also affects the DOM Load and Save parser. The entities parameter is aligned with the ExpandEntityReferences feature, so that setting the entities parameter to true is equivalent to setting ExpandEntityReferences to false. In the following code snippet, the document will contain EntityReference nodes but not expanded Text nodes:

        LSParser domParser = domImplementationLS.createLSParser(MODE_SYNCHRONOUS, null);

        domParser.getDomConfig().setParameter("entities", true);
        LSInput src = domImplementationLS.createLSInput();
        src.setStringData(source);
        Document document = domParser.parse(src);

Because the references are not resolved, the resulting string will contain entity references without the text when the document is serialized:

        LSSerializer lsSerializer = domImplementationLS.createLSSerializer();

        lsSerializer.getDomConfig().setParameter("format-pretty-print", true);
        String result = lsSerializer.writeToString(document);

 

Bug Fixes

This release also contains fixes for security vulnerabilities described in the Oracle Critical Patch Update.

The following table lists the bug fixes included in the JDK 8u461 release:

# BugId Component Summary
1JDK-8348600client-libs/java.awtUpdate PipeWire to 1.3.81
2JDK-8348598client-libs/java.awtUpdate Libpng to 1.6.47
3JDK-8286204client-libs/javax.accessibility[Accessibility,macOS,VoiceOver] VoiceOver reads the spinner value 10 as 1 when user iterates to 10 for the first time on macOS
4JDK-8347911client-libs/javax.imageioLimit the length of inflated text chunks
5JDK-8224267client-libs/javax.swingJOptionPane message string with 5000+ newlines produces StackOverflowError
6JDK-8318915core-libs/java.mathEnhance checks in BigDecimal.toPlainString()
7JDK-8344589core-libs/java.util:i18nUpdate IANA Language Subtag Registry to Version 2024-11-19
8JDK-7102969core-libs/java.util:i18ncurrency.properties supercede not working correctly
9JDK-8356096core-libs/java.util:i18nISO 4217 Amendment 179 Update
10JDK-8299858core-svc/java.lang.management[Metrics] Swap memory limit reported incorrectly when too large
11JDK-8300659core-svc/java.lang.managementRefactor TestMemoryAwareness to use WhiteBox api for host values
12JDK-8297173core-svc/java.lang.managementusageTicks and totalTicks should be volatile to ensure that different threads get the latest ticks
13JDK-8356750deploy/deployment_toolkitJava 8 About Dialog in JCP shows http://www.java.com instead of https://www.java.com
14JDK-8138922hotspot/compilerStubCodeDesc constructor publishes partially-constructed objects on StubCodeDesc::_list
15JDK-8149918hotspot/compilerCPUIDBrandString stub is generated on demand
16JDK-8182169hotspot/gcArrayAllocator should take MEMFLAGS as regular parameter
17JDK-8176571hotspot/gcFine bitmaps should be allocated as belonging to mtGC, not mtInternal
18JDK-8055818hotspot/gcRemove PRAGMA_FORMAT_MUTE_WARNINGS_FOR_GCC from g1BlockOffsetTable.cpp
19JDK-8287007hotspot/runtime[cgroups] Consistently use stringStream throughout parsing code
20JDK-8224193hotspot/runtimestringStream should not use Resource Area
21JDK-8037842hotspot/runtimeFailing to allocate MethodCounters and MDO causes a serious performance drop
22JDK-8152849hotspot/runtimeshare/vm/runtime/mutex.cpp:1161 assert(((uintptr_t(_owner))|(uintptr_t(_LockWord.FullWord))|(uintptr_t(_EntryList))|(uintptr_t(_WaitSet))|(uintptr_t(_OnDeck))) == 0) failed
23JDK-8339148hotspot/runtimeMake os::Linux::active_processor_count() public
24JDK-8300645hotspot/runtimeHandle julong values in logging of GET_CONTAINER_INFO macros