Monday, January 23, 2017

8u121 Update Release Notes

8u121 Update Release Notes

January 17, 2017



Java™ SE Development Kit 8, Update 121 (JDK 8u121)

The full version string for this update release is 1.8.0_121-b13 (where "b" means "build"). The version number is 8u121.

IANA Data 2016i

JDK 8u121 contains IANA time zone data version 2016i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baselines

The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u121 are specified in the following table:
JRE Family VersionJRE Security Baseline
(Full Version String)
81.8.0_121-b13
71.7.0_131-b12
61.6.0_141-b12

JRE Expiration Date

The JRE expires whenever a new release with security vulnerability fixes becomes available. Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin. This JRE (version 8u121) will expire with the release of the next critical patch update scheduled for April 18, 2017.
For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u121) on May 18, 2017. After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version. For more information, see JRE Expiration Date.


Notes


core-libs/javax.naming
Improved protection for JNDI remote class loading
Remote class loading via JNDI object factories stored in naming and directory services is disabled by default. To enable remote class loading by the RMI Registry or COS Naming service provider, set the following system property to the string "true", as appropriate:
com.sun.jndi.rmi.object.trustURLCodebase
    com.sun.jndi.cosnaming.object.trustURLCodebase
JDK-8158997 (not public)


security-libs/java.security
jarsigner -verbose -verify should print the algorithms used to sign the jar
The jarsigner tool has been enhanced to show details of the algorithms and keys used to generate a signed JAR file and will also provide an indication if any of them are considered weak.

Specifically, when "jarsigner -verify -verbose filename.jar" is called, a separate section is printed out showing information of the signature and timestamp (if it exists) inside the signed JAR file, even if it is treated as unsigned for various reasons. If any algorithm or key used is considered weak, as specified in the Security property, jdk.jar.disabledAlgorithms, it will be labeled with "(weak)".

For example:
- Signed by "CN=weak_signer"
   Digest algorithm: MD2 (weak) 
   Signature algorithm: MD2withRSA (weak), 512-bit key (weak)
 Timestamped by "CN=strong_tsa" on Mon Sep 26 08:59:39 CST 2016
   Timestamp digest algorithm: SHA-256 
   Timestamp signature algorithm: SHA256withRSA, 2048-bit key 
See JDK-8163304 


New Features


core-libs/java.io:serialization
Serialization Filter Configuration
Serialization Filtering introduces a new mechanism which allows incoming streams of object-serialization data to be filtered in order to improve both security and robustness. Every ObjectInputStream applies a filter, if configured, to the stream contents during deserialization. Filters are set using either a system property or a configured security property. The value of the "jdk.serialFilter" patterns are described in JEP 290 Serialization Filtering and in /lib/security/java.security. Filter actions are logged to the 'java.io.serialization' logger, if enabled. 
See JDK-8155760


core-libs/java.rmi
RMI Better constraint checking
RMI Registry and Distributed Garbage Collection use the mechanisms of JEP 290 Serialization Filtering to improve service robustness.
RMI Registry and DGC implement built-in white-list filters for the typical classes expected to be used with each service.
Additional filter patterns can be configured using either a system property or a security property. The "sun.rmi.registry.registryFilter" and "sun.rmi.transport.dgcFilter" property pattern syntax is described in JEP 290 and in /lib/security/java.security.
JDK-8156802 (not public)


security-libs
Add mechanism to allow non-default root CAs to not be subject to algorithm restrictions
*New certpath constraint: jdkCA*
In the java.security file, an additional constraint named "jdkCA" is added to thejdk.certpath.disabledAlgorithms property. This constraint prohibits the specified algorithm only if the algorithm is used in a certificate chain that terminates at a marked trust anchor in thelib/security/cacerts keystore. If the jdkCA constraint is not set, then all chains using the specified algorithm are restricted. jdkCA may only be used once in a DisabledAlgorithm expression.

Example: To apply this constraint to SHA-1 certificates, include the following: SHA1 jdkCA
See JDK-8140422


Changes


security-libs/javax.xml.crypto
Increase the minimum key length to 1024 for XML Signatures
The secure validation mode of the XML Signature implementation has been enhanced to restrict RSA and DSA keys less than 1024 bits by default as they are no longer secure enough for digital signatures. Additionally, a new security property namedjdk.xml.dsig.SecureValidationPolicy has been added to the java.security file and can be used to control the different restrictions enforced when the secure validation mode is enabled.

The secure validation mode is enabled either by setting the xml signature propertyorg.jcp.xml.dsig.secureValidation to true with thejavax.xml.crypto.XMLCryptoContext.setProperty method, or by running the code with aSecurityManager.

If an XML Signature is generated or validated with a weak RSA or DSA key, an XMLSignatureException will be thrown with the message, "RSA keys less than 1024 bits are forbidden when secure validation is enabled" or "DSA keys less than 1024 bits are forbidden when secure validation is enabled."
JDK-8140353 (not public)


docs/release_notes
Restrict certificates with DSA keys less than 1024 bits.
DSA keys less than 1024 bits are not strong enough and should be restricted in certification path building and validation. Accordingly, DSA keys less than 1024 bits have been deactivated by default by adding "DSA keySize < 1024" to the "jdk.certpath.disabledAlgorithms" security property. Applications can update this restriction in the security property ("jdk.certpath.disabledAlgorithms") and permit smaller key sizes if really needed (for example, "DSA keySize < 768").
JDK-8139565 (not public)


security-libs
More checks added to DER encoding parsing code
More checks are added to the DER encoding parsing code to catch various encoding errors. In addition, signatures which contain constructed indefinite length encoding will now lead to IOException during parsing. Note that signatures generated using JDK default providers are not affected by this change.
JDK-8168714 (not public)


core-libs/java.net
Additional access restrictions for URLClassLoader.newInstance
Class loaders created by the java.net.URLClassLoader.newInstance methods can be used to load classes from a list of given URLs. If the calling code does not have access to one or more of the URLs and the URL artifacts that can be accessed do not contain the required class, then a ClassNotFoundException, or similar, will be thrown. Previously, a SecurityException would have been thrown when access to a URL was denied. If required to revert to the old behavior, this change can be disabled by setting thejdk.net.URLClassPath.disableRestrictedPermissions system property.
JDK-8151934 (not public)


core-libs/java.util.logging
A new configurable property in logging.properties java.util.logging.FileHandler.maxLocks
A new "java.util.logging.FileHandler.maxLocks" configurable property is added tojava.util.logging.FileHandler

This new logging property can be defined in the logging configuration file and makes it possible to configure the maximum number of concurrent log file locks a FileHandler can handle. The default value is 100. 

In a highly concurrent environment where multiple (more than 101) standalone client applications are using the JDK Logging API with FileHandler simultaneously, it may happen that the default limit of 100 is reached, resulting in a failure to acquire FileHandler file locks and causing an IO Exception to be thrown. In such a case, the new logging property can be used to increase the maximum number of locks before deploying the application. 

If not overridden, the default value of maxLocks (100) remains unchanged. Seejava.util.logging.LogManager and java.util.logging.FileHandler API documentation for more details. 
See JDK-8153955
 
 

Bug Fixes


The following are some of the notable bug fixes included in this release: 

client-libs/javax.swing
Trackpad scrolling of text on OS X 10.12 Sierra is very fast
The MouseWheelEvent.getWheelRotation() method returned rounded native NSEvent deltaX/Y events on Mac OS X. The latest macOS Sierra 10.12 produces very small NSEvent deltaX/Y values so rounding and summing them leads to the huge value returned from theMouseWheelEvent.getWheelRotation(). The JDK-8166591 fix accumulates NSEvent deltaX/Y and the MouseWheelEvent.getWheelRotation() method returns non-zero values only when the accumulated value exceeds a threshold and zero value. This is compliant with theMouseWheelEvent.getWheelRotation() specification(https://docs.oracle.com/javase/8/docs/api/java/awt/event/MouseWheelEvent.html#getWheelRotation):

"Returns the number of "clicks" the mouse wheel was rotated, as an integer. A partial rotation may occur if the mouse supports a high-resolution wheel. In this case, the method returns zero until a full "click" has been accumulated."

For the precise wheel rotation values, use the MouseWheelEvent.getPreciseWheelRotation()method instead.
See JDK-8166591

This release also contains fixes for security vulnerabilities described in the Oracle Java SE Critical Patch Update Advisory. For a more complete list of the bug fixes included in this release, see theJDK 8u121 Bug Fixes page.


Known Issues


deploy/packager
javapackager and fx:deploy bundle the whole JDK instead of JRE
There is a known bug in the Java Packager for Mac where the entire JDK may be bundled with the application bundle resulting in an unusually large bundle. The work around is to use the bundler option -Bruntime option. For example: -Bruntime=JavaAppletPlugin.plugin sets where theJavaAppletPlugin.plugin for the desired JRE to bundle is located in the current directory.
See JDK-8166835

install/install
Java Installation will fail for non-admin users with UAC off
The Java installation on Windows will fail without warning or prompting, for non-admin users with User Access Control (UAC) disabled. The installer will leave a directory, jds<number>.tmp, in the %TEMP% directory.
JDK-8161460 (not public)




- wong chee tat :)

Town councils must set aside 14% of conservancy fees for lift replacement

Town councils must set aside 14% of conservancy fees for lift replacement
Posted 23 Jan 2017 12:08 Updated 23 Jan 2017 19:11

SINGAPORE: Starting April this year, all town councils will have to set aside at least 14 per cent of their service and conservancy charges (S&CC) collected from residents, as well as Government grants, for lift replacement.

This will be on top of their regular contributions – a minimum of 26 per cent of collections – to the general sinking fund, the Ministry of National Development (MND) said on Monday (Jan 23).

To help cover their costs, the ministry will increase the S&CC operating grants it now gives to the town councils, and also provide additional grants to match part of the town councils’ contributions to their Lift Replacement Fund.

Details of the MND assistance measures will be released separately, it said.

“As our HDB estate infrastructure gets older, more expenditure will be needed for the maintenance and replacement of these infrastructure assets. Town councils must therefore plan ahead and contribute more to their sinking funds to pay for these major expenses,” the ministry said.

Last September, the Housing and Development Board (HDB) said it will launch a new S$450 million Lift Enhancement Programme to help fund the costs of modernising older lifts in public housing estates. All town councils will also have to set up dedicated Lift Replacement Funds, to be carved out from their sinking funds and ring-fenced for future lift replacements.

The announcement came after a spate of well-publicised lift malfunctions last year, including one where an elderly man died and another where an elderly woman’s hand was severed.

In response to media queries on Monday, PAP Town Councils said they support the move to set aside 14 per cent of the S&CC for the lift replacement fund, and that any additional grants are welcomed.

"Expenditures have increased significantly especially in lift maintenance, conservancy, and pest control work," said the coordinating chairman of PAP Town Councils Teo Ho Pin. "Furthermore, as our estates get older, it will require more cyclical maintenance work to be carried out.

"The PAP Town Councils will continue to adopt a prudent approach to provide quality maintenance services to our residents."

- CNA/cy


- wong chee tat :)

McDonald's fourth-quarter US comparable sales fall less than expected

McDonald's fourth-quarter US comparable sales fall less than expected
Posted 23 Jan 2017 21:10 Updated 23 Jan 2017 21:50

REUTERS: McDonald's Corp's U.S. comparable restaurant sales fell less than analysts had expected in the fourth quarter as strong demand for its all-day breakfast brought more people to its restaurants.

The operator of the world's largest fast-food chain posted overall quarterly revenue that beat analysts' expectations.

The company's stock initially rose in premarket trading on Monday, before reversing course to trade down 0.38 percent at US$121.95.

Sales at established McDonald's restaurants in the United States declined 1.3 percent in the three months ended Dec. 31, hurt in part by the high bar set by the debut of the all-day breakfast in October 2015.

Analysts on average were expecting a drop of 1.4 percent, according to research firm Consensus Metrix.

McDonald's comparable international restaurant sales beat expectations due to a strong performance in the UK, China, Japan and certain markets in Latin America.

Sales at international restaurants open at least 13 months rose 2.7 percent, edging past analysts' average estimate of an increase of 2.6 percent.

McDonald's total revenue fell for the tenth straight quarter, mainly due to the sale of restaurants to franchisees as part of the company's turnaround plan started in mid-2015.

That plan by Chief Executive Officer Steve Easterbrook also included the introduction of the all-day breakfast, banning the use of medically important antibiotics in U.S. chicken, and efforts toward faster and friendlier service.

Total revenue fell nearly 5 percent to US$6.03 billion in the latest quarter, beating analysts' average estimate of US$5.99 billion, according to Thomson Reuters I/B/E/S.

The Illinois-based company's net income fell about 1 percent to US$1.19 billion, or US$1.44 per share, a year earlier.

(This version of the story corrects paragraph two and ten to say quarterly revenue beat, not missed, estimates and corrects analysts' estimate in paragraph ten to US$5.99 billion from US$6.34 billion)

(Reporting by Gayathree Ganesan in Bengaluru; Editing by Savio D'Souza)

- Reuters


- wong chee tat :)

Raining



Cold rainy morning


- Pic from Internet



- wong chee tat :)

Breakfast Wrap Chicken Bacon with Spinach


Should I get this for breakfast?



- Pic from MacDonald's Singapore


- wong chee tat :)

McAfee DAT version = 8416 (jan 22nd 2017)

McAfee DAT version = 8416 (jan 22nd 2017)

Link: here ( Select Yes. And it keeps getting updated daily. Region=US)

- wong chee tat :)

Om Mani Padme Hum

Om Mani Padme Hum


- wong chee tat :)

Om Mani Padme Hum

Om Mani Padme Hum


- wong chee tat :)

Om Mani Padme Hum

Om Mani Padme Hum


- wong chee tat :)

Nothing Is Impossible with God


Nothing Is Impossible with God


- Pic from Internet



- wong chee tat :)

Smile


Smile :)


- Pic from Internet


- wong chee tat :)

Blog Updates:

Blog Updates:

Minor updates:

- Update labels on some old posts

Will continue to make minor improvements for this blog!

- wong chee tat :)

鸡啼报喜




- Pic from here


- wong chee tat :)

Monday Again?


Yup, it is Monday again!



- Pic from Internet



- wong chee tat :)

Medicine Master Buddha





- Pic from Internet



- wong chee tat :)