Oracle has released update 51 for version 7.0 of both the Java Standard Edition development kit and runtime environment. It is a regular and planned update, which should fix about 150 problems, including 36 security problems. In addition, a change has been made in the operation of the time and date. More information can be found on our front page, these are the release notes:
New Features and Changes
Jarsigner updated to encourage timestamping
Timestamping for a signed jar is now strongly recommended. The Jarsigner tool will print out an informational warning at signing or verifying when timestamp is missing. For more information, see Signing JAR Files. see 8023338.
Changes to Security Slider:
The following changes to Security Slider were included in this release(7u51):
- Block Self-Signed and Unsigned applets on High Security Setting
- Require Permissions Attribute for High Security Setting
- Warn users of missing Permissions Attributes for Medium Security Setting
For more information, see Java Control Panel documentation.
Prompt users to clear previously remembered decisions:
In JDK 7u51, users are given an option to restore the security prompts, for any prompts that were hidden prior to installing the latest release. For more information, see Install Documentation for Windows. It is recommended that users restore security prompts after every 30 days to ensure better protection.
Note: This option is offered only during Auto update on Mac OS.
Exception Site List:
The Exception Site List feature allows end users to run Java applets and Java Web Start applications that do not meet the latest security requirements. Rich Internet Applications that are hosted on a site in the exception site list are allowed to run with the applicable security prompts. For more information, see Exception Site List documentation.
Change in Default Socket Permissions
The default socket permissions assigned to all code including untrusted code have been changed in this release. Previously, all code was able to bind any socket type to any port number greater than or equal to 1024. It is still possible to bind sockets to the ephemeral port range on each system. The exact range of ephemeral ports varies from one operating system to another, but it is typically in the high range (such as from 49152 to 65535). The new restriction is that binding sockets outside of the ephemeral range now requires an explicit permission in the system security policy.
Most applications using client tcp sockets and a security manager will not see any problem, as these typically bind to ephemeral ports anyway. Applications using datagram sockets or server tcp sockets (and a security manager) may encounter security exceptions where none were seen before. If this occurs, users should review whether the port number being requested is expected, and if this is the case, a socket permission grant can be added to the local security policy, to resolve the issue. See 8011786 (not public).
Change in JAXP Xalan Extension Functions
In JDK 7u51, a change has been made in JAXP Xalan Extension functions to always use the default DOM implementation when Security Manager is present. This change affects the NodeSet created by DOM Document.
Before this change, the DOM implementation is located through the DOM factory lookup process. With this change, when security is enabled, the lookup process is skipped and the default DOM implementation is used.
This change will only affect those applications that use a 3rd party DOM implementation. In general, the NodeSet structure is expected to be compatible with that of the JDK default implementation.
This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.
For a list of bug fixes included in this release, see JDK 7u51 Bug Fixes page.
The following are some of the notable bug fixes in this release:
Synopsis: Clarify jar verifications
|Version number||7 update 51|
|Operating systems||Windows 7, Java, Windows XP, macOS, Solaris, Windows Server 2003, Windows Vista, Windows Server 2008, Windows Server 2012, Windows 8|