자바 8 Java SDK - JDK 8u31 업데이트 Update Release

자바 8 Java SDK - JDK 8u31 업데이트 Update Release

이번 자바 버전에는 보안문제로 인해 SSLv3를 사용하지 않도록 한 업데이트 내용이 가장 핵심입니다.

Java™ SE Development Kit 8, Update 31 (JDK 8u31)

The full version string for this update release is 1.8.0_31-b13 (where "b" means "build").
The version number is 8u31.

New Features and Changes

* IANA Data 2014j

JDK 8u31 contains IANA time zone data version 2014j.
For more information, refer to Timezone Data Versions in the JRE Software.

* Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 8u31 are specified in the following table:
JRE Family Version     JRE Security Baseline
(Full Version String)
8     1.8.0_31
7     1.7.0_75
6     1.6.0_91
5.0     1.5.0_81

For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

* JRE Expiration Date
The JRE expires whenever a new release with security vulnerability fixes becomes available.
Critical patch updates, which contain security vulnerability fixes, are announced one year in advance on Critical Patch Updates, Security Alerts and Third Party Bulletin.
This JRE (version 8u31) will expire with the release of the next critical patch update scheduled for April 14, 2015.

For systems unable to reach the Oracle Servers, a secondary mechanism expires this JRE (version 8u31) on May 14, 2015.
After either condition is met (new release becoming available or expiration date reached), the JRE will provide additional warnings and reminders to users to update to the newer version.
For more information, see JRE Expiration Date.

New Features and Changes

* SSLv3 is disabled by default

Starting with JDK 8u31 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

It should be noted that SSLv3 is obsolete and should no longer be used.

* Changes to Java Control Panel

Starting with JDK 8u31 release, SSLv3 protocol is removed from Java Control Panel Advanced options.

If the user needs to use SSLv3 for applications, re-enable it manually as follows:

Enable SSLv3 protocol on JRE level: as described in the previous section.
Enable SSLv3 protocol on deploy level: edit the deployment.properties file and add the following:

deployment.security.SSLv3=true

* Bug Fixes

This release contains fixes for security vulnerabilities.
For more information, see Oracle Critical Patch Update Advisory.

For a list of bug fixes included in this release, see JDK 8u31 Bug Fixes page.