Changelog:
Java(TM) SE Development Kit 6, Update 37 (JDK 6u37)
The full version string for this update release is 1.6.0_37-b06 (where "b" means "build") and the version number is 6u37.
Olson Data 2012c
JDK 6u37 contains Olson time zone data version 2012c. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baselines
The security baselines for the Java Runtime Environment (JRE) at the time of the release of JDK 6u37 are specified in the following table:
JRE Family Version    JRE Security Baseline (Full Version String)
6                     1.6.0_37
5.0                   1.5.0_38
1.4.2                 1.4.2_40
For more information about security baselines, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.
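A baseline check built from the table above, as an added example (not Oracle's code): it parses full version strings in the 1.6.0_37-b06 form and reports whether an installed JRE is at or above the baseline for its family. The inventory dictionary, host names and status strings are constructed for illustration.

```python
import re

# Security baselines from the JDK 6u37 table: family -> minimum update number.
# These are the values at the time of the 6u37 release; later releases raise them.
BASELINES = {"1.6.0": 37, "1.5.0": 38, "1.4.2": 40}

# Matches version strings such as 1.6.0_37-b06, 1.6.0_35 or 1.6.0
# (update and build suffixes are optional).
VERSION_RE = re.compile(r'\b(1\.\d+\.\d+)(?:_(\d+))?(?:-b(\d+))?\b')


def parse_version(text):
    """Return (family, update, build) from a version string or a `java -version` line."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError("no Java version string found in %r" % text)
    family, update, build = match.groups()
    # A string with no _NN suffix is the initial release, i.e. update 0.
    return family, int(update or 0), (int(build) if build else None)


def check_baseline(text):
    """Classify a version as 'ok', 'below-baseline' or 'unknown-family'."""
    family, update, _build = parse_version(text)
    baseline = BASELINES.get(family)
    if baseline is None:
        # The table has no entry for this family, so no verdict is possible.
        return "unknown-family"
    return "ok" if update >= baseline else "below-baseline"


# Constructed sample inventory: host name -> a line of `java -version` output.
SAMPLE_INVENTORY = {
    "build-01": 'java version "1.6.0_37"',
    "app-02": "Java(TM) SE Runtime Environment (build 1.6.0_35-b10)",
    "legacy-03": 'java version "1.5.0_22"',
    "legacy-04": 'java version "1.4.2_40"',
    "dev-05": 'java version "1.7.0_09"',
}


def audit(inventory):
    """Map each host to its baseline status."""
    return {host: check_baseline(line) for host, line in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print("%-10s %s" % (host, status))
```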
Blacklist Entries
This update release includes the following new entries to the Blacklist:
Cisco AnyConnect Secure Mobility Client
Note: For more information, see Blacklist Jar Feature documentation.
Bug Fixes
This release contains fixes for security vulnerabilities. For more information, see Oracle Java SE Critical Patch Update Advisory.
The following table lists some of the notable bug fixes included in this release:
Bug ID    Category         Sub_Category        Description
7183263   java_deployment  security            Regression: crossdomain.xml with dtd does not work
7195301   java             classes_security    XML Signature DOM implementation should not use instanceof to determine type of Node
Java(TM) SE Development Kit 6, Update 35 (JDK 6u35)
The full version string for this update release is 1.6.0_35-b10 (where "b" means
"build") and the version number is 6u35.
JDK Demos and Samples remain the same as in JDK 6u34
The vulnerabilities addressed by this security release do not affect the demos
and samples code. Therefore there is no need to update Demos and Samples as long
as the JDK itself is updated to 6u35.
Olson Data 2012c
JDK 6u35 contains Olson time zone data version 2012c. For more information,
refer to Timezone Data Versions in the JRE
Bug Fixes
This release contains a security-in-depth fix. For more information, see Oracle
Security Alert for CVE-2012-4681.
Java(TM) SE Development Kit 6, Update 34 (JDK 6u34)
The full version string for this update release is 1.6.0_34-b04 (where "b" means
"build") and the version number is 6u34.
Olson Data 2012c
JDK 6u34 contains Olson time zone data version 2012c. For more information,
refer to Timezone Data Versions in the JRE Software.
Bug Fixes
Notable Bug Fixes in JDK 6u34
Bug Id    Category         Sub_Category        Description
7162955   hotspot          attach              Attach api on Solaris, too many open files
7100757   hotspot          compiler2           The BitSet.nextSetBit() produces incorrect result in 32bit VM on Sparc
7108221   hotspot          compiler2           Backport to jdk6 Hotspot defaults for AMD Bulldozer processor
7167142   hotspot          runtime_arguments   Issue warning when finding a .hotspotrc or .hotspot_compiler file that isn't used
6941923   hotspot          runtime_logging     RFE: Handling large log files produced by long running Java Applications
7059899   hotspot          runtime_system      Stack overflows in Java code cause 64-bit JVMs to exit due to SIGSEGV
7145587   hotspot          runtime_system      Stack overflows in Java code cause 64-bit JVMs to exit due to SIGSEGV (solaris sparc)
7177216   java             char_encodings      native2ascii changes file permissions of input file
7027300   java             classes_2d          Unsynchronized HashMap access causes endless loop
7183251   java             classes_2d          Netbeans editor renders text wrong on JDK 7u6 build 17
6707273   java             classes_awt         TrayIcon does not support 8-bit alpha channel in Windows XP
7145980   java             classes_awt         Dispose method of window.java takes long
6521014   java             classes_net         IOException thrown when Socket tries to bind to a local IPv6 address on SuSE Linux
6543428   java             classes_net         BindException when binding to a link-local address on Windows
6886436   java             classes_net         Lightweight HTTP Container (com.sun.* package) is unstable
7118373   java             classes_nio         (se) Potential leak file descriptor when deregistering at around the same time as an async close
7093090   java             classes_security    Reduce synchronization in java.security.Policy.getPolicyNoCheck
7152564   java             classes_security    Improve CodeSource.matchLocation (CodeSource) performance
7165725   java             classes_swing       JAVA6 HTML PARSER CANNOT PARSE MULTIPLE SCRIPT TAGS IN A LINE CORRECTLY
7071826   java             classes_util        UUID.randomUUID() race condition
7144488   java             classes_util        (coll) Infinite recursion for some equals tests in Collections
7133138   java             classes_util_i18n   Improve io performance around timezone lookups
7149608   java             classes_util_i18n   (tz): Default TZ detection fails on linux when symbolic links to non default location used.
7167359   java             classes_util_i18n   (tz) SEGV on solaris if TZ variable not set
7141852   java             compiler            1.6 v30 no longer compiles particular interface inheritance hierarchy
7158412   java             install             JRE installer does not delete its installation files from the user's Application Data folder
7148584   java             jar                 Jar tools fails to generate manifest correctly when boundary condition hit
7175845   java             jar                 "jar uf" changes file permissions unexpectedly
7070619   java             localization        locale issue for keytool with pt_BR
7168110   java             serviceability      Misleading jstack error message
7063183   java_deployment  general             AIOB exception in the RemoveCommentReader
7063790   java_deployment  general             SunAutoProxyHandlerTest hangs
7119269   java_deployment  general             Tune URLUtils
7173533   java_deployment  general             Discoverer 10g olap is slower when using java 1.6 than with 1.5
7175548   java_deployment  security            Regression: Fix 7110690 breaks crossdomain functionality for applets running on 6u33-b03 (FCS/GA)
6670362   jgss             krb5plugin          HTTP/SPNEGO should work across realms
7067974   jgss             krb5plugin          multiple ETYPE-INFO-ENTRY with same etype and different salt
7155051   jndi             dns                 DNS provider may return incorrect results
7157903   jsse             runtime             JSSE client sockets are very slow
7166570   jsse             runtime             JSSE certificate validation has started to fail for certificate chains
Changes since sun-jdk6-6.0.31
- samples & demo directories dropped
- 3DNow Prefetch Instruction Support
- Adjust allocation prefetching for T4
- assert(VM_Version::supports_sse2()) failed: must support
- Remove hotspot assertion due to Solaris 8 kstat "unimplemented".
- ARM: SEGV on panda with linaro 3.1.1 running specjvm2008
- make the string table size configurable
- Parallel CMS fails to properly mark reference objects
- GarbageCollectorMXBean#getLastGcInfo leaks native memory
- C-heap growth issue in ThreadService::find_deadlocks_at_safepoint
- Memory leak in inferencing verifier (libverify.so)
- SA cannot open core files larger than 2GB on Linux 32-bit
- Introspector.getBeanInfo() should release some resources in timely manner
- File.setWritable() / File.canWrite() not behaving as expected
- CookieManager does not store cookies if url is read before setting cookie manager
- (so) Socket adapter need to implement sendUrgentData
- (so) Socket adaptor is not synchronized on channel state
- (so) Suppress creation of SocketImpl in SocketAdaptor's constructor
- Cannot decode PublicKey (Provider SunPKCS11, curve prime256v1)
- Gervill for 6uXX (2): make Gervill the default synthesizer
- Problem with timezone in a SimpleDateFormat
- Properties.loadFromXML fails with ClassCastException
- compiler generates bad code when translating conditional expressions
- IncompatibleClassChangeError with unreferenced local class with subclass
- 32-bit JRE silent install fails on WINDOWS 2008 SERVER 64-bit under System account
- installation fails by SMS under System Account
- Separate demos from the bundles on Windows, Solaris and Linux
- DT fails to register with Chrome
- uninstall of JRE 7 with JRE 6 on the machine left 10.0.0 deployment registry key behind
- IE9 prompts to disable Java plugin because of slow start up
- Redirection of registry keys not happening correctly with old plugin
- old-plugin liveconnect missing SecureCookiePermission
- Java Plugin does not evaluate automatic proxy files correctly on Linux: always picks first proxy
- 20ms latency always observed for LiveConnect round-trip in IE
- revisit IE LiveConnect performance fix to address applet hang issue found by Citigroup
- Java Web Start 10.1.* is considerably slower than Web Start 1.4.2, using getresource() repeatedly
- Compilation of StarOffice wordml XSLT filter via XSLTC throws exception
- JDK6u18 XSLT regression: xsl:copy-of failing to copy generated attributes
- Cipher.doFinal(ByteBuffer,ByteBuffer) fails to process when in.remaining() == 0
- (was 7011759 Bug Cloned - 6u16: Recovering buffer manager read stream underflow from protocols are
- Regular unexplained npe's from corba libs after system has been running for days
- GSSAPI/SPNEGO does not work with server using MIT Kerberos library
- Incorrect SSLEngine debug output
- Npe occurs in abstractprocessor.readfromnextstructure
- SAAJ does not set correct namespace prefix and namespace URI for attributes in some circumstances.
Changes:
[Olson Data 2011g]
Java SE 6u29 contains Olson time zone data version 2011g. For more information,
refer to Timezone Data Versions in the JRE Software.
[Skipped Version Number]
Release Java SE 6u29 follows release Java SE 6u27. There is no publicly
available Java SE 6u28 release. Oracle used release version 6u28 for an internal
build, which was not necessary once the fixes delivered on Java SE 6u29 were
released.
[Blacklist Entries]
This update release includes the following new entries to the Blacklist:
* Cisco AnyConnect Mobility Client
* Microsoft UAG Client
[RMI Registry Issue]
A bug in the rmiregistry command included in this release may cause unintended
exceptions to be thrown when an RMI server attempts to bind an exported object
which includes codebase annotations using the "file:" URL scheme. The RMI
servers most likely to be affected are those which are invoked only by RMI
clients executing on the same host as the server.
RMI annotates codebase information as part of the serialized state of a remote
object reference to assist RMI clients in loading the required classes and
interfaces associated with the object at runtime. Exported objects which are
looked up in the RMI registry and invoked by RMI clients running on hosts other
than the server are usually annotated with codebase URL schemes, such as
"http:" or "ftp:" and these should continue to work correctly.
As a workaround, RMI servers can set the java.rmi.server.codebase property to
use codebase URLs other than the "file:" scheme for the objects they export.
[Bug Fixes]
This release contains fixes for security vulnerabilities. For more information,
please see Oracle Java SE Critical Patch Update advisory.
Highlights
This update release contains important enhancements for Java applications:
* improved performance and stability
* Certification for Firefox 5
Olson Data 2011g
Java SE 6 Update 26
* Olson Data 2011g
* Bug fixes
This release contains fixes for security vulnerabilities. For more
information, please see Oracle Java SE Critical Patch Update advisory:
http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html
Java SE 6 Update 25
* Olson Data 2011b
* Java Hotspot VM 20
* Performance Improvement to BigDecimal
* Performance Improvement to java.util.logging.LogRecord
* Bug Fixes
Changes in 1.6.0_20 (6u20)
* OlsonData 2010b
* A Java Network Launch Protocol (JNLP) file without a codebase parameter, such
as the following, will no longer work with the Java SE 6 update 20 release.
<jnlp spec="0.2 1.0" href="draw.jnlp">
This means that developers must specify the codebase parameter in a JNLP file.
See the following example:
<jnlp spec="0.2 1.0"
codebase="http://java.sun.com/javase/technologies/desktop/javawebstart/apps/"
href="draw.jnlp">
* This release contains fixes for security vulnerabilities.
For more information, please see Oracle Security Alert for CVE-2010-0886
Changes in 1.6.0_19 (6u19)
* OlsonData 2010b
* Root Certificates
* Ensuring Application and Applet Security when Mixing Signed and Unsigned Code
* Interim Fix for the Transport Layer Security (TLS) Man-in-the-Middle Attack
* Bug Fixes
Changes in 1.6.0_18 (6u18)
* OlsonData 2009s
* VisualVM 1.2
* Java DB 10.5.3.0
* Performance Improvements
* Deployment Updates
* JSR-173 StAX 1.2 API Upgrade
* Bug Fixes
6u17 contains Olson time zone data version 2009m. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baseline
6u17 specifies the following security baselines for use with Java Plug-in technology:
JRE Family Version    Java SE Security Baseline    Java SE for Business Security Baseline
6                     1.6.0_17                     1.6.0_17
5.0                   1.5.0_22                     1.5.0_22
1.4.2                 1.4.2_19                     1.4.2_24
Root Certificates
Root Certificates are included in this release.
* Added one new root certificate for SECOM. (Refer to 6872579.)
* Added one new root certificate for GlobalSign. (Refer to 6860447.)
Bug Fixes
This release contains fixes for one or more security vulnerabilities.
For more information, please see Sun Alerts 269868, 269869, 269870,
270474, 270475, and 270476.
Bug fixes for vulnerabilities are listed in the following table.
BugId Category Subcategory Description
6631533 java classes_2d ICC_Profile allows detecting if some files exist
6815780 java classes_2d TrueType font parsing crash when stressing Sun Bug 6751322 test case
6822057 java classes_2d X11 and Win32GraphicsDevice don't clone arrays returned from getConfigurations()
6862969 java classes_2d JPEG JFIF Decoder issue
6862970 java classes_2d Image Color Profile parsing issue
6872357 java classes_2d JRE AWT setDifflCM vulnerable to Stack Overflow
6872358 java classes_2d JRE AWT setBytePixels vulnerable to Heap Overflow
6664512 java classes_awt Component and [Default]KeyboardFocusManager pass security sensitive objects to loggers
6636650 java classes_lang (cl) Resurrected ClassLoaders can still have children
6861062 java classes_security Disable MD2 in certificate chain validation
6863503 java classes_security SECURITY: MessageDigest.isEqual introduces timing attack vulnerabilities
6864911 java classes_security ASN.1/DER input stream parser needs more work
6854303 java classes_sound Sun Java HsbParser.getSoundBank Stack Buffer Overflow Vulnerability
6657026 java classes_swing Numerous static security flaws in Swing (findbugs)
6657138 java classes_swing Mutable statics in Windows PL&F (findbugs)
6824265 java classes_util_i18n (tz) TimeZone.getTimeZone allows probing local filesystem
6632445 java imageio DoS from parsing BMPs with UNC ICC links
6862968 java imageio JPEG Image Writer quantization problem
6874643 java imageio ImageI/O JPEG is vulnerable to Heap Overflow
6869694 java install java update malfunctioning
6869752 java_deployment deployment_toolkit Deployment Toolkit plugin "launch" method vulnerable to exploits
6872824 javawebstart general arbitrary code execution using java web start
6870531 javawebstart other REGRESSION:have problem to run JNLP app and applets with signed Jar files
Other bug fixes are listed in the following table.
BugId Category Subcategory Description
6842999 hotspot runtime_system Update hotspot windows os_win32 for windows 2008 R2
6804454 java classes_2d RFE: Provide a way to control the printing dpi resolution from MSIE browser print. See also 6801859
6813208 java classes_awt pageDialog throws NPE from applet
6825342 java classes_awt Security warning may change Z-order of top-level
6843003 java classes_lang Windows Server 2008 R2 system recognition
6860447 java classes_security Add GlobalSign R3 Root certificate to the JDK
6872579 java classes_security Add SECOM Root CA 2 to JDK
6880110 java classes_util_i18n (tz) Support tzdata2009m
6814140 java classes_util_logging deadlock due to synchronized demandLogger() code that locks ServerLogManager
6879614 jaxp parse com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl failing to parse xml document
Changes in 1.6.0_16 (6u16)
6u16 contains Olson time zone data version 2009i.
Bug Fixes
6862295 hotspot jvmti JDWP threadid changes during debugging session (leading to ignored breakpoints)
Changes in 1.6.0_15 (6u15)
Root Certificates
Root Certificates are included in this release.
* Added one new root certificate and removed 3 root certificates from Entrust. (Refer to 6805338.)
* Added three new root certificates from Keynectis. (Refer to 6845457.)
* Added three new root certificates from Quovadis. (Refer to 6846473.)
Blacklist Entries
This update release includes the following new entry to the Blacklist:
* JNLPAppletLauncher (See Sun Alert 263490.)
Note: Users should install JDK and JRE 6 Update 15 or later on systems running JDK and JRE 5.0 and SDK and JRE 1.4.2 to take advantage of this blacklist feature. For more information see the Blacklist Jar Feature section in the 6u14 Release Notes.
Debug Issue
Java™ Virtual Machine Tool Interface (JVM TI) breakpoints are reliable only when either the Parallel Scavenge garbage collector (-XX:+UseParallelGC) or the Parallel Compacting garbage collector (-XX:+UseParallelOldGC) is used.
When other collectors are used, breakpoints may stop functioning, and JVM TI object tags may become unusable after a full GC operation is performed. Java™ Debug Interface (JDI) ThreadReferences have an embedded thread ID that depends on JVM TI object tags, thus the embedded thread ID may change unexpectedly. This may cause confusion in thread-based JDI events.
Note that the Serial garbage collector (-XX:+UseSerialGC) is vulnerable to this problem and is selected by default on some platforms. The workaround is to explicitly select the Parallel Scavenge collector using the command line option -XX:+UseParallelGC.
(Refer to 6862295.)
Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 263408, 263409, 263428, 263429, 263488, 263489, and 264648.
Bug fixes for vulnerabilities are listed in the following table.
BugId Category Subcategory Description
6656610 java accessibility AccessibleResourceBundle.getContents exposes mutable static (findbugs)
6656586 java classes_awt Cursor.predefined is protected static mutable (findbugs)
6805231 java classes_awt Security Warning Icon is missing in Windows 2000 Prof from Jdk build 6u12
6818787 java classes_awt It is possible to reposition the security icon too far from the border of the window on X11
6823373 java classes_awt [ZDI-CAN-460] Java Web Start JPEG header parsing needs more scrutiny
6660539 java classes_beans Introspector cache mutable static
6777487 java classes_beans Encoder allows reading private variables with certain names
6801071 java classes_net Remote sites can compromise user privacy and possibly hijack web session
6801497 java classes_net Proxy is assumed to be immutable but is non-final
6657695 java classes_security AbstractSaslImpl.logger is a static mutable (findbugs)
6824440 java classes_security XML Signature HMAC issue
6657625 java classes_sound RmfFileReader/StandardMidiFileWriter.types are public mutable statics (findbugs)
6738524 java classes_sound JDK13Services allows read access to system properties from untrusted code
6777448 java classes_sound JDK13Services.getProviders creates instances with full privileges
6588003 java classes_swing LayoutQueue mutable statics
6660049 java classes_swing Synth Region.uiToRegionMap/lowerCaseNameMap are mutable statics
6849518 java classes_swing NPE is thrown in jemmy library since 6u15 b01 at javax.swing.plaf.synth.SynthContext.isSubregion()
6656625 java imageio ImageReaderSpi.STANDARD_INPUT_TYPE/ImageWriterSpi.STANDARD_OUTPUT_TYPE are mutable static (findbugs)
6657133 java imageio Mutable statics in imageio plugins (findbugs)
6830335 java jar Java JAR Pack200 Decompression Integer Overflow Vulnerability
6755840 java_plugin plugin Version selection allows old zip and certificate handling to be exploited
6848964 javawebstart general TCK jnlp test jnlp_file/appletDesc/index.html#misc fails with NPE starting 6u15 b01
6862844 javawebstart other java web start ActiveX control security problem caused by ATL PROP_ENTRY macro
6845701 jaxp parse Xerces2 Java XML library infinite loop with malformed XML input
6813167 jax-ws other 6u14 JAX-WS audit mutable static bugs
6736293 jmx classes OpenType checks can be bypassed through finalizer resurrection
6657619 jndi dns DnsContext.debug is public static mutable (findbugs)
Other bug fixes are listed in the following table.
BugId Category Subcategory Description
6786503 hotspot garbage_collector Overflow list performance can be improved
6787254 hotspot garbage_collector Work queue capacity can be increased substantially on some platforms
6805338 java classes_security Add 1 new Entrust root CA cert and remove 3 others with 1024 bit keys
6845457 java classes_security Add root certs for Keynectis CA
6846473 java classes_security Add QuoVadis root CA certs to the JRE
6848984 java classes_util_i18n (tz) Support tzdata2009i
6851214 java classes_util_i18n (tz) New Jordan rule creates a failure for SimpleTimeZone parsing post tzdata2009h
6845077 java install silent JDK should install JRE/Java DB silently
6846531 javawebstart other REGRESSION application from ocie.net does not work with 6.0_14
6461727 jce pkcs11_csp TripleDES KeyGenerators in SunPKCS11 and SunJCE do not agree on key length
This changes the buildlink3.mk files to use an include guard for the
recursive include. The use of BUILDLINK_DEPTH, BUILDLINK_DEPENDS,
BUILDLINK_PACKAGES and BUILDLINK_ORDER is handled by a single new
variable BUILDLINK_TREE. Each buildlink3.mk file adds a pair of
enter/exit markers, which can be used to reconstruct the tree and
to determine first level includes. Avoiding := for large variables
(BUILDLINK_ORDER) speeds up parse time as += has linear complexity.
The include guard reduces system time by avoiding reading files over and
over again. For complex packages this reduces both %user and %sys time to
half of the former time.
Please see the release notes online[1] for the list of fixed bugs.
Also, the license was wrong. There are several differences in all clauses
between the 1.3 and 6 licenses, so add the proper license files.
[1] http://java.sun.com/javase/6/webnotes/ReleaseNotes.html
depend upon to supply the Linux shared libraries already tell the user
this. The JDK packages also depend on the corresponding JRE package,
so they don't need to show the same message -- keep the message with
the JRE packages instead.
the Sun JDK/JRE packages require the "compat" Linux module, so make
that a hard requirement in EMUL_MODULES.linux.
Bump the PKGREVISION for sun-{jdk,jre}{13,14,15,6}.
binary-only packages that require binary "emulation" on the native
operating system. Please see pkgsrc/mk/emulator/README for more
details.
* Teach the plist framework to automatically use any existing
PLIST.${EMUL_PLATFORM} as part of the default PLIST_SRC definition.
* Convert all of the binary-only packages in pkgsrc to use the
emulator framework. Most of them have been tested to install and
deinstall correctly. This involves the following cleanup actions:
* Remove use of custom PLIST code and use PLIST.${EMUL_PLATFORM}
more consistently.
* Simplify packages by using default INSTALL and DEINSTALL scripts
instead of custom INSTALL/DEINSTALL code.
* Remove "SUSE_COMPAT32" and "PKG_OPTIONS.suse" from pkgsrc.
Packages only need to state exactly which emulations they support,
and the framework handles any i386-on-x86_64 or sparc-on-sparc64
uses.
* Remove "USE_NATIVE_LINUX" from pkgsrc. The framework will
automatically detect when the package is installing on Linux.
Specific changes to packages include:
* Bump the PKGREVISIONs for all of the suse100* and suse91* packages
due to changes in the +INSTALL/+DEINSTALL scripts used in all
of the packages.
* Remove pkgsrc/emulators/suse_linux, which is unused by any
packages.
* cad/lc -- remove custom code to create the distinfo file for
all supported platforms; just use "emul-fetch" and "emul-distinfo"
instead.
* lang/Cg-compiler -- install the shared libraries under ${EMULDIR}
instead of ${PREFIX}/lib so that compiled programs will find
the shared libraries.
* mail/thunderbird-bin-nightly -- update to latest binary
distributions for supported platforms.
* multimedia/ns-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
* security/uvscan -- set LD_LIBRARY_PATH explicitly so that
it's not necessary to install library symlinks into
${EMULDIR}/usr/local/lib.
* www/firefox-bin-flash -- update Linux version to 9.0.48 as the
older version is no longer available for interactive fetch.
(true for 1.5, but officially branded as such for 6), so this is called
"sun-j{dk,re}6" rather than "sun-j{dk,re}16".
amd64 support is not currently included, but initial provision exists in
the sun-jre6 package as it was cloned initially from sun-jre15.