Subject: CVS commit: pkgsrc/lang/sun-jre6
From: David Brownlee
Date: 2009-08-23 00:39:57
Message id: 20090822223957.37147175D0@cvs.netbsd.org

Log Message:
Updated lang/sun-jre6 to 6.0.16

Changes in 1.6.0_16 (6u16)

6u16 contains Olson time zone data version 2009i.

Bug Fixes

6862295 	hotspot 	jvmti 	JDWP threadid changes during debugging session (leading \ 
to ignored breakpoints)

Changes in 1.6.0_15 (6u15)

Root Certificates

Root Certificates are included in this release.

* Added one new root certificate and removed 3 root certificates from Entrust. \ 
(Refer to 6805338.)
* Added three new root certificates from Keynectis. (Refer to 6845457.)
* Added three new root certificates from Quovadis. (Refer to 6846473.)

Blacklist Entries

This update release includes the following new entry to the Blacklist:

* JNLPAppletLauncher (See Sun Alert 263490 .)

Note: Users should install JDK and JRE 6 Update 15 or later on systems running \ 
JDK and JRE 5.0 and SDK and JRE 1.4.2 to take advantage of this blacklist \ 
feature. For more information see the Blacklist Jar Feature section in the 6u14 \ 
Release Notes.

Debug Issue

Java ™ Virtual Machine Tool Interface (JVM TI) breakpoints are reliable \ 
only when either the Parallel Scavenge garbage collector (-XX:+UseParallelGC) or \ 
the Parallel Compacting garbage collector (-XX:+UseParallelOldGC) is used.

When other collectors are used, breakpoints may stop functioning, and JVM TI \ 
object tags may become unusable after a full GC operation is performed. Java \ 
™ Debug Interface (JDI) ThreadReferences have an embedded thread ID that \ 
depends on JVM TI object tags, thus the embedded thread ID may change \ 
unexpectedly. This may cause confusion in thread based JDI events.

Note that the Serial garbage collector (-XX:+UseSerialGC) is vulnerable to this \ 
problem and is selected by default on some platforms. The work around is to \ 
explicitly select the Parallel Scavenge collector using the command line option \ 
-XX:+UseParallelGC.

(Refer to 6862295.)
Bug Fixes

This release contains fixes for one or more security vulnerabilities. For more \ 
information, please see Sun Alerts 263408 , 263409 , 263428 , 263429 , 263488 , \ 
263489 , and 264648.

Bug fixes for vulnerabilities are listed in the following table.
BugId 	Category 	Subcategory 	Description 6656610 	java 	accessibility \ 
	AccessibleResourceBundle.getContents exposes mutable static (findbugs)
6656586 	java 	classes_awt 	Cursor.predefined is protected static mutable (findbugs)
6805231 	java 	classes_awt 	Security Warning Icon is missing in Windows 2000 \ 
Prof from Jdk build 6u12
6818787 	java 	classes_awt 	It is possible to reposition the security icon too \ 
far from the border of the window on X11
6823373 	java 	classes_awt 	[ZDI-CAN-460] Java Web Start JPEG header parsing \ 
needs more scruity
6660539 	java 	classes_beans 	Introspector cache mutable static
6777487 	java 	classes_beans 	Encoder allows reading private variables with \ 
certain names
6801071 	java 	classes_net 	Remote sites can compromise user privacy and \ 
possibly hijack web session
6801497 	java 	classes_net 	Proxy is assumed to be immutable but is non-final
6657695 	java 	classes_security 	AbstractSaslImpl.logger is a static mutable \ 
(findbugs)
6824440 	java 	classes_security 	XML Signature HMAC issue
6657625 	java 	classes_sound 	RmfFileReader/StandardMidiFileWriter.types are \ 
public mutable statics (findbugs)
6738524 	java 	classes_sound 	JDK13Services allows read access to system \ 
properties from untrusted code
6777448 	java 	classes_sound 	JDK13Services.getProviders creates instances with \ 
full privileges
6588003 	java 	classes_swing 	LayoutQueue mutable statics
6660049 	java 	classes_swing 	Synth Region.uiToRegionMap/lowerCaseNameMap are \ 
mutable statics
6849518 	java 	classes_swing 	NPE is thrown in jemmy library since 6u15 b01 at \ 
javax.swing.plaf.synth.SynthContext.isSubregion()
6656625 	java 	imageio \ 
	ImageReaderSpi.STANDARD_INPUT_TYPE/ImageWriterSpi.STANDARD_OUTPUT_TYPE are \ 
mutable static (findbugs)
6657133 	java 	imageio 	Mutable statics in imageio plugins (findbugs)
6830335 	java 	jar 	Java JAR Pack200 Decompression Integer Overflow Vulnerability
6755840 	java_plugin 	plugin 	Version selection allows old zip and certificate \ 
handling to be exploited
6848964 	javawebstart 	general 	TCK jnlp test \ 
jnlp_file/appletDesc/index.html#misc fails with NPE starting 6u15 b01
6862844 	javawebstart 	other 	java web start ActiveX control security problem \ 
caused by ATL PROP_ENTRY macro
6845701 	jaxp 	parse 	Xerces2 Java XML library infinite loop with malformed XML input
6813167 	jax-ws 	other 	6u14 JAX-WS audit mutable static bugs
6736293 	jmx 	classes 	OpenType checks can be bypassed through finalizer resurrection
6657619 	jndi 	dns 	DnsContext.debug is public static mutable (findbugs)

Other bug fixes are listed in the following table.
BugId 	Category 	Subcategory 	Description 6786503 	hotspot 	garbage_collector \ 
	Overflow list performance can be improved
6787254 	hotspot 	garbage_collector 	Work queue capacity can be increased \ 
substantially on some platforms
6805338 	java 	classes_security 	Add 1 new Entrust root CA cert and remove 3 \ 
others with 1024 bit keys
6845457 	java 	classes_security 	Add root certs for Keynectis CA
6846473 	java 	classes_security 	Add QuoVadis root CA certs to the JRE
6848984 	java 	classes_util_i18n 	(tz) Support tzdata2009i
6851214 	java 	classes_util_i18n 	(tz) New Jordan rule creates a failure for \ 
SimpleTimeZone parsing post tzdata2009h
6845077 	java 	install 	silent JDK should install JRE/Java DB silently
6846531 	javawebstart 	other 	REGRESSION application from ocie.net does not work \ 
with 6.0_14
6461727 	jce 	pkcs11_csp 	TripleDES KeyGenerators in SunPKCS11 and SunJCE do not \ 
agree on key length

Files:
RevisionActionfile
1.23modifypkgsrc/lang/sun-jre6/Makefile
1.17modifypkgsrc/lang/sun-jre6/PLIST.linux-i386
1.11modifypkgsrc/lang/sun-jre6/distinfo