Subject: CVS commit: pkgsrc/lang/sun-jre6
From: David Brownlee
Date: 2009-11-22 20:27:21
Message id: 20091122192721.95B2C175DD@cvs.netbsd.org

Log Message:
Updated lang/sun-jre6 to 6.0.17

6u17 contains Olson time zone data version 2009m. For more information, refer to \ 
Timezone Data Versions in the JRE Software .

Security Baseline

6u17 specifies the following security baselines for use with Java Plug-in technology:
JRE Family Version 	Java SE
Security Baseline 	Java SE for Business
Security Baseline 6 	1.6.0_17 	1.6.0_17
5.0 	1.5.0_22 	1.5.0_22
1.4.2 	1.4.2_19 	1.4.2_24

Root Certificates

Root Certificates are included in this release.

    * Added one new root certificate for SECOM. (Refer to 6872579.)
    * Added one new root certificate for GlobalSign. (Refer to 6860447.)

Bug Fixes

This release contains fixes for one or more security vulnerabilities.
For more information, please see Sun Alerts 269868, 269869, 269870,
270474, 270475, and 270476.

Bug fixes for vulnerabilities are listed in the following table.
	BugId 	Category 	Subcategory 	Description 6631533 	java 	classes_2d \ 
	ICC_Profile allows detecting if some files exist
6815780 	java 	classes_2d 	TrueType font parsing crash when stressing Sun Bug \ 
6751322 test case
6822057 	java 	classes_2d 	X11 and Win32GraphicsDevice don't clone arrays \ 
returned from getConfigurations()
6862969 	java 	classes_2d 	JPEG JFIF Decoder issue
6862970 	java 	classes_2d 	Image Color Profile parsing issue
6872357 	java 	classes_2d 	JRE AWT setDifflCM vulnerable to Stack Overflow
6872358 	java 	classes_2d 	JRE AWT setBytePixels vulnerable to Heap Overflow
6664512 	java 	classes_awt 	Component and [Default]KeyboardFocusManager pass \ 
security sensitive objects to loggers
6636650 	java 	classes_lang 	(cl) Resurrected ClassLoaders can still have children
6861062 	java 	classes_security 	Disable MD2 in certificate chain validation
6863503 	java 	classes_security 	SECURITY: MessageDigest.isEqual introduces \ 
timing attack vulnerabilities
6864911 	java 	classes_security 	ASN.1/DER input stream parser needs more work
6854303 	java 	classes_sound 	Sun Java HsbParser.getSoundBank Stack Buffer \ 
Overflow Vulnerability
6657026 	java 	classes_swing 	Numerous static security flaws in Swing (findbugs)
6657138 	java 	classes_swing 	Mutable statics in Windows PL&F (findbugs)
6824265 	java 	classes_util_i18n 	(tz) TimeZone.getTimeZone allows probing local \ 
filesystem
6632445 	java 	imageio 	DoS from parsing BMPs with UNC ICC links
6862968 	java 	imageio 	JPEG Image Writer quantization problem
6874643 	java 	imageio 	ImageI/O JPEG is vulnerable to Heap Overflow
6869694 	java 	install 	java update malfunctioning
6869752 	java_deployment 	deployment_toolkit 	Deployment Toolkit plugin \ 
"launch" method vulnerable to exploits
6872824 	javawebstart 	general 	arbitary code execution using java web start
6870531 	javawebstart 	other 	REGRESSION:have problem to run JNLP app and \ 
applets with signed Jar files

Other bug fixes are listed in the following table.
	BugId 	Category 	Subcategory 	Description 6842999 	hotspot 	runtime_system \ 
	Update hotspot windows os_win32 for windows 2008 R2
6804454 	java 	classes_2d 	RFE: Provide a way to control the printing dpi \ 
resolution from MSIE browser print. See also 6801859
6813208 	java 	classes_awt 	pageDialog throws NPE from applet
6825342 	java 	classes_awt 	Security warning may change Z-order of top-level
6843003 	java 	classes_lang 	Windows Server 2008 R2 system recognition
6860447 	java 	classes_security 	Add GlobalSign R3 Root certificate to the JDK
6872579 	java 	classes_security 	Add SECOM Root CA 2 to JDK
6880110 	java 	classes_util_i18n 	(tz) Support tzdata2009m
6814140 	java 	classes_util_logging 	deadlock due to synchronized demandLogger() \ 
code that locks ServerLogManager
6879614 	jaxp 	parse \ 
	com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl failing to parse \ 
xml document

Files:
RevisionActionfile
1.24modifypkgsrc/lang/sun-jre6/Makefile
1.12modifypkgsrc/lang/sun-jre6/distinfo