Update Release Notes
Changes in 1.6.0_15 (6u15)
The full internal version number for this update release is 1.6.0_15-b03 (where "b" means "build"). The external version number is 6u15.
6u15 contains Olson time zone data version 2009i. For more information, refer toTimezone Data Versions in the JRE Software .
6u15 specifies the following security baselines for use with Java Plug-in technology:
| JRE Family Version | Java SESecurity Baseline | Java SE for BusinessSecurity Baseline |
|---|---|---|
| 5.0 | 1.5.0_20 | 1.5.0_20 |
| 1.4.2 | 1.4.2_19 | 1.4.2_22 |
For more information about the security baseline, seeDeploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer .
Root Certificates are included in this release.
- Added one new root certificate and removed 3 root certificates from Entrust. (Refer to6805338.)
- Added three new root certificates from Keynectis. (Refer to6845457.)
- Added three new root certificates from Quovadis. (Refer to6846473.)
This update release includes the following new entry to the Blacklist:
- JNLPAppletLauncher
Note: Users should install JDK and JRE 6 Update 15 or later on systems running JDK and JRE 5.0 and SDK and JRE 1.4.2 to take advantage of this blacklist feature. For more information see theBlacklist Jar Feature section in the 6u14 Release Notes.
Java ™ Virtual Machine Tool Interface (JVM TI) breakpoints are reliable only when either the Parallel Scavenge garbage collector (-XX:+UseParallelGC) or the Parallel Compacting garbage collector (-XX:+UseParallelOldGC) is used.
When other collectors are used, breakpoints may stop functioning, and JVM TI object tags may become unusable after a full GC operation is performed. Java ™ Debug Interface (JDI) ThreadReferences have an embedded thread ID that depends on JVM TI object tags, thus the embedded thread ID may change unexpectedly. This may cause confusion in thread based JDI events.
Note that the Serial garbage collector (-XX:+UseSerialGC) is vulnerable to this problem and is selected by default on some platforms. The work around is to explicitly select the Parallel Scavenge collector using the command line option-XX:+UseParallelGC.
(Refer to6862295.)
This release contains fixes for one or more security vulnerabilities.
Bug fixes for vulnerabilities are listed in the following table.
| BugId | Category | Subcategory | Description |
|---|---|---|---|
| 6656610 | java | accessibility | AccessibleResourceBundle.getContents exposes mutable static (findbugs) |
| 6656586 | java | classes_awt | Cursor.predefined is protected static mutable (findbugs) |
| 6805231 | java | classes_awt | Security Warning Icon is missing in Windows 2000 Prof from Jdk build 6u12 |
| 6818787 | java | classes_awt | It is possible to reposition the security icon too far from the border of the window on X11 |
| 6823373 | java | classes_awt | [ZDI-CAN-460] Java Web Start JPEG header parsing needs more scruity |
| 6660539 | java | classes_beans | Introspector cache mutable static |
| 6777487 | java | classes_beans | Encoder allows reading private variables with certain names |
| 6801071 | java | classes_net | Remote sites can compromise user privacy and possibly hijack web session |
| 6801497 | java | classes_net | Proxy is assumed to be immutable but is non-final |
| 6657695 | java | classes_security | AbstractSaslImpl.logger is a static mutable (findbugs) |
| 6824440 | java | classes_security | XML Signature HMAC issue |
| 6657625 | java | classes_sound | RmfFileReader/StandardMidiFileWriter.types are public mutable statics (findbugs) |
| 6738524 | java | classes_sound | JDK13Services allows read access to system properties from untrusted code |
| 6777448 | java | classes_sound | JDK13Services.getProviders creates instances with full privileges |
| 6588003 | java | classes_swing | LayoutQueue mutable statics |
| 6660049 | java | classes_swing | Synth Region.uiToRegionMap/lowerCaseNameMap are mutable statics |
| 6849518 | java | classes_swing | NPE is thrown in jemmy library since 6u15 b01 at javax.swing.plaf.synth.SynthContext.isSubregion() |
| 6656625 | java | imageio | ImageReaderSpi.STANDARD_INPUT_TYPE/ImageWriterSpi.STANDARD_OUTPUT_TYPE are mutable static (findbugs) |
| 6657133 | java | imageio | Mutable statics in imageio plugins (findbugs) |
| 6830335 | java | jar | Java JAR Pack200 Decompression Integer Overflow Vulnerability |
| 6755840 | java_plugin | plugin | Version selection allows old zip and certificate handling to be exploited |
| 6848964 | javawebstart | general | TCK jnlp test jnlp_file/appletDesc/index.html#misc fails with NPE starting 6u15 b01 |
| 6862844 | javawebstart | other | java web start ActiveX control security problem caused by ATL PROP_ENTRY macro |
| 6845701 | jaxp | parse | Xerces2 Java XML library infinite loop with malformed XML input |
| 6813167 | jax-ws | other | 6u14 JAX-WS audit mutable static bugs |
| 6736293 | jmx | classes | OpenType checks can be bypassed through finalizer resurrection |
| 6657619 | jndi | dns | DnsContext.debug is public static mutable (findbugs) |
Other bug fixes are listed in the following table.
| BugId | Category | Subcategory | Description |
|---|---|---|---|
| 6786503 | hotspot | garbage_collector | Overflow list performance can be improved |
| 6787254 | hotspot | garbage_collector | Work queue capacity can be increased substantially on some platforms |
| 6805338 | java | classes_security | Add 1 new Entrust root CA cert and remove 3 others with 1024 bit keys |
| 6845457 | java | classes_security | Add root certs for Keynectis CA |
| 6846473 | java | classes_security | Add QuoVadis root CA certs to the JRE |
| 6848984 | java | classes_util_i18n | (tz) Support tzdata2009i |
| 6851214 | java | classes_util_i18n | (tz) New Jordan rule creates a failure for SimpleTimeZone parsing post tzdata2009h |
| 6845077 | java | install | silent JDK should install JRE/Java DB silently |
| 6846531 | javawebstart | other | REGRESSION application from ocie.net does not work with 6.0_14 |
| 6461727 | jce | pkcs11_csp | TripleDES KeyGenerators in SunPKCS11 and SunJCE do not agree on key length |