Sun has released the twentieth update for Java Standard Edition 5.0, for both the development kit and the runtime environment. The version designation is 5.0 update 20 and the exact version number is 1.5.0_20-b02. The developers have improved the security of various components and fixed a list of bugs. The list of changes for this twentieth update is as follows:
Changes in 1.5.0_20
The full internal version number for this update release is 1.5.0_20-b02 (where "b" means "build"). The external version number is 5.0u20.
OlsonData 2009i
This release contains Olson time zone data version 2009i. For more information, refer to Timezone Data Versions in the JRE Software.
Security Baseline
This update release specifies the following security baseline:
JRE Family Version 1.4.2
Java SE Security Baseline 1.4.2_19
Java SE for Business Security Baseline 1.4.2_22
In December, 2008, Java SE 1.4.2 reached its end of service life with the release of 1.4.2_19. Future revisions of Java SE 1.4.2 (1.4.2_20 and above) include the Access Only option and are available to Java SE for Business subscribers.
For more information about the security baseline, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.
Root Certificates
Root Certificates are included in this release.
- Added one new root certificate and removed 3 root certificates from Entrust. (Refer to 6805338.)
- Added three new root certificates from Keynectis. (Refer to 6845457.)
- Added three new root certificates from Quovadis. (Refer to 6846473.)
Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 263408, 263409, 263488, 263489, and 264648.
Bug fixes for vulnerabilities are listed in the following table.
- java - accessibility - AccessibleResourceBundle.getContents exposes mutable static (findbugs)
- java - classes_awt - Cursor.predefined is protected static mutable (findbugs)
- java - classes_beans - Introspector cache mutable static
- java - classes_lang - 3Y Race condition in reflection checks
- java - classes_net - Remote sites can compromise user privacy and possibly hijack web session
- java - classes_net - Proxy is assumed to be immutable but is non-final
- java - classes_security - Security issues in the Provider class
- java - classes_security - Fix for 6406003 can be circumvented
- java - classes_security - Provider deserialization still has problems
- java - classes_security - AbstractSaslImpl.logger is a static mutable (findbugs)
- java - classes_sound - RmfFileReader/StandardMidiFileWriter.types are public mutable statics (findbugs)
- java - classes_sound - JDK13Services allows read access to system properties from untrusted code
- java - classes_sound - JDK13Services.getProviders creates instances with full privileges
- java - classes_swing - LayoutQueue mutable statics
- java - classes_swing - Synth Region.uiToRegionMap/lowerCaseNameMap are mutable statics
- java - imageio - ImageReaderSpi.STANDARD_INPUT_TYPE/ImageWriterSpi.STANDARD_OUTPUT_TYPE are mutable static (findbugs)
- java - imageio - Mutable statics in imageio plugins (findbugs)
- java - jar - Java JAR Pack200 Decompression Integer Overflow Vulnerability
- javawebstart - other - java web start ActiveX control security problem caused by ATL PROP_ENTRY macro
- jaxp - parse - Xerces2 Java XML library infinite loop with malformed XML input
- jndi - dns - DnsContext.debug is public static mutable (findbugs)
Other bug fixes are listed in the following table.
- java - classes_2d - font files not deleted upon exit
- java - classes_security - Add 1 new Entrust root CA cert and remove 3 others with 1024 bit keys
- java - classes_security - Add root certs for Keynectis CA
- java - classes_security - Add QuoVadis root CA certs to the JRE
- java - classes_util_i18n - (tz) Support tzdata2009i
- java - classes_util_i18n - (tz) New Jordan rule creates a failure for SimpleTimeZone parsing post tzdata2009h