Software update: Sun Java 5.0 update 20

Sun has already released the twentieth update to Java Standard Edition 5.0, for both the development kit and the runtime environment. The version designation has been fixed at 5.0 update 20 and the exact version number has been moved to 1.5.0_20-b02. The developers have improved the security of several components and fixed a list of bugs. The list of changes for this twentieth update is as follows:

Changes in 1.5.0_20

The full internal version number for this update release is 1.5.0_20-b02 (where “b” means “build”). The external version number is 5.0u20.

OlsonData 2009i
This release contains Olson time zone data version 2009i. For more information, refer to Timezone Data Versions in the JRE Software.

Security Baseline
This update release specifies the following security baseline:
JRE Family Version 1.4.2
Java SE Security Baseline 1.4.2_19
Java SE for Business Security Baseline 1.4.2_22

In December, 2008, Java SE 1.4.2 reached its end of service life with the release of 1.4.2_19. Future revisions of Java SE 1.4.2 (1.4.2_20 and above) include the Access Only option and are available to Java SE for Business subscribers.

For more information about the security baseline, see Deploying Java Applets With Family JRE Versions in Java Plug-in for Internet Explorer.

Root Certificates

Root Certificates are included in this release.

• Added one new root certificate and removed 3 root certificates from Entrust. (Refer to 6805338.)
• Added three new root certificates from Keynectis. (Refer to 6845457.)
• Added three new root certificates from Quovadis. (Refer to 6846473.)

Bug Fixes
This release contains fixes for one or more security vulnerabilities. For more information, please see Sun Alerts 263408, 263409, 263488, 263489, and 264648.

Bug fixes for vulnerabilities are listed in the following table.

• java – accessibility – AccessibleResourceBundle.getContents exposes mutable static (findbugs)
• java – classes_awt – Cursor.predefined is protected static mutable (findbugs)
• java – classes_beans – Introspector cache mutable static
• java – classes_lang – 3Y Race condition in reflection checks
• java – classes_net – Remote sites can compromise user privacy and possibly hijack web session
• java – classes_net – Proxy is assumed to be immutable but is non-final
• java – classes_security – Security issues in the Provider class
• java – classes_security – Fix for 6406003 can be circumvented
• java – classes_security – Provider deserialization still has problems
• java – classes_security – AbstractSaslImpl.logger is a static mutable (findbugs)
• java – classes_sound – RmfFileReader/StandardMidiFileWriter.types are public mutable statics (findbugs)
• java – classes_sound – JDK13Services allows read access to system properties from untrusted code
• java – classes_sound – JDK13Services.getProviders creates instances with full privileges
• java – classes_swing – LayoutQueue mutable statics
• java – classes_swing – Synth Region.uiToRegionMap/lowerCaseNameMap are mutable statics
• java – imageio – ImageReaderSpi.STANDARD_INPUT_TYPE/ImageWriterSpi.STANDARD_OUTPUT_TYPE are mutable static (findbugs)
• java – imageio – Mutable statics in imageio plugins (findbugs)
• java – jar – Java JAR Pack200 Decompression Integer Overflow Vulnerability
• javawebstart – other – java web start ActiveX control security problem caused by ATL PROP_ENTRY macro
• jaxp – parse – Xerces2 Java XML library infinite loop with malformed XML input
• jndi – dns – DnsContext.debug is public static mutable (findbugs)

Other bug fixes are listed in the following table.

• java – classes_2d – font files not deleted upon exit
• java – classes_security – Add 1 new Entrust root CA cert and remove 3 others with 1024 bit keys
• java – classes_security – Add root certs for Keynectis CA
• java – classes_security – Add QuoVadis root CA certs to the JRE
• java – classes_util_i18n – (tz) Support tzdata2009i
• java – classes_util_i18n – (tz) New Jordan rule creates a failure for SimpleTimeZone parsing post tzdata2009h