# HG changeset patch # User Andrew John Hughes # Date 1372383955 -3600 # Node ID ad1e410826c55b6c57aba4d2c1dd553dbff83f8f # Parent 04d2a30a17cf9d6cfad0088da584f7706dc0d0f6 Update NEWS with security fixes & updates from 7u25. 2013-06-27 Andrew John Hughes * NEWS: Add latest security fixes and other changes found in 7u25. diff -r 04d2a30a17cf -r ad1e410826c5 ChangeLog --- a/ChangeLog Fri Jun 28 02:33:43 2013 +0100 +++ b/ChangeLog Fri Jun 28 02:45:55 2013 +0100 @@ -1,3 +1,8 @@ +2013-06-27 Andrew John Hughes + + * NEWS: Add latest security fixes and other + changes found in 7u25. + 2013-06-27 Andrew John Hughes * Makefile.am, diff -r 04d2a30a17cf -r ad1e410826c5 NEWS --- a/NEWS Fri Jun 28 02:33:43 2013 +0100 +++ b/NEWS Fri Jun 28 02:45:55 2013 +0100 
@@ -12,6 +12,132 @@ New in release 2.2.9 (2013-06-XX): +* New features + - PR1378: Add AArch64 support to Zero +* Security fixes + - S6741606, CVE-2013-2407: Integrate Apache Santuario + - S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls + - S7170730, CVE-2013-2451: Improve Windows network stack support. + - S8000638, CVE-2013-2450: Improve deserialization + - S8000642, CVE-2013-2446: Better handling of objects for transportation + - S8001032: Restrict object access + - S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers + - S8001034, CVE-2013-1500: Memory management improvements + - S8001038, CVE-2013-2444: Resourcefully handle resources + - S8001043: Clarify definition restrictions + - S8001308: Update display of applet windows + - S8001309: Better handling of annotation interfaces + - S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost + - S8001330, CVE-2013-2443: Improve on checking order + - S8003703, CVE-2013-2412: Update RMI connection dialog box + - S8004288, CVE-2013-2449: (fs) Files.probeContentType problems + - S8004584: Augment applet contextualization + - S8005007: Better glyph processing + - S8006328, CVE-2013-2448: Improve robustness of sound classes + - S8006611: Improve scripting + - S8007467: Improve robustness of JMX internal APIs + - S8007471: Improve MBean notifications + - S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes + - S8007925: Improve cmsStageAllocLabV2ToV4curves + - S8007926: Improve cmsPipelineDup + - S8007927: Improve cmsAllocProfileSequenceDescription + - S8007929: Improve CurvesAlloc + - S8008120, CVE-2013-2457: Improve JMX class checking + - S8008124, CVE-2013-2453: Better compliance testing + - S8008128: Better API coherence for JMX + - S8008132, CVE-2013-2456: Better serialization support + - S8008585: Better JMX data handling + - S8008593: Better URLClassLoader resource management + - 
S8008603: Improve provision of JMX providers + - S8008607: Better input checking in JMX + - S8008611: Better handling of annotations in JMX + - S8008615: Improve robustness of JMX internal APIs + - S8008623: Better handling of MBeanServers + - S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606 + - S8008982: Adjust JMX for underlying interface changes + - S8009004: Better implementation of RMI connections + - S8009008: Better manage management-api + - S8009013: Better handling of T2K glyphs + - S8009034: Improve resulting notifications in JMX + - S8009038: Improve JMX notification support + - S8009057, CVE-2013-2448: Improve MIDI event handling + - S8009067: Improve storing keys in KeyStore + - S8009071, CVE-2013-2459: Improve shape handling + - S8009235: Improve handling of TSA data + - S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change + - S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields + - S8009654: Improve stability of cmsnamed + - S8010209, CVE-2013-2460: Better provision of factories + - S8011243, CVE-2013-2470: Improve ImagingLib + - S8011248, CVE-2013-2471: Better Component Rasters + - S8011253, CVE-2013-2472: Better Short Component Rasters + - S8011257, CVE-2013-2473: Better Byte Component Rasters + - S8012375, CVE-2013-1571: Improve Javadoc framing + - S8012421: Better positioning of PairPositioning + - S8012438, CVE-2013-2463: Better image validation + - S8012597, CVE-2013-2465: Better image channel verification + - S8012601, CVE-2013-2469: Better validation of image layouts + - S8014281, CVE-2013-2461: Better checking of XML signature + - S8015997: Additional improvement in Javadoc framing +* Bug fixes + - S7053526: Upgrade JDK 8 to use Little CMS 2.4 + - S7124347: [macosx] java.lang.InternalError: not implemented yet on call Graphics2D.drawRenderedImage + - S7142091: [macosx] RFE: Refactoring of peer initialization/disposing + - S7142596: RMI JPRT tests are failing + - S7150345: [macosx] Can't type into applets 
+ - S7151434: java -jar -XX crashes java launcher + - S7156191: [macosx] Can't type into applet demos in Pivot + - S7156194: [macosx] Can't type non-ASCII characters into applets + - S7171223: Building ExtensionSubtables.cpp should use -fno-strict-aliasing + - S7174718: [macosx] Regression in 7u6 b12: PopupFactory leaks DefaultFrames. + - S7188114: (launcher) need an alternate command line parser for Windows + - S7195301: XML Signature DOM implementation should not use instanceof to determine type of Node + - S7198570: (tz) Support tzdata2012f + - S7199143: RFE: OCSP revocation checker should provide possibility to specify connection timeout + - S8001161: mac: EmbeddedFrame doesn't become active window + - S8002070: Remove the stack search for a resource bundle for Logger to use + - S8002225: (tz) Support tzdata2012i + - S8005932: Java 7 on mac os x only provides text clipboard formats + - S8006120: Provide "Server JRE" for 7u train + - S8006417: JComboBox.showPopup(), hidePopup() fails in JRE 1.7 on OS X + - S8006536: [launcher] removes trailing slashes on arguments + - S8009165: Fix for 8006435 needs revision + - S8009217: REGRESSION: test com/sun/org/apache/xml/internal/security/transforms/ClassLoaderTest.java fails to compile since 7u21b03 + - S8009463: Regression test test\java\lang\Runtime\exec\ArgWithSpaceAndFinalBackslash.java failing. + - S8009610: Blacklist certificate used with malware. 
+ - S8009987: (tz) Support tzdata2013b + - S8009996: tests javax/management/mxbean/MiscTest.java and javax/management/mxbean/StandardMBeanOverrideTest.java fail + - S8010009: [macosx] Unable type into online word games on MacOSX + - S8010118: Annotate jdk caller sensitive methods with @sun.reflect.CallerSensitive + - S8010213: Some api/javax_net/SocketFactory tests fail in 7u25 nightly build + - S8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod + - S8010727: WLS fails to add a logger with "" in its own LogManager subclass instance + - S8010939: Deadlock in LogManager + - S8011139: (reflect) Revise checking in getEnclosingClass + - S8011154: java/awt/Frame/ShapeNotSetSometimes/ShapeNotSetSometimes.java failed since 7u25b03 on windows + - S8011313: OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined + - S8011557: Improve reflection utility classes + - S8011806: 7u25-b05 hotspot fastdebug build failure + - S8011990: TEST_BUG: java/util/logging/bundlesearch/ResourceBundleSearchTest.java fails on Windows + - S8011992: java/awt/image/mlib/MlibOpsTest.java failed since jdk7u25b05 + - S8012112: java/awt/image/mlib/MlibOpsTest.java fails on sparc solaris + - S8012243: about 30% regression on specjvm2008.serial on 7u25 comparing 7u21 + - S8012330: [macosx] Sometimes the applet showing the modal dialog itself loses the ability to gain focus + - S8012453: (process) Runtime.exec(String) fails if command contains spaces [win] + - S8012617: ArrayIndexOutOfBoundsException with some fonts using LineBreakMeasurer + - S8012933: Test closed/java/awt/Dialog/DialogAnotherThread/JaWSTest.java fails since jdk 7u25 b07 + - S8013196: TimeZone.getDefault() throws NPE due to sun.awt.AppContext.getAppContext() + - S8013228: Create new system properties to control allowable OCSP clock skew and CRL connection timeout + - S8013380: Removal of stack walk to find resource bundle breaks Glassfish startup + - S8014205: Most of the Swing 
dialogs are blank on one win7 MUI + - S8014423: [macosx] The scrollbar's block increment performs incorrectly + - S8014427: REGRESSION: closed/javax/imageio/plugins/bmp/Write3ByteBgrTest.java fails since 7u25 b09 + - S8014618: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement + - S8014676: Java debugger may fail to run + - S8014718: Netbeans IDE begins to throw a lot exceptions since 7u25 b10 + - S8014745: Provide a switch to allow stack walk search of resource bundle + - S8014968: OCSP and CRL connection timeout is set to four hours by default + New in release 2.2.8 (2013-04-30): * Security fixes
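Review bot: In the ChangeLog hunk, the new entry describes the NEWS update as "latest security fixes and other changes found in 7u25", but the NEWS hunk also adds a "New features" item, PR1378 (AArch64 support for Zero), which carries a PR id rather than an S id like the other entries. Consider naming that item in the ChangeLog entry so the log matches everything NEWS gains in this changeset.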
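Review bot: In the NEWS hunk, several items filed under "Bug fixes" read as security-relevant: S8009610 (blacklist certificate used with malware), S8010714 (XML DSig RetrievalMethod referencing another RetrievalMethod), S8014618 (leading zeros in TlsPremasterSecret of DHKeyAgreement) and S8014968 (OCSP and CRL connection timeout set to four hours by default). Anyone who reads only "Security fixes" to decide whether to update will miss them, so consider marking those entries or adding a sentence that points to them. Under "Security fixes", many entries have no CVE id (S8001032, S8001043, S8001308 and others); a line saying whether that is intentional would help people mapping this release to advisories. Minor style point: a few entries end with a full stop (S7170730, S7174718, S8009463, S8009610) while the rest do not.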