Blog update: I mapped some of the CVEs to these results.

Oracle has released a security update for Java. If you have Java installed and haven't updated it yet, do it now. Now, I'm going to try something new and analyze the differences between Java 6 update 25 and Java 6 update 26, and we'll try to figure out what the underlying vulnerability might have been.

For the comparison, I'll be using my rather stale open source project reJ/rejava. It takes two .jars and does a binary comparison of each of the files in the .jar, and indicates which files are new, removed, or changed. It then lets you open these changed files and does another diff on method level, and yet another on the bytecode level of each changed method. It works OK, though sometimes the algorithm consumes all the memory available.

File: rt.jar (the runtime - heart and soul of Java):

These are not security related, just updating the time zone data, namely the addition of America/Metlakatla and America/Sitka. It seems the change is more or less the same as this:

reJ chokes on these files, because they're big.

Also not security related. Updated the version strings to update 26.

FOCUS ON FILEPANE JFILECHOOSER UPDATE

The line numbers have changed; maybe a comment was added to the code. I'm comparing the rt.jar from the JDK, which has debugging information (like source-code line number information) included. But from a quick look, I can't figure out what the vulnerability is. The source for this class is available in the src.zip of the JDK for both versions. The ImageIcon has a static protected component field whose appContext field is set to null in a privileged block. In the new version this component is instantiated in another doPrivileged block which removes all its permissions. It was found that the MediaTracker implementation created Component instances with unnecessary access privileges.
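To make the ImageIcon change concrete, here is an added stand-alone example of the pattern (my own illustration for this page, not code from the JDK or from reJ). It assumes a JDK where the security-manager machinery still works (Java 8 through 23; deprecated from 17 and disabled for good in 24, where both calls below deny). The `ContextHolder` class is a hypothetical stand-in for `java.awt.Component`, which snapshots the caller's `AccessControlContext` when constructed: an object created in plain privileged code keeps a fully privileged context, whereas one created under a context containing a permissionless `ProtectionDomain` keeps a context that can never pass a permission check, no matter who later gets hold of the shared static instance.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/** Shows why constructing a long-lived shared object under an empty
 *  AccessControlContext neutralises the context that object captures. */
public class NoPermsConstruction {

    /** Hypothetical stand-in for java.awt.Component: it records the caller's
     *  access-control context at construction time, as Component does. */
    static final class ContextHolder {
        final AccessControlContext acc = AccessController.getContext();
    }

    /** A context made of one ProtectionDomain with no permissions. The two-argument
     *  ProtectionDomain constructor makes the (null) permissions static, so the
     *  installed Policy is never consulted and nothing can be granted later. */
    static final AccessControlContext NO_PERMS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, null) });

    /** Old shape: built inside plain doPrivileged, so the captured context is
     *  just this (trusted) class's own domain, i.e. fully privileged. */
    static ContextHolder createWithCallerPrivileges() {
        return AccessController.doPrivileged(new PrivilegedAction<ContextHolder>() {
            public ContextHolder run() { return new ContextHolder(); }
        });
    }

    /** New shape: built inside doPrivileged bounded by NO_PERMS, so the captured
     *  context also contains the empty domain and every check against it fails. */
    static ContextHolder createWithNoPermissions() {
        return AccessController.doPrivileged(new PrivilegedAction<ContextHolder>() {
            public ContextHolder run() { return new ContextHolder(); }
        }, NO_PERMS);
    }

    /** Would work run under the captured context be allowed the permission? */
    static boolean capturedContextAllows(ContextHolder h, Permission p) {
        try {
            h.acc.checkPermission(p);   // checks the captured domains, no SecurityManager needed
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // java.version read is granted to all code by the default java.policy
        Permission p = new PropertyPermission("java.version", "read");
        System.out.println("plain construction allows it:    "
                + capturedContextAllows(createWithCallerPrivileges(), p));
        System.out.println("no-perms construction allows it: "
                + capturedContextAllows(createWithNoPermissions(), p));
    }
}
```

Compile and run it with a JDK up to 23 (17 and later only warn about the deprecated API): the first line prints `true`, the second `false`. The updated ImageIcon additionally clears the component's `appContext` field reflectively inside a privileged block; that part is about not leaking the AppContext, not about the captured permissions, so it is left out here.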
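The first pass of the reJ comparison described above, as an added example (my own illustration, not reJ's code): hash every entry of both jars and report which are new, removed or changed, so that only those need the method-level and bytecode-level passes. Without arguments it compares two small constructed jars whose entry names and contents are made up for the demo; with two paths it compares real jars, for instance the rt.jar from each JDK.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

/** File-level jar diff: classifies entries as new, removed or changed by content hash. */
public class JarEntryDiff {

    /** entry name -> hex SHA-256 of the entry's uncompressed bytes (directories skipped). */
    static Map<String, String> digestEntries(Path jar) throws IOException, NoSuchAlgorithmException {
        Map<String, String> digests = new TreeMap<>();
        try (JarFile jf = new JarFile(jar.toFile())) {
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements(); ) {
                JarEntry e = en.nextElement();
                if (e.isDirectory()) continue;
                MessageDigest md = MessageDigest.getInstance("SHA-256");
                try (InputStream in = jf.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    for (int n; (n = in.read(buf)) > 0; ) md.update(buf, 0, n);
                }
                StringBuilder hex = new StringBuilder();
                for (byte b : md.digest()) hex.append(String.format("%02x", b));
                digests.put(e.getName(), hex.toString());
            }
        }
        return digests;
    }

    /** entry name -> "new" | "removed" | "changed"; byte-identical entries are omitted. */
    static Map<String, String> classify(Map<String, String> oldJar, Map<String, String> newJar) {
        Map<String, String> out = new TreeMap<>();
        TreeSet<String> names = new TreeSet<>(oldJar.keySet());
        names.addAll(newJar.keySet());
        for (String name : names) {
            String a = oldJar.get(name), b = newJar.get(name);
            if (a == null)          out.put(name, "new");
            else if (b == null)     out.put(name, "removed");
            else if (!a.equals(b))  out.put(name, "changed");
        }
        return out;
    }

    /** Writes a throwaway jar from name -> text content; constructed demo input only. */
    static Path writeJar(Map<String, String> entries) throws IOException {
        Path p = Files.createTempFile("jardiff-", ".jar");
        try (JarOutputStream jos = new JarOutputStream(Files.newOutputStream(p))) {
            for (Map.Entry<String, String> e : entries.entrySet()) {
                jos.putNextEntry(new JarEntry(e.getKey()));
                jos.write(e.getValue().getBytes(StandardCharsets.UTF_8));
                jos.closeEntry();
            }
        }
        return p;
    }

    public static void main(String[] args) throws Exception {
        Path oldJar, newJar;
        if (args.length == 2) {
            // Real use, e.g.: java JarEntryDiff jdk1.6.0_25/jre/lib/rt.jar jdk1.6.0_26/jre/lib/rt.jar
            oldJar = Paths.get(args[0]);
            newJar = Paths.get(args[1]);
        } else {
            // Constructed stand-ins for the two rt.jar files; contents are fake strings.
            Map<String, String> u25 = new LinkedHashMap<>(), u26 = new LinkedHashMap<>();
            u25.put("java/lang/Object.class", "unchanged bytes");
            u26.put("java/lang/Object.class", "unchanged bytes");               // identical
            u25.put("javax/swing/ImageIcon.class", "6u25 bytecode");
            u26.put("javax/swing/ImageIcon.class", "6u26 bytecode");             // changed
            u25.put("sun/util/resources/TimeZoneNames.class", "older tz names");
            u26.put("sun/util/resources/TimeZoneNames.class", "newer tz names"); // changed
            u26.put("com/example/AddedInThisUpdate.class", "added");             // new
            u25.put("com/example/DroppedInThisUpdate.class", "gone");            // removed
            oldJar = writeJar(u25);
            newJar = writeJar(u26);
        }
        Map<String, String> report = classify(digestEntries(oldJar), digestEntries(newJar));
        for (Map.Entry<String, String> e : report.entrySet())
            System.out.printf("%-8s %s%n", e.getValue(), e.getKey());
    }
}
```

One caveat that matches the experience above: a class whose only difference is debug information (a shifted LineNumberTable because a comment was added) hashes as "changed" just like a real code change, so this pass only narrows the list. Telling the two apart needs the per-method bytecode diff, or stripping the debug attributes before hashing.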