Getting Started

Java^TM 2, Standard Edition 5.0 update 15
for SCO^Ž UNIX^Ž Operating Systems

This release of Java 2 Standard Edition contains:

the Java 2 Runtime Environment, which allows SCO UNIX end users to run Java applets and applications on SCO UNIX operating systems
the Java 2 Software Development Kit (J2SDK), which enables SCO UNIX OEMs, ISVs, and end users to develop Java applets and applications that conform to the Java 2 Core API
the Java 2 Plugin for the Mozilla browsers released for UnixWare 7.1.4 and OpenServer 6.0.0.

J2SE 5.0 for SCO UNIX is a full implementation of the Sun Microsystems^TM Java 2 Platform - the technology and environment described in the Sun^TM specifications of the Java 2 Platform, Standard Edition, 5.0, update 15. (The "update 15" indicates the patch level of the Sun J2SE that J2SE 5.0 for SCO UNIX corresponds to.)

Changes in This Release

J2SE 5.0, update 15

J2SE 5.0, update 15 for SCO UNIX encompasses the changes and security fixes from Sun's J2SE 5.0, updates 10 through 15. In addition the timezone changes for Western Australia (Perth) released as a patch for J2SE 5.0, update 09 and J2SE 1.4.2.13 and earlier have been encorporated into this release.
Automatic update of the /usr/java and /usr/java2 symbolic links to the installation of this J2SE release has changed. Please see the "Installations Location and Multiple Java Versions" subsection of these J2SE 5.0, update 15 Release Notes and the "Multiple Java 2 SE Releases" section of this Getting Started document for complete details.
The J2SE 5.0, update 15 release supercedes the J2SE 5.0, update 09 previously released on the SCO Support web site.

Sun Alert ID Description

233321 Two security vulnerabilities in the Java Runtime Environment Virtual Machine may independently allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet.

233322 A security vulnerability in the Java Runtime Environment (JRE) with the processing of XSLT transformations may allow an untrusted applet or application that is downloaded from a website to elevate its privileges. For example, an applet may read certain unauthorized URL resources (such as some files and web pages) or potentially execute arbitrary code. This vulnerability may also be exploited to create a Denial-of-Service (DoS) condition by causing the JRE to crash.

233324 A security vulnerability in the Java Plug-in may allow an applet that is downloaded from a website to bypass the same origin policy and leverage this flaw to execute local applications that are accessible to the user running the untrusted applet.

233325 A vulnerability in the Java Runtime Environment image parsing library may allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet.

Two vulnerabilities in the color management library may allow an untrusted applet or application or applet to cause the Java Runtime Environment to crash, which is a type of Denial of Service (DoS).

233326 A vulnerability in the Java Runtime Environment may allow JavaScript code that is downloaded by a browser to make connections to network services on the system that the browser runs on, through Java APIs. This may allow files (that are accessible through these network services) or vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

200040
(103112) A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

201519
(103079) A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

200041
(103078) A vulnerability in the Java Runtime Environment (JRE) may allow malicious Javascript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the Javascript code was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

A second vulnerability in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

200162
(103072) A vulnerability in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by requesting the user of the application or applet to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system. To exploit this vulnerability, the application or applet has to successfully persuade the user to drag and drop the file.

200837
(103071) When an untrusted applet or application displays a window, the Java Runtime Environment includes a warning banner inside the window to indicate that the applet or application is untrusted. A defect in the Java Runtime Environment may allow an untrusted applet or application that is downloaded from a malicious website to display a window that exceeds the size of a user's screen so that the warning banner is not visible to the user.

200392
(103024) A vulnerability in the font parsing code in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

200599
(102997) The Java Secure Socket Extension (JSSE) that is included in various releases of the Java Runtime Environment does not correctly process SSL/TLS handshake requests. This vulnerability may be exploited to create a Denial of Service (DoS) condition to the system as a whole on a server that listens for SSL/TLS connections using JSSE for SSL/TLS support.

201551
(102995) A security vulnerability in the Java Runtime Environment Applet Class Loader may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on the local host, as if it were loaded from the system that the applet is running on. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to.

201348
(102958) A defect in the Javadoc tool in various releases of the JDK may lead to the generation of HTML documentation pages which contain a potential cross-site scripting (XSS) vulnerability. This may allow a remote user to gain access to cookies from the website that hosts the generated documentation.

200856
(102934) A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.

200074
(102760) A buffer overflow vulnerability in processing GIF images in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the untrusted applet.
For more information see:

http://www.zerodayinitiative.com/advisories/ZDI-07-005.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0234

Security fixes that have recently been announced by Sun, but have been released in earlier releases, have been added to the securiy fix list in the J2SE 5.0, update 9 changes.

Sun Alert ID	Description
233321	Two security vulnerabilities in the Java Runtime Environment Virtual Machine may independently allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet.
233322	A security vulnerability in the Java Runtime Environment (JRE) with the processing of XSLT transformations may allow an untrusted applet or application that is downloaded from a website to elevate its privileges. For example, an applet may read certain unauthorized URL resources (such as some files and web pages) or potentially execute arbitrary code. This vulnerability may also be exploited to create a Denial-of-Service (DoS) condition by causing the JRE to crash.
233324	A security vulnerability in the Java Plug-in may allow an applet that is downloaded from a website to bypass the same origin policy and leverage this flaw to execute local applications that are accessible to the user running the untrusted applet.
233325	A vulnerability in the Java Runtime Environment image parsing library may allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet. Two vulnerabilities in the color management library may allow an untrusted applet or application or applet to cause the Java Runtime Environment to crash, which is a type of Denial of Service (DoS).
233326	A vulnerability in the Java Runtime Environment may allow JavaScript code that is downloaded by a browser to make connections to network services on the system that the browser runs on, through Java APIs. This may allow files (that are accessible through these network services) or vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.
200040 (103112)	A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
201519 (103079)	A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.
200041 (103078)	A vulnerability in the Java Runtime Environment (JRE) may allow malicious Javascript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the Javascript code was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. A second vulnerability in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.
200162 (103072)	A vulnerability in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by requesting the user of the application or applet to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system. To exploit this vulnerability, the application or applet has to successfully persuade the user to drag and drop the file.
200837 (103071)	When an untrusted applet or application displays a window, the Java Runtime Environment includes a warning banner inside the window to indicate that the applet or application is untrusted. A defect in the Java Runtime Environment may allow an untrusted applet or application that is downloaded from a malicious website to display a window that exceeds the size of a user's screen so that the warning banner is not visible to the user.
200392 (103024)	A vulnerability in the font parsing code in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
200599 (102997)	The Java Secure Socket Extension (JSSE) that is included in various releases of the Java Runtime Environment does not correctly process SSL/TLS handshake requests. This vulnerability may be exploited to create a Denial of Service (DoS) condition to the system as a whole on a server that listens for SSL/TLS connections using JSSE for SSL/TLS support.
201551 (102995)	A security vulnerability in the Java Runtime Environment Applet Class Loader may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on the local host, as if it were loaded from the system that the applet is running on. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to.
201348 (102958)	A defect in the Javadoc tool in various releases of the JDK may lead to the generation of HTML documentation pages which contain a potential cross-site scripting (XSS) vulnerability. This may allow a remote user to gain access to cookies from the website that hosts the generated documentation.
200856 (102934)	A buffer overflow vulnerability in the image parsing code in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. A second vulnerability may allow an untrusted applet or application to cause the Java Virtual Machine to hang.
200074 (102760)	A buffer overflow vulnerability in processing GIF images in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the untrusted applet. For more information see: http://www.zerodayinitiative.com/advisories/ZDI-07-005.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0234

J2SE 5.0, update 09d

This release of J2SE 5.0, update 09d, in the OpenServer 6.0.0, Maintenance Pack 3, contains a fix to restore execution permission to the javap command and removes the javasoap package from the Java 5.0 component. Any pieces of the former javasoap package that are needed by Tomcat are now installed with Tomcat.

J2SE 5.0, update 09b

This web-release of J2SE 5.0, update 09b, contains a fix to avoid a bug on SCO platforms in the parallel garbage collection routines encountered when running JBoss on "server class" systems. This update is a minimum requirment for the SCO Me Inc. Mobility Server on OpenServer 6.0.0.

J2SE 5.0, update 09

J2SE 5.0, update 09 for SCO UNIX is a significant update to the J2SE 5.0 product. It encompasses Sun's updates 07, 08 and 09 and contains the following fixes or enhancements:

Daylight Savings Time timezone changes that go into effect in 2007.
Additional Root CA certificates have been added to the cacerts file.
A problem with embedded Java JVM initialization within a threaded application has been corrected.
Several security issues have been resolved including the publicly announced issues listed below. In addition, security issues resolved in Sun's preliminary J2SE 5.0, update 10 release currently in development have been incorporated in this SCO product release.

The J2SE 5.0, update 09 release supercedes the J2SE 5.0, update 06 previously released on the SCO Support web site.

Sun Alert ID Description

102760 A buffer overflow vulnerability in processing GIF images in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. (Fix from J2SE 5.0, update 10 released in SCO's J2SE 5.0, update 09 release.)

102732 Two vulnerabilities in the Java Runtime Environment may allow an untrusted applet to access data in other applets.

102731 Two vulnerabilities related to serialization in the Java Runtime Environment may independently allow an untrusted applet or application to elevate its previleges.

102729 Two buffer overflow vulneribilities in the JRE may independently allow an untrusted applet to elevate its previleges. For example, an applet may grant itself permissions to read and write a local file or execute local applications that are accessible to the user running the untrusted applet.

102662 A security vulnerability in the JRE Swing library may allow an untrusted applet to access data in other applets.

102686 The JRE and Java Secure Socket Extension (JSSE) may verify incorrect RSA PKCS #1 v1.5 signatures if the RSA public key exponent is 3. This may allow applets or applications that are signed by forged signing certificates and websites with forged web server certificates to be verified as valid.
For more information see:

http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

Sun Alert ID	Description
102760	A buffer overflow vulnerability in processing GIF images in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. (Fix from J2SE 5.0, update 10 released in SCO's J2SE 5.0, update 09 release.)
102732	Two vulnerabilities in the Java Runtime Environment may allow an untrusted applet to access data in other applets.
102731	Two vulnerabilities related to serialization in the Java Runtime Environment may independently allow an untrusted applet or application to elevate its previleges.
102729	Two buffer overflow vulneribilities in the JRE may independently allow an untrusted applet to elevate its previleges. For example, an applet may grant itself permissions to read and write a local file or execute local applications that are accessible to the user running the untrusted applet.
102662	A security vulnerability in the JRE Swing library may allow an untrusted applet to access data in other applets.
102686	The JRE and Java Secure Socket Extension (JSSE) may verify incorrect RSA PKCS #1 v1.5 signatures if the RSA public key exponent is 3. This may allow applets or applications that are signed by forged signing certificates and websites with forged web server certificates to be verified as valid. For more information see: http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

J2SE 5.0, update 06

J2SE 5.0, update 06, was the initial J2SE 5.0 product release on SCO UNIX platforms.
J2SE 5.0 for SCO UNIX is a major new release compared to the previous J2SE 1.4.2 for SCO UNIX.

System Requirements and Supported Platforms

Supported SCO UNIX platforms:

SCO OpenServer^TM Release 6.0.0 operating system
UnixWare^Ž 7.1.4 operating system

J2SE 5.0 for SCO UNIX is not supported on older versions of the supported operating systems, such as SCO OpenServer Release 5.0.x or UnixWare 7 Release 7.1.3 or earlier, nor is it available for older operating systems, such as the SCO UnixWare 2 operating system.

The J2SE 5.0 is identical for all supported platforms, and everything in these release notes applies to all supported platforms.

Pkg/Cmpnt Name	Required Software	Approx. Size	Contains
`j2jre150`	UW 7.1.4	72 MB	Runtime Support: `java`, the Java virtual machine interpreter (JVM); the "client" and "server" dynamic compilers; Java Foundation Classes (JFC) & Swing Package; and basic API libraries: language support, I/O, AWT, networking, utilities, images, media, math, compression, and security. Distributed applications and database access: Remote Method Invocation (RMI); JavaBeans^TM (component object model); JDBC^TM (database access); Internationalization tools; Security tools; Java IDL tools.
`j2sdk150`	j2jre150	41 MB	Development Tools: `appletviewer`, the Java Applet Viewer; `javac`, the Java Compiler; `jdb`, the command-line Java debugger; `javah`, the C Header and Stub File Generator for native methods; `javap`, the Java Class File Disassembler; `javadoc`, the JAVA API Documentation Generator; `jar`, the Java Archive (JAR) tool; and assorted other commands used in Java development; class libraries used in Java development; header files used in native code development. Also Java demo applets and applications; demos of Swing functionality; Java Plugin demos; native method demos.
`j2plg150`	j2jre150	0.5 MB	Java 2 Plugin for Mozilla browser 1.7.x on UnixWare 7.1.4 and OpenServer 6.0.0.

`j2se150`	OSR 6.0.0	116 MB	In additional to the Runtime Support, Development Tools and Java Plugin software in the UnixWare packages above, the OpenServer 6.0.0 product contains the additional Java Communications API (javaxcomm) software whose JNI runtime or JAR files must be installed in the J2SE 5.0 product repository.

Note: Where one J2SE 5.0 package requires another J2SE 5.0 package, the version numbers of the packages must be the same. The Java 2 SDK package, version 1.5.0.06 requires the Java 2 Runtime, version 1.5.0.06.

Multiple Java 2 SE Releases

Multiple major versions of J2SE can co-exist on your SCO UNIX platform. The installation is to a version specific directory in /opt.

J2SE 1.3.1 ==> /opt/java2-1.3.1
J2SE 1.4.2 ==> /opt/java2-1.4.2
J2SE 5.0 ==> /opt/java2-1.5.0

Updates to each major version of J2SE install in the same base directory.

Prior to the synchronized release of J2SE 1.3.1_22, 1.4.2_17 and 5.0 update 15, the installation of the JRE piece for each of these major point releases would automatically symbolicly link /usr/java and /usr/java2 to point to the "newly" installed JRE directory. Starting with these synchronized J2SE releases, the symbolic links will only be updated if the JRE being installed is a later J2SE version than the current symbolic links.

For example, if prior to installation of J2SE 1.4.2_17, the symbolic links were:

/usr/java ==> /opt/java2-1.3.1
/usr/java2 ==> /opt/java2-1.5.0

Following the installation of J2SE 1.4.2_17, the links would be:

/usr/java ==> /opt/java2-1.4.2
/usr/java2 ==> /opt/java2-1.5.0

Removal of the J2SE 1.4.7_17, will attempt to restore the pre-installation links, if and only if an executable /opt/java2-1.3.1/bin/java still exists on the system.

System administrators can and should readjust these symbolic links as needed by their specific system and software requirements.

Other software released by SCO for your SCO UNIX platform as well as third party applications that use Java, may require a specifc J2SE major version. That software may either reference the J2SE of interest through:

an environement variable such as JAVA_HOME that points to /usr/java or directly to the installation directory /opt/java2-1.x.x.
an absolute command path, either /usr/java/bin/command or /opt/java2-1.x.x/bin/command.

Caution: Before removing earlier/other major versions of J2SE on your system, be certain that other installed software does not require that version. For example, the Apache-Tomcat product released on UnixWare 7.1.4 and OpenServer 6.0.0 have been configured, tested and certified with J2SE 1.4.2. Removal of that JRE will result in Tomcat failing to start.

Download and Installation

The J2SE 5.0 product is distributed in one of two packaging formats for the different supported SCO UNIX systems.

Print or save a copy of this "Getting Started" page for later reference.
Download a copy of the current J2SE 5.0 update 15 Release Notes (ReleaseNotes.html)and save, also for later reference.

Select and download the packages you wish to install. Note that the packages are available in two formats:

For UnixWare 7.1.4: compressed/uncompressed pkgadd datastream format.

File Package Version

j2jre150.ds.Z j2jre150 1.5.0.15

j2sdk150.ds j2sdk150 1.5.0.15

j2plg150.ds j2plg150 1.5.0.15

File	Package	Version
j2jre150.ds.Z	`j2jre150`	1.5.0.15
j2sdk150.ds	`j2sdk150`	1.5.0.15
j2plg150.ds	`j2plg150`	1.5.0.15

For OpenServer 6.0.0: custom format package

File Custom Package Custom Version UW Package UW Pkg. Version

OSR6_Java2_150.VOLS.tar j2se150 1.5.0.Oa j2jre150 1.5.0.15

j2sdk150 1.5.0.15

j2plg150 1.5.0.15

javaxcomm 2.0

Download an install any prerequisite packages, runtime, maintenance packs, maintenance supplements, support level supplements as required in the System Requirements and Supported Platforms of this document.
As root, installed the J2SE 5.0 packages that you have downloaded.
Change directory into the directory containing the downloaded package datastreams
cd <download-dir>

On UnixWare 7.1.4:
Install the J2SE 5.0 packages in the following order.
If the package datastreams have been downloaded in compressed format:
zcat j2jre150.ds.Z | pkgadd -d - all

pkgadd -d `pwd`/j2sdk150.ds all
pkgadd -d `pwd`/j2plg150.ds all

If the package datastreams have been uncompressed when downloaded with your browser:
pkgadd -d `pwd`/j2jre150.ds all
pkgadd -d `pwd`/j2sdk150.ds all
pkgadd -d `pwd`/j2plg150.ds all

On OpenServer 6.0.0, having downloaded the single custom format file:
Make a subdirectory and unwind the tar file into that subdirectory.
mkdir JAVA150
cd JAVA150; tar -xf ../OSR6_Java2_150.VOLS.tar

Run the Software Manager with the command:
scoadmin software
or
custom

or double-click on the Software Manager icon in the desktop.
1. Pull down the "Software" menu and select "Install New".
2. When prompted for the host from which to install, choose the local machine and then "Continue".
3. In the "Select Media" menu, pull down the "Media Device" menu. Select "Media Images", then choose "Continue".
4. When prompted for the "Image Directory", enter the directory where you unwound the tar file of the package to be installed and choose "OK".
5. When prompted to select the software to install, the single software package in the directory will by highlighted. You can deselect any of the optional packages that you do not wish to install at this time. Click on "Install".

File	Custom Package	Custom Version	UW Package	UW Pkg. Version
OSR6_Java2_150.VOLS.tar	j2se150	1.5.0.Oa	`j2jre150`	1.5.0.15
`j2sdk150`	1.5.0.15
`j2plg150`	1.5.0.15
`javaxcomm`	2.0

Important Notes

Documentation

Essential information about this product is contained in the Java 2 Standard Edition 5.0, update 15 for SCO UNIX Operating Systems Release Notes which are distributed with the j2jre150 package on UnixWare 7.1.4 and the j2se150 component on Openserver 6.0.0 and installed in /usr/java2. A copy of the Release Notes is available on this download page.

Be sure to read these notes thoroughly before attempting to use the J2SE 5.0. We recommend that you print out or bookmark these notes for later reference.

Licensing

The J2SE 5.0 for SCO UNIX is licensed under the same terms as the host SCO operating system upon which it is installed.