Bug#: 186277
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Vlastimil Babka (Caster) <caster@gentoo.org>
Bug 186277 blocks: 215614

Description:   Opened: 2007-07-22 21:57 0000
At least on my x86, the testcases found at $URL are crashing it similarly to
Sun JDK (bug 178851, I think IBM licenses most of their code anyway).

I'm bumping to 1.4.2.9 which I found to be released and that has it apparently
fixed (safe java exception about bad ICC data instead of crash). But we'll need
to wait for update of the 1.5 slot.

------- Comment #1 From Vlastimil Babka (Caster) 2007-07-22 22:10:09 0000 -------
Arches please stabilize:
dev-java/ibm-jdk-bin-1.4.2.9
dev-java/ibm-jre-bin-1.4.2.9

Sorry to amd64 which just stabilized 1.4.2.8 before I found out about the new
one :)
You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with
IBM accounts.

------- Comment #2 From Christian Faulhammer 2007-07-23 07:48:37 0000 -------
(In reply to comment #1)
> You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with
> IBM accounts.

 To be honest: This type of download restriction is a fucking piece of shit and
I just hate it.  If I ever meet the responsible person I will hit him/her hard
in the face.

x86 stable

------- Comment #3 From Markus Rothe 2007-07-25 05:27:04 0000 -------
ppc64 stable

------- Comment #4 From Tobias Scherbaum 2007-07-27 22:56:02 0000 -------
ppc stable

------- Comment #5 From Steve Dibb 2007-08-12 14:36:40 0000 -------
amd64 stable

------- Comment #6 From Vlastimil Babka (Caster) 2007-08-21 10:13:08 0000 -------
OK, so IBM released 1.5.0.5a which is just security fixes and apparently fixes
this one vulnerability.

Added to tree, arches please stabilize:
dev-java/ibm-jdk-bin-1.5.0.5a
dev-java/ibm-jre-bin-1.5.0.5a

Note that jre SLOT 1.5 was not stable yet, but 1) 1.5.0.5 was there in ~arch
for two months and 1.5.0.5a is only security fix (according to changelog) and
2) jre is just a subset of jdk which is stable, so I think there's no need to
wait 30 days.
You can get the distfiles again per comment 1. (I'm still uploading tho so you
might have to wait if you are too fast :)

------- Comment #7 From Christian Faulhammer 2007-08-21 18:04:41 0000 -------
x86 stable

------- Comment #8 From Tobias Scherbaum 2007-08-22 16:00:47 0000 -------
ppc stable

------- Comment #9 From Markus Rothe 2007-08-29 10:11:18 0000 -------
ppc64 stable

------- Comment #10 From Steve Dibb 2007-09-08 01:23:13 0000 -------
amd64 stable

------- Comment #11 From Vlastimil Babka (Caster) 2007-09-08 01:46:56 0000 -------
Which was last arch.

------- Comment #12 From Matt Drew 2007-09-09 22:23:48 0000 -------
I'll vote yes - the linked URL is talking about exploitable buffer overflows.

------- Comment #13 From Pierre-Yves Rofes 2007-09-12 08:37:10 0000 -------
voting yes too, maybe combined with the sun jdk/jre draft.

------- Comment #14 From Robert Buchholz 2008-06-26 13:06:55 0000 -------
GLSA 200806-11
