Bug 186277 - dev-java/{ibm-jdk-bin|ibm-jre-bin}-{1.4.2.8|1.5.0.5} affected by GLSA 200705-23
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://scary.beasts.org/security/CESA...
Whiteboard: B4? [glsa]
Keywords:
Depends on:
Blocks: java-security
Reported: 2007-07-22 21:57 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2008-06-26 13:06 UTC

Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-07-22 21:57:36 UTC
At least on my x86, the testcases found at $URL are crashing it similarly to Sun JDK (bug 178851, I think IBM licenses most of their code anyway).

I'm bumping to 1.4.2.9, which I found to be released and which apparently has it fixed (a safe Java exception about bad ICC data instead of a crash). But we'll need to wait for an update of the 1.5 slot.
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-07-22 22:10:09 UTC
Arches please stabilize:
dev-java/ibm-jdk-bin-1.4.2.9
dev-java/ibm-jre-bin-1.4.2.9

Sorry to amd64 which just stabilized 1.4.2.8 before I found out about the new one :)
You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with IBM accounts.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-23 07:48:37 UTC
(In reply to comment #1)
> You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with
> IBM accounts.

 To be honest: This type of download restriction is a fucking piece of shit and
I just hate it.  If I ever meet the responsible person I will hit him/her hard
in the face.

x86 stable
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2007-07-25 05:27:04 UTC
ppc64 stable
Comment 4 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-27 22:56:02 UTC
ppc stable
Comment 5 Steve Dibb (RETIRED) gentoo-dev 2007-08-12 14:36:40 UTC
amd64 stable
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-08-21 10:13:08 UTC
OK, so IBM released 1.5.0.5a which is just security fixes and apparently fixes this one vulnerability.

Added to tree, arches please stabilize:
dev-java/ibm-jdk-bin-1.5.0.5a
dev-java/ibm-jre-bin-1.5.0.5a

Note that jre SLOT 1.5 was not stable yet, but 1) 1.5.0.5 was there in ~arch for two months and 1.5.0.5a is only a security fix (according to changelog) and 2) jre is just a subset of jdk which is stable, so I think there's no need to wait 30 days.
You can get the distfiles again per comment 1. (I'm still uploading though, so you might have to wait if you are too fast :)
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-21 18:04:41 UTC
x86 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-22 16:00:47 UTC
ppc stable
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-08-29 10:11:18 UTC
ppc64 stable
Comment 10 Steve Dibb (RETIRED) gentoo-dev 2007-09-08 01:23:13 UTC
amd64 stable
Comment 11 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-09-08 01:46:56 UTC
Which was the last arch.
Comment 12 Matt Drew (RETIRED) gentoo-dev 2007-09-09 22:23:48 UTC
I'll vote yes - the linked URL is talking about exploitable buffer overflows.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-12 08:37:10 UTC
voting yes too, maybe combined with the sun jdk/jre draft.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2008-06-26 13:06:55 UTC
GLSA 200806-11