The Blackdown project's JDK and JRE for the x86 and AMD64 platforms are vulnerable to the same privilege escalation bug that affects Sun JDK/JRE < 1.4.2_08.
Reproducible: Didn't try
Steps to Reproduce: Please refer to the referenced security notice on the Blackdown project's site.
A new version which fixes the vulnerability, 1.4.2-02, has been released by blackdown.org.
Java please bump. This is similar to bug #96092.
Bumped too, ~arch. Haven't had time to do more than a basic test.
From Blackdown:
Affected: Blackdown J2SE 1.4.2-01 and earlier 1.4 releases. 1.3.1 releases are not affected.
Target KEYWORDS:
blackdown-jdk-1.4.2.02 : x86 sparc amd64
blackdown-jre-1.4.2.02 : x86 sparc amd64
blackdown-jdk-1.4.2.02 is currently failing digest checks on the file from the mirrors. I don't know if the mirror is wrong or the digest is wrong.
The digest MD5 is the same as on http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2005-02.txt and all the mirrors I tried have the file with that MD5.
It was on amd64 (sorry, I didn't realize blackdown came in 64-bit versions) and is now fixed.
Blackdown never released 1.4.2* for sparc. Is there a workaround for 1.4.1?
stable on amd64 and x86
I sent an email off to Blackdown asking about a newer version of the JRE/JDK for Linux/SPARC and the response was "1.4.2-02 for SPARC is mostly ready but there's one show-stopping bug holding it up." So it's possible there may be something soon, but not sure when.
We should issue a temporary GLSA with the current fixed versions which says 1.4 on sparc is vulnerable, then issue an update when the sparc version is released.
GLSA 200506-14 Keeping open (enhancement scope) to remember to update the GLSA when sparc is fixed.
# emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.02"

These are the packages that I would merge, in order:

Calculating dependencies
!!! All ebuilds that could satisfy ">=dev-java/blackdown-jre-1.4.2.02" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-java/blackdown-jre-1.4.2.02 (masked by: -* keyword)

For more information, see MASKED PACKAGES section in the emerge man page or section 2.2 "Software Availability" in the Gentoo Handbook.

http://www.gentoo.org/security/en/glsa/glsa-200506-14.xml
Jan, please mark jre asap.
keyworded x86 & amd64
Thx Thomas, back to enhancement, waiting for fixed Sparc version.
Any news with the Sparc version?
No.
Any news on a sparc version?
You should check www.blackdown.org, and the answer is no. Note that the current stable profile (2006.0/2.4) has java masked entirely, so when the previous ones are gone it can be safely nuked.
(In reply to comment #20)
> You should check www.blackdown.org, and the answer is no.
> Note that the current stable profile (2006.0/2.4) has java masked entirely, so
> when the previous ones are gone it can be safely nuked.

When do you plan on removing the previous ones?
When 2006.1 ships
Jason any news on this one?
We'll deprecate the 2005.1 profile later today, send a mail with a 30-day warning period and nuke java keywords/old profiles then.
The sparc cleanup is done: removed all java-dependent keywords from ebuilds and nuked the old profiles. Feel free to call us back if you feel nostalgic or something ;)
So ... do we even need a GLSA update on this now that sparc has been purged? Close it?
Thanks Matt. Indeed, the policy doesn't talk about this configuration in which a package has been removed for the unpatched architecture. I think neither a GLSA nor a GLSA update needs to be sent. And the note in GLSA 200506-14 is still true: "Note to SPARC users: There is no stable secure Blackdown Java for the SPARC architecture. Affected users should remove the package until a SPARC package is released." So I close this bug (finally :)). Feel free to reopen if you disagree.