186277 2007-07-22 21:57 0000 dev-java/{ibm-jdk-bin|ibm-jre-bin}-{1.4.2.8|1.5.0.5} affected by GLSA 200705-23 2008-06-26 13:06:55 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://scary.beasts.org/security/CESA-2006-004.html B4? [glsa] P2 minor --- 215614 1 caster@gentoo.org security@gentoo.org java@gentoo.org caster@gentoo.org 2007-07-22 21:57:36 0000 At least on my x86, the testcases found at $URL are crashing it similarly to Sun JDK (bug 178851, I think IBM licenses most of their code anyway). I'm bumping to 1.4.2.9 which I found to be released and that has it apparently fixed (safe java exception about bad ICC data instead of crash). But we'll need to wait for update of the 1.5 slot. caster@gentoo.org 2007-07-22 22:10:09 0000 Arches please stabilize: dev-java/ibm-jdk-bin-1.4.2.9 dev-java/ibm-jre-bin-1.4.2.9 Sorry to amd64 which just stabilized 1.4.2.8 before I found out about the new one :) You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with IBM accounts. fauli@gentoo.org 2007-07-23 07:48:37 0000 (In reply to comment #1) > You can get the distfiles via ssh from d.g.o/~caster/tmp to avoid hassle with > IBM accounts. To be honest: This type of download restriction is a fucking piece of shit and I just hate it. If I ever meet the responsible person I will hit him/her hard in the face. x86 stable corsair@gentoo.org 2007-07-25 05:27:04 0000 ppc64 stable dertobi123@gentoo.org 2007-07-27 22:56:02 0000 ppc stable beandog@gentoo.org 2007-08-12 14:36:40 0000 amd64 stable caster@gentoo.org 2007-08-21 10:13:08 0000 OK, so IBM released 1.5.0.5a which is just security fixes and apparently fixes this one vulnerability. Added to tree, arches please stabilize: dev-java/ibm-jdk-bin-1.5.0.5a dev-java/ibm-jre-bin-1.5.0.5a Note that jre SLOT 1.5 was not stable yet, but 1) 1.5.0.5 was there in ~arch for two months and 1.5.0.5a is only security fix (according to changelog) and 2) jre is just a subset of jdk which is stable, so I think there's no need to wait 30 days. You can get the distfiles again per comment 1. (i'm still uploading tho so you might have to wait if you are too fast :) fauli@gentoo.org 2007-08-21 18:04:41 0000 x86 stable dertobi123@gentoo.org 2007-08-22 16:00:47 0000 ppc stable corsair@gentoo.org 2007-08-29 10:11:18 0000 ppc64 stable beandog@gentoo.org 2007-09-08 01:23:13 0000 amd64 stable caster@gentoo.org 2007-09-08 01:46:56 0000 Which was last arch. aetius@gentoo.org 2007-09-09 22:23:48 0000 I'll vote yes - the linked URL is talking about exploitable buffer overflows. py@gentoo.org 2007-09-12 08:37:10 0000 voting yes too, maybe combined with the sun jdk/jre draft. rbu@gentoo.org 2008-06-26 13:06:55 0000 GLSA 200806-11