194711 2007-10-04 14:07 0000 security bugs in <=dev-java/sun-j[dk,re]-1.6.0.02 / <=dev-java/sun-j[dk,re]-1.5.0.12 / <=dev-java/sun-j[dk,re]-1.4.2.15 (CVE-2007-{5232,5237,5238,5239,5240,5273,5274,5689}) 2008-04-17 23:44:43 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED ? [glsa] P2 major --- 178962 198644 215614 1 craig@gentoo.org security@gentoo.org bernd@linx.net chainsaw@gentoo.org java@gentoo.org craig@gentoo.org 2007-10-04 14:07:09 0000 Hi, the bug reports can be found at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1 Affected Versions: * JDK and JRE 6 Update 2 and earlier * JDK and JRE 5.0 Update 12 and earlier * SDK and JRE 1.4.2_15 and earlier * SDK and JRE 1.3.1_20 and earlier JDK: dev-java/sun-jdk-1.5.0.13 is in portage, but it's keyworded, we should stabilize it ASAP and mask 1.5.0.12. The same applies to 1.6.0.02/1.6.0.03. 1.4.2.16 is not in portage yet, should be added and then 1.4.2.15 should be masked, too. JRE: For dev-java/sun-jre there are only vulnerable versions in portage. We need the new ones and then the old ones should be masked. betelgeuse@gentoo.org 2007-10-04 14:27:06 0000 amd64: sun-jdk-1.5.0.13 sun-jdk-1.6.0.03 sun-jre-bin-1.5.0.13 sun-jre-bin-1.6.0.03 emul-linux-x86-java-1.5.0.13 emul-linux-x86-java-1.6.0.03 x86: sun-jdk-1.4.2.16 sun-jdk-1.5.0.13 sun-jdk-1.6.0.03 sun-jre-bin-1.4.2.16 sun-jre-bin-1.5.0.13 sun-jre-bin-1.6.0.03 fauli@gentoo.org 2007-10-04 18:47:03 0000 x86 stable carlo@gentoo.org 2007-10-04 23:11:42 0000 Don't miss app-emulation/emul-linux-x86-java in the GLSA. Also the three month old bug 185256 didn't got a GLSA yet... wltjr@gentoo.org 2007-10-12 00:35:05 0000 amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps chithanh@cs.tu-berlin.de 2007-10-19 14:42:59 0000 (In reply to comment #4) > amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps maybe you could also mark virtual/jdk-1.6.0 stable while you are at it? wltjr@gentoo.org 2007-10-19 14:56:54 0000 virtual/jdk-1.6.0 stable on amd64, thanks for mentioning repoman didn't catch it, and I forgot about it :) rbu@gentoo.org 2007-10-24 01:12:11 0000 New vulnerability that should be mentioned in a GLSA. A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. .. This issue is addressed in the following releases (for Windows, Solaris, and Linux): * JDK and JRE 6 Update 3 or later * JDK and JRE 5.0 Update 13 or later * SDK and JRE 1.4.2_16 or later http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1 rbu@gentoo.org 2007-10-24 01:12:33 0000 amd64, is there anything left to do for you? caster@gentoo.org 2007-11-03 15:59:37 0000 amd64 was done long ago. Just the emul-linux-x86-java-1.4 stabling in bug 178962 and a GLSA on this could superseed and finally close all those open bugs on sun and emul stuff pending just glsa. wolf31o2@gentoo.org 2007-11-06 23:44:12 0000 OK. I now have everything done for amd64... pva@gentoo.org 2008-02-25 10:42:44 0000 This bug does not affect 2008.0 snapshot, removing release@ from CC. rbu@gentoo.org 2008-04-01 16:55:16 0000 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1 rbu@gentoo.org 2008-04-17 23:44:43 0000 GLSA 200804-20, sorry for the long delay.