198644 2007-11-10 11:20 0000 dev-java/ibm-jdk-bin <= 1.5.0.5a and <=1.4.2.9 (and ibm-jre-bin) affected by recent Sun JDK security bugs 2008-06-26 13:07:07 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www-128.ibm.com/developerworks/java/jdk/alerts/ B2 [glsa] P2 normal --- 194711 215614 1 caster@gentoo.org security@gentoo.org java@gentoo.org caster@gentoo.org 2007-11-10 11:20:44 0000 From the changelog of ibm-jdk-bin 1.5.0.6: asdev-20070928 125917 IZ05366 c N/A Sun security fixes 6608640 and 6609269 asdev-20070921 125434 IZ04780 c N/A Sun Security fix 6605149 asdev-20070915 124940 - c N/A X509Factory does not use SecurityManager audev-20070914 125019 IZ04776 c N/A Sun Security WebRev Bundles Announcement September 08, 2007 asdev-20070914 125019 IZ04776 c N/A Sun Security WebRev Bundles Announcement September 08, 2007 You can get the full changelog by going to the download page from here (unfortunately requires registration) http://www-128.ibm.com/developerworks/java/jdk/linux/download.html Didn't find any IBM security advisories, but maybe they exist too. caster@gentoo.org 2007-11-11 00:02:34 0000 Arches, please stabilize: dev-java/ibm-jdk-bin-1.5.0.6 dev-java/ibm-jre-bin-1.5.0.6 The distfiles are as usual available via scp from d.g.o/~caster/tmp/ cla@gentoo.org 2007-11-11 15:01:47 0000 x86 stable corsair@gentoo.org 2007-11-12 19:36:14 0000 ppc64 stable astinus@gentoo.org 2007-11-14 15:42:39 0000 stable on amd64 dertobi123@gentoo.org 2007-11-18 18:23:37 0000 ppc stable caster@gentoo.org 2007-11-23 21:43:39 0000 So I found the security alerts url today, and know that 1.4.2.9 is also affected, and the fixed 1.4.2.10 is not yet available so we have to wait. caster@gentoo.org 2008-02-26 16:35:16 0000 Hm looks like 1.4.2.10 was finally released month ago, so bumped. Arches, please stabilize: dev-java/ibm-jdk-bin-1.4.2.10 dev-java/ibm-jre-bin-1.4.2.10 The distfiles will be as usual available via scp from d.g.o/~caster/tmp/ Pretty sure this does not affect release... rbu@gentoo.org 2008-02-26 16:40:44 0000 Adding release just to make sure. fauli@gentoo.org 2008-02-27 09:16:04 0000 IBMJava2-SDK-1.4.2-10.0.tgz is missing, Vlastimil. /me will never ever touch the IBM interface again. jaervosz@gentoo.org 2008-02-27 09:20:37 0000 Back to ebuild to get this fixed. fauli@gentoo.org 2008-02-27 09:35:33 0000 (In reply to comment #10) > Back to ebuild to get this fixed. Not needed, really...masochistic people could get the tarball themselves (and ppc, amd64, ppc64 are complete, by the way). jaervosz@gentoo.org 2008-02-27 09:37:45 0000 Ahh ok. Thx. caster@gentoo.org 2008-02-27 21:58:16 0000 Sorry, my upload rate sucks, had to interrupt it and forgot to resume. It's all there now. fauli@gentoo.org 2008-02-28 08:31:45 0000 x86 stable ranger@gentoo.org 2008-02-29 02:17:08 0000 Pretty sure this is good for ppc64 now, heh, ping if not...stuck in releng work dertobi123@gentoo.org 2008-03-05 21:09:20 0000 1.4.2.10 stable for ppc welp@gentoo.org 2008-03-10 08:58:54 0000 amd64 stable welp@gentoo.org 2008-03-10 16:12:44 0000 And now I've done ibm-jre-bin too! pva@gentoo.org 2008-03-10 18:09:04 0000 Fixed in release snapshot. rbu@gentoo.org 2008-04-05 22:14:26 0000 Yeah, sure, glsa with other ibm bugs :-) rbu@gentoo.org 2008-06-26 13:07:07 0000 GLSA 200806-11