233652 2008-08-01 22:23 0000 dev-java/ibm-jdk-bin and ibm-jre-bin: multiple vulnerabilities 2009-01-14 09:15:27 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux ASSIGNED http://www.ibm.com/developerworks/java/jdk/alerts/ B2 [glsa] P2 normal --- 231337 215614 239991 240384 252416 1 caster@gentoo.org security@gentoo.org java@gentoo.org caster@gentoo.org 2008-08-01 22:23:43 0000 As usual, bugs in Sun JDK are likely to affect other vendors also due to shared classes etc, and updatess come after a while after Sun updates. The IBM JDK 1.5.0.8 update I noticed today mentions the following security stuff in changelog (which you probably can't access without login to IBM site): asdev-20080626 136205 IZ24898 c N/A Sun Security Bulletin 150_16 jsdev-20080613 134284 IZ24844 c 6581221 Sun Security fixes 6450319 6557220 6581221 6607339 6661918 xs2dev-20080613 134284 IZ24844 c 6581221 Sun Security fixes 6450319 6557220 6581221 6607339 6661918 Some of the fix numbers are mentioned in Sun advisories in bug 231337. Not sure if all apply to IBM and are fixed in this version. Seems IBM didn't release own advisory yet. I'll at least put the new version in tree and ask for stabling. There are no updates for slots 1.6 and 1.4 yet. rbu@gentoo.org 2008-08-02 12:06:56 0000 Thanks for following this up, please cc arches as yo push updates. caster@gentoo.org 2008-08-03 21:54:05 0000 Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.8. Distfiles as usual via ssh d.g.o/~caster/tmp maekke@gentoo.org 2008-08-06 19:21:29 0000 amd64/x86 stable corsair@gentoo.org 2008-08-07 18:28:52 0000 ppc64 stable dertobi123@gentoo.org 2008-08-19 21:12:47 0000 ppc stable for 1.5.0.8 caster@gentoo.org 2008-09-09 04:52:50 0000 Bah, instead of the other slots they released 1.5.0.8a which has "Sun Security fix 6332953" which is probably this vuln: http://sunsolve.sun.com/search/document.do?assetkey=1-66-238965-1 So please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.8a. Distfiles as usual. ranger@gentoo.org 2008-09-10 13:37:32 0000 ppc and ppc64 stable ken69267@gentoo.org 2008-09-10 15:49:26 0000 amd64 stable maekke@gentoo.org 2008-09-12 22:17:12 0000 x86 stable, all arches done for 1.5 caster@gentoo.org 2008-09-16 07:45:40 0000 So, IBM finally released alerts (in $URL) and a fixed 1.6 which I'm gonna update. No 1.4 yet. caster@gentoo.org 2008-09-16 09:52:58 0000 ppc/ppc64 please stabilize (other arches don't have any 1.6 stable yet) dev-java/ibm-jdk-bin-1.6.0.2 distfiles as usual caster@gentoo.org 2008-09-16 09:53:48 0000 (In reply to comment #11) > ppc/ppc64 please stabilize (other arches don't have any 1.6 stable yet) > dev-java/ibm-jdk-bin-1.6.0.2 actually adding arches to CC, sorry... corsair@gentoo.org 2008-09-17 15:14:07 0000 ppc/ppc64 stable caster@gentoo.org 2008-10-11 17:16:33 0000 Please stabilize the finally released 1.4.2.12 (jdk and jre), as usual. caster@gentoo.org 2008-10-11 17:51:31 0000 Turns out in bug 240384 that I've used old distfiles for the javacomm optional stuff in 1.6, so ppc/ppc64 please stabilize also ibm-jdk-bin-1.6.0.2-r1 thanks. maekke@gentoo.org 2008-10-12 15:12:31 0000 amd64/x86 stable corsair@gentoo.org 2008-10-14 08:17:29 0000 1.6.0.2-r1 stable on ppc/ppc64. caster@gentoo.org 2008-10-14 18:51:32 0000 (In reply to comment #17) > 1.6.0.2-r1 stable on ppc/ppc64. Please do also 1.4.2.12 (jdk and jre) see comment 14, sorry for confusion. corsair@gentoo.org 2008-10-15 07:47:38 0000 whoops.. 1.4.2.12 (jdk and jre) stable on ppc/ppc64, too. caster@gentoo.org 2008-10-18 22:04:02 0000 all done except glsa rbu@gentoo.org 2008-10-19 20:40:35 0000 request filed, thanks caster. caster@gentoo.org 2009-01-14 09:15:27 0000 Looks officially obsoleted/additive to bug 252416 now.