Gentoo Full Text Bug Listing

Description:

Opened: 2007-10-04 14:07 0000

Hi, the bug reports can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

Affected Versions:
    * JDK and JRE 6 Update 2 and earlier
    * JDK and JRE 5.0 Update 12 and earlier
    * SDK and JRE 1.4.2_15 and earlier
    * SDK and JRE 1.3.1_20 and earlier

JDK:
dev-java/sun-jdk-1.5.0.13 is in portage, but it's keyworded, we should
stabilize it ASAP and mask 1.5.0.12. The same applies to 1.6.0.02/1.6.0.03.

1.4.2.16 is not in portage yet, should be added and then 1.4.2.15 should be
masked, too.

JRE:
For dev-java/sun-jre there are only vulnerable versions in portage. We need the
new ones and then the old ones should be masked.

------- Comment #1 From Petteri Räty 2007-10-04 14:27:06 0000 -------

amd64:
sun-jdk-1.5.0.13
sun-jdk-1.6.0.03
sun-jre-bin-1.5.0.13
sun-jre-bin-1.6.0.03
emul-linux-x86-java-1.5.0.13
emul-linux-x86-java-1.6.0.03
x86:
sun-jdk-1.4.2.16
sun-jdk-1.5.0.13
sun-jdk-1.6.0.03
sun-jre-bin-1.4.2.16
sun-jre-bin-1.5.0.13
sun-jre-bin-1.6.0.03

------- Comment #3 From Carsten Lohrke 2007-10-04 23:11:42 0000 -------

Don't miss app-emulation/emul-linux-x86-java in the GLSA. Also the three month
old bug 185256 didn't got a GLSA yet...

------- Comment #4 From William L. Thomson Jr. (RETIRED) 2007-10-12 00:35:05 0000 -------

amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps

------- Comment #5 From Chí-Thanh Christopher Nguyễn 2007-10-19 14:42:59 0000 -------

(In reply to comment #4)
> amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps

maybe you could also mark virtual/jdk-1.6.0 stable while you are at it?

------- Comment #6 From William L. Thomson Jr. (RETIRED) 2007-10-19 14:56:54 0000 -------

virtual/jdk-1.6.0 stable on amd64, thanks for mentioning repoman didn't catch
it, and I forgot about it :)

------- Comment #7 From Robert Buchholz 2007-10-24 01:12:11 0000 -------

New vulnerability that should be mentioned in a GLSA.

A vulnerability in the Virtual Machine of the Java Runtime Environment may
allow an untrusted applet to elevate its privileges. For example, an applet may
grant itself permissions to read and write local files or execute local
applications that are accessible to the user running the untrusted applet.

..
This issue is addressed in the following releases (for Windows, Solaris, and
Linux):

    * JDK and JRE 6 Update 3 or later
    * JDK and JRE 5.0 Update 13 or later
    * SDK and JRE 1.4.2_16 or later

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1

------- Comment #8 From Robert Buchholz 2007-10-24 01:12:33 0000 -------

amd64, is there anything left to do for you?

------- Comment #9 From Vlastimil Babka (Caster) 2007-11-03 15:59:37 0000 -------

amd64 was done long ago.
Just the emul-linux-x86-java-1.4 stabling in bug 178962 and a GLSA on this
could superseed and finally close all those open bugs on sun and emul stuff
pending just glsa.

------- Comment #10 From Chris Gianelloni (RETIRED) 2007-11-06 23:44:12 0000 -------

OK.  I now have everything done for amd64...

------- Comment #11 From Peter Volkov 2008-02-25 10:42:44 0000 -------

This bug does not affect 2008.0 snapshot, removing release@ from CC.

------- Comment #13 From Robert Buchholz 2008-04-17 23:44:43 0000 -------

GLSA 200804-20, sorry for the long delay.

Bug#: 194711	Product: Gentoo Security	Version: unspecified	Platform: All
OS/Version: All	Status: RESOLVED	Severity: major	Priority: P2
Resolution: FIXED	Assigned To: security@gentoo.org	Reported By: craig@gentoo.org
Component: Vulnerabilities
URL:
Summary: security bugs in <=dev-java/sun-j[dk,re]-1.6.0.02 / <=dev-java/sun-j[dk,re]-1.5.0.12 / <=dev-java/sun-j[dk,re]-1.4.2.15 (CVE-2007-{5232,5237,5238,5239,5240,5273,5274,5689})
Keywords:
Status Whiteboard: ? [glsa]
Opened: 2007-10-04 14:07 0000