Bug 198644 - dev-java/ibm-jdk-bin <= 1.5.0.5a and <=1.4.2.9 (and ibm-jre-bin) affected by recent Sun JDK security bugs
Bug#: 198644 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: caster@gentoo.org
Component: Vulnerabilities
URL:  http://www-128.ibm.com/developerworks/java/jdk/alerts/
Summary: dev-java/ibm-jdk-bin <= 1.5.0.5a and <=1.4.2.9 (and ibm-jre-bin) affected by recent Sun JDK security bugs
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2007-11-10 11:20 0000
Description:   Opened: 2007-11-10 11:20 0000 
From the changelog of ibm-jdk-bin 1.5.0.6:

asdev-20070928  125917  IZ05366 c       N/A     Sun security fixes 6608640 and
6609269
asdev-20070921  125434  IZ04780 c       N/A     Sun Security fix 6605149
asdev-20070915  124940  -       c       N/A     X509Factory does not use
SecurityManager
audev-20070914  125019  IZ04776 c       N/A     Sun Security WebRev Bundles
Announcement September 08, 2007
asdev-20070914  125019  IZ04776 c       N/A     Sun Security WebRev Bundles
Announcement September 08, 2007

You can get the full changelog by going to the download page from here
(unfortunately requires registration)
http://www-128.ibm.com/developerworks/java/jdk/linux/download.html
Didn't find any IBM security advisories, but maybe they exist too.

------- Comment #1 From Vlastimil Babka (Caster) 2007-11-11 00:02:34 0000 ------- 
Arches, please stabilize:

dev-java/ibm-jdk-bin-1.5.0.6
dev-java/ibm-jre-bin-1.5.0.6

The distfiles are as usual available via scp from d.g.o/~caster/tmp/

------- Comment #2 From Dawid Węgliński 2007-11-11 15:01:47 0000 ------- 
x86 stable

------- Comment #3 From Markus Rothe 2007-11-12 19:36:14 0000 ------- 
ppc64 stable

------- Comment #4 From Alex Howells 2007-11-14 15:42:39 0000 ------- 
stable on amd64

------- Comment #5 From Tobias Scherbaum 2007-11-18 18:23:37 0000 ------- 
ppc stable

------- Comment #6 From Vlastimil Babka (Caster) 2007-11-23 21:43:39 0000 ------- 
So I found the security alerts url today, and know that 1.4.2.9 is also
affected, and the fixed 1.4.2.10 is not yet available so we have to wait.

------- Comment #7 From Vlastimil Babka (Caster) 2008-02-26 16:35:16 0000 ------- 
Hm looks like 1.4.2.10 was finally released month ago, so bumped.
Arches, please stabilize:

dev-java/ibm-jdk-bin-1.4.2.10
dev-java/ibm-jre-bin-1.4.2.10

The distfiles will be as usual available via scp from d.g.o/~caster/tmp/

Pretty sure this does not affect release...

------- Comment #8 From Robert Buchholz 2008-02-26 16:40:44 0000 ------- 
Adding release just to make sure.

------- Comment #9 From Christian Faulhammer 2008-02-27 09:16:04 0000 ------- 
IBMJava2-SDK-1.4.2-10.0.tgz is missing, Vlastimil.

/me will never ever touch the IBM interface again.

------- Comment #10 From Sune Kloppenborg Jeppesen 2008-02-27 09:20:37 0000 ------- 
Back to ebuild to get this fixed.

------- Comment #11 From Christian Faulhammer 2008-02-27 09:35:33 0000 ------- 
(In reply to comment #10)
> Back to ebuild to get this fixed.

 Not needed, really...masochistic people could get the tarball themselves (and
ppc, amd64, ppc64 are complete, by the way).

------- Comment #12 From Sune Kloppenborg Jeppesen 2008-02-27 09:37:45 0000 ------- 
Ahh ok. Thx.

------- Comment #13 From Vlastimil Babka (Caster) 2008-02-27 21:58:16 0000 ------- 
Sorry, my upload rate sucks, had to interrupt it and forgot to resume. It's all
there now.

------- Comment #14 From Christian Faulhammer 2008-02-28 08:31:45 0000 ------- 
x86 stable

------- Comment #15 From Brent Baude 2008-02-29 02:17:08 0000 ------- 
Pretty sure this is good for ppc64 now, heh, ping if not...stuck in releng work

------- Comment #16 From Tobias Scherbaum 2008-03-05 21:09:20 0000 ------- 
1.4.2.10 stable for ppc

------- Comment #17 From Peter Weller 2008-03-10 08:58:54 0000 ------- 
amd64 stable

------- Comment #18 From Peter Weller 2008-03-10 16:12:44 0000 ------- 
And now I've done ibm-jre-bin too!

------- Comment #19 From Peter Volkov 2008-03-10 18:09:04 0000 ------- 
Fixed in release snapshot.

------- Comment #20 From Robert Buchholz 2008-04-05 22:14:26 0000 ------- 
Yeah, sure, glsa with other ibm bugs :-)

------- Comment #21 From Robert Buchholz 2008-06-26 13:07:07 0000 ------- 
GLSA 200806-11