Bug 233652 - dev-java/ibm-jdk-bin and ibm-jre-bin: multiple vulnerabilities
Bug#: 233652 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: ASSIGNED Severity: normal Priority: P2
Resolution:  Assigned To: security@gentoo.org Reported By: caster@gentoo.org
Component: Vulnerabilities
URL:  http://www.ibm.com/developerworks/java/jdk/alerts/
Summary: dev-java/ibm-jdk-bin and ibm-jre-bin: multiple vulnerabilities
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2008-08-01 22:23 0000
Description:   Opened: 2008-08-01 22:23 0000 
As usual, bugs in Sun JDK are likely to affect other vendors also due to shared
classes etc, and updatess come after a while after Sun updates. The IBM JDK
1.5.0.8 update I noticed today mentions the following security stuff in
changelog (which you probably can't access without login to IBM site):

asdev-20080626  136205  IZ24898 c       N/A     Sun Security Bulletin 150_16
jsdev-20080613  134284  IZ24844 c       6581221 Sun Security fixes 6450319
6557220 6581221 6607339 6661918
xs2dev-20080613 134284  IZ24844 c       6581221 Sun Security fixes 6450319
6557220 6581221 6607339 6661918

Some of the fix numbers are mentioned in Sun advisories in bug 231337. Not sure
if all apply to IBM and are fixed in this version. Seems IBM didn't release own
advisory yet. I'll at least put the new version in tree and ask for stabling.
There are no updates for slots 1.6 and 1.4 yet.

------- Comment #1 From Robert Buchholz 2008-08-02 12:06:56 0000 ------- 
Thanks for following this up, please cc arches as yo push updates.

------- Comment #2 From Vlastimil Babka (Caster) 2008-08-03 21:54:05 0000 ------- 
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.8. Distfiles as usual
via ssh d.g.o/~caster/tmp

------- Comment #3 From Markus Meier 2008-08-06 19:21:29 0000 ------- 
amd64/x86 stable

------- Comment #4 From Markus Rothe 2008-08-07 18:28:52 0000 ------- 
ppc64 stable

------- Comment #5 From Tobias Scherbaum 2008-08-19 21:12:47 0000 ------- 
ppc stable for 1.5.0.8

------- Comment #6 From Vlastimil Babka (Caster) 2008-09-09 04:52:50 0000 ------- 
Bah, instead of the other slots they released 1.5.0.8a which has "Sun Security
fix 6332953" which is probably this vuln:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238965-1

So please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.8a. Distfiles as usual.

------- Comment #7 From Brent Baude 2008-09-10 13:37:32 0000 ------- 
ppc and ppc64 stable

------- Comment #8 From Kenneth Prugh 2008-09-10 15:49:26 0000 ------- 
amd64 stable

------- Comment #9 From Markus Meier 2008-09-12 22:17:12 0000 ------- 
x86 stable, all arches done for 1.5

------- Comment #10 From Vlastimil Babka (Caster) 2008-09-16 07:45:40 0000 ------- 
So, IBM finally released alerts (in $URL) and a fixed 1.6 which I'm gonna
update. No 1.4 yet.

------- Comment #11 From Vlastimil Babka (Caster) 2008-09-16 09:52:58 0000 ------- 
ppc/ppc64 please stabilize (other arches don't have any 1.6 stable yet)

dev-java/ibm-jdk-bin-1.6.0.2

distfiles as usual

------- Comment #12 From Vlastimil Babka (Caster) 2008-09-16 09:53:48 0000 ------- 
(In reply to comment #11)
> ppc/ppc64 please stabilize (other arches don't have any 1.6 stable yet)
> dev-java/ibm-jdk-bin-1.6.0.2

actually adding arches to CC, sorry...

------- Comment #13 From Markus Rothe 2008-09-17 15:14:07 0000 ------- 
ppc/ppc64 stable

------- Comment #14 From Vlastimil Babka (Caster) 2008-10-11 17:16:33 0000 ------- 
Please stabilize the finally released 1.4.2.12 (jdk and jre), as usual.

------- Comment #15 From Vlastimil Babka (Caster) 2008-10-11 17:51:31 0000 ------- 
Turns out in bug 240384 that I've used old distfiles for the javacomm optional
stuff in 1.6, so ppc/ppc64 please stabilize also ibm-jdk-bin-1.6.0.2-r1 thanks.

------- Comment #16 From Markus Meier 2008-10-12 15:12:31 0000 ------- 
amd64/x86 stable

------- Comment #17 From Markus Rothe 2008-10-14 08:17:29 0000 ------- 
1.6.0.2-r1 stable on ppc/ppc64.

------- Comment #18 From Vlastimil Babka (Caster) 2008-10-14 18:51:32 0000 ------- 
(In reply to comment #17)
> 1.6.0.2-r1 stable on ppc/ppc64.

Please do also 1.4.2.12 (jdk and jre) see comment 14, sorry for confusion.

------- Comment #19 From Markus Rothe 2008-10-15 07:47:38 0000 ------- 
whoops.. 1.4.2.12 (jdk and jre) stable on ppc/ppc64, too.

------- Comment #20 From Vlastimil Babka (Caster) 2008-10-18 22:04:02 0000 ------- 
all done except glsa

------- Comment #21 From Robert Buchholz 2008-10-19 20:40:35 0000 ------- 
request filed, thanks caster.

------- Comment #22 From Vlastimil Babka (Caster) 2009-01-14 09:15:27 0000 ------- 
Looks officially obsoleted/additive to bug 252416 now.