Bug#: 194711
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Stefan Behte <craig@gentoo.org>
Bug 194711 depends on: 178962
Bug 194711 blocks: 198644 215614


Description:   Opened: 2007-10-04 14:07 0000
Hi, the bug reports can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

Affected Versions:
    * JDK and JRE 6 Update 2 and earlier
    * JDK and JRE 5.0 Update 12 and earlier
    * SDK and JRE 1.4.2_15 and earlier
    * SDK and JRE 1.3.1_20 and earlier

JDK:
dev-java/sun-jdk-1.5.0.13 is in portage, but it's keyworded, we should
stabilize it ASAP and mask 1.5.0.12. The same applies to 1.6.0.02/1.6.0.03.

1.4.2.16 is not in portage yet, should be added and then 1.4.2.15 should be
masked, too.

JRE:
For dev-java/sun-jre there are only vulnerable versions in portage. We need the
new ones and then the old ones should be masked.

------- Comment #1 From Petteri Räty 2007-10-04 14:27:06 0000 -------
amd64:
sun-jdk-1.5.0.13
sun-jdk-1.6.0.03
sun-jre-bin-1.5.0.13
sun-jre-bin-1.6.0.03
emul-linux-x86-java-1.5.0.13
emul-linux-x86-java-1.6.0.03
x86:
sun-jdk-1.4.2.16
sun-jdk-1.5.0.13
sun-jdk-1.6.0.03
sun-jre-bin-1.4.2.16
sun-jre-bin-1.5.0.13
sun-jre-bin-1.6.0.03

------- Comment #2 From Christian Faulhammer 2007-10-04 18:47:03 0000 -------
x86 stable

------- Comment #3 From Carsten Lohrke 2007-10-04 23:11:42 0000 -------
Don't miss app-emulation/emul-linux-x86-java in the GLSA. Also the three month
old bug 185256 didn't get a GLSA yet...

------- Comment #4 From William L. Thomson Jr. (RETIRED) 2007-10-12 00:35:05 0000 -------
amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps

------- Comment #5 From Chí-Thanh Christopher Nguyễn 2007-10-19 14:42:59 0000 -------
(In reply to comment #4)
> amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps

Maybe you could also mark virtual/jdk-1.6.0 stable while you are at it?

------- Comment #6 From William L. Thomson Jr. (RETIRED) 2007-10-19 14:56:54 0000 -------
virtual/jdk-1.6.0 stable on amd64, thanks for mentioning repoman didn't catch
it, and I forgot about it :)

------- Comment #7 From Robert Buchholz 2007-10-24 01:12:11 0000 -------
New vulnerability that should be mentioned in a GLSA.

A vulnerability in the Virtual Machine of the Java Runtime Environment may
allow an untrusted applet to elevate its privileges. For example, an applet may
grant itself permissions to read and write local files or execute local
applications that are accessible to the user running the untrusted applet.

..
This issue is addressed in the following releases (for Windows, Solaris, and
Linux):

    * JDK and JRE 6 Update 3 or later
    * JDK and JRE 5.0 Update 13 or later
    * SDK and JRE 1.4.2_16 or later

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1

------- Comment #8 From Robert Buchholz 2007-10-24 01:12:33 0000 -------
amd64, is there anything left to do for you?

------- Comment #9 From Vlastimil Babka (Caster) 2007-11-03 15:59:37 0000 -------
amd64 was done long ago.
Just the emul-linux-x86-java-1.4 stabling in bug 178962 and a GLSA on this
could supersede and finally close all those open bugs on sun and emul stuff
pending just glsa.

------- Comment #10 From Chris Gianelloni (RETIRED) 2007-11-06 23:44:12 0000 -------
OK.  I now have everything done for amd64...

------- Comment #11 From Peter Volkov 2008-02-25 10:42:44 0000 -------
This bug does not affect 2008.0 snapshot, removing release@ from CC.

------- Comment #12 From Robert Buchholz 2008-04-01 16:55:16 0000 -------
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1

------- Comment #13 From Robert Buchholz 2008-04-17 23:44:43 0000 -------
GLSA 200804-20, sorry for the long delay.
