Bug#: 252416
Status: ASSIGNED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Vlastimil Babka (Caster) <caster@gentoo.org>
Bug 252416 depends on: 233652 Show dependency tree
Bug 252416 blocks: 215614 287490

Description:   Opened: 2008-12-24 18:44 0000
There is no advisory from IBM I know of, but the changelog of 1.5.0.9 contains
several security mentions:

wsdev-20081119  143565  IZ37676 c       N/A     Sun Security Fix 6767668
asdev-20081030  143026  -       c       N/A     Sun Security Defects
asdev-20081029  142959  -       c       N/A     Sun Security Defects
audev-20081028  142130  IZ35743 c       N/A     Sun Security Defects
asdev-20081028  142130  IZ35743 c       N/A     Sun Security Defects
asdev-20081028  142691  IZ35744 c       N/A     Sun Security Defects
wsdev-20081028  142130  IZ35743 c       N/A     Sun Security Defects
asdevplug-20081028      142130  IZ35743 c       N/A     Sun Security Defects
asdev-20080813  139180  IZ29053 c       6332953 Sun Security fix 6332953

------- Comment #1 From Vlastimil Babka (Caster) 2008-12-24 18:45:38 0000 -------
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.9. Distfiles as usual
via ssh d.g.o/~caster/tmp

------- Comment #2 From Markus Meier 2008-12-25 10:18:23 0000 -------
amd64/x86 stable

------- Comment #3 From Tobias Scherbaum 2008-12-29 18:26:05 0000 -------
ppc stable

------- Comment #4 From Brent Baude 2009-01-06 17:07:17 0000 -------
ppc64 done

------- Comment #5 From Vlastimil Babka (Caster) 2009-01-14 09:11:39 0000 -------
Alerts appeared on ibm's $URL. Good that we did 1.5.0.9 - it's fixed. For 1.4
and 1.6 there are not yet releases, as usual :/

------- Comment #6 From Raphael Marichez 2009-02-27 22:56:07 0000 -------
Due to impacts like DoS, privilege escalation and remote execution of arbitrary
code, I set the bug to B3.

I would vote for a GLSA because of the numerous possible attack vectors and the
very wide usage of Java.

------- Comment #7 From Vlastimil Babka (Caster) 2009-03-29 23:12:02 0000 -------
ppc/ppc64 please stabilize ibm-jdk-bin-1.6.0.4; distfiles are being uploaded as
usual (comment 1).

------- Comment #8 From Brent Baude 2009-03-30 16:00:37 0000 -------
ppc and ppc64 done

------- Comment #9 From Vlastimil Babka (Caster) 2009-04-02 11:44:48 0000 -------
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.4.2.13. Distfiles as
usual.

------- Comment #10 From Joe Jezak 2009-04-02 22:13:54 0000 -------
Marked 1.4.2.13 ppc/ppc64 stable.

------- Comment #11 From Joe Jezak 2009-04-03 12:58:32 0000 -------
Removing ppc/ppc64 CC's (sorry for the bugspam).

------- Comment #12 From Markus Meier 2009-04-04 13:54:52 0000 -------
amd64/x86 stable, all arches done.

------- Comment #13 From Vlastimil Babka (Caster) 2009-04-05 18:37:47 0000 -------
All that's left is the GLSA then, also covering bug 233652.

------- Comment #14 From Vlastimil Babka (Caster) 2009-04-21 19:13:13 0000 -------
(In reply to comment #10)
> Marked 1.4.2.13 ppc/ppc64 stable.
> 

You forgot ibm-jre-bin, please do.

------- Comment #15 From Vlastimil Babka (Caster) 2009-04-21 19:18:38 0000 -------
Also please note that the distfiles of 1.6 were meanwhile changed upstream and
redigested (bug 265760) so take care not to redigest with the old ones - remove
DISTDIR/ibm-java-*6.0-4.0* or use FEATURES=assume-digests etc...

------- Comment #16 From Vlastimil Babka (Caster) 2009-04-22 13:03:48 0000 -------
So, apparently 1.5.0.9 was not fixed, IBM released a security update, which I
bumped as 1.5.0.9-r1. They didn't care to rename the versions distfiles though.
To prevent users from renaming distfiles of the fixed version (in order to
coexist with the old version), the old ebuild was updated to expect old
distfiles to be renamed to .old.tgz.

So, please stabilize 1.5.0.9-r1, you need to download new distfiles from usual
place and rename or replace the old distfiles. Take care also about comment 15.
Sorry that their naming schemes suck.

------- Comment #17 From Brent Baude 2009-04-22 14:30:25 0000 -------
ppc and ppc64 done

------- Comment #18 From Markus Meier 2009-05-01 14:21:29 0000 -------
amd64/x86 stable, all arches done.

------- Comment #19 From Stefan Behte 2009-08-08 22:45:56 0000 -------
Remote passive execution of arbitrary code is B2.
Added to already existing glsa.
