http://sunsolve.sun.com/search/document.do?assetkey=1-26-102731-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1
Fixed with 1.4.2.13/1.5.0.09. There's already a new update available, though. Who knows what Sun announces later...
Let's get the following things stable then: =sun-{jdk,jre-bin}-1.5.09* =sun-{jdk,jre-bin}-1.4.13*
I tested the following packages:
dev-java/sun-jdk-1.4.2.13
dev-java/sun-jdk-1.5.0.09
dev-java/sun-jre-bin-1.4.2.13
dev-java/sun-jre-bin-1.5.0.09
all emerge on x86, pass collision test and work.
Please note:
A Notice: pre-stripped files found:
/var/tmp/portage/sun-jdk-1.4.2.13/image/opt/sun-jdk-1.4.2.13/bin/java
/var/tmp/portage/sun-jdk-1.4.2.13/image/opt/sun-jdk-1.4.2.13/bin/javac
....
QA Notice: pre-stripped files found:
/var/tmp/portage/sun-jre-bin-1.4.2.13/image/opt/sun-jre-bin-1.4.2.13/bin/java
/var/tmp/portage/sun-jre-bin-1.4.2.13/image/opt/sun-jre-bin-1.4.2.13/bin/keytool
...
(In reply to comment #2)
>
> Please note:
> A Notice: pre-stripped files found:
Nothing we can do as Sun only has binary releases for these versions. GPL comes hopefully with 1.7.
x86 done
Merry Christmas :)
amd64 done. GLSA?
Removed the vulnerable versions, and removed amd64 keyword (added by mistake) from 1.4.2.13. We forgot about app-emulation/emul-linux-x86-java... 1.5.0.08 is in fact sun-jdk, but if I read the links correctly, the fixed versions are in fact >=1.5.0.08, not 1.5.0.09? What's worse - blackdown-jdk-1.4.2.03 is IIRC just relicensed sun-jdk so it's probably also vulnerable. But we can't kill the only 1.4 JDK for amd64 yet... emul-linux-x86-java-1.4* is also blackdown-jdk, although it could probably be changed to sun.
(In reply to comment #6)
> amd64 done.
>
> GLSA?
>
according to http://sunsolve.sun.com/search/document.do?assetkey=1-26-102729-1 it's an A2 -> GLSA. Thanks Malcolm
> We forgot about app-emulation/emul-linux-x86-java... 1.5.0.08 is in fact
> sun-jdk, but if I read the links correctly, the fixed versions are in fact
> >=1.5.0.08, not 1.5.0.09?
thanks, this will be handled on bug 159547
> What's worse - blackdown-jdk-1.4.2.03 is IIRC just relicensed sun-jdk so it's
> probably also vulnerable. But we can't kill the only 1.4 JDK for amd64 yet...
> emul-linux-x86-java-1.4* is also blackdown-jdk, although it could probably be
> changed to sun.
right, bug 161835
dev-java/sun-jdk-1.5.0.10 and dev-java/sun-jre-bin-1.5.0.10 build, pass collision test, and work on amd64.
GLSA 200601-15, thanks everybody.
(In reply to comment #11)
> GLSA 200601-15, thanks everybody.
>
200701-15 of course