Hi, the bug reports can be found at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1 http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1 Affected Versions: * JDK and JRE 6 Update 2 and earlier * JDK and JRE 5.0 Update 12 and earlier * SDK and JRE 1.4.2_15 and earlier * SDK and JRE 1.3.1_20 and earlier JDK: dev-java/sun-jdk-1.5.0.13 is in portage, but it's keyworded, we should stabilize it ASAP and mask 1.5.0.12. The same applies to 1.6.0.02/1.6.0.03. 1.4.2.16 is not in portage yet, should be added and then 1.4.2.15 should be masked, too. JRE: For dev-java/sun-jre there are only vulnerable versions in portage. We need the new ones and then the old ones should be masked.
amd64: sun-jdk-1.5.0.13 sun-jdk-1.6.0.03 sun-jre-bin-1.5.0.13 sun-jre-bin-1.6.0.03 emul-linux-x86-java-1.5.0.13 emul-linux-x86-java-1.6.0.03 x86: sun-jdk-1.4.2.16 sun-jdk-1.5.0.13 sun-jdk-1.6.0.03 sun-jre-bin-1.4.2.16 sun-jre-bin-1.5.0.13 sun-jre-bin-1.6.0.03
x86 stable
Don't miss app-emulation/emul-linux-x86-java in the GLSA. Also the three month old bug 185256 didn't got a GLSA yet...
amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps
(In reply to comment #4) > amd64 stable, along with java-sdk-docs and sun-jce-bin 1.6.0 deps maybe you could also mark virtual/jdk-1.6.0 stable while you are at it?
virtual/jdk-1.6.0 stable on amd64, thanks for mentioning repoman didn't catch it, and I forgot about it :)
New vulnerability that should be mentioned in a GLSA. A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. .. This issue is addressed in the following releases (for Windows, Solaris, and Linux): * JDK and JRE 6 Update 3 or later * JDK and JRE 5.0 Update 13 or later * SDK and JRE 1.4.2_16 or later http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1
amd64, is there anything left to do for you?
amd64 was done long ago. Just the emul-linux-x86-java-1.4 stabling in bug 178962 and a GLSA on this could superseed and finally close all those open bugs on sun and emul stuff pending just glsa.
OK. I now have everything done for amd64...
This bug does not affect 2008.0 snapshot, removing release@ from CC.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1
GLSA 200804-20, sorry for the long delay.
