When applying GLSA advisories on this system, glsa-check attempts to downgrade an unaffected version of sun-jdk:
    # glsa-check -p 200705-23
    Checking GLSA 200705-23
    The following updates will be performed for this GLSA:
         dev-java/sun-jdk-1.5.0.15 (1.6.0.05)
According to glsa-check -d 200705-23, the installed version is not affected by this GLSA:
    # glsa-check -d 200705-23
    GLSA 200705-23: Sun JDK/JRE: Multiple vulnerabilities
    ============================================================================
    Synopsis: Multiple vulnerabilities have been identified in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE).
    Announced on: May 31, 2007
    Last revised on: October 02, 2007: 03
    Affected package: dev-java/sun-jre-bin
    Affected archs: All
    Vulnerable: <1.6.0.01
    Unaffected: >=~1.5.0.11 >=~1.4.2.14 >=1.6.0.01 >=~1.4.2.15 >=~1.5.0.12
Reproducible: Always
Expected Results: Since sun-jdk-1.6.0.05 seems to be not affected by the GLSA, glsa-check should not attempt to apply it.
I have the same behaviour as with this GLSA on my system, but it occurs with the "200804-20" one.
    #glsa-check -p affected
    Checking GLSA 200804-20
    The following updates will be performed for this GLSA:
         dev-java/sun-jdk-1.6.0.05 (1.5.0.16)
The sun-jdk package is up to date because it is at version 1.5.0.16, while 1.5.0.15 is required by this GLSA:
    #emerge -pv "<dev-java/sun-jdk-1.6.0"
    These are the packages that would be merged, in order:
    Calculating dependencies... done!
    [ebuild R ] dev-java/sun-jdk-1.5.0.16 USE="alsa -X -doc -examples -jce (-nsplugin) -odbc" 0 kB
I have a similar issue too. I have the latest amd64-stable sun-jdk 1.5, 1.6 and blackdown 1.4.2. No emul-linux-x86-java. My system should not be affected by the GLSA but still:
    # glsa-check -t all
    This system is affected by the following GLSAs:
    200804-20
Letting glsa-check apply the fix results in an unneeded downgrade:
    # glsa-check -p 200804-20
    Checking GLSA 200804-20
    The following updates will be performed for this GLSA:
         dev-java/sun-jdk-1.6.0.05 (1.6.0.07)
Running any of the emerges suggested by "glsa-check -d" either results in a new package being installed or a reemerge of an installed one (the latest 1.6 in all cases).
I'm also on amd64 arch. I have no lib sun-jre-bin or emul-linux-x86-java installed.
I just committed an updated GLSA 200804-20 which adds the 1.5.0.16 versions as unaffected. Due to bug 106677 we are unfortunately not able to deal with slotted packages in a better way. I also updated GLSA 200705-23 with the latest versions. Please reopen the bug when there are any issues left after the updates have propagated to the rsync mirrors and you have resynced your trees.