Summary: | dev-java/sun-jdk-1.4.2.10 should go stable, privilege escalation | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | dragonheart, java, wolf31o2 |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1 | ||
Whiteboard: | A2 [glsa] DerCorny | ||
Package list: | Runtime testing required: | --- |
Description
Carsten Lohrke (RETIRED)
2006-02-08 10:42:14 UTC
x86, you know what to do :)

stable on x86.

Java, is any other Java flavor affected by this?

from ref url: "The fifth, sixth, and seventh issues are addressed in the following releases: JDK and JRE 5.0 Update 6 and later" does that equate to version sun-jdk-1.5.0.06? Seems to be by the filename and following the prompts on the Sun website.

need dev-java/sun-jdk >= 1.5.0.06 stable I assume 1.5.0.06-r2

(In reply to comment #5)
> need dev-java/sun-jdk >= 1.5.0.06 stable I assume 1.5.0.06-r2
>

We can't stabilize any 1.5 JDKs currently. They are all package.mask'd because they cause serious problems: http://www.gentoo.org/proj/en/java/tiger-faq.xml Additionally, sun-jdk is slotted in such a way that all versions in slot 1.5 are in ~arch currently.

As Josh says: none of the 1.5.x JDKs can be marked stable, whether they are from Sun, JRockit, IBM or any other vendor, on _any_ platform. Stabilizing a 1.5 JDK will lead to massive breakage for our users. Leave the packages in ~arch until our migration is complete and they can be safely stabilized. Unsecure versions of 1.5 should of course be removed from ~arch, and replaced with secure ones.

(In reply to comment #5)
> need dev-java/sun-jdk >= 1.5.0.06 stable I assume 1.5.0.06-r2
>

sun-jdk-1.4.2.10 fixes this as well, but is already stable, so I did not mention it (probably should be noted in a GLSA, though). Since we have no stable Java 5 version, we don't need to mark .06 stable.

Thanks Carsten, Josh, Karl.

GLSA 200602-07 Thanks everybody.