
Bug 122156

Summary: dev-java/sun-jdk-1.4.2.10 should go stable, privilege escalation
Product: Gentoo Security Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: dragonheart, java, wolf31o2
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1
Whiteboard: A2 [glsa] DerCorny
Package list:
Runtime testing required: ---

Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-08 10:50:50 UTC
x86, you know what to do :)
Comment 2 Saleem Abdulrasool (RETIRED) gentoo-dev 2006-02-08 13:44:34 UTC
stable on x86.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-08 22:14:39 UTC
Java, is any other Java flavor affected by this?
Comment 4 Daniel Black (RETIRED) gentoo-dev 2006-02-09 00:13:27 UTC
from ref url:
"The fifth, sixth, and seventh issues are addressed in the following releases:
JDK and JRE 5.0 Update 6 and later"

does that equate to version sun-jdk-1.5.0.06?

Seems to be by the filename and following the prompts on the sun website.
Comment 5 Daniel Black (RETIRED) gentoo-dev 2006-02-09 12:46:50 UTC
need dev-java/sun-jdk >= 1.5.0.06 stable I assume 1.5.0.06-r2
Comment 6 Josh Nichols (RETIRED) gentoo-dev 2006-02-09 12:53:24 UTC
(In reply to comment #5)
> need dev-java/sun-jdk >= 1.5.0.06 stable I assume 1.5.0.06-r2
> 

We can't stabilize any 1.5 JDKs currently. They are all package.mask'd because they cause serious problems: http://www.gentoo.org/proj/en/java/tiger-faq.xml

Additionally, sun-jdk is slotted in such a way that all versions in slot 1.5 are in ~arch currently.
Comment 7 Karl Trygve Kalleberg (RETIRED) gentoo-dev 2006-02-09 12:57:01 UTC
As Josh says: none of the 1.5.x JDKs can be marked stable, whether they are from Sun, JRockit, IBM or any other vendor, on _any_ platform.

Stabilizing a 1.5 JDK will lead to massive breakage for our users. Leave the packages in ~arch until our migration is complete and they can be safely stabilized.

Unsecure versions of 1.5 should of course be removed from ~arch, and replaced with secure ones. 
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2006-02-09 13:01:04 UTC
(In reply to comment #5)
> need dev-java/sun-jdk >= 1.5.0.06 stable I assume 1.5.0.06-r2
> 

sun-jdk-1.4.2.10 fixes this as well, but is already stable, so I did not mention it (probably should be noted in a GLSA, though). Since we have no stable Java 5 version, we don't need to mark .06 stable.
Comment 9 Daniel Black (RETIRED) gentoo-dev 2006-02-09 13:05:40 UTC
Thanks Carsten, Josh, Karl.
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2006-02-14 18:30:56 UTC
GLSA 200602-07

Thanks everybody.