| Summary: | dev-java/blackdown-{jdk\|jre} probably affected by GLSA 200705-23 | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Cornelius (RETIRED) <dercorny> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | java, mlspamcb |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.gentoo.org/security/en/glsa/glsa-200705-23.xml | | |
| Whiteboard: | B2 [upstream] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 215614 | | |
Description
Stefan Cornelius (RETIRED)
(In reply to comment #0)
> http://www.gentoo.org/security/en/glsa/glsa-200705-23.xml
>
> hlieberman pointed out that blackdown is probably affected by GLSA 200705-23.
>
> java, please provide new ebuilds if possible (I guess it's not). If not, we need
> to find another solution here.

blackdown upstream has been long dead. Maybe just make it ~arch only? The stuff that needs =virtual/jdk-1.4* will just pull in ibm-jdk-bin for amd64 and sun-jdk for x86. I will post an RFC to the gentoo-java mailing list.

Yup, it's affected. It's also affected by any vulnerability that affects sun-jdk-1.4.2.10, since it's just a relicensed version of that. But I don't remember any that wasn't about browser applets, and we already masked the nsplugin flag. This one is different. Upstream seems dead though.

Let's summarize why we keep blackdown around:

- x86 - because it's not fetch restricted, while sun-jdk and others are
- amd64 - ditto; it also provides the only 64-bit nsplugin (although now use.masked), and the only alternative jdk here is ibm-jdk-bin-1.4, which on some systems has font issues. Although that's less of a problem, because for running stuff one can almost always use sun-jdk-1.5/1.6.

Masking it now for this vulnerability seems pointless, at least until the alternatives are also fixed (they are vulnerable too, but at least have a live upstream). Unless there are some other vulnerabilities too.

Maybe we could somehow restrict blackdown-jdk to be used only for building (gen-1 packages and some gen-2 need 1.4) and not for running stuff. Compiling sources is unlikely to exploit vulnerabilities.

(In reply to comment #2)
> Maybe we could somehow restrict blackdown-jdk to be used only for building
> (gen-1 packages and some gen-2 need 1.4) and not running stuff. Compiling
> sources is unlikely to exploit vulnerabilities.

Or just fix the four cases where it's needed: http://article.gmane.org/gmane.linux.gentoo.java/1689

(In reply to comment #3)
> Or just fix the four cases where it's needed:
> http://article.gmane.org/gmane.linux.gentoo.java/1689

Ah yes, gen-1 stuff. Well, we have a stabilization weekend coming up.

One year passed; where are we with removing or restricting Blackdown? What is left holding this back?

(In reply to comment #5)
> One year passed; where are we with removing or restricting Blackdown? What is
> left holding this back?

*ping*

Today I had issues with blackdown demolishing a nepomuk update for kde-4.3.1. Upstream is a Japanese site parking; it seems dead...

GLSA 200911-02