Bug 198644

Summary: dev-java/ibm-jdk-bin <= 1.5.0.5a and <=1.4.2.9 (and ibm-jre-bin) affected by recent Sun JDK security bugs
Product: Gentoo Security
Reporter: Vlastimil Babka (Caster) (RETIRED) <caster>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: java
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www-128.ibm.com/developerworks/java/jdk/alerts/
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 194711
Bug Blocks: 215614

Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-11-10 11:20:44 UTC
From the changelog of ibm-jdk-bin 1.5.0.6:

asdev-20070928	125917	IZ05366	c	N/A	Sun security fixes 6608640 and 6609269
asdev-20070921	125434	IZ04780	c	N/A	Sun Security fix 6605149
asdev-20070915	124940	-	c	N/A	X509Factory does not use SecurityManager
audev-20070914	125019	IZ04776	c	N/A	Sun Security WebRev Bundles Announcement September 08, 2007
asdev-20070914	125019	IZ04776	c	N/A	Sun Security WebRev Bundles Announcement September 08, 2007

You can get the full changelog by going to the download page from here (unfortunately requires registration)
http://www-128.ibm.com/developerworks/java/jdk/linux/download.html
Didn't find any IBM security advisories, but maybe they exist too.
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-11-11 00:02:34 UTC
Arches, please stabilize:

dev-java/ibm-jdk-bin-1.5.0.6
dev-java/ibm-jre-bin-1.5.0.6

The distfiles are as usual available via scp from d.g.o/~caster/tmp/
Comment 2 Dawid Węgliński (RETIRED) gentoo-dev 2007-11-11 15:01:47 UTC
x86 stable
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2007-11-12 19:36:14 UTC
ppc64 stable
Comment 4 Alex Howells (RETIRED) gentoo-dev 2007-11-14 15:42:39 UTC
stable on amd64
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-18 18:23:37 UTC
ppc stable
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-11-23 21:43:39 UTC
So I found the security alerts URL today, and know that 1.4.2.9 is also affected, and the fixed 1.4.2.10 is not yet available so we have to wait.
Comment 7 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-02-26 16:35:16 UTC
Hm, looks like 1.4.2.10 was finally released a month ago, so bumped.
Arches, please stabilize:

dev-java/ibm-jdk-bin-1.4.2.10
dev-java/ibm-jre-bin-1.4.2.10

The distfiles will be as usual available via scp from d.g.o/~caster/tmp/

Pretty sure this does not affect release...
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-02-26 16:40:44 UTC
Adding release just to make sure.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-27 09:16:04 UTC
IBMJava2-SDK-1.4.2-10.0.tgz is missing, Vlastimil.

/me will never ever touch the IBM interface again.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-27 09:20:37 UTC
Back to ebuild to get this fixed.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-27 09:35:33 UTC
(In reply to comment #10)
> Back to ebuild to get this fixed.

Not needed, really... masochistic people could get the tarball themselves (and ppc, amd64, ppc64 are complete, by the way).
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-27 09:37:45 UTC
Ahh ok. Thx.
Comment 13 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-02-27 21:58:16 UTC
Sorry, my upload rate sucks, had to interrupt it and forgot to resume. It's all there now.
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-28 08:31:45 UTC
x86 stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2008-02-29 02:17:08 UTC
Pretty sure this is good for ppc64 now, heh, ping if not...stuck in releng work
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-05 21:09:20 UTC
1.4.2.10 stable for ppc
Comment 17 Peter Weller (RETIRED) gentoo-dev 2008-03-10 08:58:54 UTC
amd64 stable
Comment 18 Peter Weller (RETIRED) gentoo-dev 2008-03-10 16:12:44 UTC
And now I've done ibm-jre-bin too!
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-03-10 18:09:04 UTC
Fixed in release snapshot.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-04-05 22:14:26 UTC
Yeah, sure, glsa with other ibm bugs :-)
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-06-26 13:07:07 UTC
GLSA 200806-11