| Summary: | glsa-check -f 200705-23 downgrades unaffected sun-jdk-1.6.0.05 | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hannes Erven <h.e> |
| Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | gentoo, heraud |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

I have the same behaviour with this GLSA on my system, but it occurs with the "200804-20" one.
#glsa-check -p affected
Checking GLSA 200804-20
The following updates will be performed for this GLSA:
dev-java/sun-jdk-1.6.0.05 (1.5.0.16)
The sun-jdk package is up to date because it is at version 1.5.0.16 while 1.5.0.15 is required by this GLSA:
#emerge -pv "<dev-java/sun-jdk-1.6.0"
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] dev-java/sun-jdk-1.5.0.16 USE="alsa -X -doc -examples -jce (-nsplugin) -odbc" 0 kB
I have a similar issue too. I have the latest amd64-stable sun-jdk 1.5, 1.6 and blackdown 1.4.2. No emul-linux-x86-java. My system should not be affected by the GLSA but still:
# glsa-check -t all
This system is affected by the following GLSAs:
200804-20
Letting glsa-check apply the fix results in an unneeded downgrade:
# glsa-check -p 200804-20
Checking GLSA 200804-20
The following updates will be performed for this GLSA:
dev-java/sun-jdk-1.6.0.05 (1.6.0.07)
Running any of the emerges suggested by "glsa-check -d" either results in a new package being installed or a reemerge of an installed one (the latest 1.6 in all cases).
I'm also on amd64 arch. I have no lib sun-jre-bin or emul-linux-x86-java installed.
I just committed an updated GLSA 200804-20 which adds the 1.5.0.16 versions as unaffected. Due to bug 106677 we are unfortunately not able to deal with slotted packages in a better way. I also updated GLSA 200705-23 with the latest versions. Please reopen the bug when there are any issues left after the updates have propagated to the rsync mirrors and you have resynced your trees.
When applying GLSA advisories on this system, glsa-check attempts to downgrade an unaffected version of sun-jdk:
# glsa-check -p 200705-23
Checking GLSA 200705-23
The following updates will be performed for this GLSA:
dev-java/sun-jdk-1.5.0.15 (1.6.0.05)
According to glsa-check -d 200705-23, the installed version is not affected by this GLSA:
# glsa-check -d 200705-23
GLSA 200705-23: Sun JDK/JRE: Multiple vulnerabilities
============================================================================
Synopsis: Multiple vulnerabilities have been identified in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE).
Announced on: May 31, 2007
Last revised on: October 02, 2007: 03
Affected package: dev-java/sun-jre-bin
Affected archs: All
Vulnerable: <1.6.0.01
Unaffected: >=~1.5.0.11 >=~1.4.2.14 >=1.6.0.01 >=~1.4.2.15 >=~1.5.0.12
Reproducible: Always
Expected Results: Since sun-jdk-1.6.0.05 seems to be not affected by the GLSA, glsa-check should not attempt to apply it.