Summary: | dev-java/ibm-jdk-bin <= 1.4.2.12 <= 1.5.0.9 <= 1.6.0.3 and ibm-jre-bin: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Vlastimil Babka (Caster) (RETIRED) <caster> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED OBSOLETE | ||
Severity: | minor | CC: | java |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.ibm.com/developerworks/java/jdk/alerts/ | ||
Whiteboard: | B2 [glsa] | ||
Package list: | | Runtime testing required: | ---
Bug Depends on: | 233652 | ||
Bug Blocks: | 215614, 287490 | ||
Description
Vlastimil Babka (Caster) (RETIRED)
2008-12-24 18:44:32 UTC
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.9. Distfiles as usual via ssh d.g.o/~caster/tmp

amd64/x86 stable

ppc stable

ppc64 done

Alerts appeared on IBM's $URL. Good that we did 1.5.0.9 - it's fixed. For 1.4 and 1.6 there are not yet releases, as usual :/

Due to impacts like DoS, privilege escalation and remote execution of arbitrary code, I set the bug to B3. I would vote for a GLSA because of the numerous possible attack vectors and the very wide usage of Java.

ppc/ppc64 please stabilize ibm-jdk-bin-1.6.0.4; distfiles are being uploaded as usual (comment 1).

ppc and ppc64 done

Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.4.2.13. Distfiles as usual.

Marked 1.4.2.13 ppc/ppc64 stable. Removing ppc/ppc64 CCs (sorry for the bugspam).

amd64/x86 stable, all arches done. All that's left is the GLSA then, covering also bug 233652.

(In reply to comment #10)
> Marked 1.4.2.13 ppc/ppc64 stable.
>
You forgot ibm-jre-bin, please do.

Also please note that the distfiles of 1.6 were meanwhile changed upstream and redigested (bug 265760), so take care not to redigest with the old ones - remove DISTDIR/ibm-java-*6.0-4.0* or use FEATURES=assume-digests etc.

So, apparently 1.5.0.9 was not fixed; IBM released a security update, which I bumped as 1.5.0.9-r1. They didn't care to rename the version's distfiles though. To prevent users from renaming distfiles of the fixed version (in order to coexist with the old version), the old ebuild was updated to expect the old distfiles to be renamed to .old.tgz. So, please stabilize 1.5.0.9-r1; you need to download new distfiles from the usual place and rename or replace the old distfiles. Take care also about comment 15. Sorry that their naming schemes suck.

ppc and ppc64 done

amd64/x86 stable, all arches done.

Remote passive execution of arbitrary code is B2.

Added to the already existing GLSA.
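Two points in the thread share one underlying check: the 1.6 tarballs were replaced upstream under the same filenames and redigested, and the 1.5.0.9-r1 security update again shipped distfiles with unchanged names. In both cases a tester with the previous tarball still in DISTDIR must not regenerate the Manifest from that local file (which is what the "remove DISTDIR/ibm-java-*6.0-4.0* or use FEATURES=assume-digests" advice guards against; assume-digests keeps the digests already recorded instead of recomputing them). The script below is an added example and is not part of the bug, of Portage or of IBM's packaging: it verifies a cached distfile against the size and SHA256 recorded in a Manifest and reports whether it is the expected file, a stale same-name file, missing, or not listed. It assumes the Manifest line shape `DIST <file> <size> HASH <hex> [HASH <hex> ...]` with a SHA256 entry present; the distfile name `example-java-6.0-4.0.tgz` and the file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from this bug or from Portage: check a cached distfile
# against the digest already recorded in a Manifest instead of re-digesting
# whatever happens to sit in DISTDIR. Manifest line shape assumed:
# "DIST <file> <size> HASH <hex> [HASH <hex> ...]" with a SHA256 entry present.
# Distfile names and contents below are constructed for the demo.

# SHA-256 of a file, via coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_distfile MANIFEST DISTDIR FILE
# Prints one of: ok, stale (present but size or SHA256 differ), missing,
# unlisted (no DIST entry in the Manifest). Returns 0 only for "ok".
check_distfile() {
    cd_manifest=$1 cd_distdir=$2 cd_file=$3
    cd_line=$(awk -v f="$cd_file" '$1 == "DIST" && $2 == f' "$cd_manifest")
    [ -n "$cd_line" ] || { echo unlisted; return 1; }
    cd_want_size=$(printf '%s\n' "$cd_line" | awk '{ print $3 }')
    # Walk the HASH/value pairs after the size field and pick the SHA256 one.
    cd_want_sha=$(printf '%s\n' "$cd_line" |
        awk '{ for (i = 4; i < NF; i += 2) if ($i == "SHA256") print $(i + 1) }')
    cd_path="$cd_distdir/$cd_file"
    [ -f "$cd_path" ] || { echo missing; return 1; }
    cd_have_size=$(wc -c < "$cd_path" | tr -d ' ')
    cd_have_sha=$(sha256_of "$cd_path")
    if [ "$cd_have_size" = "$cd_want_size" ] && [ "$cd_have_sha" = "$cd_want_sha" ]; then
        echo ok
        return 0
    fi
    echo stale
    return 1
}

# make_fixture: a Manifest describing the *replaced* upstream tarball, plus
# three DISTDIRs: one holding the new file, one holding an older file under
# the same name (the situation the bug warns about), one empty.
# Prints the fixture root directory.
make_fixture() {
    mf_dir=$(mktemp -d)
    mf_name=example-java-6.0-4.0.tgz   # constructed name, not a real distfile
    mkdir "$mf_dir/new" "$mf_dir/old" "$mf_dir/empty"
    printf 'rebuilt upstream tarball\n' > "$mf_dir/new/$mf_name"
    printf 'original upstream tarball\n' > "$mf_dir/old/$mf_name"
    mf_size=$(wc -c < "$mf_dir/new/$mf_name" | tr -d ' ')
    mf_sha=$(sha256_of "$mf_dir/new/$mf_name")
    printf 'DIST %s %s SHA256 %s\n' "$mf_name" "$mf_size" "$mf_sha" > "$mf_dir/Manifest"
    echo "$mf_dir"
}

# Stand-alone run: show the outcome for each DISTDIR, then clean up.
demo() {
    demo_root=$(make_fixture)
    for sub in new old empty; do
        printf '%s: %s\n' "$sub" \
            "$(check_distfile "$demo_root/Manifest" "$demo_root/$sub" example-java-6.0-4.0.tgz)"
    done
    rm -rf "$demo_root"
}
demo
```

The "old" DISTDIR reproduces the trap described for the 1.6 distfiles: same filename, different bytes. Reporting it as `stale` (and refusing to overwrite the Manifest from it) is the behaviour a tester wants; regenerating the digest from that file would silently bless the superseded tarball.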