
Bug 330205

Summary: <dev-java/icedtea6-bin-1.8.1: security vulnerabilities
Product: Gentoo Security
Reporter: Andrew John Hughes <gnu_andrew>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://blog.fuseyism.com/index.php/2010/07/28/icedtea6-181-released/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 312297
Bug Blocks:

Description Andrew John Hughes 2010-07-28 12:59:02 UTC
* CVE-2010-2783, RH616895: IcedTea ‘Extended JNLP Services’ arbitrary file access
* CVE-2010-2548, RH616893: IcedTea Incomplete property access check for unsigned applications

New ebuilds in java-overlay.  New binaries needed.

Reproducible: Always
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-07-30 14:57:30 UTC
I've built new binaries for icedtea6-bin-1.8.1, please stabilize.
I also removed the 1.7 series as 1.8 seems to work for users, so we don't need the 1.7.4 bump.
The source version in main tree in dev-java/icedtea was also bumped, but since the package is not stable yet, there's nothing more to do.
Comment 4 Myckel Habets 2010-07-30 19:45:49 UTC
Installs fine on x86. Rdep builds against this version. Please mark stable for x86.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-07-31 03:25:19 UTC
x86 stable, thanks Myckel
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-07-31 14:41:11 UTC
amd64 done
Comment 7 Andrew John Hughes 2010-08-01 15:39:43 UTC
There are some fixes in 1.7.4 that didn't make 1.8.1.  I can understand you not wanting to maintain two binaries, but both ebuild streams in the overlay will be retained.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 15:01:49 UTC
Rating B3 [ebuild?].

Vlastimil, please see Andrew's last comment.
Comment 9 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-08-26 23:14:31 UTC
(In reply to comment #8)
> Rating B3 [ebuild?].
> 
> Vlastimil, please see Andrew's last comment.

He didn't mean security fixes but general bugfixes. 1.8.1 is thus fine.

Comment 10 Andrew John Hughes 2010-08-26 23:26:35 UTC
To elaborate, 1.7.4 has:

S6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks.
S6963870: Eliminate NullPointerEx in swing class CompoundBorder method getBorderInsets.
PR453, OJ100142: Fix policy evaluation to match the proprietary JDK.

and a number of javadoc fixes which didn't make 1.8.1.  We could add these locally to the ebuild.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-18 20:29:41 UTC
GLSA Vote: yes, perhaps with 340819.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:02:40 UTC
Yes, added.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 15:28:20 UTC
This issue was resolved and addressed in GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml by GLSA coordinator Mikle Kolyada (Zlogene).