| Summary: | <dev-java/ibm-{jre,jdk}-bin-{1.5.0.12_p5,1.6.0.9_p2}: Multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Vlastimil Babka (Caster) (RETIRED) <caster> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | java, Tanktalus |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.ibm.com/developerworks/java/jdk/alerts/ | | |
| Whiteboard: | B2 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 354213, 370559 | | |
| Bug Blocks: | 215614 | | |
Description
Vlastimil Babka (Caster) (RETIRED)
2011-08-03 22:20:57 UTC
Please stabilize: dev-java/
* ibm-jdk-bin-1.6.0.9_p2
* ibm-jdk-bin-1.5.0.12_p5
* ibm-jre-bin-1.6.0.9_p2
* ibm-jre-bin-1.5.0.12_p5

distfiles as usual (ssh d.g.o:~caster/tmp/)

better luck to the next getting past the ibm maze of links.

I can't get the dist file from the ibm site - there is no tar.gz file there, at least for amd64. Where did you get it from?

TGZ variants are under the "Deprecated SDKs and JREs" part of the download page. Here, deprecated means the packaging format (I hope they won't abandon it completely though...), not version.

I submitted an email to IBM to ask about this, and what I got, in a nutshell, is this:
* the tarball/rpm formats are deprecated and will be removed pretty soon, if not with the next release.
* there is a document on how to do a silent install: http://www-01.ibm.com/support/docview.wss?uid=swg21456902 - a quick look says that this will be moderately to very painful to set up. My response to the IBMer was that this may cause Gentoo to drop IBM Java if it's too difficult (though I'm pretty sure he knows I don't speak for Gentoo, just as here I'm not speaking for IBM, merely relaying information).
* The IBMer I was contacting will take my concerns to the Java Project Manager in IBM. That doesn't mean anything will change, merely that it'll be brought forward.

My suggestion, then, to the Gentoo Java team is to start planning for that tarball to go away.

ppc/ppc64 stable

Apart from getting-the-distfile-pain things worked well for me. x86 stable.

amd64 done. Thanks, Ian

Thanks, everyone. Added to existing GLSA request.

@maintainers, this is the last bug on the java-security tracker from ages ago. Anything stopping a cleanup of versions 1.6.0.9_p1 in jre and jdk? If not, please clean the tree. Thanks.

(In reply to Aaron Bauman from comment #10)
> @maintainers, this is the last bug on the java-security tracker from ages
> ago. Anything stopping a cleanup of versions 1.6.0.9_p1 in jre and jdk? If
> not, please clean the tree. Thanks.

dev-java/ibm-{jre,jdk}-bin (and several other JVMs) will actually be last-rited as soon as ppc64 team deal with bug #567890. The branch is ready waiting to go.

Thanks for the update. Do we have an estimated time when that merge will happen?

(In reply to James Le Cuirot from comment #11)
> (In reply to Aaron Bauman from comment #10)
> > @maintainers, this is the last bug on the java-security tracker from ages
> > ago. Anything stopping a cleanup of versions 1.6.0.9_p1 in jre and jdk? If
> > not, please clean the tree. Thanks.
>
> dev-java/ibm-{jre,jdk}-bin (and several other JVMs) will actually be
> last-rited as soon as ppc64 team deal with bug #567890. The branch is ready
> waiting to go.

Chewi, I understand you are working on a large move, however, 1.6.0.9_p2 is stable on ppc64. Just asking to purge 1.6.0.9_p1 from the tree in order to close out a couple of security bugs. That would be much appreciated if possible. Thanks.

(In reply to Aaron Bauman from comment #13)
> Chewi, I understand you are working on a large move, however, 1.6.0.9_p2 is
> stable on ppc64. Just asking to purge 1.6.0.9_p1 from the tree in order to
> close out a couple of security bugs. That would be much appreciated if
> possible. Thanks.

Kill off p1 now if you like but we're simply waiting for someone from ppc64 team to find the time. That would usually be ago but he's been unavailable and pacho has been busy too. It could literally be today but I really don't know.

(In reply to James Le Cuirot from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > Chewi, I understand you are working on a large move, however, 1.6.0.9_p2 is
> > stable on ppc64. Just asking to purge 1.6.0.9_p1 from the tree in order to
> > close out a couple of security bugs. That would be much appreciated if
> > possible. Thanks.
>
> Kill off p1 now if you like but we're simply waiting for someone from ppc64
> team to find the time. That would usually be ago but he's been unavailable
> and pacho has been busy too. It could literally be today but I really don't
> know.

Thanks for the feedback. The Git history shows that ~ppc64 was added later following the bump for security. Of course this is spanning many years. It should have been requested in a separate bug. I will remove _p1. Thanks!

vulnerable versions dropped from tree.

No CVEs identified on this bug to add it to an existing Java GLSA or publish a new one. Per previous comments these packages will be gone soon from the tree. @security, thoughts on GLSA?