Summary: | <dev-java/oracle-jdk-bin-1.8.0.181: <dev-java/oracle-jre-bin-1.8.0.181: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | ap, java, ktrace |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | ||
See Also: | https://github.com/gentoo/gentoo/pull/9478 | ||
Whiteboard: | A2 [glsa+ cve] | ||
Package list: | dev-java/oracle-jdk-bin-1.8.0.181 amd64 x86; dev-java/oracle-jre-bin-1.8.0.181 amd64 x86 | ||
Runtime testing required: | --- |
Bug Depends on: | 663566 | ||
Bug Blocks: |
Description
D'juan McDonald (domhnall)
2018-07-18 05:41:12 UTC
Shouldn't the versions be 10.0.2 and 8u181?
http://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
http://www.oracle.com/technetwork/java/javase/10-0-2-relnotes-4477557.html

(In reply to Mike Limansky from comment #1)
> Shouldn't the versions be 10.0.2 and 8u181?

For affected? Not according to the CVEs on mitre. Unless I am missing something.

(In reply to D'juan McDonald (domhnall) from comment #2)
> (In reply to Mike Limansky from comment #1)
> > Shouldn't the versions be 10.0.2 and 8u181?
>
> For affected? Not according to the CVEs on mitre. Unless I am missing
> something.

Sorry, I've misread the description.

I've just tested with copied ebuild from the previous version and it works fine for me.

*** Bug 661868 has been marked as a duplicate of this bug. ***

Sorry for the noise, but once again this bug cannot easily be found since the package name is somewhat obscured.

You might save a few characters while typing, displaying this bug page or whatever by having the packages dev-java/oracle-jdk-bin and dev-java/oracle-jre-bin shortened to dev-java/oracle-{jdk,jre}-bin. But since the Bugzilla search does not resolve this to the actual package names, bugs will often be missed, not only coming from "Related Bugs" at packages.gentoo.org:
https://packages.gentoo.org/packages/dev-java/oracle-jdk-bin

So you get duplicate bugs and many people wasting time and bandwidth until they finally find the correct bug for a small saving of what exactly?

tl;dr Please, always write full package names in bug titles. Bugs will not be found otherwise. This was discussed before and considered best practice. Thanks!

(In reply to Mike Limansky from comment #4)
> I've just tested with copied ebuild from the previous version and it works
> fine for me.

I also just tested this and confirm.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f406fccb349764c34a993953abd0c052d603abd0

commit f406fccb349764c34a993953abd0c052d603abd0
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-10 20:55:48 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-10 21:02:13 +0000

    dev-java/oracle-jre-bin: Security bump to 1.8.0.181

    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 dev-java/oracle-jre-bin/Manifest | 2 +
 .../oracle-jre-bin/oracle-jre-bin-1.8.0.181.ebuild | 220 +++++++++++++++++++++
 2 files changed, 222 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d96a80b1a9d2af7f5ce9adacd463968f645e9653

commit d96a80b1a9d2af7f5ce9adacd463968f645e9653
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-10 20:49:51 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-10 21:02:11 +0000

    dev-java/oracle-jdk-bin: Security bump to 1.8.0.181

    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.45, Repoman-2.3.10

 dev-java/oracle-jdk-bin/Manifest | 14 +
 .../oracle-jdk-bin/oracle-jdk-bin-1.8.0.181.ebuild | 301 +++++++++++++++++++++
 2 files changed, 315 insertions(+)

I have dealt with Java 8. Java 9 is probably vulnerable already but there are issues blocking the addition of 10. Let's just focus on 8 here.

amd64 stable

@security, please update status to IN_P.

x86 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=384d196024de436c1aae39431c010a6d112a95ce

commit 384d196024de436c1aae39431c010a6d112a95ce
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-18 21:30:11 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-18 21:30:11 +0000

    dev-java/oracle-jre-bin: Drop vulnerable 1.8.0.172

    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 dev-java/oracle-jre-bin/Manifest | 2 -
 .../oracle-jre-bin/oracle-jre-bin-1.8.0.172.ebuild | 220 ---------------------
 2 files changed, 222 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e6e5285f5bba1b9d640decf9f270e6e7fcebfe9

commit 7e6e5285f5bba1b9d640decf9f270e6e7fcebfe9
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-08-18 21:29:16 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-08-18 21:29:16 +0000

    dev-java/oracle-jdk-bin: Drop vulnerable 1.8.0.172

    Bug: https://bugs.gentoo.org/661456
    Package-Manager: Portage-2.3.47, Repoman-2.3.10

 dev-java/oracle-jdk-bin/Manifest | 14 -
 dev-java/oracle-jdk-bin/metadata.xml | 1 -
 .../oracle-jdk-bin/oracle-jdk-bin-1.8.0.172.ebuild | 301 ---------------------
 3 files changed, 316 deletions(-)

the affected versions are gone:

commit ed2e7d8db523186f340c4d9db762109bc37486f0 (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 09:44:59 2019 +0100

    dev-java/oracle-jre-bin-1.8.0.181: removed obsolete

    also per bug #668948, #661456 and #653560

    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 9bd0311bf2956781e054945b1a6c925be085644f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 09:43:09 2019 +0100

    dev-java/oracle-jdk-bin-1.8.0.181: removed obsolete

    also per bug #668948, #661456 and #653560

    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

ah, sorry, i overlooked one digit :-) the commits are not related to this bug :-)

This issue was resolved and addressed in GLSA 201903-14 at https://security.gentoo.org/glsa/201903-14 by GLSA coordinator Aaron Bauman (b-man).