Summary: | <dev-java/oracle-{jdk,jre}-bin-1.8.0.192: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Guido Jäkel <G.Jaekel> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hydrapolic, java |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | dev-java/oracle-jdk-bin-1.8.0.192 amd64 x86, dev-java/oracle-jre-bin-1.8.0.192 amd64 x86 |
Runtime testing required: | --- |
Description
Guido Jäkel
2018-10-18 11:51:14 UTC
Actually it's a security issue: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA

Several issues marked as critical.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=897bfd4660be4123ebc6006b4cfccc095a6d8900

commit 897bfd4660be4123ebc6006b4cfccc095a6d8900
Author: Philipp Ammann <philipp.ammann@posteo.de>
AuthorDate: 2018-10-19 13:14:22 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-10-19 14:34:34 +0000

dev-java/oracle-jdk-bin: version bump to 1.8.0.192

Bug: https://bugs.gentoo.org/668948
Signed-off-by: Philipp Ammann <philipp.ammann@posteo.de>
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

dev-java/oracle-jdk-bin/Manifest | 14 +
.../oracle-jdk-bin/oracle-jdk-bin-1.8.0.192.ebuild | 297 +++++++++++++++++++++
2 files changed, 311 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22f3d7717f61f7303b279e5e99756c5efd25ba95

commit 22f3d7717f61f7303b279e5e99756c5efd25ba95
Author: Philipp Ammann <philipp.ammann@posteo.de>
AuthorDate: 2018-10-19 13:13:11 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-10-19 14:33:09 +0000

dev-java/oracle-jre-bin: version bump to 1.8.0.192

Bug: https://bugs.gentoo.org/668948
Closes: https://github.com/gentoo/gentoo/pull/10178
Signed-off-by: Philipp Ammann <philipp.ammann@posteo.de>
Signed-off-by: James Le Cuirot <chewi@gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11

dev-java/oracle-jre-bin/Manifest | 2 +
.../oracle-jre-bin/oracle-jre-bin-1.8.0.192.ebuild | 220 +++++++++++++++++++++
2 files changed, 222 insertions(+)

amd64 stable

x86 stable

the affected versions are gone:

commit ed2e7d8db523186f340c4d9db762109bc37486f0 (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date: Thu Jan 17 09:44:59 2019 +0100

dev-java/oracle-jre-bin-1.8.0.181: removed obsolete also per bug #668948, #661456 and #653560

Package-Manager: Portage-2.3.56, Repoman-2.3.12
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 9bd0311bf2956781e054945b1a6c925be085644f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date: Thu Jan 17 09:43:09 2019 +0100

dev-java/oracle-jdk-bin-1.8.0.181: removed obsolete also per bug #668948, #661456 and #653560

Package-Manager: Portage-2.3.56, Repoman-2.3.12
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

Java8u191 is obsolete since last quarterly Oracle Patch day, 2019-01-15. But I tried out yesterday:

Now please bump "plain vanilla" to 1.9.0.20{1,2}, an unmodified copy of oracle-jdk-bin-1.8.0.19{1,2} works for me out of the box.

(In reply to Guido Jäkel from comment #6)
> Java8u191 is obsolete since last quarterly Oracle Patch day, 2019-01-15. But
> I tried out yesterday:
>
> Now please bump "plain vanilla" to 1.9.0.20{1,2}, an unmodified copy of
> oracle-jdk-bin-1.8.0.19{1,2} works for me out of the box.

it's already in the tree, but i did not remove the obsolete 1.8.0.192 as it is the only stable we have:

commit 17e174a3a230c285fb5360ce1102c38f91bb8dec
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date: Thu Jan 17 10:47:41 2019 +0100

dev-java/oracle-jre-bin-1.8.0.202: bump

Package-Manager: Portage-2.3.56, Repoman-2.3.12
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 63caaadcbb604ac244446be687d8188a86ec15cd
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date: Thu Jan 17 10:37:52 2019 +0100

dev-java/oracle-jdk-bin-1.8.0.202: bump

Package-Manager: Portage-2.3.56, Repoman-2.3.12
Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

wrt oracle-jdk-bin:9, it's gone forever from the main tree (i dropped it due to security issues), we will support only oracle-jdk-bin:1.8 and oracle-jdk-bin:11. and of course the other jdk's according to their support/eol and our plans wrt java in the main tree. as of now, oracle-jdk-bin:11 is already in the main tree.

security, you can move on with this bug, no affected version is in the tree anymore.

Arches and Maintainer(s), Thank you for your work. New GLSA opened.

This issue was resolved and addressed in GLSA 201908-10 at https://security.gentoo.org/glsa/201908-10 by GLSA coordinator Aaron Bauman (b-man).