|Summary:||dev-java/blackdown*: JRE prior to v1.4.2-01 vulnerable|
|Product:||Gentoo Security||Reporter:||Michael Mauch <michael.mauch>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||major||CC:||java, polynomial-c, ppc|
|Whiteboard:||A2 [glsa] koon|
|Package list:||Runtime testing required:||---|
|Bug Depends on:|
Description Michael Mauch 2004-11-23 04:24:24 UTC
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2004-11-23 04:30:36 UTC
java please bump to 1.4.2-01.
Comment 2 Lars Wendler (Polynomial-C) 2004-11-23 18:30:28 UTC
Created attachment 44615 [details] blackdown-jdk-1.4.2.ebuild.diff Hi, I got the new version installed with the attached changes. I did a quick test on x86 with mozilla and jdk at this german website: http://www.heise.de/security/dienste/browsercheck/tests/java.shtml Poly
Comment 3 Thomas Matthijs (RETIRED) 2004-11-24 12:51:39 UTC
blackdown-jdk/jre bumped too 1.4.2.01 still needs amd64 keywording
Comment 4 Matthias Geerdsen (RETIRED) 2004-11-24 14:07:34 UTC
amd64, please test and mark stable: target KEYWORDS: blackdown-jre-1.4.2.01.ebuild:KEYWORDS="-* amd64 x86" blackdown-jdk-1.4.2.01.ebuild:KEYWORDS="-* x86 amd64"
Comment 5 Thierry Carrez (RETIRED) 2004-11-25 01:54:40 UTC
Comment 6 Thomas Matthijs (RETIRED) 2004-11-25 05:00:28 UTC
oeps, sparc had blackdown 1.4.1 stable too. its was the only jdk for there arch, but that it seems to be affected too(i removed it), so they no longer have a stable jdk, blackdown doesn't release them for sparc anymore
Comment 7 Thomas Matthijs (RETIRED) 2004-11-25 05:27:57 UTC
bumped 1.4.1 to 1.4.1-r1 for sparc, it no longer installs the mozilla plugin.
Comment 8 Thierry Carrez (RETIRED) 2004-11-26 02:29:01 UTC
amd64, please test and mark blackdown-jdk-1.4.2.01 stable.
Comment 9 Thierry Carrez (RETIRED) 2004-11-26 13:45:22 UTC
Axxo & PPC: Versions 1.3.x are probably vulnerable too. What solution do we have for the ppc arch (which has a 1.3 version stable). Can it be bumped to 1.4.x ? What else could we do to secure ppc ?
Comment 10 Thomas Matthijs (RETIRED) 2004-11-27 04:25:35 UTC
i cannot test the plugins of 1.3* since they don't work on newer version of mozilla/firefox all sun/blackdown >=1.4.0 in the tree now shouldn't be affected ppc also has a stable ibm-jdk-bin
Comment 11 Matthias Geerdsen (RETIRED) 2004-11-27 04:43:44 UTC
As Lars posted above, a test can be found at <http://www.heise.de/security/dienste/browsercheck/tests/java.shtml> (German). In the stanza beginning with "Am 23.11.2004 wurde ein Problem bekannt" click on the link "hier", a popup should appear saying "Sie sind verwundbar" if you are still vulnerable. Opera still seems to have problems with this, probably because of its non-standard java usage (s. bug #71818).
Comment 12 Thierry Carrez (RETIRED) 2004-11-27 11:13:10 UTC
amd64 is ready now ppc: please try blackdown-jdk/jre 1.4.x and see if you could mark it stable. We've a short schedule on this one, we might need to issue a temporary GLSA with affected versions by Monday. See what you can do :)
Comment 13 Thierry Carrez (RETIRED) 2004-11-29 01:50:47 UTC
JoseJX just said that ppc has no "Java plug-in" functionality from blackdown-jdk/jre so it's not affected by this vulnerability. We're waiting for a confirmation on this and will send a x86/amd64 restricted GLSA if this is verified.
Comment 14 Matthias Geerdsen (RETIRED) 2004-11-29 08:10:25 UTC
a thread on FD talks about the necessity to remove old java versions http://www.securityfocus.com/archive/1/382281 http://www.securityfocus.com/archive/1/382413 http://java.sun.com/products/plugin/versions.html#answers : Question: What happens when the user at some later point returns to the applet that specifies the 1.3.1 plug-in? Does the 1.4 plug-in load, ignoring the applet's HTML plug-in version parameters? Answer: Here the answer depends on whether the 1.3.1 applet specifies clsid:8AD ... or clsid:CAF .... The clsid:CAF ... indicates that the applet requires the specific version of 1.3.1 to run; and so it will run with the 1.3.1 version if it has not been removed from the system and will prompt the user to install it if it has. However, if the clsid:8AD ... is used and both versions of the Plug-in are still installed on the system, then the 1.3.1 version will be run. If 1.3.1has been removed, the 1.4 version will be run. In this case, any version of Plug-in equal to or higher than the indicated version will be used. Question: What happens when the user has a newer version of the plug-in installed (e.g., 1.4) but opens an applet whose HTML specifies an older version (1.3.1 or 1.2.1)? Will the user be prompted to install the older one? If so, what happens when the user returns to the newer applet? Answer: This is similar to the question above. If the clsid:CAF ... is used, then the older version will be installed and run. However, if the clsid:8AD is used, then the newer version will run the applet. _______ another test can be found here: http://bcheck.scanit.be/bcheck/
Comment 15 Thierry Carrez (RETIRED) 2004-11-29 08:23:46 UTC
Holding on the GLSA a few more hours on konq/opera vulnerability test to see if we should have a "Note:" about their vulnerable status.
Comment 16 Thierry Carrez (RETIRED) 2004-11-29 13:56:00 UTC