| Summary: | dev-java/blackdown-{jdk\|jre} privilege escalation | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Chad Patten <cpatten> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | bugreports, java, rockoo |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| URL: | http://blackdown.org/java-linux/java2-status/security/Blackdown-SA-2005-02.txt | | |
| Whiteboard: | A2 [glsa \| sparc-removed] jaervosz | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 96092 | | |
Description

Chad Patten
2005-06-15 17:09:21 UTC

A new version which fixes the vulnerability, 1.4.2-02, has been released by blackdown.org. Java, please bump. This is similar to bug #96092.

Bumped to ~arch; haven't had time to do more than a basic test.

From Blackdown:

Affected: Blackdown J2SE 1.4.2-01 and earlier 1.4 releases. 1.3.1 releases are not affected.

Target KEYWORDS:
blackdown-jdk-1.4.2.02: x86 sparc amd64
blackdown-jre-1.4.2.02: x86 sparc amd64

blackdown-jdk-1.4.2.02 is currently failing digest checks on the file from the mirrors. I don't know if the mirror is wrong or the digest is wrong.

The digest md5 is the same as on http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2005-02.txt and all the mirrors I tried have the file with that md5.

It was on amd64 (sorry, I didn't realize Blackdown came in 64-bit versions) and is now fixed.

Blackdown never released 1.4.2* for sparc.

Is there a workaround for 1.4.1?

Stable on amd64 and x86.

I sent an email off to Blackdown asking about a newer version of the JRE/JDK for Linux/SPARC and the response was "1.4.2-02 for SPARC is mostly ready but there's one show-stopping bug holding it up." So it's possible there may be something soon, but not sure when.

We should issue a temporary GLSA with the current fixed versions which says 1.4 on sparc is vulnerable, then issue an update when the sparc version is released.

GLSA 200506-14

Keeping open (enhancement scope) to remember to update the GLSA when sparc is fixed.

```
# emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.02"

These are the packages that I would merge, in order:

Calculating dependencies
!!! All ebuilds that could satisfy ">=dev-java/blackdown-jre-1.4.2.02" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-java/blackdown-jre-1.4.2.02 (masked by: -* keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
section 2.2 "Software Availability" in the Gentoo Handbook.
```

http://www.gentoo.org/security/en/glsa/glsa-200506-14.xml

Jan, please mark jre asap.

Keyworded x86 & amd64.

Thx Thomas, back to enhancement, waiting for fixed Sparc version.

Any news with the Sparc version?

No.

Any news on a sparc version?

You should check www.blackdown.org, and the answer is no. Note that the current stable profile (2006.0/2.4) has java masked entirely, so when the previous ones are gone it can be safely nuked.

(In reply to comment #20)
> You should check www.blackdown.org, and the answer is no.
> Note that the current stable profile (2006.0/2.4) has java masked entirely, so
> when the previous ones are gone it can be safely nuked.

When do you plan on removing the previous ones?

When 2006.1 ships.

Jason, any news on this one?

We'll deprecate the 2005.1 profile later today, send a mail with a 30-day warning period and nuke java keywords/old profiles then.

The sparc cleanup is done: removed all java-dependent keywords from ebuilds and nuked the old profiles. Feel free to call us back if you feel nostalgic or something ;)

So ... do we even need a GLSA update on this now that sparc has been purged? Close it?

Thanks Matt. Indeed the policy doesn't talk about this configuration in which a package has been removed for the unpatched architecture. I think no GLSA nor GLSA update needs to be sent. And the note in GLSA 200506-14 is still true: "Note to SPARC users: There is no stable secure Blackdown Java for the SPARC architecture. Affected users should remove the package until a SPARC package is released." So I close that bug (finally :) ). Feel free to reopen if you disagree.