Bug 118114 - dev-java/{sun|blackdown}-{jre|jdk}: privilege escalation
Summary: dev-java/{sun|blackdown}-{jre|jdk}: privilege escalation
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.blackdown.org/java-linux/j...
Whiteboard: A2 [glsa] DerCorny
Reported: 2006-01-06 15:54 UTC by Petteri Räty (RETIRED)
Modified: 2019-12-12 21:54 UTC
Description Petteri Räty (RETIRED) gentoo-dev 2006-01-06 15:54:04 UTC
http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2005-03.txt
1.4.2.03 is already in the tree so it just needs to be marked stable.
Comment 1 Petteri Räty (RETIRED) gentoo-dev 2006-01-06 16:22:55 UTC
Latest blackdown-jdk and blackdown-jre versions are now stable on x86.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-07 06:28:02 UTC
Ok, arches pls try to mark the latest blackdown-jre and -jdk stable. Shouldn't be a problem for amd64, but maybe there are no fixed packages for ppc and sparc.
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-07 07:47:06 UTC
(In reply to comment #2)
> [...] but maybe there are no fixed packages for ppc and sparc.

That's how it looks. The Blackdown SA isn't clear about affected earlier versions, but from the referenced SUN SA I would guess that our latest stable versions (blackdown-jdk-1.3.1-r10 and blackdown-jre-1.3.1-r9) are also affected.

Comment 4 Petteri Räty (RETIRED) gentoo-dev 2006-01-07 08:13:09 UTC
(In reply to comment #2)
> Ok, arches pls try to mark the latest blackdown-jre and -jdk stable. Shouldn't
> be a problem for amd64, but maybe there are no fixed packages for ppc and
> sparc.
> 

sparc being toast has been known for some time. This same issue has come up with previous 1.4.2 versions.
Comment 5 Joe Jezak (RETIRED) gentoo-dev 2006-01-07 14:36:33 UTC
It would be acceptable to remove the ppc marking from these builds imho, we are unlikely to see new ppc versions and IBM's JRE/JDK function as a more modern replacement.
Comment 6 Josh Nichols (RETIRED) gentoo-dev 2006-01-07 15:48:58 UTC
Marked amd64 stable.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-09 07:59:43 UTC
We're phasing out java altogether for the 2006.0 release, it's all p/u.masked in the new profile.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-11 23:43:38 UTC
I think we issue a temp GLSA about this like last time, any other ideas?
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-12 04:55:55 UTC
I've placed a nice ad in the 1.4.1 ebuilds about security issues and going away soon, feel free to adjust too.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2006-01-12 08:33:03 UTC
Yes, temporary GLSA showing (1) ppc and sparc as still affected and (2) advising users on how to mitigate the vulnerability on those archs (like switching to IBM for ppc) would be in order.

GLSA editors: see GLSA 200506-14 for inspiration ("Reuse" is your friend here)
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2006-01-12 23:25:30 UTC
I don't think this is a big issue on ppc.
For a year and a half the virtual java ebuild has directed to the IBM one. And frankly the blackdown should be removed as it's unmaintained upstream.

greetings
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2006-01-13 01:43:00 UTC
In fact this also affects Sun's JDK and JRE, see http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102003-1

Fixed versions include:
    * SDK and JRE 1.3.1_16 and later
    * SDK and JRE 1.4.2_09 and later
    * JDK and JRE 5.0 Update 4 and later

All up-to-date in portage.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-01-16 05:44:44 UTC
GLSA 200601-10. It's not really temporary since there probably won't be fixed versions.