http://www.blackdown.org/java-linux/java2-status/security/Blackdown-SA-2005-03.txt
1.4.2.03 is already in the tree so it just needs to be marked stable.
Latest blackdown-jdk and blackdown-jre versions are now stable on x86.
Ok, arches pls try to mark the latest blackdown-jre and -jdk stable. Shouldn't be a problem for amd64, but maybe there are no fixed packages for ppc and sparc.
(In reply to comment #2)
> [...] but maybe there are no fixed packages for ppc and sparc.
That's how it looks. The Blackdown SA isn't clear about affected earlier versions, but from the referenced Sun SA I would guess that our latest stable versions (blackdown-jdk-1.3.1-r10 and blackdown-jre-1.3.1-r9) are also affected.
(In reply to comment #2)
> Ok, arches pls try to mark the latest blackdown-jre and -jdk stable. Shouldn't
> be a problem for amd64, but maybe there are no fixed packages for ppc and
> sparc.
>
sparc being toast has been known for some time. This same issue has come up with previous 1.4.2 versions.
It would be acceptable to remove the ppc marking from these builds imho, we are unlikely to see new ppc versions and IBM's JRE/JDK function as a more modern replacement.
Marked amd64 stable.
We're phasing out java altogether for the 2006.0 release, it's all p/u.masked in the new profile.
I think we issue a tempglsa about this like last time, any other ideas?
I've placed a nice ad in the 1.4.1 ebuilds about security issues and going away soon, feel free to adjust too.
Yes, temporary GLSA showing (1) ppc and sparc as still affected and (2) advising users on how to mitigate the vulnerability on those archs (like switching to IBM for ppc) would be in order. GLSA editors: see GLSA 200506-14 for inspiration ("Reuse" is your friend here)
I don't think this is a big issue on ppc. For a year and a half now the virtual java ebuild has directed to the IBM one. And frankly the blackdown should be removed as it's unmaintained upstream. Greetings
In fact this also affects Sun's JDK and JRE, see http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102003-1
Fixed versions include:
* SDK and JRE 1.3.1_16 and later
* SDK and JRE 1.4.2_09 and later
* JDK and JRE 5.0 Update 4 and later
All up-to-date in portage.
GLSA 200601-10. It's not really temporary since there probably won't be fixed versions.