Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2007-05-18 06:41:23 UTC

Handling app-emulation/emul-linux-x86-java on bug 178962.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2007-05-19 22:29:10 UTC

*** Bug 179155 has been marked as a duplicate of this bug. ***

Comment 3 Vlastimil Babka (Caster) (RETIRED) 2007-05-20 20:30:13 UTC

To sum it up, for 1.6 this is probably [upstream] because they didn't release fixed version under the friendly license yet.
For 1.5 you could glsa it together with 176675 (if that's possible per your policies?) because the fixed version is the same - 1.5.0.11. But this bug isn't applicable for 1.4 which is also handled by 176675 so dunno.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2007-05-21 03:52:06 UTC

Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not stable we (security) don't mind.

Comment 5 Raphael Marichez (Falco) (RETIRED) 2007-06-01 07:14:45 UTC

200705-23 combined with bug 176675

Comment 6 Vlastimil Babka (Caster) (RETIRED) 2007-06-01 07:41:48 UTC

(In reply to comment #4)
> Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> stable we (security) don't mind.

But x86 already stabilized 1.6.0 jre

Comment 7 Petteri Räty (RETIRED) 2007-06-02 16:33:41 UTC

(In reply to comment #6)
> (In reply to comment #4)
> > Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> > stable we (security) don't mind.
> 
> But x86 already stabilized 1.6.0 jre
> 

u1 is out. x86 please mark stable

Comment 8 Vlastimil Babka (Caster) (RETIRED) 2007-06-03 22:44:45 UTC

> u1 is out. x86 please mark stable

Precisely, dev-java/sun-jre-bin-1.6.0.01-r1 

Comment 9 Christian Faulhammer (RETIRED) 2007-06-04 07:48:54 UTC

x86 stable

Comment 10 Petteri Räty (RETIRED) 2007-06-04 21:12:18 UTC

(In reply to comment #9)
> x86 stable
> 

Or not.
  04 Jun 2007; Christian Faulhammer <opfer@gentoo.org> ChangeLog:
  stable x86, security bug 178851

Comment 11 Christian Faulhammer (RETIRED) 2007-06-05 05:11:46 UTC

I stabled the wrong version, sorry for that.  x86 done again

Comment 12 Raphael Marichez (Falco) (RETIRED) 2007-06-10 18:16:59 UTC

it was 200705-23 combined with bug 176675

Comment 13 Vlastimil Babka (Caster) (RETIRED) 2007-06-10 18:31:49 UTC

(In reply to comment #12)
> it was 200705-23 combined with bug 176675

But that wasn't dealing with 1.6 JDK, because we didn't have fixed version available that time.

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) 2007-06-11 06:41:11 UTC

Caster are we still waiting for upstream on 1.6?

We'll close this one once we have an unstable ebuild for 1.6.

Comment 15 Vlastimil Babka (Caster) (RETIRED) 2007-06-11 08:59:56 UTC

(In reply to comment #14)
> Caster are we still waiting for upstream on 1.6?

No.

> We'll close this one once we have an unstable ebuild for 1.6.

You might want to do glsa because vulnerable version was stable on x86 (and now the fixed one is stable, see comment 11)

Vulnerable that was stable: dev-java/sun-jre-bin-1.6.0-r1
Fixed that is stable: dev-java/sun-jre-bin-1.6.0.01-r1

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) 2007-06-16 06:56:01 UTC

Security please comment on GLSA need.

Comment 17 Pierre-Yves Rofes (RETIRED) 2007-06-20 08:25:39 UTC

we released glsa 200705-23 for a similar issue, so I guess we should have another one for this.

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-01 02:17:52 UTC

Security please vote.

Comment 19 Matt Drew (RETIRED) 2007-07-02 21:25:01 UTC

I vote yes, we glsa'd the JPEG/BMP one, this is basically the same thing.

Comment 20 Vlastimil Babka (Caster) (RETIRED) 2007-07-02 21:32:24 UTC

You can do the GLSA together with bug 183580 which is same package different slot (maybe I didn't have to open extra bug for it anyways...)

Comment 21 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-15 07:24:02 UTC

Voting YES.

Comment 22 Matthias Geerdsen (RETIRED) 2007-09-11 11:21:35 UTC

changing product/component

please file security bugs in the Gentoo Security product

Comment 23 Robert Buchholz (RETIRED) 2008-03-31 19:05:43 UTC

I would close this bug without a GLSA because the GLSA has been updated more than half a year ago:

----------------------------
revision 1.2
date: 2007-06-05 16:24:43 +0200;  author: falco;  state: Exp;  lines: +4 -3;  commitid: 72f7466571f24567;
add the 1.6.x branch of sun-jre-bin since it had been stabilized on x86 just a few days before the glsa was sent.
----------------------------

--- glsa-200705-23.xml  31 May 2007 18:12:05 -0000      1.1
+++ glsa-200705-23.xml  5 Jun 2007 14:24:43 -0000       1.2
@@ -11,7 +11,7 @@
   </synopsis>
   <product type="ebuild">sun-jdk,sun-jre-bin</product>
   <announced>May 31, 2007</announced>
-  <revised>May 31, 2007: 01</revised>
+  <revised>June 05, 2007: 02</revised>
   <bug>176675</bug>
   <bug>178851</bug>
   <access>remote</access>
@@ -22,9 +22,10 @@
       <vulnerable range="lt">1.5.0.11</vulnerable>
     </package>
     <package name="dev-java/sun-jre-bin" auto="yes" arch="*">
-      <unaffected range="ge">1.5.0.11</unaffected>
+      <unaffected range="rge">1.5.0.11</unaffected>
       <unaffected range="rge">1.4.2.14</unaffected>
-      <vulnerable range="lt">1.5.0.11</vulnerable>
+      <unaffected range="ge">1.6.0.01</unaffected>
+      <vulnerable range="lt">1.6.0.01</vulnerable>
     </package>
   </affected>
   <background>

Comment 24 Robert Buchholz (RETIRED) 2008-03-31 19:09:34 UTC

Oh wait, that did not deal with the JDK. Assuming that was affected, it needs to get GLSA'd.

Comment 25 Robert Buchholz (RETIRED) 2008-04-17 23:43:35 UTC

GLSA 200804-20, sorry for the long delay.