Originally reported by Martin Capitanio <gentoo-bug@capitanio.org> in bug 178575. Programs affected: JDK 1.5.0_07-b03 and others. Fixed in: JDK 1.5.0_11-b03 and JDK 1.6.0_01-b06. Severity: Probable remote compromise of systems which use the vulnerable JDK APIs to parse images. We already have 1.5.0.11 stabled so that's fine but we need to finally get them to release 1.6.0_01 under DLJ.
Handling app-emulation/emul-linux-x86-java on bug 178962.
*** Bug 179155 has been marked as a duplicate of this bug. ***
To sum it up, for 1.6 this is probably [upstream] because they didn't release fixed version under the friendly license yet. For 1.5 you could glsa it together with 176675 (if that's possible per your policies?) because the fixed version is the same - 1.5.0.11. But this bug isn't applicable for 1.4 which is also handled by 176675 so dunno.
Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not stable we (security) don't mind.
200705-23 combined with bug 176675
(In reply to comment #4)
> Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> stable we (security) don't mind.

But x86 already stabilized 1.6.0 jre
(In reply to comment #6)
> (In reply to comment #4)
> > Thx Caster. I think we're going to combine them. Also as long as 1.6.x is not
> > stable we (security) don't mind.
>
> But x86 already stabilized 1.6.0 jre
>
u1 is out. x86 please mark stable
> u1 is out. x86 please mark stable

Precisely, dev-java/sun-jre-bin-1.6.0.01-r1
x86 stable
(In reply to comment #9)
> x86 stable
>
Or not.

04 Jun 2007; Christian Faulhammer <opfer@gentoo.org> ChangeLog:
stable x86, security bug 178851
I stabled the wrong version, sorry for that. x86 done again
it was 200705-23 combined with bug 176675
(In reply to comment #12)
> it was 200705-23 combined with bug 176675

But that wasn't dealing with 1.6 JDK, because we didn't have fixed version available that time.
Caster are we still waiting for upstream on 1.6? We'll close this one once we have an unstable ebuild for 1.6.
(In reply to comment #14)
> Caster are we still waiting for upstream on 1.6?

No.

> We'll close this one once we have an unstable ebuild for 1.6.

You might want to do glsa because vulnerable version was stable on x86 (and now the fixed one is stable, see comment 11)

Vulnerable that was stable: dev-java/sun-jre-bin-1.6.0-r1
Fixed that is stable: dev-java/sun-jre-bin-1.6.0.01-r1
Security please comment on GLSA need.
we released glsa 200705-23 for a similar issue, so I guess we should have another one for this.
Security please vote.
I vote yes, we glsa'd the JPEG/BMP one, this is basically the same thing.
You can do the GLSA together with bug 183580, which is the same package in a different slot (maybe I didn't have to open an extra bug for it anyway...)
Voting YES.
Changing product/component; please file security bugs in the Gentoo Security product.
I would close this bug without a GLSA because the GLSA has been updated more than half a year ago: ---------------------------- revision 1.2 date: 2007-06-05 16:24:43 +0200; author: falco; state: Exp; lines: +4 -3; commitid: 72f7466571f24567; add the 1.6.x branch of sun-jre-bin since it had been stabilized on x86 just a few days before the glsa was sent. ---------------------------- --- glsa-200705-23.xml 31 May 2007 18:12:05 -0000 1.1 +++ glsa-200705-23.xml 5 Jun 2007 14:24:43 -0000 1.2 @@ -11,7 +11,7 @@ </synopsis> <product type="ebuild">sun-jdk,sun-jre-bin</product> <announced>May 31, 2007</announced> - <revised>May 31, 2007: 01</revised> + <revised>June 05, 2007: 02</revised> <bug>176675</bug> <bug>178851</bug> <access>remote</access> @@ -22,9 +22,10 @@ <vulnerable range="lt">1.5.0.11</vulnerable> </package> <package name="dev-java/sun-jre-bin" auto="yes" arch="*"> - <unaffected range="ge">1.5.0.11</unaffected> + <unaffected range="rge">1.5.0.11</unaffected> <unaffected range="rge">1.4.2.14</unaffected> - <vulnerable range="lt">1.5.0.11</vulnerable> + <unaffected range="ge">1.6.0.01</unaffected> + <vulnerable range="lt">1.6.0.01</vulnerable> </package> </affected> <background>
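Review bot: The second hunk adds the 1.6.x branch only for the `dev-java/sun-jre-bin` package block; the `sun-jdk` block that ends just above it (`<vulnerable range="lt">1.5.0.11</vulnerable> </package>`) is left untouched, so a sun-jdk 1.6.0 install still matches no vulnerable or unaffected range for that branch. If sun-jdk 1.6.0 was affected as well, the same `<unaffected range="ge">1.6.0.01</unaffected>` and `<vulnerable range="lt">1.6.0.01</vulnerable>` pair belongs in that block too, and the commit message ("add the 1.6.x branch of sun-jre-bin") should say whether leaving sun-jdk out was deliberate. The switch of the 1.5.0.11 entry from `ge` to `rge` is consistent with the existing `rge` 1.4.2.14 line now that 1.6.0.01 carries the open-ended `ge` range.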
Oh wait, that did not deal with the JDK. Assuming that was affected, it needs to get GLSA'd.
GLSA 200804-20, sorry for the long delay.