Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 182824 - dev-java/blackdown-{jdk|jre} probably affected by GLSA 200705-23
Summary: dev-java/blackdown-{jdk|jre} probably affected by GLSA 200705-23
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.gentoo.org/security/en/gls...
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks: java-security
  Show dependency tree
 
Reported: 2007-06-21 21:27 UTC by Stefan Cornelius (RETIRED)
Modified: 2009-11-17 23:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Cornelius (RETIRED) gentoo-dev 2007-06-21 21:27:38 UTC
http://www.gentoo.org/security/en/glsa/glsa-200705-23.xml

hlieberman pointed out that blackdown is probably affected by GLSA 200705-23.

java, please provide new ebuilds if possible (i guess its not). if not, we need to find another solution here.
Comment 1 Petteri Räty (RETIRED) gentoo-dev 2007-06-21 21:54:22 UTC
(In reply to comment #0)
> http://www.gentoo.org/security/en/glsa/glsa-200705-23.xml
> 
> hlieberman pointed out that blackdown is probably affected by GLSA 200705-23.
> 
> java, please provide new ebuilds if possible (i guess its not). if not, we need
> to find another solution here.
> 

blackdown upstream has been long dead. Maybe just make it ~arch only? The stuff that needs =virtual/jdk-1.4* will just pull in ibm-jdk-bin for amd64 and sun-jdk for x86. I will post an RFC to gentoo-java mailing list.
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2007-06-21 22:02:13 UTC
Yup, it's affected. It's also affected by any vulnerability that affects sun-jdk-1.4.2.10 since it's just relicensed that. But I don't remember any that wasn't about browser applets and we already masked nsplugin flag.
This one is different. Upstream seems dead though.

Let's summarize why we keep blackdown around.
- x86 - because it's not fetch restricted, while sun-jdk and others are
- amd64 - ditto, also provides the only 64bit nsplugin (although now use.masked), and the only alternative jdk here is ibm-jdk-bin-1.4 which on some system has font issues. Although that's less of problem because for running stuff one can almost always use sun-jdk-1.5/1.6

Masking it now for this vulnerability seems pointless at least until the alternatives are also fixed (they are vulnerable too but at least have live upstream). Unless there are some other vulnerabilities too.

Maybe we could somehow restrict blackdown-jdk to be used only for building (gen-1 packages and some gen-2 need 1.4) and not running stuff. Compiling sources is unlikely to exploit vulnerabilities.
Comment 3 Petteri Räty (RETIRED) gentoo-dev 2007-06-21 22:38:14 UTC
(In reply to comment #2)
> 
> Maybe we could somehow restrict blackdown-jdk to be used only for building
> (gen-1 packages and some gen-2 need 1.4) and not running stuff. Compiling
> sources is unlikely to exploit vulnerabilities.
> 

Or just fix the four cases cases where it's needed:
http://article.gmane.org/gmane.linux.gentoo.java/1689

Comment 4 Petteri Räty (RETIRED) gentoo-dev 2007-06-21 22:38:57 UTC
(In reply to comment #3)
>
> Or just fix the four cases cases where it's needed:
> http://article.gmane.org/gmane.linux.gentoo.java/1689
> 

Ah yes gen 1 stuff. Well we have stabilization weekend coming up.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-06-29 22:46:58 UTC
One year passed, where are we with removing or restricting Blackdown? What is left holding this back?
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-12-17 08:33:34 UTC
(In reply to comment #5)
> One year passed, where are we with removing or restricting Blackdown? What is
> left holding this back?
> 

*ping*
Comment 7 Nico Baggus 2009-09-03 13:03:46 UTC
To day i had issues with blackdown demolishing a nepomuk update for kde-4.3.1
upstream is a japanese site parking, it seems dead.....
Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-17 23:09:26 UTC
GLSA 200911-02