Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 233652 - <dev-java/ibm-{jdk,jre}-bin:1.4.2.12: multiple vulnerabilities
Summary: <dev-java/ibm-{jdk,jre}-bin:1.4.2.12: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.ibm.com/developerworks/jav...
Whiteboard: B2 [noglsa]
Keywords:
Depends on: CVE-2008-3103
Blocks: java-security 239991 240384 252416
  Show dependency tree
 
Reported: 2008-08-01 22:23 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2014-05-31 18:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-08-01 22:23:43 UTC 
As usual, bugs in Sun JDK are likely to affect other vendors also due to shared classes etc, and updatess come after a while after Sun updates. The IBM JDK 1.5.0.8 update I noticed today mentions the following security stuff in changelog (which you probably can't access without login to IBM site):

asdev-20080626	136205	IZ24898	c	N/A	Sun Security Bulletin 150_16
jsdev-20080613	134284	IZ24844	c	6581221	Sun Security fixes 6450319 6557220 6581221 6607339 6661918
xs2dev-20080613	134284	IZ24844	c	6581221	Sun Security fixes 6450319 6557220 6581221 6607339 6661918

Some of the fix numbers are mentioned in Sun advisories in bug 231337. Not sure if all apply to IBM and are fixed in this version. Seems IBM didn't release own advisory yet. I'll at least put the new version in tree and ask for stabling. There are no updates for slots 1.6 and 1.4 yet.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-08-02 12:06:56 UTC 
Thanks for following this up, please cc arches as yo push updates.
Comment 2 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-08-03 21:54:05 UTC 
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.8. Distfiles as usual via ssh d.g.o/~caster/tmp
Comment 3 Markus Meier gentoo-dev 2008-08-06 19:21:29 UTC 
amd64/x86 stable
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2008-08-07 18:28:52 UTC 
ppc64 stable
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-19 21:12:47 UTC 
ppc stable for 1.5.0.8
Comment 6 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-09-09 04:52:50 UTC 
Bah, instead of the other slots they released 1.5.0.8a which has "Sun Security fix 6332953" which is probably this vuln: http://sunsolve.sun.com/search/document.do?assetkey=1-66-238965-1

So please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.8a. Distfiles as usual.
Comment 7 Brent Baude (RETIRED) gentoo-dev 2008-09-10 13:37:32 UTC 
ppc and ppc64 stable
Comment 8 Kenneth Prugh (RETIRED) gentoo-dev 2008-09-10 15:49:26 UTC 
amd64 stable
Comment 9 Markus Meier gentoo-dev 2008-09-12 22:17:12 UTC 
x86 stable, all arches done for 1.5
Comment 10 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-09-16 07:45:40 UTC 
So, IBM finally released alerts (in $URL) and a fixed 1.6 which I'm gonna update. No 1.4 yet.
Comment 11 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-09-16 09:52:58 UTC 
ppc/ppc64 please stabilize (other arches don't have any 1.6 stable yet)

dev-java/ibm-jdk-bin-1.6.0.2

distfiles as usual
Comment 12 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-09-16 09:53:48 UTC 
(In reply to comment #11)
> ppc/ppc64 please stabilize (other arches don't have any 1.6 stable yet)
> dev-java/ibm-jdk-bin-1.6.0.2

actually adding arches to CC, sorry...
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2008-09-17 15:14:07 UTC 
ppc/ppc64 stable
Comment 14 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-10-11 17:16:33 UTC 
Please stabilize the finally released 1.4.2.12 (jdk and jre), as usual.
Comment 15 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-10-11 17:51:31 UTC 
Turns out in bug 240384 that I've used old distfiles for the javacomm optional stuff in 1.6, so ppc/ppc64 please stabilize also ibm-jdk-bin-1.6.0.2-r1 thanks.
Comment 16 Markus Meier gentoo-dev 2008-10-12 15:12:31 UTC 
amd64/x86 stable
Comment 17 Markus Rothe (RETIRED) gentoo-dev 2008-10-14 08:17:29 UTC 
1.6.0.2-r1 stable on ppc/ppc64.
Comment 18 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-10-14 18:51:32 UTC 
(In reply to comment #17)
> 1.6.0.2-r1 stable on ppc/ppc64.

Please do also 1.4.2.12 (jdk and jre) see comment 14, sorry for confusion.
Comment 19 Markus Rothe (RETIRED) gentoo-dev 2008-10-15 07:47:38 UTC 
whoops.. 1.4.2.12 (jdk and jre) stable on ppc/ppc64, too.
Comment 20 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-10-18 22:04:02 UTC 
all done except glsa
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-10-19 20:40:35 UTC 
request filed, thanks caster.
Comment 22 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-01-14 09:15:27 UTC 
Looks officially obsoleted/additive to bug 252416 now.
Comment 23 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 18:15:28 UTC 
This issue has been fixed since Oct 15, 2008. No GLSA will be issued.