Bug 252416 - dev-java/ibm-jdk-bin <= 1.4.2.12 <= 1.5.0.9 <= 1.6.0.3 and ibm-jre-bin: multiple vulnerabilities
Summary: dev-java/ibm-jdk-bin <= 1.4.2.12 <= 1.5.0.9 <= 1.6.0.3 and ibm-jre-bin: multi...
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.ibm.com/developerworks/jav...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 233652
Blocks: java-security 287490
Reported: 2008-12-24 18:44 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2013-07-07 12:55 UTC

Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-12-24 18:44:32 UTC
There is no advisory from IBM I know of, but the changelog of 1.5.0.9 contains several security mentions:

wsdev-20081119	143565	IZ37676	c	N/A	Sun Security Fix 6767668
asdev-20081030	143026	-	c	N/A	Sun Security Defects
asdev-20081029	142959	-	c	N/A	Sun Security Defects
audev-20081028	142130	IZ35743	c	N/A	Sun Security Defects
asdev-20081028	142130	IZ35743	c	N/A	Sun Security Defects
asdev-20081028	142691	IZ35744	c	N/A	Sun Security Defects
wsdev-20081028	142130	IZ35743	c	N/A	Sun Security Defects
asdevplug-20081028	142130	IZ35743	c	N/A	Sun Security Defects
asdev-20080813	139180	IZ29053	c	6332953	Sun Security fix 6332953
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2008-12-24 18:45:38 UTC
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.9. Distfiles as usual
via ssh d.g.o/~caster/tmp

Comment 2 Markus Meier gentoo-dev 2008-12-25 10:18:23 UTC
amd64/x86 stable
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-29 18:26:05 UTC
ppc stable
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-01-06 17:07:17 UTC
ppc64 done
Comment 5 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-01-14 09:11:39 UTC
Alerts appeared on IBM's $URL. Good that we did 1.5.0.9 - it's fixed. For 1.4 and 1.6 there are not yet releases, as usual :/
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2009-02-27 22:56:07 UTC
Due to impacts like DoS, privilege escalation and remote execution of arbitrary code, I set the bug to B3.

I would vote for a GLSA because of the numerous possible attack vectors and the very wide usage of Java.
Comment 7 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-03-29 23:12:02 UTC
ppc/ppc64 please stabilize ibm-jdk-bin-1.6.0.4; distfiles are being uploaded as usual (comment 1).
Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-03-30 16:00:37 UTC
ppc and ppc64 done
Comment 9 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-04-02 11:44:48 UTC
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.4.2.13. Distfiles as usual.
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2009-04-02 22:13:54 UTC
Marked 1.4.2.13 ppc/ppc64 stable.
Comment 11 Joe Jezak (RETIRED) gentoo-dev 2009-04-03 12:58:32 UTC
Removing ppc/ppc64 CC's (sorry for the bugspam).
Comment 12 Markus Meier gentoo-dev 2009-04-04 13:54:52 UTC
amd64/x86 stable, all arches done.
Comment 13 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-04-05 18:37:47 UTC
All that's left is the GLSA then, also covering bug 233652.
Comment 14 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-04-21 19:13:13 UTC
(In reply to comment #10)
> Marked 1.4.2.13 ppc/ppc64 stable.
> 

You forgot ibm-jre-bin, please do.
Comment 15 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-04-21 19:18:38 UTC
Also please note that the distfiles of 1.6 were meanwhile changed upstream and redigested (bug 265760) so take care not to redigest with the old ones - remove DISTDIR/ibm-java-*6.0-4.0* or use FEATURES=assume-digests etc...
Comment 16 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2009-04-22 13:03:48 UTC
So, apparently 1.5.0.9 was not fixed; IBM released a security update, which I bumped as 1.5.0.9-r1. They didn't care to rename the version's distfiles though. To prevent users from renaming distfiles of the fixed version (in order to coexist with the old version), the old ebuild was updated to expect the old distfiles to be renamed to .old.tgz.

So, please stabilize 1.5.0.9-r1; you need to download new distfiles from the usual place and rename or replace the old distfiles. Also take care about comment 15. Sorry that their naming schemes suck.
Comment 17 Brent Baude (RETIRED) gentoo-dev 2009-04-22 14:30:25 UTC
ppc and ppc64 done
Comment 18 Markus Meier gentoo-dev 2009-05-01 14:21:29 UTC
amd64/x86 stable, all arches done.
Comment 19 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-08 22:45:56 UTC
Remote passive execution of arbitrary code is B2.
Added to already existing glsa.