There is no advisory from IBM I know of, but the changelog of 1.5.0.9 contains several security mentions:

wsdev-20081119 143565 IZ37676 c N/A Sun Security Fix 6767668
asdev-20081030 143026 - c N/A Sun Security Defects
asdev-20081029 142959 - c N/A Sun Security Defects
audev-20081028 142130 IZ35743 c N/A Sun Security Defects
asdev-20081028 142130 IZ35743 c N/A Sun Security Defects
asdev-20081028 142691 IZ35744 c N/A Sun Security Defects
wsdev-20081028 142130 IZ35743 c N/A Sun Security Defects
asdevplug-20081028 142130 IZ35743 c N/A Sun Security Defects
asdev-20080813 139180 IZ29053 c 6332953 Sun Security fix 6332953
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.5.0.9. Distfiles as usual via ssh d.g.o/~caster/tmp
amd64/x86 stable
ppc stable
ppc64 done
Alerts appeared on IBM's $URL. Good that we did 1.5.0.9 - it's fixed. For 1.4 and 1.6 there are no releases yet, as usual :/
Due to impacts like DoS, privilege escalation and remote execution of arbitrary code, I set the bug to B3. I would vote for a GLSA because of the numerous possible attack vectors and the very wide usage of Java.
ppc/ppc64 please stabilize ibm-jdk-bin-1.6.0.4; distfiles are being uploaded as usual (comment 1).
ppc and ppc64 done
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 1.4.2.13. Distfiles as usual.
Marked 1.4.2.13 ppc/ppc64 stable.
Removing ppc/ppc64 CC's (sorry for the bugspam).
amd64/x86 stable, all arches done.
All that's left is the GLSA then, covering also bug 233652.
(In reply to comment #10)
> Marked 1.4.2.13 ppc/ppc64 stable.

You forgot ibm-jre-bin, please do.
Also please note that the distfiles of 1.6 were meanwhile changed upstream and redigested (bug 265760), so take care not to redigest with the old ones - remove DISTDIR/ibm-java-*6.0-4.0* or use FEATURES=assume-digests etc...
So, apparently 1.5.0.9 was not fixed; IBM released a security update, which I bumped as 1.5.0.9-r1. They didn't care to rename the version's distfiles though. To prevent users from renaming distfiles of the fixed version (in order to coexist with the old version), the old ebuild was updated to expect the old distfiles to be renamed to .old.tgz. So, please stabilize 1.5.0.9-r1; you need to download the new distfiles from the usual place and rename or replace the old distfiles. Take care also about comment 15. Sorry that their naming schemes suck.
Remote passive execution of arbitrary code is B2. Added to the already existing GLSA.