Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 330205 - <dev-java/icedtea6-bin-1.8.1: security vulnerabilities
Summary: <dev-java/icedtea6-bin-1.8.1: security vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 312297
  Show dependency tree
Reported: 2010-07-28 12:59 UTC by Andrew John Hughes
Modified: 2014-06-29 15:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andrew John Hughes 2010-07-28 12:59:02 UTC
* CVE-2010-2783, RH616895: IcedTea ‘Extended JNLP Services’ arbitrary file access
* CVE-2010-2548, RH616893: IcedTea Incomplete property access check for unsigned applications

New ebuilds in java-overlay.  New binaries needed.

Reproducible: Always
Comment 3 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-07-30 14:57:30 UTC
I've built new binaries for icedtea6-bin-1.8.1, please stabilize.
I also removed the 1.7 series as 1.8 seems to work for users, so we don't need the 1.7.4 bump.
The source version in main tree in dev-java/icedtea was also bumped, but since the package is not stable yet, there's nothing more to do.
Comment 4 Myckel Habets 2010-07-30 19:45:49 UTC
Installs fine on x86. Rdep builds against this version. Please mark stable for x86.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-07-31 03:25:19 UTC
x86 stable, thanks Myckel
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-07-31 14:41:11 UTC
amd64 done
Comment 7 Andrew John Hughes 2010-08-01 15:39:43 UTC
There are some fixes in 1.7.4 that didn't make 1.8.1.  I can understand you not wanting to maintain two binaries, but both ebuild streams in the overlay will be retained.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 15:01:49 UTC
Rating B3 [ebuild?].

Vlastimil, please see Andrew's last comment.
Comment 9 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2010-08-26 23:14:31 UTC
(In reply to comment #8)
> Rating B3 [ebuild?].
> Vlastimil, please see Andrew's last comment.

He didn't mean security fixes but general bugfixes. 1.8.1 is thus fine.

Comment 10 Andrew John Hughes 2010-08-26 23:26:35 UTC
To elaborate, 1.7.4 has:

S6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks.
S6963870: Eliminate NullPointerEx in swing class CompoundBorder method getBorderInsets.
PR453, OJ100142: Fix policy evaluation to match the proprietary JDK.

and a number of javadoc fixes which didn't make 1.8.1.  We could add these locally to the ebuild.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2010-11-18 20:29:41 UTC
GLSA Vote: yes, perhaps with 340819.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:02:40 UTC
Yes, added.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-06-29 15:28:20 UTC
This issue was resolved and addressed in
 GLSA 201406-32 at
by GLSA coordinator Mikle Kolyada (Zlogene).