Bug 377623 - <dev-java/ibm-{jre,jdk}-bin-{1.5.0.12_p5,1.6.0.9_p2}: Multiple vulnerabilities
Summary: <dev-java/ibm-{jre,jdk}-bin-{1.5.0.12_p5,1.6.0.9_p2}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://www.ibm.com/developerworks/jav...
Whiteboard: B2 [noglsa]
Keywords:
Depends on: CVE-2010-4476 370559
Blocks: java-security
Reported: 2011-08-03 22:20 UTC by Vlastimil Babka (Caster) (RETIRED)
Modified: 2016-03-08 09:13 UTC

See Also:
Package list:
Runtime testing required: ---

Description Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-08-03 22:20:57 UTC
As usual, with sun-jdk security fixes come ibm-jdk-bin security fixes.
Comment 1 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-08-03 22:30:35 UTC
Please stabilize:

dev-java/
ibm-jdk-bin-1.6.0.9_p2
ibm-jdk-bin-1.5.0.12_p5
ibm-jre-bin-1.6.0.9_p2
ibm-jre-bin-1.5.0.12_p5

distfiles as usual (ssh d.g.o:~caster/tmp/)
Comment 2 Ian Delaney (RETIRED) gentoo-dev 2011-08-04 19:19:16 UTC
Better luck to the next person getting past the IBM maze of links.
Comment 3 Tanktalus 2011-08-04 22:21:29 UTC
I can't get the dist file from the ibm site - there is no tar.gz file there, at least for amd64. Where did you get it from?
Comment 4 Vlastimil Babka (Caster) (RETIRED) gentoo-dev 2011-08-09 06:07:14 UTC
TGZ variants are under the "Deprecated SDKs and JREs" part of the download page. Here, deprecated means the packaging format (I hope they won't abandon it completely though...), not version.
Comment 5 Tanktalus 2011-08-09 15:46:25 UTC
I submitted an email to IBM to ask about this, and what I got, in a nutshell, is this:

* the tarball/rpm formats are deprecated and will be removed pretty soon, if not with the next release.

* there is a document on how to do a silent install: http://www-01.ibm.com/support/docview.wss?uid=swg21456902 - a quick look says that this will be moderately to very painful to set up.  My response to the IBMer was that this may cause Gentoo to drop IBM Java if it's too difficult (though I'm pretty sure he knows I don't speak for Gentoo, just as here I'm not speaking for IBM, merely relaying information).

* The IBMer I was contacting will take my concerns to the Java Project Manager in IBM.  That doesn't mean anything will change, merely that it'll be brought forward.

My suggestion, then, to the Gentoo Java team is to start planning for that tarball to go away.
Comment 6 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-13 07:04:55 UTC
ppc/ppc64 stable
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2011-08-19 19:45:51 UTC
Apart from getting-the-distfile-pain things worked well for me.
x86 stable.
Comment 8 Markos Chandras (RETIRED) gentoo-dev 2011-08-27 09:26:27 UTC
amd64 done. Thanks Ian
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2011-08-27 16:38:54 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 11:51:02 UTC
@maintainers, this is the last bug on the java-security tracker from ages ago.  Anything stopping a cleanup of versions 1.6.0.9_p1 in jre and jdk?  If not, please clean the tree.  Thanks.
Comment 11 James Le Cuirot gentoo-dev 2016-03-05 21:18:48 UTC
(In reply to Aaron Bauman from comment #10)
> @maintainers, this is the last bug on the java-security tracker from ages
> ago.  Anything stopping a cleanup of versions 1.6.0.9_p1 in jre and jdk?  If
> not, please clean the tree.  Thanks.

dev-java/ibm-{jre,jdk}-bin (and several other JVMs) will actually be last-rited as soon as ppc64 team deal with bug #567890. The branch is ready waiting to go.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 23:54:19 UTC
Thanks for the update.  Do we have an estimated time when that merge will happen?
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-03-06 06:47:35 UTC
(In reply to James Le Cuirot from comment #11)
> (In reply to Aaron Bauman from comment #10)
> > @maintainers, this is the last bug on the java-security tracker from ages
> > ago.  Anything stopping a cleanup of versions 1.6.0.9_p1 in jre and jdk?  If
> > not, please clean the tree.  Thanks.
> 
> dev-java/ibm-{jre,jdk}-bin (and several other JVMs) will actually be
> last-rited as soon as ppc64 team deal with bug #567890. The branch is ready
> waiting to go.

Chewi, I understand you are working on a large move, however, 1.6.0.9_p2 is stable on ppc64.  Just asking to purge 1.6.0.9_p1 from the tree in order to close out a couple of security bugs.  That would be much appreciated if possible. Thanks.
Comment 14 James Le Cuirot gentoo-dev 2016-03-06 10:42:35 UTC
(In reply to Aaron Bauman from comment #13)
> Chewi, I understand you are working on a large move, however, 1.6.0.9_p2 is
> stable on ppc64.  Just asking to purge 1.6.0.9_p1 from the tree in order to
> close out a couple of security bugs.  That would be much appreciated if
> possible. Thanks.

Kill off p1 now if you like but we're simply waiting for someone from ppc64 team to find the time. That would usually be ago but he's been unavailable and pacho has been busy too. It could literally be today but I really don't know.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-03-06 10:53:48 UTC
(In reply to James Le Cuirot from comment #14)
> (In reply to Aaron Bauman from comment #13)
> > Chewi, I understand you are working on a large move, however, 1.6.0.9_p2 is
> > stable on ppc64.  Just asking to purge 1.6.0.9_p1 from the tree in order to
> > close out a couple of security bugs.  That would be much appreciated if
> > possible. Thanks.
> 
> Kill off p1 now if you like but we're simply waiting for someone from ppc64
> team to find the time. That would usually be ago but he's been unavailable
> and pacho has been busy too. It could literally be today but I really don't
> know.

Thanks for the feedback.  The Git history shows that ~ppc64 was added later following the bump for security.  Of course this is spanning many years. It should have been requested in a separate bug.  I will remove _p1.  Thanks!
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-03-06 11:15:25 UTC
Vulnerable versions dropped from tree. No CVEs identified on this bug to add it to an existing Java GLSA or publish a new one. Per previous comments these packages will be gone soon from the tree.

@security, thoughts on GLSA?
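The summary line of this bug uses Gentoo's usual shorthand for affected versions: `<dev-java/ibm-{jre,jdk}-bin-{1.5.0.12_p5,1.6.0.9_p2}` expands to four `<` atoms, but the intended meaning is one lower bound per release series (1.5.x is fixed at 1.5.0.12_p5, 1.6.x at 1.6.0.9_p2), which is why comments 13 to 16 only care about purging 1.6.0.9_p1. The script below is an added example, not Gentoo tooling and not from this bug: it expands the shorthand, orders versions with a simplified subset of PMS rules (dotted numbers, optional letter, `_alpha/_beta/_pre/_rc/_p` suffixes, `-rN`), and classifies a constructed list of installed versions per series. The `INSTALLED` list, the `naive_match`/`classify` names and the verdict strings are assumptions made for the example; `naive_match` is there only to show that treating the expanded atoms as a plain union wrongly flags 1.5.0.12_p5 because it sorts below 1.6.0.9_p2.

```python
"""Classify installed Gentoo package versions against the affected-version
shorthand used in this bug's summary. Added example, not Gentoo tooling."""
import itertools
import re

# Copied from the bug summary. Brace form = one "<" bound per release series.
AFFECTED_SPEC = "<dev-java/ibm-{jre,jdk}-bin-{1.5.0.12_p5,1.6.0.9_p2}"

# Constructed sample of installed category/package-version strings (not from
# the bug); on a real system this would come from /var/db/pkg or qlist -ICv.
INSTALLED = [
    "dev-java/ibm-jdk-bin-1.6.0.9_p1",
    "dev-java/ibm-jre-bin-1.5.0.12_p5",
    "dev-java/ibm-jre-bin-1.5.0.12_p4-r1",
    "dev-java/sun-jdk-1.6.0.26",
]

# Package name ends at the last hyphen that is followed by a digit (PMS rule).
ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)?(?P<cat>[^/]+)/(?P<pkg>.+?)-(?P<ver>\d[\w.]*(?:-r\d+)?)$")
VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}


def expand_braces(spec):
    """Expand shell-style {a,b} groups into every combination."""
    groups = [g.split(",") for g in re.findall(r"\{([^}]*)\}", spec)]
    template = re.sub(r"\{[^}]*\}", "{}", spec)
    return [template.format(*combo) for combo in itertools.product(*groups)]


def version_key(ver):
    """Sortable key for a simplified subset of PMS version ordering."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    numbers, letter, suffixes, rev = m.groups()
    nums = tuple(int(n) for n in numbers.split("."))
    ranks = [(SUFFIX_RANK[name], int(num or 0))
             for name, num in re.findall(r"_([a-z]+)(\d*)", suffixes)]
    ranks.append((SUFFIX_RANK[""], 0))  # sentinel: no suffix sorts between _rc and _p
    return (nums, letter or "", tuple(ranks), int(rev or 0))


def parse_atom(atom):
    """Split an atom into operator, category, package, version and series."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"cannot parse atom: {atom}")
    d = m.groupdict()
    d["op"] = d["op"] or "="
    d["series"] = version_key(d["ver"])[0][:2]  # e.g. (1, 6) for 1.6.0.9_p2
    return d


def naive_match(installed_cpv, spec=AFFECTED_SPEC):
    """Union of all expanded atoms. Over-flags 1.5.0.12_p5 (it is < 1.6.0.9_p2)."""
    inst = parse_atom(installed_cpv)
    return any((b["cat"], b["pkg"]) == (inst["cat"], inst["pkg"])
               and version_key(inst["ver"]) < version_key(b["ver"])
               for b in map(parse_atom, expand_braces(spec)))


def classify(installed_cpv, spec=AFFECTED_SPEC):
    """Compare only against the bound whose release series matches."""
    inst = parse_atom(installed_cpv)
    bounds = [b for b in map(parse_atom, expand_braces(spec))
              if (b["cat"], b["pkg"]) == (inst["cat"], inst["pkg"])]
    if not bounds:
        return "unrelated package"
    same_series = [b for b in bounds if b["series"] == inst["series"]]
    if not same_series:
        return "no bound for series"
    for b in same_series:
        if b["op"] != "<":
            raise ValueError(f"unsupported operator in {b}")
        if version_key(inst["ver"]) < version_key(b["ver"]):
            return "vulnerable"
    return "fixed"


def report(installed=INSTALLED, spec=AFFECTED_SPEC):
    """Map each installed cpv to its per-series verdict."""
    return {cpv: classify(cpv, spec) for cpv in installed}


if __name__ == "__main__":
    for cpv, verdict in report().items():
        print(f"{verdict:>20}  naive={naive_match(cpv)!s:5}  {cpv}")
```

Run as-is it prints one line per constructed entry; 1.6.0.9_p1 and 1.5.0.12_p4-r1 come out vulnerable, 1.5.0.12_p5 comes out fixed by the per-series check but True under the naive union, and sun-jdk is reported as unrelated. Versions with a series the summary does not mention (a hypothetical 1.4.x) are reported as "no bound for series" rather than guessed at.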