From ${URL} : IcedTea-Web version 1.4.2, released earlier this week, fixes an issue related to handling of the directory that is used to store sockets for communication between the in-browser plugin and the JVM running applets. The directory was usually created in /tmp using a predictable name, and its ownership and permissions were not checked. This issue was reported by Michael Scherer of Red Hat and was assigned CVE-2013-6493.

References:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a
http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663
https://bugzilla.redhat.com/show_bug.cgi?id=1010958

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
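The weakness described in the report is a directory under a world-writable location whose name is predictable and whose ownership and permissions are never verified, so another local user can pre-create it (or plant a symlink at that name) and then read or redirect the plugin's sockets. The following is an added example written for this page; it is not IcedTea-Web's code and does not reproduce the upstream fix. It shows the minimum checks a C program should perform before trusting such a directory: create it with mode 0700, open it with O_NOFOLLOW so a planted symlink is rejected, and fstat the opened descriptor to confirm it is a real directory, owned by the current user, with no group or other permissions. The function names (`open_private_dir`, `private_dir_selftest`) and the scratch paths built in the self-test are hypothetical.

```c
/* Added example (not IcedTea-Web code): create or verify a private per-user
 * directory under a world-writable location such as /tmp, refusing to use it
 * if another local user could have pre-created it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns an open O_DIRECTORY descriptor for `path` on success, -1 on failure.
 * Callers should keep using the descriptor (openat(), fchdir(), ...) rather
 * than re-resolving the path, which could be swapped out underneath them. */
int open_private_dir(const char *path)
{
    /* Create it ourselves with 0700. umask can only remove bits from this,
     * never add group/other access. EEXIST means someone (maybe us, maybe an
     * attacker) got there first, so the checks below decide. */
    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;

    /* O_NOFOLLOW: a symlink planted at the predictable name fails with ELOOP
     * instead of silently redirecting us into an attacker-controlled tree. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Check the object we actually opened, not the path (avoids a TOCTOU gap). */
    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid() ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-test on constructed paths inside a fresh mkdtemp() scratch directory.
 * Returns the number of failed checks; 0 means every case behaved as intended. */
int private_dir_selftest(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    char scratch[256];
    snprintf(scratch, sizeof scratch, "%s/privdir-XXXXXX", base);
    if (mkdtemp(scratch) == NULL)
        return 1;

    int failures = 0;
    char good[320], loose[320], link[320];
    snprintf(good, sizeof good, "%s/good", scratch);
    snprintf(loose, sizeof loose, "%s/loose", scratch);
    snprintf(link, sizeof link, "%s/link", scratch);

    /* Case 1: directory that does not exist yet, created by us: accepted. */
    int fd = open_private_dir(good);
    if (fd < 0) failures++; else close(fd);

    /* Case 2: pre-existing directory with group/other access (simulating a
     * pre-created attacker directory at the predictable name): rejected. */
    mkdir(loose, 0700);
    chmod(loose, 0777);
    fd = open_private_dir(loose);
    if (fd >= 0) { failures++; close(fd); }

    /* Case 3: symlink planted at the expected name: rejected via O_NOFOLLOW. */
    symlink(good, link);
    fd = open_private_dir(link);
    if (fd >= 0) { failures++; close(fd); }

    unlink(link);
    rmdir(loose);
    rmdir(good);
    rmdir(scratch);
    return failures;
}

int main(void)
{
    int failures = private_dir_selftest();
    printf("%s (%d failure(s))\n", failures ? "FAIL" : "OK", failures);
    return failures ? 1 : 0;
}
```

These checks stop an attacker from reading or redirecting the sockets, but a predictable name under /tmp still lets a local user deny service by pre-creating the directory with the wrong owner. Placing the directory under a per-user runtime location (for example $XDG_RUNTIME_DIR) or naming it with mkdtemp() removes that residual issue as well.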
Not sure if this affects 1.3.2 which is built into icedtea-bin-6, or just 1.4 series :/
I guess 1.3.2 is also affected, so it's time icedtea-bin:6 stopped bundling it and depended on 1.4.2, which can handle multiple icedtea versions in a single installation. So I made a dev-java/icedtea-bin-6.1.13.3-r1 revbump that should be tested and stabilized together with dev-java/icedtea-web-1.4.2. Testing means trying javaws on some webstart file, and checking if the browser plugin works. Thanks.
I get:

dependency.bad 22
dev-java/icedtea-web/icedtea-web-1.4.2.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['dev-java/icedtea:7']
Please fix bug #502280 first.
With bug #502280 closed, please advise when you want to go to stabilization.
Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so it seems we don't need to stabilize it.
(In reply to Paweł Hajdan, Jr. from comment #6)
> Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so
> it seems we don't need to stabilize it.

This was a question for dev-java/icedtea-bin to stabilize 6.1.13.3-r1 as per comment 2 above. Sorry for not asking specifics. icedtea-web does not need to be stabilized, just tested.
(In reply to Yury German from comment #7)
> (In reply to Paweł Hajdan, Jr. from comment #6)
> > Actually it seems that icedtea-web only has ~arch ebuilds and not stable, so
> > it seems we don't need to stabilize it.
>
> This was a question for dev-java/icedtea-bin to stabilize 6.1.13.3-r1 as per
> comment 2 above. Sorry for not asking specifics. icedtea-web does not need
> to be stabilized, just tested.

No, it needs to be stabilized. icedtea-bin (which is stable) bundles a vulnerable version of icedtea-web. Now it's possible to unbundle it, so that icedtea-bin PDEPENDs on icedtea-web. But for that, icedtea-web needs to be stable.

(In reply to Agostino Sarubbo from comment #3)
> I get:
>
> dependency.bad 22
>
> dev-java/icedtea-web/icedtea-web-1.4.2.ebuild: DEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea:7']

I have fixed this by stripping the icedtea7 USE flag from icedtea-web-1.4.2, and creating an icedtea-web-1.4.2-r1 revbump that keeps it.

Also for bug 502280, dev-java/icedtea-bin-6.1.13.3-r1 had to be revbumped to dev-java/icedtea-bin-6.1.13.3-r3 (without a change, but previously the bug was fixed without a revbump so people didn't get the fix).

So to sum up, please stabilize the following:
dev-java/icedtea-bin-6.1.13.3-r3
dev-java/icedtea-web-1.4.2 (NOT -r1)

Thanks.
Arches, please test and mark stable:
=dev-java/icedtea-bin-6.1.13.3-r3
=dev-java/icedtea-web-1.4.2 (New Stabilization - see comment #8)
Target Keywords : "amd64 x86"
RepoMan scours the neighborhood...
>>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
dependency.bad 11
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/gnome/systemd) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/kde) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/desktop/kde/systemd) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(default/linux/amd64/13.0/developer) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/no-multilib) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/no-multilib/selinux) ['dev-java/icedtea-web:0[icedtea7]']
dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND: amd64(hardened/linux/amd64/selinux) ['dev-java/icedtea-web:0[icedtea7]']
(In reply to Agostino Sarubbo from comment #10)
> RepoMan scours the neighborhood...
>
> >>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
> dependency.bad 11
>
> dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']

I'm updating the title so it says 'dev-java/icedtea-bin-6.1.13.3-r3' explicitly. I will also remove -r0 and -r1 to be sure.
(In reply to Agostino Sarubbo from comment #10)
> RepoMan scours the neighborhood...
>
> >>> Creating Manifest for /home/at/gentoo-x86/dev-java/icedtea-bin
> dependency.bad 11
>
> dev-java/icedtea-bin/icedtea-bin-6.1.13.3-r1.ebuild: PDEPEND:
> amd64(default/linux/amd64/13.0) ['dev-java/icedtea-web:0[icedtea7]']

Should be fixed, please try again.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA vote: no.
GLSA Vote: No. No GLSA will be issued. Maintainer(s), please drop the vulnerable version.
CVE-2013-6493 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6493): The LiveConnect implementation in plugin/icedteanp/IcedTeaNPPlugin.cc in IcedTea-Web before 1.4.2 allows local users to read the messages between a Java applet and a web browser by pre-creating a temporary socket file with a predictable name in /tmp.
Vulnerable versions were removed a while ago. Closing as it's noglsa.