Bug 559532 - <dev-java/icedtea{,-bin}-{6.1.13.8,7.2.5.6}: Multiple vulnerabilities (CVE-2015-{2808,2625,4760,2601,4748,4749,2613,2621,4000,2628,4731,2590,4732,4733,2632,4000})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://blog.fuseyism.com/index.php/20...
Whiteboard: B2 [glsa cve]
Reported: 2015-09-03 15:18 UTC by James Le Cuirot
Modified: 2016-03-12 23:41 UTC
Description James Le Cuirot gentoo-dev 2015-09-03 15:18:24 UTC
Sorry for the lateness of this, I've never filed a security bug and was used to other people doing it for me! These are usually coupled with Oracle security releases but Oracle is no longer providing public updates for Java 7 (or 6) so this applies to IcedTea only. As such, it probably didn't get much publicity.

I have already bumped icedtea and icedtea-bin. icedtea doesn't get marked stable so the vulnerable versions of that are already cleared.

amd64, x86, and ppc arch teams, please stabilise:
dev-java/icedtea-bin-6.1.13.8
dev-java/icedtea-bin-7.2.5.6 (ppc only)
dev-java/icedtea-bin-7.2.6.1 (not ppc)

Note that 7.2.5.6 is required because the 2.6 series is currently broken on ppc.
Comment 1 Agostino Sarubbo gentoo-dev 2015-09-03 15:28:14 UTC
So, if I understand well:

AMD64/X86:
=dev-java/icedtea-bin-6.1.13.8
=dev-java/icedtea-bin-7.2.6.1


PPC:
=dev-java/icedtea-bin-6.1.13.8
=dev-java/icedtea-bin-7.2.5.6


Please confirm.
Comment 2 James Le Cuirot gentoo-dev 2015-09-03 15:32:20 UTC
(In reply to Agostino Sarubbo from comment #1)
> So, if I understand well:
> ...
> Please confirm.

Yes.
Comment 3 Agostino Sarubbo gentoo-dev 2015-09-06 08:48:26 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-09-06 08:49:19 UTC
x86 stable
Comment 5 James Le Cuirot gentoo-dev 2015-09-06 13:45:56 UTC
Please hold off on ppc for a second, we've just realised why CACAO has been causing memory problems, it has a fixed 128MB heap. :|
Comment 6 James Le Cuirot gentoo-dev 2015-09-07 22:45:59 UTC
(In reply to James Le Cuirot from comment #5)
> Please hold off on ppc for a second, we've just realised why CACAO has been
> causing memory problems, it has a fixed 128MB heap. :|

Okay, I have now pushed a fix for that as -r1.

ppc team, please stabilise:
dev-java/icedtea-bin-6.1.13.8-r1
dev-java/icedtea-bin-7.2.5.6-r1

6.1.13.8-r1 went straight to stable for amd64 and x86 as only the core ppc tarball changed.
Comment 7 Agostino Sarubbo gentoo-dev 2015-09-08 07:27:27 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 James Le Cuirot gentoo-dev 2015-09-08 09:33:17 UTC
Thanks. Vulnerable versions now removed.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-31 03:05:21 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 23:41:11 UTC
This issue was resolved and addressed in
 GLSA 201603-14 at https://security.gentoo.org/glsa/201603-14
by GLSA coordinator Kristian Fiskerstrand (K_F).