After installing dev-java/icedtea-bin-3.0.0_pre09-r1 on a hardened amd64 Gentoo Linux box:

# glsa-check -t all
This system is affected by the following GLSAs:
201406-32

# glsa-check --print 201406-32
GLSA 201406-32:
IcedTea JDK: Multiple vulnerabilities
============================================================================
Synopsis:         Multiple vulnerabilities have been found in the IcedTea JDK,
                  the worst of which could lead to arbitrary code execution.
Announced on:     June 29, 2014
Last revised on:  June 29, 2014 : 01
Affected package: dev-java/icedtea-bin
Affected archs:   All
Vulnerable:       <6.1.13.3
Unaffected:       >=6.1.13.3
Related bugs:     312297, 330205, 340819, 346799, 352035, 353418, 354231,
                  355127, 370787, 387637, 404095, 421031, 429522, 433389,
                  438750, 442478, 457206, 458410, 461714, 466822, 477210,
                  489570, 508270

Background:
IcedTea is a distribution of the Java OpenJDK source code built with free build tools.

Description:
Multiple vulnerabilities have been discovered in the IcedTea JDK. Please review the CVE identifiers referenced below for details.

Impact:
A remote attacker could possibly execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, bypass intended security policies, or have other unspecified impact.

Workaround:
There is no known workaround at this time.

Resolution:
All IcedTea JDK users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/icedtea-bin-6.1.13.3"

References:
(...)

Reproducible: Always

Steps to Reproduce:
1. Emerge dev-java/icedtea-bin-3.0.0_pre09-r1
2. Run glsa-check -t all
3.

Actual Results:
# glsa-check -t all
This system is affected by the following GLSAs:
201406-32

Expected Results:
# glsa-check -t all
This system is not affected by any of the listed GLSAs
I've just been alerted to this and it now also affects GLSA 201603-14. icedtea-3 is actually the latest version (for Java 8) because we've switched to match upstream's versioning scheme instead of our own weird one. Apart from this issue, it hasn't been a problem because we always depend on JVMs using SLOTs. Since I'm currently trying to push icedtea-3 as the new big thing right now, I'd really like this fixed! I don't like touching GLSAs myself though so please take a look.
After discussing this with b-man and trying it locally, it looks like adding this is the way to go:

<unaffected range="lt">6</unaffected>

We don't have icedtea-3 in the tree yet, only icedtea-bin-3, but it will be coming, so don't forget to add it for both.
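A worked model of why the advisory fires and why the proposed range stops it, added here as an illustration; it is not glsa-check's code and not anything posted in this thread. It reads a GLSA <package> entry constructed from the ranges 201406-32 prints, compares versions with a simplified Gentoo version comparator, and applies the rule "flagged if the installed version matches any <vulnerable> range and no <unaffected> range", which is assumed here to be what glsa-check tests per package:

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

Range = Tuple[str, str]  # (range attribute, version bound), e.g. ("lt", "6")

# Suffix ordering from the Gentoo version spec: _alpha < _beta < _pre < _rc
# < (no suffix) < _p.  Assumption: a simplified comparator that ignores the
# spec's leading-zero and letter-component rules, which the versions in this
# thread do not exercise.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suf>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)


def parse_version(v: str) -> tuple:
    """Turn '3.0.0_pre09-r1' into a tuple that sorts the way Gentoo sorts it."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suffix_rank = SUFFIX_RANK[m.group("suf") or ""]
    suffix_num = int(m.group("sufnum") or 0)
    revision = int(m.group("rev") or 0)
    return (nums, suffix_rank, suffix_num, revision)


OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def in_range(installed: str, op: str, bound: str) -> bool:
    return OPS[op](parse_version(installed), parse_version(bound))


def is_affected(installed: str, vulnerable: List[Range], unaffected: List[Range]) -> bool:
    """Flag a version that matches any <vulnerable> range and no <unaffected>
    range.  Assumption: this mirrors glsa-check's per-package test; it is a
    re-implementation for illustration, not glsa-check's own code."""
    hit = any(in_range(installed, op, b) for op, b in vulnerable)
    safe = any(in_range(installed, op, b) for op, b in unaffected)
    return hit and not safe


def load_ranges(package_xml: str) -> Tuple[str, List[Range], List[Range]]:
    """Read the <vulnerable>/<unaffected> children of a GLSA <package> element."""
    pkg = ET.fromstring(package_xml)
    vul = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
    unaff = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
    return pkg.get("name"), vul, unaff


# Constructed <package> entry modelled on the ranges 201406-32 prints
# (<6.1.13.3 vulnerable, >=6.1.13.3 unaffected); not the real advisory file.
ORIGINAL = """<package name="dev-java/icedtea-bin" auto="yes" arch="*">
  <unaffected range="ge">6.1.13.3</unaffected>
  <vulnerable range="lt">6.1.13.3</vulnerable>
</package>"""

# The same entry with the line proposed above: everything below 6 is the
# upstream-numbered icedtea-3 series, which is not part of the 6.x line.
FIXED = """<package name="dev-java/icedtea-bin" auto="yes" arch="*">
  <unaffected range="ge">6.1.13.3</unaffected>
  <unaffected range="lt">6</unaffected>
  <vulnerable range="lt">6.1.13.3</vulnerable>
</package>"""


def glsa_flags(installed: str, package_xml: str) -> bool:
    """True when the given installed version would be reported for this entry."""
    _, vul, unaff = load_ranges(package_xml)
    return is_affected(installed, vul, unaff)


if __name__ == "__main__":
    for ver in ("3.0.0_pre09-r1", "3.1.0", "6.1.13.2", "6.1.13.3"):
        print(f"{ver:16} original: {glsa_flags(ver, ORIGINAL)!s:5}  fixed: {glsa_flags(ver, FIXED)}")
```

With the original ranges, 3.0.0_pre09-r1 is simply a number smaller than 6.1.13.3, so it lands in the vulnerable range and gets reported; the extra unaffected range carves the whole sub-6 series out. The caveat to keep in mind is that "lt 6" declares every 3.x version unaffected for that advisory only: any later GLSA that covers the icedtea-3 series has to carry its own ranges, and a later advisory that copies only the old <6.1.13.3 / >=6.1.13.3 pair will flag 3.x again.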
dev-java/icedtea-3.0.0 is now in the tree and is also affected by this bug.
I pinged b-man about it a while ago and he said he wasn't allowed to modify the GLSA files yet. Obviously I'm not allowed either but I don't care, security team, if you don't make the changes this coming week, I will do it myself.
commit b47115cd45a31ae205124ceb2e64da40905eeadd
Author: Tobias Heinlein <keytoaster@gentoo.org>
Date:   Tue Apr 19 23:37:16 2016 +0200

    IcedTea GLSAs: Add unaffected < 6 due to new versioning scheme (bug 576428).
The problem reappeared with 201606-18 and dev-java/icedtea-bin-3.1.0:

# glsa-check -vt all
This system is affected by the following GLSAs:
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201606-18 [N] [remote ] IcedTea: Multiple vulnerabilities ( dev-java/icedtea-bin-3.1.0 )
#
(In reply to Sylvain CANOINE from comment #6)
> The problem reappeared with 201606-18 and dev-java/icedtea-bin-3.1.0 :

Reopening. Guys, let's keep on top of this, please! 201606-18 also mentions just icedtea-bin, not icedtea, which is equally affected.
Issue with GLSA-201606-18 is fixed in bug #591346