Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 668948 (CVE-2018-13785, CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3150, CVE-2018-3157, CVE-2018-3169, CVE-2018-3180, CVE-2018-3183, CVE-2018-3209, CVE-2018-3211, CVE-2018-3214) - <dev-java/oracle-{jdk,jre}-bin-1.8.0.192: Multiple vulnerabilities
Summary: <dev-java/oracle-{jdk,jre}-bin-1.8.0.192: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-13785, CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3150, CVE-2018-3157, CVE-2018-3169, CVE-2018-3180, CVE-2018-3183, CVE-2018-3209, CVE-2018-3211, CVE-2018-3214
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-18 11:51 UTC by Guido Jäkel
Modified: 2019-08-15 15:49 UTC (History)
2 users (show)

See Also:
Package list:
dev-java/oracle-jdk-bin-1.8.0.192 amd64 x86 dev-java/oracle-jre-bin-1.8.0.192 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Guido Jäkel 2018-10-18 11:51:14 UTC
Please bump "plain vanilla", an unmodified copy of oracle-jdk-bin-1.8.0.181 works for me out of the box.
Comment 1 Mike Limansky 2018-10-18 14:06:41 UTC
Actually it's a security issue:

https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html#AppendixJAVA

Several issues marked as critical.
Comment 2 Larry the Git Cow gentoo-dev 2018-10-19 14:34:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=897bfd4660be4123ebc6006b4cfccc095a6d8900

commit 897bfd4660be4123ebc6006b4cfccc095a6d8900
Author:     Philipp Ammann <philipp.ammann@posteo.de>
AuthorDate: 2018-10-19 13:14:22 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-10-19 14:34:34 +0000

    dev-java/oracle-jdk-bin: version bump to 1.8.0.192
    
    Bug: https://bugs.gentoo.org/668948
    Signed-off-by: Philipp Ammann <philipp.ammann@posteo.de>
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-java/oracle-jdk-bin/Manifest                   |  14 +
 .../oracle-jdk-bin/oracle-jdk-bin-1.8.0.192.ebuild | 297 +++++++++++++++++++++
 2 files changed, 311 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22f3d7717f61f7303b279e5e99756c5efd25ba95

commit 22f3d7717f61f7303b279e5e99756c5efd25ba95
Author:     Philipp Ammann <philipp.ammann@posteo.de>
AuthorDate: 2018-10-19 13:13:11 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-10-19 14:33:09 +0000

    dev-java/oracle-jre-bin: version bump to 1.8.0.192
    
    Bug: https://bugs.gentoo.org/668948
    Closes: https://github.com/gentoo/gentoo/pull/10178
    Signed-off-by: Philipp Ammann <philipp.ammann@posteo.de>
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-java/oracle-jre-bin/Manifest                   |   2 +
 .../oracle-jre-bin/oracle-jre-bin-1.8.0.192.ebuild | 220 +++++++++++++++++++++
 2 files changed, 222 insertions(+)
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-10-20 17:46:17 UTC
amd64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-26 00:54:04 UTC
x86 stable
Comment 5 Miroslav Šulc gentoo-dev 2019-01-17 08:46:31 UTC
the affected versions are gone:

commit ed2e7d8db523186f340c4d9db762109bc37486f0 (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 09:44:59 2019 +0100

    dev-java/oracle-jre-bin-1.8.0.181: removed obsolete
    
    also per bug #668948, #661456 and #653560
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 9bd0311bf2956781e054945b1a6c925be085644f
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 09:43:09 2019 +0100

    dev-java/oracle-jdk-bin-1.8.0.181: removed obsolete
    
    also per bug #668948, #661456 and #653560
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
Comment 6 Guido Jäkel 2019-01-17 13:52:45 UTC
Java8u191 is obsolete since last quarterly Oracle Patch day, 2019-01-15. But I tried out yesterday: 

Now please bump "plain vanilla" to 1.9.0.20{1,2}, an unmodified copy of oracle-jdk-bin-1.8.0.19{1,2} works for me out of the box.
Comment 7 Miroslav Šulc gentoo-dev 2019-01-17 14:17:04 UTC
(In reply to Guido Jäkel from comment #6)
> Java8u191 is obsolete since last quarterly Oracle Patch day, 2019-01-15. But
> I tried out yesterday: 
> 
> Now please bump "plain vanilla" to 1.9.0.20{1,2}, an unmodified copy of
> oracle-jdk-bin-1.8.0.19{1,2} works for me out of the box.

it's already in the tree, but i did not remove the obsolete 1.8.0.192 as it is the only stable we have:

commit 17e174a3a230c285fb5360ce1102c38f91bb8dec
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 10:47:41 2019 +0100

    dev-java/oracle-jre-bin-1.8.0.202: bump
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 63caaadcbb604ac244446be687d8188a86ec15cd
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 10:37:52 2019 +0100

    dev-java/oracle-jdk-bin-1.8.0.202: bump
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>


wrt oracle-jdk-bin:9, it's gone forever from the main tree (i dropped it due to security issues), we will support only oracle-jdk-bin:1.8 and oracle-jdk-bin:11. and of course the other jdk's according to their support/eol and our plans wrt java in the main tree. as of now, oracle-jdk-bin:11 is already in the main tree.
Comment 8 Miroslav Šulc gentoo-dev 2019-01-24 08:14:14 UTC
security, you can move on with this bug, no affected version is in the tree anymore.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 05:32:42 UTC
Arches and Maintainer(s), Thank you for your work.
New GLSA opened.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:49:14 UTC
This issue was resolved and addressed in
 GLSA 201908-10 at https://security.gentoo.org/glsa/201908-10
by GLSA coordinator Aaron Bauman (b-man).