Straight from the announcement:
A vulnerability in the Java Plug-in may allow an untrusted applet
including reading and writing files with the privileges of the user
running the applet.
This issue is described in the following document: CVE CAN-2004-1029
2. Vulnerable Versions
All Blackdown VMs previous to J2SE v1.4.2-01.
Upgrade to J2SE v1.4.2-01
sun-jdk-1.4.2.06.ebuild is not vulnerable and already stable for x86.
"Sun Microsystems was informed on April 29, 2004 and has fixed the
problem in J2SE 1.4.2_06"
java please bump to 1.4.2-01.
Created attachment 44615
I got the new version installed with the attached changes.
I did a quick test on x86 with mozilla and jdk at this German website:
blackdown-jdk/jre bumped to 1.4.2.01
still needs amd64 keywording
amd64, please test and mark stable:
blackdown-jre-1.4.2.01.ebuild:KEYWORDS="-* amd64 x86"
blackdown-jdk-1.4.2.01.ebuild:KEYWORDS="-* x86 amd64"
sparc had blackdown 1.4.1 stable too. It was the only jdk for their arch, but it seems to be affected too (I removed it), so they no longer have a stable jdk; blackdown doesn't release them for sparc anymore
bumped 1.4.1 to 1.4.1-r1 for sparc, it no longer installs the mozilla plugin.
amd64, please test and mark blackdown-jdk-1.4.2.01 stable.
Axxo & PPC:
Versions 1.3.x are probably vulnerable too. What solution do we have for the ppc arch (which has a 1.3 version stable)? Can it be bumped to 1.4.x? What else could we do to secure ppc?
I cannot test the plugins of 1.3* since they don't work on newer versions of mozilla/firefox
all sun/blackdown >=1.4.0 in the tree now shouldn't be affected
ppc also has a stable ibm-jdk-bin
As Lars posted above, a test can be found at <http://www.heise.de/security/dienste/browsercheck/tests/java.shtml> (German).
In the stanza beginning with "Am 23.11.2004 wurde ein Problem bekannt" click on the link "hier", a popup should appear saying "Sie sind verwundbar" if you are still vulnerable.
Opera still seems to have problems with this, probably because of its non-standard java usage (see bug #71818).
amd64 is ready now
ppc: please try blackdown-jdk/jre 1.4.x and see if you could mark it stable.
We've a short schedule on this one, we might need to issue a temporary GLSA with affected versions by Monday. See what you can do :)
JoseJX just said that ppc has no "Java plug-in" functionality from blackdown-jdk/jre so it's not affected by this vulnerability.
We're waiting for a confirmation on this and will send an x86/amd64-restricted GLSA if this is verified.
a thread on FD talks about the necessity to remove old java versions
Question: What happens when the user at some later point returns to the applet that specifies the 1.3.1 plug-in? Does the 1.4 plug-in load, ignoring the applet's HTML plug-in version parameters?
Answer: Here the answer depends on whether the 1.3.1 applet specifies clsid:8AD ... or clsid:CAF .... The clsid:CAF ... indicates that the applet requires the specific version of 1.3.1 to run; and so it will run with the 1.3.1 version if it has not been removed from the system and will prompt the user to install it if it has. However, if the clsid:8AD ... is used and both versions of the Plug-in are still installed on the system, then the 1.3.1 version will be run. If 1.3.1 has been removed, the 1.4 version will be run. In this case, any version of Plug-in equal to or higher than the indicated version will be used.
Question: What happens when the user has a newer version of the plug-in installed (e.g., 1.4) but opens an applet whose HTML specifies an older version (1.3.1 or 1.2.1)? Will the user be prompted to install the older one? If so, what happens when the user returns to the newer applet?
Answer: This is similar to the question above. If the clsid:CAF ... is used, then the older version will be installed and run. However, if the clsid:8AD is used, then the newer version will run the applet.
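The FAQ answers above separate pages that pin one specific plug-in version (clsid:CAF ...) from pages that accept any equal or higher version (clsid:8AD ...), which is what decides whether a page keeps asking for an old plug-in after an upgrade. As an added example that is not part of the original thread or of any Sun or Gentoo tooling, this Python script audits HTML for `<object>` tags and classifies them by those abbreviated prefixes. The function names, sample pages and placeholder class ID tails are constructed; the full class IDs are elided in the FAQ, so only the prefix is matched.

```python
from html.parser import HTMLParser

# Prefixes exactly as abbreviated in the FAQ quoted above; the full class IDs
# are elided there, so only the prefix is compared (case-insensitively).
PINNED_PREFIX = "clsid:caf"   # applet requires one specific plug-in version
DYNAMIC_PREFIX = "clsid:8ad"  # any plug-in version equal or higher is accepted


class ClassidAudit(HTMLParser):
    """Record and classify the classid of every <object> tag."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, classification, raw classid)

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        # A valueless attribute is reported as None, hence the "or".
        classid = (dict(attrs).get("classid") or "").strip()
        lowered = classid.lower()
        if lowered.startswith(PINNED_PREFIX):
            kind = "pinned"
        elif lowered.startswith(DYNAMIC_PREFIX):
            kind = "dynamic"
        else:
            kind = "other"
        self.findings.append((self.getpos()[0], kind, classid))


def audit(html_text):
    """Return the findings for one HTML document."""
    parser = ClassidAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


def pinned_pages(pages):
    """Names of pages holding at least one version-pinned applet."""
    return sorted(name for name, text in pages.items()
                  if any(kind == "pinned" for _, kind, _ in audit(text)))


# Constructed sample pages; the class ID tails are placeholders, not real IDs.
SAMPLE_PAGES = {
    "legacy.html": '<html>\n<object classid="clsid:CAF-PLACEHOLDER">\n</object></html>',
    "current.html": '<object CLASSID="CLSID:8AD-PLACEHOLDER"></object>',
    "other.html": '<object classid="clsid:0000-PLACEHOLDER"></object><p>no applet</p>',
}
```

Pages returned by `pinned_pages` are the ones that would still run on, or prompt reinstallation of, the specific old plug-in version they name.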
another test can be found here:
Holding on the GLSA a few more hours on konq/opera vulnerability test to see if we should have a "Note:" about their vulnerable status.