The Blackdown project's JDK and JRE for the x86 and AMD64 platforms are
vulnerable to the same privilege escalation bug that affects Sun JDK/JRE < 1.4.2_08.
Reproducible: Didn't try
Steps to Reproduce:
Please refer to reference security notice on Blackdown project's site.
A new version which fixes the vulnerability, 1.4.2-02, has been released by
Java please bump.
This is similar to bug #96092.
bumped too ~arch
haven't had time to do more than a basic test
From Blackdown :
Affected : Blackdown J2SE 1.4.2-01 and earlier 1.4 releases. 1.3.1 release are
Target KEYWORDS :
blackdown-jdk-1.4.2.02 : x86 sparc amd64
blackdown-jre-1.4.2.02 : x86 sparc amd64
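As an added illustration (not code from the bug, from Blackdown or from Gentoo), this script turns the affected/fixed versions named in the notice above into a check over a list of installed package atoms. It assumes the atom spelling emerge and qlist print ("dev-java/blackdown-jre-1.4.2.02"), accepts the Blackdown ("1.4.2-02"), Gentoo ("1.4.2.02") and Sun ("1.4.2_08") version spellings, and only makes a claim about the 1.4 line, since that is all the notice quoted here covers; the installed list is a constructed sample.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# From the notice above: Blackdown 1.4.2-02 (Gentoo ebuild 1.4.2.02) fixes the
# bug; 1.4.2-01 and earlier 1.4 releases are affected. Other release lines are
# not covered by the quoted text, so they are reported as "not-covered".
FIXED_BLACKDOWN: Version = (1, 4, 2, 2)

# Blackdown "1.4.2-02", Gentoo "1.4.2.02" and Sun "1.4.2_08" spellings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-._](\d+))?$")

# Gentoo atom as printed by emerge / qlist, e.g. dev-java/blackdown-jre-1.4.2.02
_ATOM_RE = re.compile(r"^dev-java/(blackdown-(?:jre|jdk))-(\d+(?:[.\-_]\d+)*)$")


def parse_version(text: str) -> Version:
    """Parse a version string into a comparable (major, minor, micro, update) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_affected(text: str) -> Optional[bool]:
    """True/False for the 1.4 line; None when the notice does not cover that line."""
    v = parse_version(text)
    if v[:2] != (1, 4):
        return None
    return v < FIXED_BLACKDOWN


def audit_installed(atoms: List[str]) -> Dict[str, str]:
    """Classify each installed Blackdown atom as vulnerable, fixed or not-covered."""
    report: Dict[str, str] = {}
    for atom in atoms:
        m = _ATOM_RE.match(atom.strip())
        if not m:
            continue  # not a Blackdown JRE/JDK package, skip it
        verdict = is_affected(m.group(2))
        if verdict is None:
            report[atom] = "not-covered"
        else:
            report[atom] = "vulnerable" if verdict else "fixed"
    return report


# Constructed sample resembling `qlist -I dev-java` output (not a real system).
SAMPLE_INSTALLED = [
    "dev-java/blackdown-jre-1.4.2.01",
    "dev-java/blackdown-jdk-1.4.2.02",
    "dev-java/blackdown-jdk-1.4.1",
    "dev-java/blackdown-jre-1.3.1",
    "dev-java/sun-jdk-1.4.2.08",
]

if __name__ == "__main__":
    for atom, status in audit_installed(SAMPLE_INSTALLED).items():
        print(f"{status:12s} {atom}")
```

On a real box the sample list would be replaced by the output of `qlist -I dev-java` (app-portage/portage-utils); the version tuple comparison is what makes "1.4.2-01 and earlier 1.4 releases" a single ordered check rather than a list of string matches.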
blackdown-jdk-1.4.2.02 is currently failing digest checks on the file from the
mirrors. I don't know if the mirror is wrong or the digest is wrong.
digest md5 is the same as on
and all the mirrors i tried have the file with that md5
It was on amd64 (sorry, I didn't realize blackdown came in 64-bit versions) and
is now fixed.
Blackdown never released 1.4.2* for sparc.
Is there a workaround for 1.4.1?
stable on amd64 and x86
I sent an email off to Blackdown asking about a newer version of the JRE/JDK for
Linux/SPARC and the response was "1.4.2-02 for SPARC is mostly ready but there's
one show-stopping bug holding it up." So it's possible there may be something
soon, but not sure when.
We should issue a temporary GLSA with the current fixed versions which says 1.4
on sparc is vulnerable, then issue an update when the sparc version is released.
Keeping open (enhancement scope) to remember to update the GLSA when sparc is fixed.
# emerge --ask --oneshot --verbose ">=dev-java/blackdown-jre-1.4.2.02"
These are the packages that I would merge, in order:
!!! All ebuilds that could satisfy ">=dev-java/blackdown-jre-1.4.2.02" have been
!!! One of the following masked packages is required to complete your request:
- dev-java/blackdown-jre-1.4.2.02 (masked by: -* keyword)
For more information, see MASKED PACKAGES section in the emerge man page or
section 2.2 "Software Availability" in the Gentoo Handbook.
Jan, please mark jre asap.
keyworded x86 & amd64
Thx Thomas, back to enhancement, waiting for fixed Sparc version.
Any news with the Sparc version?
Any news on a sparc version?
You should check www.blackdown.org, and the answer is no.
Note that the current stable profile (2006.0/2.4) has java masked entirely, so when the previous ones are gone it can be safely nuked.
(In reply to comment #20)
> You should check www.blackdown.org, and the answer is no.
> Note that the current stable profile (2006.0/2.4) has java masked entirely, so
> when the previous ones are gone it can be safely nuked.
When do you plan on removing the previous ones?
When 2006.1 ships
Jason any news on this one?
We'll deprecate the 2005.1 profile later today, send a mail with a 30-day warning period and nuke java keywords/old profiles then.
The sparc cleanup is done, removed all java-dependent keywords from ebuilds and nuked the old profiles.
feel free to call us back if you feel nostalgic or something ;)
So ... do we even need a GLSA update on this now that sparc has been purged? Close it?
Thanks Matt. Indeed, the policy doesn't talk about this configuration, in which a package has been removed for the unpatched architecture. I think neither a GLSA nor a GLSA update needs to be sent. And the note in GLSA 200506-14 is still true:
"Note to SPARC users: There is no stable secure Blackdown Java for the SPARC architecture. Affected users should remove the package until a SPARC package is released."
So I close that bug (finally :)). Feel free to reopen if you disagree.