Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 653560 (CVE-2018-2790, CVE-2018-2794, CVE-2018-2795, CVE-2018-2796, CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800, CVE-2018-2811, CVE-2018-2814, CVE-2018-2815) - <dev-java/oracle-jdk-bin-1.8.0.171:1.8, <dev-java/oracle-jre-bin-1.8.0.171:1.8, dev-java/oracle-jdk-bin:9, dev-java/oracle-jre-bin:9: Multiple vulnerabilities
Summary: <dev-java/oracle-jdk-bin-1.8.0.171:1.8, <dev-java/oracle-jre-bin-1.8.0.171:1....
Status: RESOLVED FIXED
Alias: CVE-2018-2790, CVE-2018-2794, CVE-2018-2795, CVE-2018-2796, CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800, CVE-2018-2811, CVE-2018-2814, CVE-2018-2815
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://www.oracle.com/technetwork/sec...
Whiteboard: A2 [glsa+ cve]
Keywords:
: 653562 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-04-19 20:28 UTC by Manuel Ullmann
Modified: 2019-03-14 01:45 UTC (History)
2 users (show)

See Also:
Package list:
dev-java/oracle-jdk-bin-1.8.0.172 amd64 x86 dev-java/oracle-jre-bin-1.8.0.172 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Manuel Ullmann 2018-04-19 20:28:54 UTC 
Version bump to 1.8.0.172. This is a security update.
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Reproducible: Always
Comment 1 James Le Cuirot gentoo-dev 2018-04-22 22:29:55 UTC 
*** Bug 653562 has been marked as a duplicate of this bug. ***
Comment 2 James Le Cuirot gentoo-dev 2018-04-22 22:38:02 UTC 
Java 8 bumps are on the way, thanks to Manuel. Java 9 is now EOL already so we would need to update to 10. I believe java-config needs fixing to handle the version ordering. I barely have time to even think about this right now. :| Let's just get 8 sorted first.
Comment 3 Larry the Git Cow gentoo-dev 2018-04-22 23:01:53 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d2d827010ce3163e70f8c820e85acc3c6e38ecdd

commit d2d827010ce3163e70f8c820e85acc3c6e38ecdd
Author:     Manuel Ullmann <labre@posteo.de>
AuthorDate: 2018-04-19 19:22:36 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-04-22 23:01:40 +0000

    dev-java/oracle-jre-bin: Security bump to 1.8.0.172
    
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    Bug: https://bugs.gentoo.org/653560

 dev-java/oracle-jre-bin/Manifest                   |   2 +
 .../oracle-jre-bin/oracle-jre-bin-1.8.0.172.ebuild | 220 +++++++++++++++++++++
 2 files changed, 222 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d86a9fce4f78214f024a6923383218ef80ec8ad2

commit d86a9fce4f78214f024a6923383218ef80ec8ad2
Author:     Manuel Ullmann <labre@posteo.de>
AuthorDate: 2018-04-19 19:19:10 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-04-22 23:01:34 +0000

    dev-java/oracle-jdk-bin: Security bump to 1.8.0.172
    
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    Bug: https://bugs.gentoo.org/653560
    Closes: https://github.com/gentoo/gentoo/pull/8076

 dev-java/oracle-jdk-bin/Manifest                   |  14 +
 .../oracle-jdk-bin/oracle-jdk-bin-1.8.0.172.ebuild | 301 +++++++++++++++++++++
 2 files changed, 315 insertions(+)}
Comment 4 James Le Cuirot gentoo-dev 2018-04-22 23:04:11 UTC 
Java 8 is bumped, arch teams please stabilise.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-04-23 10:02:23 UTC 
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-24 23:56:10 UTC 
x86 stable
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2018-04-25 00:15:22 UTC 
@ Maintainer(s): Please cleanup!
Comment 8 Larry the Git Cow gentoo-dev 2018-04-25 20:43:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=924eaeb0261360612df8780e17e8c432a5e73702

commit 924eaeb0261360612df8780e17e8c432a5e73702
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-04-25 20:43:02 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-04-25 20:43:02 +0000

    dev-java/oracle-jre-bin: Drop vulnerable 1.8.0.162-r1
    
    Bug: https://bugs.gentoo.org/653560
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 dev-java/oracle-jre-bin/Manifest                   |   2 -
 .../oracle-jre-bin-1.8.0.162-r1.ebuild             | 220 ---------------------
 2 files changed, 222 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb62a19820abd5e4a1f761765ccac2627ca0197f

commit eb62a19820abd5e4a1f761765ccac2627ca0197f
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2018-04-25 20:42:12 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2018-04-25 20:42:12 +0000

    dev-java/oracle-jdk-bin: Drop vulnerable 1.8.0.162-r1
    
    Bug: https://bugs.gentoo.org/653560
    Package-Manager: Portage-2.3.31, Repoman-2.3.9

 dev-java/oracle-jdk-bin/Manifest                   |  14 -
 .../oracle-jdk-bin-1.8.0.162-r1.ebuild             | 301 ---------------------
 2 files changed, 315 deletions(-)}
Comment 9 James Le Cuirot gentoo-dev 2018-04-25 20:45:05 UTC 
That's the vulnerable Java 8 versions dropped. I don't have time to deal with 9 right now. If someone could put forward a bump to 10, that would help a lot but I'll still have to deal with java-config.
Comment 10 Miroslav Šulc gentoo-dev 2019-01-17 09:52:34 UTC 
both dev-java/oracle-jdk-bin:9 and dev-java/oracle-jre-bin:9 are gone now:

commit 5a3351a36469f37a21d660639fef0f8045ea50cd (HEAD -> master, origin/master, origin/HEAD)
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 10:50:08 2019 +0100

    dev-java/oracle-jdk-bin-9.0.4: removed (security issues #653560)
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

commit 6624b07b579b5507d3bbf62ba4f1ab5c2852e02a
Author: Miroslav Šulc <fordfrog@gentoo.org>
Date:   Thu Jan 17 10:22:58 2019 +0100

    dev-java/oracle-jre-bin-9.0.4: removed (security issues #653560)
    
    Package-Manager: Portage-2.3.56, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2019-03-10 04:53:37 UTC 
Arches and Maintainer(s), Thank you for your work.
New GLSA Request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2019-03-14 01:45:42 UTC 
This issue was resolved and addressed in
 GLSA 201903-14 at https://security.gentoo.org/glsa/201903-14
by GLSA coordinator Aaron Bauman (b-man).