Subject: Re: lang/sun-j* security updates
To: None <tech-pkg@netbsd.org>
From: Geert Hendrickx <ghen@telenet.be>
List: tech-pkg
Date: 11/30/2005 12:13:52
On Wed, Nov 30, 2005 at 11:56:19AM +0100, Geert Hendrickx wrote:
> On Wed, Nov 30, 2005 at 11:41:09AM +0100, Geert Hendrickx wrote:
> > On Wed, Nov 30, 2005 at 11:07:00AM +0100, Geert Hendrickx wrote:
> > > Is anyone upgrading the lang/sun-j*14 packages already? (security update
> > > 1.4.2.10 released today). Otherwise /me volunteers.
> >
> > Here are the diffs. The update is minimal, so the diffs are quite trivial.
> > The most important is this one:
> >
> > --- pkg-vulnerabilities.orig 2005-11-30 11:35:31.000000000 +0100
> > +++ pkg-vulnerabilities 2005-11-30 11:35:27.000000000 +0100
> > @@ -1145,7 +1145,7 @@
> > gsharutils<4.2.1nb6 1119,privilege-escalation http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0990
> > mysql-server<3.23.59 1120,privilege-escalation http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0957
> > sun-{jre,jdk}15-* 1121,local-file-write http://secunia.com/advisories/14902/
> > -sun-{jre,jdk}14-* 1122,local-file-write http://secunia.com/advisories/14902/
> > +sun-{jre,jdk}14<2.10 1122,local-file-write http://secunia.com/advisories/14902/
> > kdelibs-3.4.0{,nb1,nb2} 1123,buffer-overflow http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1046
> > kdelibs<3.3.2nb10 1124,buffer-overflow http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1046
> > gnome-vfs2-cdda-2.10.0 1125,remote-code-execution http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0706
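Review bot: Narrowing the 1122 entry from `sun-{jre,jdk}14-*` to `sun-{jre,jdk}14<2.10` asserts that 2.10 fixes Secunia #14902, yet the advisory URL is unchanged and the sibling 1121 entry for the 15 branch keeps `-*`; confirm the fixed version against the advisory before tightening the bound, because a pattern that is too narrow silently drops still-vulnerable installations from audit-packages output.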
>
> My mistake; this update fixes _another_ vulnerability, so the correct
> pkg-vulnerabilities diff is this one:
>
> --- pkg-vulnerabilities.orig 2005-11-30 11:54:11.000000000 +0100
> +++ pkg-vulnerabilities 2005-11-30 11:54:09.000000000 +0100
> @@ -1577,3 +1577,4 @@
> suse_gtk2<9.1nb4 1550,denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975
> suse_gtk2<9.1nb4 1551,arbitrary-code-execution http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976
> suse_gtk2<9.1nb4 1552,arbitrary-code-execution http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186
> +sun-{jre,jdk}14<2.10 1553,local-file-write http://secunia.com/advisories/17748/
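Review bot: The `<2.10` bound on the new 1553 entry should be checked against the fixed version named in Secunia #17748; the follow-up later in this thread says the fix shipped in 1.4.2_9, in which case `<2.9` is the accurate bound and `<2.10` would wrongly flag already-patched 2.9 installations.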
>
> And vulnerability id. 1122 (Secunia #14902) remains unpatched.
Ok, never post before (a third) coffee; the release of 1.4.2_10 and the
announcement of this vulnerability are unrelated. The vulnerability has
been fixed in 1.4.2_9, and 1.4.2_10 is just another update.
tron@ has added the correct vulnerability IDs to pkg-vulnerabilities in the
meantime. Thanks tron for waking me up. ;-) And sorry for the noise.
Geert
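To make the version-bound question in this thread concrete, here is an added example that is not pkgsrc's own pkg_match code: a simplified reimplementation (assumed: numeric dot components plus an optional nb revision, one level of brace alternation, and a single `<`, `<=`, `>`, `>=`, exact or `-*` form per pattern) that applies entries like `sun-{jre,jdk}14<2.10` to installed package names.

```python
import re

# Constructed sample entries in pkg-vulnerabilities syntax, modelled on the thread.
ENTRIES = [
    "sun-{jre,jdk}15-* 1121,local-file-write http://secunia.com/advisories/14902/",
    "sun-{jre,jdk}14<2.10 1553,local-file-write http://secunia.com/advisories/17748/",
    "suse_gtk2<9.1nb4 1550,denial-of-service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975",
    "kdelibs-3.4.0{,nb1,nb2} 1123,buffer-overflow http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1046",
]

def expand_braces(pattern):
    """Expand {a,b} alternation recursively: sun-{jre,jdk}14 -> sun-jre14, sun-jdk14."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(pattern[:m.start()] + alt + pattern[m.end():]))
    return out

def dewey(version):
    """Simplified dewey key (assumption, not pkg_install's): numeric components, then nb revision."""
    base, _, nb = version.partition("nb")
    return tuple(int(x) for x in base.split(".")), (int(nb) if nb else 0)

def matches(pattern, pkgname):
    """True if installed 'name-version' is covered by one vulnerability pattern."""
    name, _, version = pkgname.rpartition("-")
    for pat in expand_braces(pattern):
        if pat == pkgname:                      # exact match, e.g. kdelibs-3.4.0nb1
            return True
        if pat.endswith("-*"):                  # every version of the package
            if name == pat[:-2]:
                return True
            continue
        m = re.match(r"^(.*?)(<=|>=|<|>)(.*)$", pat)
        if m and m.group(1) == name:
            op, bound, v = m.group(2), dewey(m.group(3)), dewey(version)
            if {"<": v < bound, "<=": v <= bound, ">": v > bound, ">=": v >= bound}[op]:
                return True
    return False

def audit(installed, entries=ENTRIES):
    """Return the vulnerability ids whose pattern flags the installed package."""
    hits = []
    for line in entries:
        pattern, rest = line.split(None, 1)
        if matches(pattern, installed):
            hits.append(rest.split(",")[0])
    return hits
```

With this matcher `sun-jre14-2.9` is flagged by 1553 while `sun-jre14-2.10` is not, which is exactly why the bound has to match the version that really shipped the fix.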