Debian Bug report logs - #601802
sun-java6-jre: update 22 not available in lenny is a security issue

Package: sun-java6-jre; Maintainer for sun-java6-jre is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Patrick Holthuizen <patrick@eaze.org>

Date: Fri, 29 Oct 2010 20:30:01 UTC

Owned by: Torsten Werner <twerner@debian.org>

Severity: critical

Tags: lenny

Found in version sun-java6/6-20-0lenny1

Fixed in version sun-java6/6-22-0lenny1

Done: Torsten Werner <twerner@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#601802; Package sun-java6-jre. (Fri, 29 Oct 2010 20:30:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Patrick Holthuizen <patrick@eaze.org>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 29 Oct 2010 20:30:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Patrick Holthuizen <patrick@eaze.org>
To: submit@bugs.debian.org
Subject: sun-java6-jre: update 22 not available in lenny is a security issue
Date: Fri, 29 Oct 2010 21:36:44 +0200

Package: sun-java6-jre
Version: 6-20-0lenny1

Some time ago Oracle released Java 6 update 22 patching a critical
security issue. Is it possible to make this version available to Debian
Lenny?




Severity set to 'critical' from 'normal' Request was from Patrick Holthuizen <patrick@eaze.org> to control@bugs.debian.org. (Sun, 31 Oct 2010 08:09:06 GMT) Full text and rfc822 format available.

Added tag(s) lenny. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Sat, 06 Nov 2010 09:15:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#601802; Package sun-java6-jre. (Sat, 06 Nov 2010 10:09:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Torsten Werner <twerner@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 06 Nov 2010 10:09:09 GMT) Full text and rfc822 format available.

Message #14 received at 601802@bugs.debian.org (full text, mbox):

From: Torsten Werner <twerner@debian.org>
To: Patrick Holthuizen <patrick@eaze.org>, 601802@bugs.debian.org
Cc: Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#601802: sun-java6-jre: update 22 not available in lenny is a security issue
Date: Sat, 6 Nov 2010 11:07:14 +0100

owner 601802 !
thanks

Hi Patrick,

On Fri, Oct 29, 2010 at 9:36 PM, Patrick Holthuizen <patrick@eaze.org> wrote:
> Some time ago Oracle released Java 6 update 22 patching a critical
> security issue. Is it possible to make this version available to Debian
> Lenny?

a preliminary source package for Lenny is available at
<http://people.debian.org/~twerner/> but I need to build it in a
stable chroot.

Cheers,
Torsten




Owner recorded as Torsten Werner <twerner@debian.org>. Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Sat, 06 Nov 2010 10:09:11 GMT) Full text and rfc822 format available.

Added blocking bug(s) of 601802: 602593 Request was from Torsten Werner <twerner@debian.org> to control@bugs.debian.org. (Sat, 06 Nov 2010 10:45:06 GMT) Full text and rfc822 format available.

Information stored :
Bug#601802; Package sun-java6-jre. (Fri, 12 Nov 2010 06:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Torsten Werner <twerner@debian.org>:
Extra info received and filed, but not forwarded. (Fri, 12 Nov 2010 06:03:03 GMT) Full text and rfc822 format available.

Message #23 received at 601802-quiet@bugs.debian.org (full text, mbox):

From: Torsten Werner <twerner@debian.org>
To: Patrick Holthuizen <patrick@eaze.org>, 601802-quiet@bugs.debian.org
Subject: Re: Bug#601802: sun-java6-jre: update 22 not available in lenny is a security issue
Date: Fri, 12 Nov 2010 06:57:56 +0100

On Sat, Nov 6, 2010 at 11:07 AM, Torsten Werner <twerner@debian.org> wrote:
> a preliminary source package for Lenny is available at
> <http://people.debian.org/~twerner/> but I need to build it in a
> stable chroot.

Binary packages for amd64 and i386 are available from the same place now.

Cheers,
Torsten




Reply sent to Torsten Werner <twerner@debian.org>:
You have taken responsibility. (Sun, 14 Nov 2010 20:03:13 GMT) Full text and rfc822 format available.

Notification sent to Patrick Holthuizen <patrick@eaze.org>:
Bug acknowledged by developer. (Sun, 14 Nov 2010 20:03:13 GMT) Full text and rfc822 format available.

Message #28 received at 601802-close@bugs.debian.org (full text, mbox):

From: Torsten Werner <twerner@debian.org>
To: 601802-close@bugs.debian.org
Subject: Bug#601802: fixed in sun-java6 6-22-0lenny1
Date: Sun, 14 Nov 2010 19:59:30 +0000

Source: sun-java6
Source-Version: 6-22-0lenny1

We believe that the bug you reported is fixed in the latest version of
sun-java6, which is due to be installed in the Debian FTP archive:

ia32-sun-java6-bin_6-22-0lenny1_amd64.deb
  to non-free/s/sun-java6/ia32-sun-java6-bin_6-22-0lenny1_amd64.deb
sun-java6-bin_6-22-0lenny1_amd64.deb
  to non-free/s/sun-java6/sun-java6-bin_6-22-0lenny1_amd64.deb
sun-java6-bin_6-22-0lenny1_i386.deb
  to non-free/s/sun-java6/sun-java6-bin_6-22-0lenny1_i386.deb
sun-java6-demo_6-22-0lenny1_amd64.deb
  to non-free/s/sun-java6/sun-java6-demo_6-22-0lenny1_amd64.deb
sun-java6-demo_6-22-0lenny1_i386.deb
  to non-free/s/sun-java6/sun-java6-demo_6-22-0lenny1_i386.deb
sun-java6-doc_6-22-0lenny1_all.deb
  to non-free/s/sun-java6/sun-java6-doc_6-22-0lenny1_all.deb
sun-java6-fonts_6-22-0lenny1_all.deb
  to non-free/s/sun-java6/sun-java6-fonts_6-22-0lenny1_all.deb
sun-java6-javadb_6-22-0lenny1_all.deb
  to non-free/s/sun-java6/sun-java6-javadb_6-22-0lenny1_all.deb
sun-java6-jdk_6-22-0lenny1_amd64.deb
  to non-free/s/sun-java6/sun-java6-jdk_6-22-0lenny1_amd64.deb
sun-java6-jdk_6-22-0lenny1_i386.deb
  to non-free/s/sun-java6/sun-java6-jdk_6-22-0lenny1_i386.deb
sun-java6-jre_6-22-0lenny1_all.deb
  to non-free/s/sun-java6/sun-java6-jre_6-22-0lenny1_all.deb
sun-java6-plugin_6-22-0lenny1_amd64.deb
  to non-free/s/sun-java6/sun-java6-plugin_6-22-0lenny1_amd64.deb
sun-java6-plugin_6-22-0lenny1_i386.deb
  to non-free/s/sun-java6/sun-java6-plugin_6-22-0lenny1_i386.deb
sun-java6-source_6-22-0lenny1_all.deb
  to non-free/s/sun-java6/sun-java6-source_6-22-0lenny1_all.deb
sun-java6_6-22-0lenny1.diff.gz
  to non-free/s/sun-java6/sun-java6_6-22-0lenny1.diff.gz
sun-java6_6-22-0lenny1.dsc
  to non-free/s/sun-java6/sun-java6_6-22-0lenny1.dsc
sun-java6_6-22.orig.tar.gz
  to non-free/s/sun-java6/sun-java6_6-22.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 601802@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Torsten Werner <twerner@debian.org> (supplier of updated sun-java6 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 06 Nov 2010 10:56:16 +0100
Source: sun-java6
Binary: sun-java6-jre sun-java6-bin sun-java6-plugin ia32-sun-java6-bin ia32-sun-java6-plugin sun-java6-fonts sun-java6-jdk sun-java6-demo sun-java6-source sun-java6-doc sun-java6-javadb
Architecture: all amd64 i386 source
Version: 6-22-0lenny1
Distribution: stable
Urgency: low
Maintainer: Matthias Klose <doko@ubuntu.com>
Changed-By: Torsten Werner <twerner@debian.org>
Closes: 601802
Description: 
 ia32-sun-java6-bin - Sun Java(TM) Runtime Environment (JRE) 6 (32-bit)
 ia32-sun-java6-plugin - The Java(TM) Plug-in, Java SE 6 (32-bit)
 sun-java6-bin - Sun Java(TM) Runtime Environment (JRE) 6 (architecture dependent 
 sun-java6-demo - Sun Java(TM) Development Kit (JDK) 6 demos and examples
 sun-java6-doc - Sun JDK(TM) Documention -- integration installer
 sun-java6-fonts - Lucida TrueType fonts (from the Sun JRE)
 sun-java6-javadb - Java(TM) DB, Sun Microsystems' distribution of Apache Derby
 sun-java6-jdk - Sun Java(TM) Development Kit (JDK) 6
 sun-java6-jre - Sun Java(TM) Runtime Environment (JRE) 6 (architecture independen
 sun-java6-plugin - The Java(TM) Plug-in, Java SE 6
 sun-java6-source - Sun Java(TM) Development Kit (JDK) 6 source files
Changes: 
 sun-java6 (6-22-0lenny1) stable; urgency=low
 .
   * New upstream release (Closes: #601802)
   * SECURITY UPDATE: multiple upstream vulnerabilities. Upstream fixes:
     - (CVE-2010-3556): JDK unspecified vulnerability in 2D component
     - (CVE-2010-3562): JDK IndexColorModel double-free
     - (CVE-2010-3565): JDK JPEG writeImage remote code execution
     - (CVE-2010-3566): JDK ICC Profile remote code execution
     - (CVE-2010-3567): Crash in ICU Opentype layout engine due to mismatch in
                        character counts
     - (CVE-2010-3571): JDK unspecified vulnerability in 2D component
     - (CVE-2010-3554): JDK corba reflection vulnerabilities
     - (CVE-2010-3563): JDK unspecified vulnerability in Deployment component
     - (CVE-2010-3568): JDK Deserialization Race condition
     - (CVE-2010-3569): JDK Serialization inconsistencies
     - (CVE-2010-3558): JDK unspecified vulnerability in Java Web Start component
     - (CVE-2010-3552): JDK unspecified vulnerability in New Java Plugin
                        component
     - (CVE-2010-3559): JDK unspecified vulnerability in Sound component
     - (CVE-2010-3572): JDK unspecified vulnerability in Sound component
     - (CVE-2010-3553): UIDefault.ProxyLazyValue has unsafe reflection usage
     - (CVE-2010-3555): JDK unspecified vulnerability in Deployment component
     - (CVE-2010-3550): JDK unspecified vulnerability in Java Web Start component
     - (CVE-2010-3570): JDK unspecified vulnerability in Deployment Toolkit
     - (CVE-2010-3561): Privileged ServerSocket.accept allows receiving
                        connections from any host
     - (CVE-2009-3555): TLS: MITM attacks via session renegotiation
     - (CVE-2010-1321): krb5: null pointer dereference in GSS-API library leads
                        to DoS
     - (CVE-2010-3549): HttpURLConnection chunked encoding issue (Http request
                        splitting)
     - (CVE-2010-3557): JDK Swing mutable static
     - (CVE-2010-3541): limit setting of some request headers in
                        HttpURLConnection
     - (CVE-2010-3573): limit HTTP request cookie headers in HttpURLConnection
     - (CVE-2010-3574): limit use of TRACE method in HttpURLConnection
     - (CVE-2010-3548): JDK DNS server IP address information leak
     - (CVE-2010-3551): NetworkInterface reveals local network address to
                        untrusted code
     - (CVE-2010-3560): JDK unspecified vulnerability in Networking component

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkzcaAoACgkQfY3dicTPjsOo7wCfdsMh3ZxnMaC5gPnJj63+7+IX
NFsAn0FsmW5bRoJyQm7OZtQKwa5RTKnU
=q74h
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Torsten Werner <twerner@debian.org>:
Bug#601802; Package sun-java6-jre. (Tue, 16 Nov 2010 19:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Patrick Holthuizen <patrick@eaze.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Torsten Werner <twerner@debian.org>. (Tue, 16 Nov 2010 19:12:05 GMT) Full text and rfc822 format available.

Message #33 received at 601802@bugs.debian.org (full text, mbox):

From: Patrick Holthuizen <patrick@eaze.org>
To: 601802@bugs.debian.org
Subject: (no subject)
Date: Tue, 16 Nov 2010 19:36:18 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks Torsten!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkzizyEACgkQ2xeQKUlEiTaiowCfX0n1OYN38AmlRpaEswYott2c
5bkAnAsPn6gErMAyIPUKJxFOOP+qhaZk
=oy36
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 15 Dec 2010 07:30:27 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:06:00 2014; Machine Name: buxtehude.debian.org
