Ticket metadata
Id: 5101
Status: resolved
Priority: -3/0
Queue: vdt-support

Fixed in: 1.10.1w
Fix scheduled: CUR

Owner: Scot Kronenfeld
Requestors: Alain Roy
Cc:
AdminCc:

Created: Fri Mar 27 14:14:11 2009
Starts: Not set
Started: Not set
Last Contact: Mon Jun 01 11:14:51 2009
Due: Not set
Closed: Mon Jun 01 11:14:51 2009
Updated: Mon Jun 01 11:15:03 2009 by kronenfe



History
Subject: Fwd: [Security] Sun Java Updates for Multiple Vulnerabilities
Date: Fri, 27 Mar 2009 14:13:46 -0500
To: Alain Roy via RT <vdt-support@OPENSCIENCEGRID.ORG>
From: Alain Roy <roy@cs.wisc.edu>
Begin forwarded message:
> From: Aashish Sharma <aashish@ncsa.uiuc.edu>
> Date: March 27, 2009 12:26:45 PM CDT
> To: Alain Roy <roy@cs.wisc.edu>
> Cc: osg-security-team@OPENSCIENCEGRID.ORG
> Subject: [Security] Sun Java Updates for Multiple Vulnerabilities
>
> Hello Alain:
>
> Sun has released updates for Java SE to address multiple
> vulnerabilities on 03/26. These vulnerabilities may allow an
> attacker to execute arbitrary code, cause a denial-of-service
> condition, or operate with escalated privileges.
>
> Secunia Advisory: http://secunia.com/advisories/34451/
>
> Security team has determined that amongst others '(JRE) LDAP
> Implementation may Allow a Denial of Service (DoS)' would affect us
> most:
>
> http://sunsolve.sun.com/search/document.do?assetkey=1-66-254569-1
>
> We don't think this issue is of immediate concern and would
> recommend update be rolled with the next scheduled update for Java
> in VDT or within a month, whichever is earliest. Let us know if you
> are fine with this arrangement.
>
> All supported versions of VDT will need these updates.
>
> Please let me know if you have any questions/concerns.
>
> Thanks a lot,
> Aashish Sharma
> OSG Security Team
This should be done in both VDT 1.10.1 and 1.11.0.

It should be done after the big merge from vdt-1.10.1-gums-prima.

-alain
Alain,
I'm building the latest 1.5.0 and 1.6.0 JDKs for 1.11.0 now (and then we
can re-use them for 1.10.1). I can't find an update for 1.4.2, we seem
to have the latest.

So we should *not* release this in the upcoming 1.10.1 lettered update,
right? After we release it, we'll update Java and then do another
release?
Subject: [vdt-support #5101] SVN commit, rev 8988
To: vdt-support@cs.wisc.edu
From: kronenfe@cs.wisc.edu
Commit comment:
Upgraded JDK-1.5 from 1.5.0_17 to 1.5.0_18
Upgraded JDK-1.6 from 1.6.0_12 to 1.6.0_13


Changed files:
U vdt/trunk/defs

To generate a diff:
svn diff -c 8988 file:///p/vdt/workspace/svn
Subject: Re: [vdt-support #5101] Update Java to new versions
Date: Wed, 01 Apr 2009 14:26:34 +0200
To: vdt-support@OPENSCIENCEGRID.ORG
From: Alain Roy <roy@cs.wisc.edu>
On Apr 1, 2009, at 1:42 PM, Scot Kronenfeld via RT wrote:
> I'm building the latest 1.5.0 and 1.6.0 JDKs for 1.11.0 now (and then we
> can re-use them for 1.10.1). I can't find an update for 1.4.2, we seem
> to have the latest.

That sounds good, thanks!

> So we should *not* release this in the upcoming 1.10.1 lettered update,
> right? After we release it, we'll update Java and then do another
> release?

Right, I don't want to introduce something at the very last minute--it
will cause confusion. But we do want to do it in the near future.

-alain
Subject: [vdt-support #5101] SVN commit, rev 9086
To: vdt-support@cs.wisc.edu
From: kronenfe@cs.wisc.edu
Commit comment:
Updated JAVA5 to 1.5.0_18
Updated JAVA6 to 1.6.0_13

These updates fix a security problem (see RT ticket for more info)


Changed files:
U vdt/branches/vdt-1.10.1/defs

To generate a diff:
svn diff -c 9086 file:///p/vdt/workspace/svn
1.10.1 now has the latest releases of Java 5 and 6.

1.5.0_18
1.6.0_13

2.0.0 was released with these versions.