------------------------------------------------------------------- Tue Feb 22 09:09:12 UTC 2011 - mvyskocil@suse.cz - fix bnc#673738: VUL-0: java-*-ibm: denial of service by converting float CVE-2010-4476 - don't repack tarball to bz2 - add all sources to spec file to prevent warnings on commit ------------------------------------------------------------------- Tue Jan 25 14:18:20 UTC 2011 - mvyskocil@suse.cz - fix bnc#655440 - remove version from alternatives list ------------------------------------------------------------------- Mon Jan 17 09:21:37 UTC 2011 - mvyskocil@suse.cz - fix bnc#663953 - VUL-0: IBM Java 1.4.2 SR13 FP8 * CVE-2010-1321 * CVE-2010-3574 ------------------------------------------------------------------- Thu Dec 16 11:48:06 UTC 2010 - mvyskocil@suse.cz - fix bnc#658525 - VUL-0: IBM Java 1.4.2 SR13 FP7 update * CVE-2010-1321 * CVE-2010-3574 ------------------------------------------------------------------- Thu Nov 11 12:07:28 UTC 2010 - mvyskocil@suse.cz - Remove unecessary x86_64 jni.h patch - bnc#646906#c16 ------------------------------------------------------------------- Mon Oct 18 08:43:25 UTC 2010 - mvyskocil@suse.cz - fix bnc#646906 - VUL-0: IBM Java 1.4.2 SR13 FP6 update * CVE-2009-3555 * CVE-2010-3541 * CVE-2010-3548 * CVE-2010-3549 * CVE-2010-3551 * CVE-2010-3553 * CVE-2010-3556 * CVE-2010-3557 * CVE-2010-3562 * CVE-2010-3565 * CVE-2010-3568 * CVE-2010-3569 * CVE-2010-3571 * CVE-2010-3572 ------------------------------------------------------------------- Tue Jul 27 09:52:51 CEST 2010 - mvyskocil@suse.cz - fix bnc#594791 - VUL-0: IBM Java 1.4.2 SR13FP5 update * CVE-2010-0084 * CVE-2010-0085 * CVE-2010-0087 * CVE-2010-0088 * CVE-2010-0089 * CVE-2010-0091 * CVE-2010-0095 * CVE-2010-0839 * CVE-2010-0840 * CVE-2010-0841 * CVE-2010-0842 * CVE-2010-0843 * CVE-2010-0844 * CVE-2010-0846 * CVE-2010-0847 * CVE-2010-0848 * CVE-2010-0849 ------------------------------------------------------------------- Mon May 10 08:52:48 UTC 2010 - mvyskocil@suse.cz - fix bnc#603353 - iFixes for IBM Java 1.4.2 SR13FP4 for SAP * PM 07798 161784 (PMR 81083,001,866) JSPM * PM 07217 161888 (PMR 69103,110,846) calendar * PM 07211 161882 (PMR 82601,001,866) java.awt.color.CMMException * PM 07699 159186 (PMR 81433,001,866) NPE * PM 07122 161672 (PMR 00181,084,866) java launcher loops * PM 03996 159886 jextract issue ------------------------------------------------------------------- Mon Mar 29 15:23:50 UTC 2010 - mvyskocil@suse.cz - fix bnc#590826 - VUL-0: IBM java 1.4.2 U13FP4, Java 5 SR 11 FP1 ------------------------------------------------------------------- Tue Dec 29 11:19:46 UTC 2009 - mvyskocil@suse.cz - fixed [bnc#561831] - VUL-0: java 1.4.2 IBM 13 fp3 released ------------------------------------------------------------------- Mon Dec 7 11:00:55 UTC 2009 - mvyskocil@suse.cz - timezone 1.6.9s update (bnc#558342) ------------------------------------------------------------------- Thu Nov 5 12:47:29 UTC 2009 - mvyskocil@suse.cz - fixed [bnc#551829] - VUL-0: Update java-1_4_2-ibm to SR13 FP2 ------------------------------------------------------------------- Wed Sep 23 07:17:26 UTC 2009 - mvyskocil@suse.cz - fixed [bnc#540945] - VUL-0: Update java-1_4_2-ibm to SR13 FP1 - more ugly hacks to circumvent debuginfo scripts (for bnc#538528) - disabled jar indexing to prevent their modifications ------------------------------------------------------------------- Fri Apr 3 16:24:34 CEST 2009 - mvyskocil@suse.cz - fixed [bnc#489052]: IBM Java 1.4.2 SR13 updated to SR13 ------------------------------------------------------------------- Fri Jan 16 10:55:28 CET 2009 - mvyskocil@suse.cz - use a %%{javaver} in a top dir (bnc#466078) - move vendor opt flag to jre package - use fdupes ------------------------------------------------------------------- Wed Jan 7 15:31:48 CET 2009 - mvyskocil@suse.cz - added a new timezone update tool jtzu-1.6.8i - fixed bnc#456140 ------------------------------------------------------------------- Tue Dec 16 15:02:51 CET 2008 - mvyskocil@suse.cz - fixed a version number [bnc#456749] ------------------------------------------------------------------- Mon Nov 24 10:28:22 CET 2008 - mvyskocil@suse.cz - fixed [bnc#436868] - VUL-0: ibm java 1.4.2 SR12 available update to SR12 - also FATE#305091, bnc#417526 - CVE-2008-3104: Security vulnerabilities in the Java Runtime Environment may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on the local host, as if it were loaded from the system that the applet is running on. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to. - CVE-2008-3112: A vulnerability in Java Web Start may allow an untrusted Java Web Start application downloaded from a website to create arbitrary files with the permissions of the user running the untrusted Java Web Start application. - CVE-2008-3113: A vulnerability in Java Web Start may allow an untrusted Java Web Start application downloaded from a website to create or delete arbitrary files with the permissions of the user running the untrusted Java Web Start application. - CVE-2008-3114: A vulnerability in Java Web Start may allow an untrusted Java Web Start application to determine the location of the Java Web Start cache. - j9jextract tool is not longer available on i386 see https://bugzilla.novell.com/show_bug.cgi?id=437213#c4 - added a rpmlintrc file and do not remove a build root in install section ------------------------------------------------------------------- Fri Oct 24 20:24:13 CEST 2008 - kukuk@suse.de - Replace compat-libstdc++ with libstdc++33 ------------------------------------------------------------------- Tue Oct 14 15:25:22 CEST 2008 - mvyskocil@suse.cz - prevent of: bnc#432772: /usr/bin/java is not executable - use a `install -m 0755' instead of `cp' for wrapper-script installation ------------------------------------------------------------------- Wed Oct 1 15:18:09 CEST 2008 - anosek@suse.cz - updated timezone data to 1.6.8f (bnc#427617) ------------------------------------------------------------------- Thu Sep 18 16:54:40 CEST 2008 - mvyskocil@suse.cz - fix for [bnc#394974]: Missing .systemPrefs - corrected compat symlink [bnc#404965] ------------------------------------------------------------------- Tue Jul 22 13:31:44 CEST 2008 - anosek@suse.cz - put fixed tarball IBMJava2-SDK-AMD64-1.4.2-11.0.x86_64.tar.bz2 from upstream ------------------------------------------------------------------- Thu Jul 10 09:29:02 CEST 2008 - anosek@suse.cz - fixed build (installed but unpackaged file) ------------------------------------------------------------------- Tue Jul 1 13:58:59 CEST 2008 - anosek@suse.cz - updated to 1.4.2 sr11 (bnc#404983) - updated timezone data (bnc#397378) ------------------------------------------------------------------- Tue May 20 10:18:53 CEST 2008 - mvyskocil@suse.cz - a compat symlink to fix a compatibility with vendor package ------------------------------------------------------------------- Tue Apr 15 13:51:31 CEST 2008 - mvyskocil@suse.cz - update to 1.4.2 sr10: VUL-0: IBM Java: multiple vulnerabilities [bnc#379038] - CVE-2008-1196: A buffer overflow vulnerability in Java Web Start may allow an untrusted Java Web Start application that is downloaded from a website to elevate its privileges. For example, an untrusted Java Web Start application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. - CVE-2008-1195: A vulnerability in the Java Runtime Environment may allow JavaScript(TM) code that is downloaded by a browser to make connections to network services on the system that the browser runs on, through Java APIs, This may allow files (that are accessible through these network services) or vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2008-1192: A vulnerability in the Java Plug-in may an untrusted applet to bypass same origin policy and leverage this flaw to execute local applications that are accessible to the user running the untrusted applet. - CVE-2008-1190: A vulnerability in Java Web Start may allow an untrusted Java Web Start application to elevate its privileges. For example, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application. - CVE-2008-1189: A buffer overflow vulnerability in the Java Runtime Environment may allow an untrusted applet or application to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. - CVE-2008-1187: A vulnerability in the Java Runtime Environment with parsing XML data may allow an untrusted applet or application to elevate its privileges. For example, an applet may read certain URL resources (such as some files and web pages). - CVE-2007-5232: A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2007-5274: A vulnerability in the Java Runtime Environment (JRE) may allow malicious Javascript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the Javascript code was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2007-5273: A second vulnerability in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited. - CVE-2007-5236: An untrusted Java Web Start application may write arbitrary files with the privileges of the user running the application. - CVE-2007-5238: Three separate vulnerabilities may allow an untrusted Java Web Start application to determine the location of the Java Web Start cache. - CVE-2007-5239: An untrusted Java Web Start application or Java applet may move or copy arbitrary files by requesting the user of the application or applet to drag and drop a file from the Java Web Start application or Java applet window. - CVE-2007-5240: An untrusted applet may display an over-sized window so that the applet warning banner is not visible to the user running the untrusted applet. - CVE-2007-4381: A vulnerability in the font parsing code in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. - CVE-2007-3698: The Java Secure Socket Extension (JSSE) that is included in various releases of the Java Runtime Environment does not correctly process SSL/TLS handshake requests. This vulnerability may be exploited to create a Denial of Service (DoS) condition to the system as a whole on a server that listens for SSL/TLS connections using JSSE for SSL/TLS support. ------------------------------------------------------------------- Thu Oct 11 15:08:59 CEST 2007 - anosek@suse.cz - fixed VUL-0: jdk from IBM fixes security bugs [#303898] * updated to 1.4.2 sr9 * fixing: CVE-2007-2788 CVE-2007-2789 CVE-2007-3004 CVE-2007-3005 CVE-2007-3655 CVE-2007-3922 ------------------------------------------------------------------- Thu Sep 6 10:49:42 CEST 2007 - anosek@suse.cz - added 32-bit and 64-bit specific provides ------------------------------------------------------------------- Thu Jul 19 20:37:11 CEST 2007 - stbinner@suse.de - fix suse_update_desktop_file call ------------------------------------------------------------------- Tue Jul 3 20:02:25 CEST 2007 - dbornkessel@suse.de - update to 1.4.2 sr 8 (Bug #271326 / Bug #284423) ... fixes the following bugs: - DST bug in latest jdk releases when using EST MST and HST - dg traces are turned off on OutOfMemory - Bytecode/Qaud Classflow incorrectly removes NULLCHECK & INSTANC - OOM due to unnecessary object retention in Deflater - Callbacks do not work if Client connections from VPN Connection - Retries happening on NO_PERMISSION causing user to be blocked - NPE in ClientDelegate.servant_preinvoke() - Object with too many fields causes heap corruption - Incorrect behaviour of finally block when compiled with Jikes - AIXSVT: regression: Double Allocation Failure - JNI crash when trying to set the integer field of socket FD. - Jarsigner throws a error message while verifying signed Jar fil - High heap usage with javac because of ambiguity errors - -showversion not recognised in IBM_JAVA_OPTIONS - -showversion not recognised in IBM_JAVA_OPTIONS - Allow customizable KeepAlive enablement in server - In-Connection FVD Callback with Security - WAS JNIReader Thread hung due to network outage - DATA_CONVERSION errror whn EJB name has bidi characters - NullPointerException in Connection.cleanUp() - Marshal Exception while invoking a method on colocated EJB - Problem with spilling of long variables on 32 bit architecture - Incorrect resolution of forname in JIT - Crash in FT when Native SOF - Provide support for Sun system properties - File descriptor leak because of improper finalization - crash while draining the packets - Crash due to bad branch target - crash while draining the packets - Crash due to bad branch target - NCCB malloc failure. - mod should be used instead of remainder in RSA - Bad result from Long sub with both srcs same causes AIOOB - Make the COMPACT_FRAGMENTED2 as last resort - Crash when processing MSO - GC start time in verbosegc prints wrong - Copy propagation : Incorrect result do to bad JIT optimization. - Incorrect Peephole opt results in register corruption - crash in libnet.so in function jni_GetIntField - Tune fix 109973 for all the linux platforms - crash in libnet.so in function jni_GetIntField - Crash due to r10 not holding EE when executing exception stubs - Allow for message expansion in ClientRequestImpl.reInvoke() - Crash is happeining in mmisInvoker_IIO_VHelper call. - AdapterNonExistent Exceptions caused by POA long names - Chinese (traditional) chars are corrupted - *Linear Scan*Incorrect Unspill of src:crash in Compiled Code - Large Sized Work buffer usage by JIT - IBMCharsets.java not thread safe - *RAS* Fix tracepoint in jvmdi_Allocate - Remove stale references - verbosegc logs gets overwritten - Old NIO hang with client auth want and client has no cert ------------------------------------------------------------------- Tue May 29 18:57:27 CEST 2007 - dbornkessel@suse.de - added ia64 macros ------------------------------------------------------------------- Fri May 25 18:30:43 CEST 2007 - dbornkessel@suse.de - moved demo files to %{_jvmdir}/%{sdkdir}/demo (which is in %{_libdir}) in order to avoid having *.so file in /usr/share - switched on stripping again - removed versionless provide of j2sdk - hardlink duplicates - index jar files ------------------------------------------------------------------- Fri May 4 08:58:44 CEST 2007 - dbornkessel@suse.de - added unzip to BuildRequires ------------------------------------------------------------------- Sun Feb 11 12:05:58 CET 2007 - ro@suse.de - moved defattr lines around to fix build as non-root ------------------------------------------------------------------- Thu Feb 1 16:55:33 CET 2007 - dbornkessel@suse.de - deleted jdbc's unversioned self-provide. ------------------------------------------------------------------- Thu Dec 21 15:49:05 CET 2006 - dbornkessel@suse.de - update to 1.4.2 sr7 (Feature request #301576) ------------------------------------------------------------------- Fri Nov 10 12:35:51 CET 2006 - ro@suse.de - fix docu permissions ------------------------------------------------------------------- Thu Oct 26 17:23:45 CEST 2006 - dbornkessel@suse.de - update to 1.4.2 sr6 (feature#301576) ------------------------------------------------------------------- Tue Sep 19 19:14:50 CEST 2006 - dbornkessel@suse.de - update to 1.4.2 sr5 - naming scheme according to ibm naming ------------------------------------------------------------------- Wed Aug 16 10:44:44 CEST 2006 - sndirsch@suse.de - font.properties.SuSE.tar.gz: * added /usr/share/fonts/truetype to appendedfontpath in font.properties.{zh_CN,zh_HK,zh_TW}.SuSE; not sure if this helps since I think that font.properties.{zh_CN,zh_HK,zh_TW} is read instead; therefore question remains who is responsible to copy .{zh_CN,zh_HK,zh_TW}.SuSE to .{zh_CN,zh_HK,zh_TW} (maybe fonts-config?) ------------------------------------------------------------------- Wed Jul 26 17:16:16 CEST 2006 - dbornkessel@suse.de - patch for jni.h (Bug 194790) ------------------------------------------------------------------- Wed Jun 7 15:41:50 CEST 2006 - dbornkessel@suse.de - deactivated wrapper script as it can be problematic in some occasions (see Bug #179737). This should not be a problem, as all packages for all archs are now >= sr4 (where the double-link problem was resolved). ------------------------------------------------------------------- Thu Jun 1 13:02:16 CEST 2006 - dbornkessel@suse.de - repackaged all archive to bz2 - update ia64 to sr4 provided by IBM (see Bug #179736) ------------------------------------------------------------------- Mon May 8 17:13:59 CEST 2006 - dbornkessel@suse.de - updated ppc/ppc64 to sr5_gold (see Bug #115562, comment #67) ------------------------------------------------------------------- Wed Apr 19 20:23:34 CEST 2006 - dbornkessel@suse.de - updated ppc/ppc64 to sr5_silver (see Bug #115562, #comment 64) - subsequent update-alternative call deleted symbolic links (Bug #164953) ------------------------------------------------------------------- Mon Mar 27 15:15:21 CEST 2006 - dbornkessel@suse.de - provide j2re and j2sdk (Bug #160109) - provides jndi and some other stuff with realese-less versions ------------------------------------------------------------------- Fri Mar 24 11:57:51 CET 2006 - schwab@suse.de - Readd wrapper scripts. ------------------------------------------------------------------- Thu Mar 23 18:14:49 CET 2006 - dbornkessel@suse.de - changed /usr/lib to %{_libdir} in compatibility links - update for ppc and ppc64 - deactivated wrapper script as it was fixed with sr4 ------------------------------------------------------------------- Thu Mar 23 16:53:59 CET 2006 - schwab@suse.de - Add compatibility links. ------------------------------------------------------------------- Fri Mar 17 14:34:01 CET 2006 - dbornkessel@suse.de - added versionless jdbc provide: Provides: %{name}-jdbc = %{version}, %{name}-jdbc, java-jdbc = %{version}, java-jdbc ------------------------------------------------------------------- Mon Mar 13 11:51:17 CET 2006 - dbornkessel@suse.de - added missing PreReq: /usr/sbin/update-alternatives ------------------------------------------------------------------- Mon Feb 13 15:06:51 CET 2006 - schwab@suse.de - Fix %pluginpath. ------------------------------------------------------------------- Fri Feb 3 11:10:29 CET 2006 - dbornkessel@suse.de - update to 1.4.2.s4 which fixes bug #117085 - fixed several rpmlint warnings and errors ------------------------------------------------------------------- Wed Jan 25 21:36:47 CET 2006 - mls@suse.de - converted neededforbuild to BuildRequires ------------------------------------------------------------------- Thu Dec 15 16:05:08 CET 2005 - dbornkessel@suse.de - NoSource'd binary tar balls - added Provides: jre1.1.x jre1.2.x jre1.3.x jre1.4.x ------------------------------------------------------------------- Fri Dec 9 15:55:43 CET 2005 - dbornkessel@suse.de - ifarch'ed compat to s390 and s390x ------------------------------------------------------------------- Fri Dec 9 13:22:01 CET 2005 - dbornkessel@suse.de - added 'Requires: compat', as it is needed by the JIT compiler ------------------------------------------------------------------- Mon Dec 5 16:37:09 CET 2005 - dbornkessel@suse.de - added missing 'Provides: jaas' ------------------------------------------------------------------- Mon Nov 21 19:13:37 CET 2005 - dbornkessel@suse.de - corrected link for javaws which could have made trouble when used together with older versions ------------------------------------------------------------------- Mon Nov 21 13:45:04 CET 2005 - dbornkessel@suse.de - updated to latest binaries ------------------------------------------------------------------- Fri Nov 18 16:34:50 CET 2005 - dbornkessel@suse.de - added x86_64 platform - added work around for binaries that can't be called with symbolic links deeper than 1 - added work around for missing file in x86_64 version - added SUSE specific font stuff - added SUSE READMEs - added link to browser plugins as requested in Bug #119416 - corrected javaws link (see Bug #127562) - added menu entry for plugin control panel ------------------------------------------------------------------- Wed Oct 19 13:56:25 CEST 2005 - dbornkessel@suse.de - ifarch'ed plugin and jdbc packages, as plugin is only available for x86 platforms and jdbc is not available for 64 bit platforms