Bug 904889 (CVE-2014-3065) - VUL-0: CVE-2014-3065: java-1_4_2-ibm, java-1_7_0-ibm, java-1_6_0-ibm, java-1_4_2-ibm-sap, java-1_5_0-ibm, java-1_7_1-ibm: IBM Security Update November 2014
Summary: VUL-0: CVE-2014-3065: java-1_4_2-ibm, java-1_7_0-ibm, java-1_6_0-ibm, java-1_...
Status: RESOLVED FIXED
Alias: CVE-2014-3065
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Deadline: 2014-11-18
Assignee: Tomáš Chvátal
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/110611/
Whiteboard: maint:released:sle10-sp3:59744 maint:...
Keywords:
Depends on:
Blocks: 930365 931693
  Show dependency treegraph
 
Reported: 2014-11-11 15:15 UTC by Johannes Segitz
Modified: 2015-06-03 09:58 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
tchvatal: needinfo? (mcowley)

Attachments
sh_x_installer.log (95.62 KB, text/plain)
2014-11-20 14:42 UTC, Tomáš Chvátal 		Details
installer-debug-output.log (3.35 MB, text/x-log)
2014-11-20 14:43 UTC, Tomáš Chvátal 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2014-11-11 15:15:23 UTC 
See http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2014

java-1_5_0-ibm
current 1.5.0_sr16.7
new 1.5.0_sr16.8
Please submit for SLE10 SP3, SLE11 SP1
CVEs:
- CVE-2014-3065: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided. (bnc#)
- CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. (bnc#901223 901254 901277 901748 901757 901759 901889 901968 902229 902476 902912 903684 903690 903692)
- CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (bnc#901239 901242 901246)
- CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. (bnc#901239 901242 901246)
- CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security. (bnc#901239 901242 901246)

java-1_6_0-ibm
current 1.6.0_sr16.1
new 1.6.0_sr16.2
Please submit for SLE10 SP3, SLE11 SP1, SLE11 SP2 and SLE11 SP3
CVEs:
- CVE-2014-3065: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided. (bnc#)
- CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. (bnc#901223 901254 901277 901748 901757 901759 901889 901968 902229 902476 902912 903684 903690 903692)
- CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. (bnc#901239 901242 901246)
- CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503. (bnc#901239 901242 901246)
- CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (bnc#901239 901242 901246)
- CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. (bnc#901239 901242 901246)
- CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security. (bnc#901239 901242 901246)

java-1_7_0-ibm
current 1.7.0_sr7.1
new 1.7.0_sr7.2
Please submit for SLE 11 SP3
CVEs:
- CVE-2014-3065: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided. (bnc#)
- CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. (bnc#901223 901254 901277 901748 901757 901759 901889 901968 902229 902476 902912 903684 903690 903692)
- CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. (bnc#901239 901242 901246)
- CVE-2014-6456: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (bnc#901239 901242 901246)
- CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503. (bnc#901239 901242 901246)
- CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6476: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527. (bnc#901239 901242 901246)
- CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (bnc#901239 901242 901246)
- CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. (bnc#901239 901242 901246)
- CVE-2014-6527: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476. (bnc#901239 901242 901246)
- CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security. (bnc#901239 901242 901246)

java-1_7_1-ibm
current 1.7.1_sr1.1
new 1.7.1_sr1.2
Please submit for SLE 12.
CVEs:
- CVE-2014-3065: ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided. (bnc#)
- CVE-2014-3566: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. (bnc#901223 901254 901277 901748 901757 901759 901889 901968 902229 902476 902912 903684 903690 903692)
- CVE-2014-6513: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. (bnc#901239 901242 901246)
- CVE-2014-6456: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (bnc#901239 901242 901246)
- CVE-2014-6503: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6532: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6493, and CVE-2014-6503. (bnc#901239 901242 901246)
- CVE-2014-4288: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6493, CVE-2014-6503, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6493: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532. (bnc#901239 901242 901246)
- CVE-2014-6492: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6458: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6466: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Internet Explorer, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6506: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6476: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6527. (bnc#901239 901242 901246)
- CVE-2014-6515: Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment. (bnc#901239 901242 901246)
- CVE-2014-6511: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality via unknown vectors related to 2D. (bnc#901239 901242 901246)
- CVE-2014-6531: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6512: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6457: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3, and R28.3.3 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. (bnc#901239 901242 901246)
- CVE-2014-6527: Unspecified vulnerability in Oracle Java SE 7u67 and 8u20 allows remote attackers to affect integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-6476. (bnc#901239 901242 901246)
- CVE-2014-6502: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20, and Java SE Embedded 7u60, allows remote attackers to affect integrity via unknown vectors related to Libraries. (bnc#901239 901242 901246)
- CVE-2014-6558: Unspecified vulnerability in Oracle Java SE 5.0u71, 6u81, 7u67, and 8u20; Java SE Embedded 7u60; and JRockit R27.8.3 and JRockit R28.3.3 allows remote attackers to affect integrity via unknown vectors related to Security. (bnc#901239 901242 901246)


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1162554
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3065
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2014
Comment 1 Tomáš Chvátal 2014-11-11 15:31:50 UTC 
For some magic reason they are not fetchable yet....

http://www.ibm.com/developerworks/java/jdk/linux/download.html
Comment 2 Swamp Workflow Management 2014-11-11 15:33:48 UTC 
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-11-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59615
Comment 3 Tomáš Chvátal 2014-11-11 16:02:29 UTC 
Really can't find the downloads so can't proceed with the update, any ideas what to do?
Comment 4 Swamp Workflow Management 2014-11-11 23:00:14 UTC 
bugbot adjusting priority
Comment 5 Johannes Segitz 2014-11-12 09:05:03 UTC 
(In reply to Tomáš Chvátal from comment #3)
Give it another try, I tried it right now and it worked
Comment 6 Tomáš Chvátal 2014-11-12 11:39:57 UTC 
Downloads are now available but this one is missing:

"""
IBM 32-bit SDK for Linux on Intel architecture, Java 2 Technology Edition
Version  5 SR16FP8 
"""
Simply 32b intel platform.


The newst available is SR16FP7.

Checked it here:
https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=sdk5&S_PKG=intel5sr16fp8&S_TACT=105AGX05&S_CMP=JDK

@Mark: could you poke somebody to take look on why it was not released?
Comment 7 Tomáš Chvátal 2014-11-12 12:26:21 UTC 
And same apply to:

"""
IBM 64-bit (LE) SDK for Linux on iSeries and pSeries architecture, Java Technology Edition, v7r1
Version  71_SR2
"""

The newest is again SR1...
Comment 8 Mark Cowley 2014-11-12 18:06:43 UTC 
(In reply to Tomas Chvatal from comment #6)
> @Mark: could you poke somebody to take look on why it was not released?

I spoke to Hanns Uhl about this today.  He will check into these bits that are still missing.  Could be they are just a day or two later showing up than the rest for some reason.... but I expect we will know more soon.
Comment 9 Hanns-Joachim Uhl 2014-11-14 09:57:09 UTC 
(In reply to Tomas Chvatal from comment #6)
> Downloads are now available but this one is missing:
> 
> """
> IBM 32-bit SDK for Linux on Intel architecture, Java 2 Technology Edition
> Version  5 SR16FP8 
> """
> Simply 32b intel platform.
> 
> 
> The newst available is SR16FP7.
> 
> Checked it here:
> https://www14.software.ibm.com/webapp/iwm/web/preLogin.
> do?source=sdk5&S_PKG=intel5sr16fp8&S_TACT=105AGX05&S_CMP=JDK
> 
> @Mark: could you poke somebody to take look on why it was not released?
,
Hello SUSE / Tomas,
I was told that this (and also the issue in comment #7 ..) should be 
corrected now ...
... can you please give it a try from your side ..? 
Please provide feedback in this bugzilla if it is working now
as soon as possible ..
Thanks in advance for your support.
Comment 10 Tomáš Chvátal 2014-11-14 10:26:26 UTC 
(In reply to Hanns-Joachim Uhl from comment #9)
> Hello SUSE / Tomas,
> I was told that this (and also the issue in comment #7 ..) should be 
> corrected now ...
> ... can you please give it a try from your side ..? 
> Please provide feedback in this bugzilla if it is working now
> as soon as possible ..
> Thanks in advance for your support.

Now it is broken bit differently.

The tarballs are there at least accordingly to the web but downloading fails with:

HTTPError: HTTP Error 403: Forbidden

Example:
"""

https://iwm.dhe.ibm.com/sdfdl/1v2/regs2/linuxjavasdks/java/java5/5.0.16.8/linuxia32/Xa.2/Xb.V4HO5ljJ9dYBtdWohYF9bIest_HC6x4pUcbmEbvVRg/Xc.java/java5/5.0.16.8/linuxia32/ibm-java2-i386-sdk-5.0-16.8.i386.rpm/Xd./Xf.LPr.D1vk/Xg.7822704/Xi.sdk5/XY.regsrvs/XZ.O0-ruoGh0WHnt4C5hyPJzc7Hlg8/ibm-java2-i386-sdk-5.0-16.8.i386.rpm

Access Denied

You don't have permission to access "http://iwm.dhe.ibm.com/sdfdl/1v2/regs2/linuxjavasdks/java/java5/5.0.16.8/linuxia32/Xa.2/Xb.V4HO5ljJ9dYBtdWohYF9bIest_HC6x4pUcbmEbvVRg/Xc.java/java5/5.0.16.8/linuxia32/ibm-java2-i386-sdk-5.0-16.8.i386.rpm/Xd./Xf.LPr.D1vk/Xg.7822704/Xi.sdk5/XY.regsrvs/XZ.O0-ruoGh0WHnt4C5hyPJzc7Hlg8/ibm-java2-i386-sdk-5.0-16.8.i386.rpm" on this server.
Reference #18.15841402.1415960703.2e7872
Comment 12 Hanns-Joachim Uhl 2014-11-17 15:41:52 UTC 
Hello SUSE / Tomas,
next try ... it should be corrected now ...
... can you please give it a try from your side ..? 
Please provide feedback in this bugzilla if it is working now
as soon as possible ..
Thanks in advance for your support.
Comment 16 Tomáš Chvátal 2014-11-18 15:11:49 UTC 
Ok tarballs are downloadable now.

jdk5 update prepared
jdk6 update in progress

jdk7 and jdk7.1 have big problem, they seem to not extract from the .bin file.

The spec file does this:

[    2s] + sh /home/abuild/rpmbuild/SOURCES/ibm-java-sdk-7.1-2.0-x86_64-archive.bin -f /home/abuild/rpmbuild/BUILD/java-1_7_1-ibm-1.7.1_sr2.0/installer.properties
[    2s] Preparing to install...
[    2s] Extracting the JRE from the installer archive...
[    3s] Unpacking the JRE...
[    4s] Extracting the installation resources from the installer archive...
[    4s] Configuring the installer for this system's environment...
[    4s] 
[    4s] Launching installer...
[    4s] 
[   14s] + '[' '!' -d ibm-java-x86_64-71 -a -d /home/abuild/rpmbuild/SOURCES/ibm-java-x86_64-71 ']'

There is no error reported but the directory is not created. The properties are like this:
INSTALLER_UI=silent
USER_INSTALL_DIR=ibm-java-x86_64-71

I am not sure how to figure exactly what was changed in the binary to install it now, maybe some new variable or something?
Comment 17 Tomáš Chvátal 2014-11-18 15:54:15 UTC 
Could you please check what was changed and if there is some way how to make the binaries still work for us at SUSE?
Comment 21 Tomáš Chvátal 2014-11-19 14:40:08 UTC 
The shell script at the begining of the binary is same between the 6.0 and 7.0 and 7.1. So there probably is not the culprit.

Executing the installer localy on machine does not work either, so really I don't know what is wrong:

scarabeus@bugaboo: ~/tmp/javatest $ sh ibm-java-sdk-7.0-8.0-x86_64-archive.bin
Preparing to install...
Extracting the JRE from the installer archive...
Unpacking the JRE...
Extracting the installation resources from the installer archive...
Configuring the installer for this system's environment...

Launching installer...

scarabeus@bugaboo: ~/tmp/javatest $ echo $?
0
Comment 23 Tomáš Chvátal 2014-11-20 14:42:32 UTC 
Created attachment 614414 [details]
sh_x_installer.log
Comment 24 Tomáš Chvátal 2014-11-20 14:43:14 UTC 
Created attachment 614415 [details]
installer-debug-output.log

LAX_DEBUG=1 output
Comment 28 Tomáš Chvátal 2014-11-25 13:46:23 UTC 
We are unable to install the ppc64le version as it links to cuda which is not provided on sle:

> +can't install java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le:
> +  nothing provides libcudart.so.5.5()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
> +  nothing provides libcuda.so.1()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
> +can't install java-1_7_1-ibm-jdbc-1.7.1_sr2.0-4.1.ppc64le:
> +  package java-1_7_1-ibm-jdbc-1.7.1_sr2.0-4.1.ppc64le requires java-1_7_1-ibm = 1.7.1_sr2.0-4.1, but none of the providers can be installed
> +  nothing provides libcudart.so.5.5()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
> +  nothing provides libcuda.so.1()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
>  

On filelists for all platforms this is what I can see with CUDA:
                                                                                                      
filelist.ppc64le:e03b0c64f6680c85e81e7ad0094975d3;ibm-java-ppc64le-71/jre/lib/cuda4j.jar;usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/cuda4j.jar;java-1_7_1-ibm
filelist.ppc64le:807eb361be0c4c6efe6e387b104f8baa;ibm-java-ppc64le-71/jre/lib/ppc64le/libcuda4j55_27.so;usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/ppc64le/libcuda4j55_27.so;java-1_7_1-ibm

@Mark: any ideas whom to ask wether this should be packaged of if it is mistake?
Eg. should we add cuda to SLE or should we get updated java packages?
Comment 30 Swamp Workflow Management 2014-11-28 18:05:50 UTC 
SUSE-SU-2014:1526-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 904889
CVE References: CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6456,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6476,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6527,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    java-1_6_0-ibm-1.6.0_sr16.2-0.3.1, java-1_7_0-ibm-1.7.0_sr8.0-0.5.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    java-1_6_0-ibm-1.6.0_sr16.2-0.3.1, java-1_7_0-ibm-1.7.0_sr8.0-0.5.1
SUSE Linux Enterprise Server 11 SP3 (src):    java-1_6_0-ibm-1.6.0_sr16.2-0.3.1, java-1_7_0-ibm-1.7.0_sr8.0-0.5.1
Comment 31 Swamp Workflow Management 2014-12-02 17:05:13 UTC 
SUSE-SU-2014:1541-1: An update that fixes 18 vulnerabilities is now available.

Category: security (moderate)
Bug References: 901223,901239,904889
CVE References: CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Sources used:
Comment 32 Swamp Workflow Management 2014-12-02 18:04:51 UTC 
SUSE-SU-2014:1526-2: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 904889
CVE References: CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6456,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6476,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6527,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Sources used:
SUSE Manager 1.7 for SLE 11 SP2 (src):    java-1_6_0-ibm-1.6.0_sr16.2-0.3.1
Comment 33 Swamp Workflow Management 2014-12-03 16:05:14 UTC 
SUSE-SU-2014:1549-1: An update that fixes 21 vulnerabilities is now available.

Category: security (important)
Bug References: 901223,901239,904889
CVE References: CVE-2014-3065,CVE-2014-3566,CVE-2014-4288,CVE-2014-6456,CVE-2014-6457,CVE-2014-6458,CVE-2014-6466,CVE-2014-6476,CVE-2014-6492,CVE-2014-6493,CVE-2014-6502,CVE-2014-6503,CVE-2014-6506,CVE-2014-6511,CVE-2014-6512,CVE-2014-6513,CVE-2014-6515,CVE-2014-6527,CVE-2014-6531,CVE-2014-6532,CVE-2014-6558
Sources used:
Comment 34 LTC BugProxy 2014-12-03 17:42:33 UTC 
------- Comment From chavez@us.ibm.com 2014-12-03 17:32 EDT-------
(In reply to comment #15)
> We are unable to install the ppc64le version as it links to cuda which is
> not provided on sle:
>
> > +can't install java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le:
> > +  nothing provides libcudart.so.5.5()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
> > +  nothing provides libcuda.so.1()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
> > +can't install java-1_7_1-ibm-jdbc-1.7.1_sr2.0-4.1.ppc64le:
> > +  package java-1_7_1-ibm-jdbc-1.7.1_sr2.0-4.1.ppc64le requires java-1_7_1-ibm = 1.7.1_sr2.0-4.1, but none of the providers can be installed
> > +  nothing provides libcudart.so.5.5()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
> > +  nothing provides libcuda.so.1()(64bit) needed by java-1_7_1-ibm-1.7.1_sr2.0-4.1.ppc64le
> >
>
> On filelists for all platforms this is what I can see with CUDA:
>
> filelist.ppc64le:e03b0c64f6680c85e81e7ad0094975d3;ibm-java-ppc64le-71/jre/
> lib/cuda4j.jar;usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/cuda4j.jar;java-
> 1_7_1-ibm
> filelist.ppc64le:807eb361be0c4c6efe6e387b104f8baa;ibm-java-ppc64le-71/jre/
> lib/ppc64le/libcuda4j55_27.so;usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/
> ppc64le/libcuda4j55_27.so;java-1_7_1-ibm
>
> @Mark: any ideas whom to ask wether this should be packaged of if it is
> mistake?
> Eg. should we add cuda to SLE or should we get updated java packages?

Hello SUSE,

I opened a ticket with Java L3 today about the issue you ran into with the libcuda dependency and below is their response. Can you answer the last question please?

I'm Will from the Java Level 3 service team. Thanks for opening PMR 46319,001,866.

I found out that some people in Java development have already looked at the problem, but did not have enough information to recreate the problem yet. None of the java packages are intended to have a dependency on libcuda.so. If the library is present then IBM Java can work with it, but it is optional - if the library is not found on a system then the Java run time can still run successfully. If one of the Java packages does indicate a dependency on libcuda.so then we will fix our packaging and remove that dependency.

Please can you find out which package file gave the problem, and exactly what install commands are run when the problem happens?
Comment 35 Tomáš Chvátal 2014-12-03 19:36:13 UTC 
> 
> I opened a ticket with Java L3 today about the issue you ran into with the
> libcuda dependency and below is their response. Can you answer the last
> question please?
> 
> I'm Will from the Java Level 3 service team. Thanks for opening PMR
> 46319,001,866.
> 
> I found out that some people in Java development have already looked at the
> problem, but did not have enough information to recreate the problem yet.
> None of the java packages are intended to have a dependency on libcuda.so.
> If the library is present then IBM Java can work with it, but it is optional
> - if the library is not found on a system then the Java run time can still
> run successfully. If one of the Java packages does indicate a dependency on
> libcuda.so then we will fix our packaging and remove that dependency.

Files in archive (sh):
ibm-java-ppc64le-71/jre/lib/cuda4j.jar
ibm-java-ppc64le-71/jre/lib/ppc64le/libcuda4j55_27.so
Files on SLE:
/usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/ppc64le/libcuda4j55_27.so
/usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/cuda4j.jar

Note: this cuda dep is really only on ppc64le, all other platforms do not install this file.
> 
> Please can you find out which package file gave the problem, and exactly
> what install commands are run when the problem happens?

sh %{ARCHIVE} -i silent -f `pwd`/installer.properties
Content of properites:
INSTALLER_UI=silent
USER_INSTALL_DIR=%{_sourcedir}/%{top_leveldir}
Comment 36 Hanns-Joachim Uhl 2014-12-04 15:39:17 UTC 
Hello Tomas,
a short question ...
.
... I just realized that the IBM Java 7 Release 1 SR2 was made available at 12/03
on the maintweb for SLES 12 and also for ppc64le ... see
https://download.suse.com/Download?buildid=sDsrz5b_pek~ ...
... how do you have made this happen considering comment #35 ..?
Please advise ..
.
Thanks for your support.
Comment 37 Tomáš Chvátal 2014-12-04 16:09:35 UTC 
(In reply to Hanns-Joachim Uhl from comment #36)
> Hello Tomas,
> a short question ...
> .
> ... I just realized that the IBM Java 7 Release 1 SR2 was made available at
> 12/03
> on the maintweb for SLES 12 and also for ppc64le ... see
> https://download.suse.com/Download?buildid=sDsrz5b_pek~ ...
> ... how do you have made this happen considering comment #35 ..?
> Please advise ..
> .
> Thanks for your support.

Slight accident, the error is present but it was released...
The error is present in the released package :/
Comment 38 LTC BugProxy 2014-12-04 16:22:03 UTC 
------- Comment From hannsj_uhl@de.ibm.com 2014-12-04 16:12 EDT-------
Comment 39 LTC BugProxy 2014-12-05 16:54:51 UTC 
------- Comment From chavez@us.ibm.com 2014-12-05 16:49 EDT-------
Thanks for the reply. The Java packaging team is going to investigate the libcuda dependency in the Linux PPC LE package reported.
Comment 40 LTC BugProxy 2014-12-17 22:24:03 UTC 
------- Comment From chavez@us.ibm.com 2014-12-17 22:12 EDT-------
Java L3 is trying to recreate the issue...
Comment 41 LTC BugProxy 2015-01-05 19:02:55 UTC 
------- Comment From chavez@us.ibm.com 2015-01-05 18:52 EDT-------
Java L3 updated the ticket while I was out on holiday. They were not able to recreate the reported issue but I have left an update to confirm they were using SLES 12 GA.

"I finally got hold of a ppc64le machine without CUDA and tried
installing 1.7.1 SR2 on it - pxl6470_27sr2-20141101_01. The
installation went well. I am not sure which level SUSE is referring."
Comment 42 Tomáš Chvátal 2015-01-06 08:58:36 UTC 
(In reply to LTC BugProxy from comment #41)
> ------- Comment From chavez@us.ibm.com 2015-01-05 18:52 EDT-------
> Java L3 updated the ticket while I was out on holiday. They were not able to
> recreate the reported issue but I have left an update to confirm they were
> using SLES 12 GA.
> 
> "I finally got hold of a ppc64le machine without CUDA and tried
> installing 1.7.1 SR2 on it - pxl6470_27sr2-20141101_01. The
> installation went well. I am not sure which level SUSE is referring."

Well that is to be expected. The installation itself won't fail. There are libraries installed that are unresolvable tho, and thus failing for our QA checks and could cause the user to have runtime issues under some specified cases.
Comment 43 Marcus Meissner 2015-01-07 10:17:54 UTC 
there will probably be dependency errors when you try install the update from our maintenance web.
Comment 44 LTC BugProxy 2015-02-02 14:34:12 UTC 
------- Comment From tstaudt@de.ibm.com 2015-02-02 14:29 EDT-------
Hello SUSE,

the CUDA dependency is optional and not required on SLES.
Please adapt any dependencies or checks accordingly for the time being.
IBM is working to remove the explicit dependencies for future versions of the IBM Java SDK.
Thanks for your support.
Comment 47 Swamp Workflow Management 2015-02-21 00:06:24 UTC 
SUSE-SU-2015:0344-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 891701,901223,901239,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    java-1_7_0-ibm-1.7.0_sr8.10-0.6.4, java-1_7_0-ibm-1.7.0_sr8.10-0.6.5
Comment 48 Swamp Workflow Management 2015-02-21 00:07:38 UTC 
SUSE-SU-2015:0345-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 901223,901239,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.3-0.9.1
Comment 49 Swamp Workflow Management 2015-02-25 18:06:13 UTC 
SUSE-SU-2015:0376-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 891699,901223,901239,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    java-1_5_0-ibm-1.5.0_sr16.9-0.6.1
Comment 50 Swamp Workflow Management 2015-02-27 18:06:20 UTC 
SUSE-SU-2015:0392-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 592934,891700,901223,904889,916265,916266
CVE References: CVE-2014-8891,CVE-2014-8892
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.3-0.4.5
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.3-0.4.5
Comment 51 Marcus Meissner 2015-03-02 10:00:33 UTC 
CUDA packaging issue not yet resolved... keeping open.
Comment 52 Tomáš Chvátal 2015-06-03 09:58:42 UTC 
Removed the requirements on our side. But still if some customer expects it he is out of luck as the library is still there.