See URL. A full round of bumps will follow.
Version bumps are now in tree:
* app-emulation/emul-linux-x86-java-1.6.0.33
* dev-java/sun-jdk-1.6.0.33
* dev-java/sun-jre-bin-1.6.0.33
* dev-java/oracle-jdk-bin-1.7.0.5
* dev-java/oracle-jre-bin-1.7.0.5
The following need to be stabilized:
=app-emulation/emul-linux-x86-java-1.6.0.33 (amd64)
=dev-java/sun-jdk-1.6.0.33 (amd64, x86)
=dev-java/sun-jre-bin-1.6.0.33 (amd64, x86)
As x86 accidentally stabilized oracle-{jdk,jre}-bin the following need to be stabilized on x86 as well:
=dev-java/oracle-jdk-bin-1.7.0.5 (x86)
=dev-java/oracle-jre-bin-1.7.0.5 (x86)
amd64 stable
Stabilising =dev-java/java-sdk-docs-1.7.0.4 on x86 as well as it's required by =dev-java/oracle-jdk-bin-1.7.0.5[doc]
x86 stable
@security: please vote
CVE-2012-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1726): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries.
CVE-2012-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1725): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
CVE-2012-1724 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1724): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect availability, related to JAXP.
CVE-2012-1723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1723): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
CVE-2012-1722 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1722): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1721.
CVE-2012-1721 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1721): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, and 6 update 32 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2012-1722.
CVE-2012-1719 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1719): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect integrity, related to CORBA.
CVE-2012-1718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1718): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect availability via unknown vectors related to Security.
CVE-2012-1717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1717): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows local users to affect confidentiality via unknown vectors related to printing on Solaris or Linux.
CVE-2012-1716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1716): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, and 5 update 35 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Swing.
CVE-2012-1713 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1713): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, 1.4.2_37 and earlier, and JavaFX 2.1 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
CVE-2012-1711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1711): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to CORBA.
Thanks, everyone. Added to existing GLSA request.
x86 please stabilize again, dev-java/oracle-{jdk,jre}-bin-1.7.0.5-r1
Upstream silently changed contents of the distfiles so I did a revbump to better be sure everyone gets this. Could be related to security, but no idea :(
changing bug summary to -r1 as well
(In reply to comment #8)
> x86 please stabilize again, dev-java/oracle-{jdk,jre}-bin-1.7.0.5-r1
>
> Upstream silently changed contents of the distfiles so I did a revbump to
> better be sure everyone gets this. Could be related to security, but no idea
> :(
>
> changing bug summary to -r1 as well

Same for java 6, arch teams please also stabilize:
=app-emulation/emul-linux-x86-java-1.6.0.33-r1 (amd64)
=dev-java/sun-jdk-1.6.0.33-r1 (amd64, x86)
=dev-java/sun-jre-bin-1.6.0.33-r1 (amd64, x86)
Thanks.
amd64: ok (for packages below)
=dev-java/oracle-{jdk,jre}-bin-1.7.0.5-r1
=dev-java/sun-{jdk,jre}-1.6.0.33-r1
can't test emul-linux-.. package, I switched my boxes to nomultilib due to some problems on hardened.
Also, there are some problems on hardened that r2 supposedly fixes (pax marking), wouldn't it be worth to stabilize r2 instead? This may have been fixed already in eclass, see #427642
GLSA together with #404071
The bundle jre-6u33-linux-i586.bin is no longer available from http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html. That URL provides now jre-6u34-linux-i586.bin.
In fact, I cannot find any downloadables for Java 6 update 33 at the Java 6 SE archives at http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html. The latest update available is 32.
(In reply to comment #14)
> The bundle jre-6u33-linux-i586.bin is no longer available from
> http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html.
> That URL provides now jre-6u34-linux-i586.bin.
>
> In fact, I cannot find any downloadables for Java 6 update 33 at the Java 6
> SE archives at
> http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html.
> The latest update available is 32.

Erik, this looks to be bug 431492.
This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle).