JDK and JRE have reached version 7u51. Thanks :)
Thanks for the report. This is also a security bug.
The vulnerabilities are reported in the following products:
* JDK and JRE 7 Update 45 and prior
* JDK and JRE 6 Update 65 and prior
* JDK and JRE 5 Update 55 and prior
Original Advisory: Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA
http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html#JAVA
+*oracle-jdk-bin-1.7.0.51 (17 Jan 2014) + + 17 Jan 2014; Lars Wendler <polynomial-c@gentoo.org> + +oracle-jdk-bin-1.7.0.51.ebuild: + non-maintainer security bump due to slacking java herd (bug #498148). +
+*oracle-jre-bin-1.7.0.51 (17 Jan 2014) + + 17 Jan 2014; Lars Wendler <polynomial-c@gentoo.org> + +oracle-jre-bin-1.7.0.51.ebuild: + non-maintainer security bump due to slacking java herd (bug #498148). +
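Review bot: both ChangeLog entries record only the version bump to 1.7.0.51 and say nothing about the bundled JavaFX version the ebuild pins (FX_VERSION, which comment 6 below finds still at 2_2_45, pointing at a download that no longer exists). For a security bump of a package that bundles a second versioned component, the entry should state that the bundled version was updated as well, e.g. `+ Also bump FX_VERSION to the JavaFX release shipped with 7u51.`, so the stale pin is caught at commit time rather than by users.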
Thank you for the bumps, please advise when tested and ready for stabilization.
Is it just me or the bumper forgot to update the FX_VERSION variable in the ebuild? It's still FX_VERSION="2_2_45" and the corresponding package is not available for download anymore, anyway.
(In reply to xenon from comment #6)
> Is it just me or the bumper forgot to update the FX_VERSION variable in the
> ebuild?
I see the same problem.
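The check that comment 6 did by hand, as an added example that is not code from this bug or from Gentoo: parse the ebuild's simple variable assignments and the version in the ebuild file name, and flag any pin that is still one of the releases the advisory lists as affected. The ebuild fragments and the placeholder JavaFX version 2_2_99 in the fixed variant are constructed for the example.

```python
import re

# Constructed ebuild fragments modelled on the thread (not the real Gentoo
# ebuilds): the package was bumped to 1.7.0.51, but the first revision left
# the bundled JavaFX version at 2_2_45.
STALE_EBUILD = """\
FX_VERSION="2_2_45"
DESCRIPTION="Oracle's Java SE Development Kit"
"""
# Placeholder value for the fixed revision; 2_2_99 is invented for the test,
# not the JavaFX version Oracle actually shipped with 7u51.
FIXED_EBUILD = STALE_EBUILD.replace("2_2_45", "2_2_99")

# Versions the January 2014 advisory on this bug lists as affected.
AFFECTED = {
    "jdk": {"5.0u55", "6u65", "7u45"},
    "javafx": {"2.2.45"},
}


def ebuild_vars(text):
    """Collect the simple KEY="value" assignments of an ebuild into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^(\w+)="([^"]*)"$', text, re.M)}


def pv_to_update(pv):
    """Map a Gentoo version such as 1.7.0.51 to Oracle's 7u51 form."""
    parts = pv.split(".")
    if len(parts) == 4 and parts[0] == "1":
        return f"{parts[1]}u{parts[3]}"
    return pv


def check_bump(ebuild_name, text, affected=AFFECTED):
    """Return findings for pins that are still affected; [] means the bump is clean.

    ebuild_name is e.g. 'oracle-jdk-bin-1.7.0.51-r1.ebuild'.
    """
    findings = []
    m = re.search(r"-(\d+(?:\.\d+)*)(?:-r\d+)?\.ebuild$", ebuild_name)
    if not m:
        findings.append(f"cannot parse a version from {ebuild_name}")
    elif pv_to_update(m.group(1)) in affected["jdk"]:
        findings.append(f"{ebuild_name} is itself an affected release")
    fx = ebuild_vars(text).get("FX_VERSION")
    if fx is None:
        findings.append("FX_VERSION missing: cannot verify the bundled JavaFX")
    elif fx.replace("_", ".") in affected["javafx"]:
        findings.append(f"FX_VERSION={fx} still pins an affected JavaFX release")
    return findings
```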
+*oracle-jdk-bin-1.7.0.51-r1 (19 Jan 2014) + + 19 Jan 2014; Lars Wendler <polynomial-c@gentoo.org> + -oracle-jdk-bin-1.7.0.51.ebuild, +oracle-jdk-bin-1.7.0.51-r1.ebuild: + Forgot to change java_fx version. + Thanks for spotting this and sorry for the circumstances...
Please stabilize the following for amd64 and x86:
=dev-java/oracle-jre-bin-1.7.0.51
=dev-java/oracle-jdk-bin-1.7.0.51
Thanks to Lars for taking care of the bump.
CVE-2014-0375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0375): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0403.

CVE-2014-0373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0373): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serviceability. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to throwing of an incorrect exception when SnmpStatusException should have been used in the SNMP implementation, which allows attackers to escape the sandbox.

CVE-2014-0368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0368): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to incorrect permission checks when listening on a socket, which allows attackers to escape the sandbox.

CVE-2013-5910 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5910): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, and Java SE Embedded 7u45, allows remote attackers to affect integrity via unknown vectors related to Security.

CVE-2013-5907 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5907): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is due to incorrect input validation in LookupProcessor.cpp in the ICU Layout Engine, which allows attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted font file.

CVE-2013-5906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5906): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install, a different vulnerability than CVE-2013-5905.

CVE-2013-5905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5905): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install, a different vulnerability than CVE-2013-5906.

CVE-2013-5904 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5904): Unspecified vulnerability in Oracle Java SE 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2013-5902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5902): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVE-2013-5899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5899): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.

CVE-2013-5898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5898): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2014-0375 and CVE-2014-0403.

CVE-2013-5896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5896): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; and Java SE Embedded 7u45; allows remote attackers to affect availability via vectors related to CORBA.

CVE-2013-5895 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5895): Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect confidentiality via unknown vectors related to JavaFX.

CVE-2013-5893 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5893): Unspecified vulnerability in Oracle Java SE 7u45 and Java SE Embedded 7u45, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to improper handling of methods in MethodHandles in HotSpot JVM, which allows attackers to escape the sandbox.

CVE-2013-5889 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5889): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVE-2013-5888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5888): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, when running with GNOME, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2013-5887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5887): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect availability via unknown vectors related to Deployment.

CVE-2013-5884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5884): Unspecified vulnerability in Oracle Java SE Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an incorrect check for code permissions by CORBA stub factories.

CVE-2013-5878 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5878): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45, Java SE Embedded 7u45, and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Security. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the Security component does not properly handle null XML namespace (xmlns) attributes during XML document canonicalization, which allows attackers to escape the sandbox.

CVE-2013-5870 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5870): Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.

CVE-2014-0428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0428): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to "insufficient security checks in IIOP streams," which allows attackers to escape the sandbox.

CVE-2014-0424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0424): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0418.

CVE-2014-0423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0423): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; and Java SE Embedded 7u45 allows remote authenticated users to affect confidentiality and availability via unknown vectors related to Beans.

CVE-2014-0422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0422): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JNDI. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to missing package access checks in the Naming / JNDI component, which allows attackers to escape the sandbox.

CVE-2014-0418 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0418): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0415, and CVE-2014-0424.

CVE-2014-0417 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0417): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX 2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2014-0416 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0416): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAAS. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to how principals are set for the Subject class, which allows attackers to escape the sandbox using deserialization of a crafted Subject instance.

CVE-2014-0415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0415): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0410, CVE-2014-0418, and CVE-2014-0424.

CVE-2014-0411 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0411): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JRockit R27.7.7 and R28.2.9; and Java SE Embedded 7u45 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVE-2014-0410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0410): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5889, CVE-2013-5902, CVE-2014-0415, CVE-2014-0418, and CVE-2014-0424.

CVE-2014-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0408): Unspecified vulnerability in Oracle Java SE 7u45, when running on OS X, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

CVE-2014-0403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0403): Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment, a different vulnerability than CVE-2013-5898 and CVE-2014-0375.

CVE-2014-0387 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0387): Unspecified vulnerability in Oracle Java SE 6u65 and Java SE 7u45, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2014-0385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0385): Unspecified vulnerability in Oracle Java SE 7u45, when installing on OS X, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.

CVE-2014-0382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0382): Unspecified vulnerability in Oracle Java SE 7u45 and JavaFX 2.2.45 allows remote attackers to affect availability via unknown vectors related to JavaFX.

CVE-2014-0376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0376): Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect integrity via vectors related to JAXP. NOTE: the previous information is from the January 2014 CPU. Oracle has not commented on third-party claims that the issue is related to an improper check for "code permissions when creating document builder factories."
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle).
Maintainers, please drop vulnerable versions.
(In reply to Sean Amoss from comment #15)
> Maintainers, please drop vulnerable versions.
Was already done two days ago.
(In reply to Lars Wendler (Polynomial-C) from comment #16)
> (In reply to Sean Amoss from comment #15)
> > Maintainers, please drop vulnerable versions.
>
> Was already done two days ago.
Thanks.