Current IcedTea repository contains fixes for the following security issues:
- CVE-2008-5360 - Temporary files have guessable file names.
- CVE-2008-5350 - Allows listing files within the user home directory.
- CVE-2008-5348 - Denial-of-service in Kerberos authentication.
- CVE-2008-5359 - Buffer overflow in image processing.
- CVE-2008-5351 - UTF-8 decoder accepts non-shortest form sequences.
- CVE-2008-5356 - Font processing vulnerability.
- CVE-2008-5353 - Calendar object deserialization allows privilege escalation.
- CVE-2008-5354 - Privilege escalation in command line applications.
- CVE-2008-5357 - TrueType font processing vulnerability.
- CVE-2008-5352 - Jar200 decompression buffer overflow.
- CVE-2008-5358 - Buffer overflow in GIF image processing.
No release yet for this.
These security fixes are in the Gentoo 1.3.1 ebuild and have been for some time. Please check the ebuild for patches first. There is also now 1.4, which also has these fixes.
Just to clarify: dev-java/icedtea6-1.3.1-r2 is fixed, and this package is in java-overlay, not the main tree. dev-java/icedtea6-bin-1.3.1-r1 is built from the fixed sources; the vulnerable version was never in the main tree. This package is in the main tree, but only ~arch yet. Which means, IIRC, no GLSA and we are probably done here :) I'll leave it up to the security guys.
Closing without GLSA since it's ~arch only, sorry for the lag.