The July 2013 updates for the IBM JDK (5.0 SR16-FP3, 6 SR14, 6.0.1 SR6, 7 SR5) contain patches for unspecified security flaws. For the majority of the flaws, upstream has provided a CVSSv2 base score of 9.3, which suggests a CVSSv2 vector of AV:N/AC:M/Au:N/C:P/I:P/A:P. The exception is CVE-2013-4002 with a CVSSv2 base score of 7.1.

CVE            CVSSv2 Score  Fixed in
CVE-2013-3006  9.3           7 SR5
CVE-2013-3007  9.3           6.0.1 SR6, 7 SR5
CVE-2013-3008  9.3           7 SR5
CVE-2013-3009  9.3           5.0 SR16-FP3, 6 SR14, 6.0.1 SR6, 7 SR5
CVE-2013-3010  9.3           6.0.1 SR6, 7 SR5
CVE-2013-3011  9.3           5.0 SR16-FP3, 6 SR14, 6.0.1 SR6, 7 SR5
CVE-2013-3012  9.3           5.0 SR16-FP3, 6 SR14, 6.0.1 SR6, 7 SR5
CVE-2013-4002  7.1           5.0 SR16-FP3, 6 SR14, 6.0.1 SR6, 7 SR5

References:
https://www.ibm.com/developerworks/java/jdk/alerts/
http://www.ibm.com/developerworks/java/jdk/aix/j764/Java7_64.fixes.html#SR5
http://www.ibm.com/developerworks/java/jdk/aix/j664/Java6_64.fixes.html#SR14
http://www.ibm.com/developerworks/java/jdk/aix/j564/fixes.html#SR16FP3

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
@java team: ping, can we get a version bump please?
CVE-2013-4002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4002):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect availability via unknown vectors.

CVE-2013-3012 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3012):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3009 and CVE-2013-3011.

CVE-2013-3011 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3011):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3009 and CVE-2013-3012.

CVE-2013-3010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3010):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 6.0.1 before 6.0.1 SR6 and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3007.

CVE-2013-3009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3009):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 1.4.2 before 1.4.2 SR13-FP18, 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3011 and CVE-2013-3012.

CVE-2013-3008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3008):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3006.

CVE-2013-3007 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3007):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 6.0.1 before 6.0.1 SR6 and 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3006.

CVE-2013-3006 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3006):
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 7 before 7 SR5 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors, a different vulnerability than CVE-2013-3008.
(In reply to Chris Reffett from comment #1)
> @java team: ping, can we get a version bump please?

Well, I tried ... but it seems upstream uploaded bin files instead of tgz for their tgz download links; when I rename the bin to tgz, it doesn't appear to work. So, I don't really know what is going on with this.

>>> Unpacking ibm-java-sdk-6.0-14.0-linux-x86_64.tgz to /var/tmp/portage/dev-java/ibm-jdk-bin-1.6.0.14/work
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
 * ERROR: dev-java/ibm-jdk-bin-1.6.0.14::gentoo failed (unpack phase):
 *   failure unpacking ibm-java-sdk-6.0-14.0-linux-x86_64.tgz

I hope someone else on the Java team will look into this; maybe I'm just missing something, maybe not, and if that is the case we need to contact upstream about that. If someone can tell me which file to download instead (or rather, what to click on), then feel free to do so; I'll keep the distfiles around so that the other maintainer doesn't need to go through fetching them all again.
It's been last-rited. Security team, please close this out. Java team is done here.
GLSA Vote: No