http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixJAVA
+ 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + +oracle-jre-bin-1.7.0.76.ebuild: + Version bump of oracle-jre-bin:7 wrt bug #537214 + 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + +oracle-jre-bin-1.8.0.31.ebuild: + Version bump of oracle-jre-bin:8 wrt bug #537214 + 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + +oracle-jdk-bin-1.7.0.76.ebuild: + Version bump of oracle-jdk-bin:7 wrt bug #537214 + 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + +oracle-jdk-bin-1.8.0.31.ebuild: + Version bump of oracle-jdk-bin:8 wrt bug #537214 + 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> +java-sdk-docs-1.7.0.76.ebuild, + +java-sdk-docs-1.8.0.31.ebuild: + Version bump of java-sdk-docs wrt bug #537214 + 23 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + +emul-linux-x86-java-1.7.0.76.ebuild: + Version bump of emul-linux-x86-java wrt bug #537214 I hope i didn't forget anything.
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
CVE-2015-0421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0421): Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process. CVE-2015-0413 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0413): Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability. CVE-2015-0412 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0412): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS. CVE-2015-0410 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0410): Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security. CVE-2015-0408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0408): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. CVE-2015-0407 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0407): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing. CVE-2015-0406 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0406): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment. CVE-2015-0403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0403): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVE-2015-0400 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0400): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. CVE-2015-0395 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0395): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. CVE-2015-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0383): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown vectors related to Hotspot.
CVE-2014-6601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6601): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. CVE-2014-6593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6593): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. CVE-2014-6591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6591): Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585. CVE-2014-6587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6587): Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVE-2014-6585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6585): Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors reelated to 2D, a different vulnerability than CVE-2014-6591. CVE-2014-6549 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6549): Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
*** Bug 537576 has been marked as a duplicate of this bug. ***
I would like to proceed here, but i'm now getting repoman warnings and have no idea how to resolve them: app-emulation/emul-linux-x86-java/emul-linux-x86-java-1.7.0.76.ebuild: RDEPEND: >=media-libs/alsa-lib-1.0.27.2[abi_x86_32(-)], x11-libs/libX11[abi_x86_32(-)], x11-libs/libXext[abi_x86_32(-)], x11-libs/libXi[abi_x86_32(-)], x11-libs/libXrender[abi_x86_32(-)], x11-libs/libXtst[abi_x86_32(-)] dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~amd64(default/linux/uclibc/amd64) ['sys-libs/glibc'] dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~x86(default/linux/uclibc/x86) ['sys-libs/glibc'] dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~amd64(hardened/linux/uclibc/amd64) ['sys-libs/glibc'] dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: ~x86(hardened/linux/uclibc/x86) ['sys-libs/glibc']
(In reply to Johann Schmitz (ercpe) from comment #6) > I would like to proceed here, but i'm now getting repoman warnings and have > no idea how to resolve them: > > app-emulation/emul-linux-x86-java/emul-linux-x86-java-1.7.0.76.ebuild: > RDEPEND: >=media-libs/alsa-lib-1.0.27.2[abi_x86_32(-)], > x11-libs/libX11[abi_x86_32(-)], x11-libs/libXext[abi_x86_32(-)], > x11-libs/libXi[abi_x86_32(-)], x11-libs/libXrender[abi_x86_32(-)], > x11-libs/libXtst[abi_x86_32(-)] > > dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: > ~amd64(default/linux/uclibc/amd64) ['sys-libs/glibc'] > dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: > ~x86(default/linux/uclibc/x86) ['sys-libs/glibc'] > dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: > ~amd64(hardened/linux/uclibc/amd64) ['sys-libs/glibc'] > dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.76.ebuild: RDEPEND: > ~x86(hardened/linux/uclibc/x86) ['sys-libs/glibc'] it works for me for the interested arches.
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
+ 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + -oracle-jre-bin-1.7.0.71.ebuild, -oracle-jre-bin-1.7.0.72.ebuild, + -oracle-jre-bin-1.8.0.25.ebuild: + Dropped vulnerable versions (#537214) + 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + -oracle-jdk-bin-1.7.0.71.ebuild, -oracle-jdk-bin-1.7.0.72.ebuild, + -oracle-jdk-bin-1.8.0.25.ebuild: + Removed vulnerable versions (#537214) + 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org> -java-sdk-docs-1.7.0.71.ebuild, + -java-sdk-docs-1.7.0.72.ebuild, -java-sdk-docs-1.8.0.25.ebuild: + Removed java-sdk-docs for dropped versions (#537214) + 30 Jan 2015; Johann Schmitz <ercpe@gentoo.org> + -emul-linux-x86-java-1.7.0.71.ebuild, -emul-linux-x86-java-1.7.0.72.ebuild: + Removed vulnerable versions (#537214) Cleanup done
oracle-jdk-bin-1.7.0.60.ebuild was missed on cleanup.
Maintainers, thank you for cleaning up. A new GLSA has been filed by security.
This issue was resolved and addressed in GLSA 201507-14 at https://security.gentoo.org/glsa/201507-14 by GLSA coordinator Kristian Fiskerstrand (K_F).
1.7.0.60 still hasn't been removed, though that's the only version available to arm. I was half thinking of removing it on the next Oracle bump because icedtea is now working well for arm.
