Florian Weimer wrote: The random number generator in the gnu.java.security.util.PRNG class of GNU Classpath version 0.97.2 and earlier produces only a limited number of distinct byte streams, which may lead to guessable cryptographic key material and similar vulnerabilities.
CVE-2008-5659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5659): The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.
This was fixed in 0.98; the only ebuild in tree is gnu-classpath-0.98-r3. Please proceed, thanks.
Wow. Stabilization was completed 2+ years ago in bug 296215. GLSA vote: no.
GLSA Vote: no too. Closing.
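An added illustration of the seeding weakness the CVE text describes, not code from GNU Classpath or from anyone in this thread: a stand-in SHA-256 counter-mode generator (an assumption, not the Classpath algorithm) is seeded once from a millisecond clock value and once from the OS CSPRNG, and the entropy bound of the clock seed is computed for a given uncertainty window. The timestamp and all function names are constructed for the example.

```python
import hashlib
import math
import secrets

DSA_X_BITS = 160  # size of a DSA private exponent with a 160-bit subgroup order


def stream_from_seed(seed: bytes, n: int) -> bytes:
    """Stand-in deterministic generator (SHA-256 in counter mode).
    Assumption for illustration; this is not the Classpath PRNG."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def time_seeded_key(now_ms: int, n: int = DSA_X_BITS // 8) -> bytes:
    """Weak pattern: the clock reading is the only input to the generator."""
    return stream_from_seed(now_ms.to_bytes(8, "big"), n)


def os_seeded_key(n: int = DSA_X_BITS // 8) -> bytes:
    """Hardened pattern: 256 bits of seed from the operating system CSPRNG."""
    return stream_from_seed(secrets.token_bytes(32), n)


def seed_space_bits(window_ms: int) -> float:
    """Upper bound on seed entropy when the generation time is known
    to within window_ms milliseconds."""
    return math.log2(window_ms)


def distinct_streams(start_ms: int, window_ms: int) -> int:
    """Count the distinct outputs reachable inside the window: at most one
    per clock tick, however long the requested key is."""
    return len({time_seeded_key(start_ms + i) for i in range(window_ms)})


if __name__ == "__main__":
    t0 = 1_228_000_000_000  # constructed timestamp (ms since epoch)
    print("same tick, same key:", time_seeded_key(t0) == time_seeded_key(t0))
    print("streams in 1 s window:", distinct_streams(t0, 1000))
    for label, ms in (("1 day", 86_400_000), ("1 year", 31_536_000_000)):
        print(f"{label}: <= {seed_space_bits(ms):.1f} bits vs {DSA_X_BITS} expected")
    print("OS-seeded keys differ:", os_seeded_key() != os_seeded_key())
```

When auditing key-generation code, the thing to check is the entropy of the seed source, not the length of the key it produces.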