There is no advisory from IBM I know of, but the changelog of 188.8.131.52 contains several security mentions:
wsdev-20081119 143565 IZ37676 c N/A Sun Security Fix 6767668
asdev-20081030 143026 - c N/A Sun Security Defects
asdev-20081029 142959 - c N/A Sun Security Defects
audev-20081028 142130 IZ35743 c N/A Sun Security Defects
asdev-20081028 142130 IZ35743 c N/A Sun Security Defects
asdev-20081028 142691 IZ35744 c N/A Sun Security Defects
wsdev-20081028 142130 IZ35743 c N/A Sun Security Defects
asdevplug-20081028 142130 IZ35743 c N/A Sun Security Defects
asdev-20080813 139180 IZ29053 c 6332953 Sun Security fix 6332953
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 184.108.40.206. Distfiles as usual
via ssh d.g.o/~caster/tmp
Alerts appeared on IBM's $URL. Good that we did 220.127.116.11 - it's fixed. For 1.4 and 1.6 there are not yet releases, as usual :/
Due to impacts like DoS, privilege escalation and remote execution of arbitrary code, I set the bug to B3.
I would vote for a GLSA because of the numerous possible attack vectors and the very wide usage of Java.
ppc/ppc64 please stabilize ibm-jdk-bin-18.104.22.168; distfiles are being uploaded as usual (comment 1)
ppc and ppc64 done
Arches please stabilize ibm-jdk-bin and ibm-jre-bin 22.214.171.124. Distfiles as usual.
Marked 126.96.36.199 ppc/ppc64 stable.
Removing ppc/ppc64 CC's (sorry for the bugspam).
amd64/x86 stable, all arches done.
All that's left is the GLSA then, covering also bug 233652
(In reply to comment #10)
> Marked 188.8.131.52 ppc/ppc64 stable.
You forgot ibm-jre-bin, please do.
Also please note that the distfiles of 1.6 were meanwhile changed upstream and redigested (bug 265760) so take care not to redigest with the old ones - remove DISTDIR/ibm-java-*6.0-4.0* or use FEATURES=assume-digests etc...
So, apparently 184.108.40.206 was not fixed; IBM released a security update, which I bumped as 220.127.116.11-r1. They didn't care to rename the version's distfiles though. To prevent users from renaming distfiles of the fixed version (in order to coexist with the old version), the old ebuild was updated to expect old distfiles to be renamed to .old.tgz.
So, please stabilize 18.104.22.168-r1; you need to download new distfiles from the usual place and rename or replace the old distfiles. Take care also about comment 15. Sorry that their naming schemes suck.
Remote passive execution of arbitrary code is B2.
Added to already existing glsa.