Updated ebuilds in java-overlay.
It was discovered that the JNLPSecurityManager in certain cases failed to
properly implement the security policy, and did not throw an exception to
prevent completion of a possibly unsafe or sensitive operation and simply
returned from the checkPermission method.
Any service relying on the SecurityManager.checkPermission() method to throw an
exception then incorrectly assumed that the permission was granted.
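
The fail-open behaviour described in the report above, as an added Java illustration (not IcedTea or JNLPSecurityManager code, and not written by any commenter on this bug). The names ThrowingManager, ReturningManager and callerProceeds are hypothetical, the denial rule and file path are constructed, and it assumes a JDK that still ships java.lang.SecurityManager.

```java
import java.io.FilePermission;
import java.security.Permission;

// Added illustration; class names are hypothetical and this is not IcedTea code.
public class CheckPermissionContract {

    // Correct contract: a denial is signalled only by throwing SecurityException.
    static class ThrowingManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) { // constructed denial rule
                throw new SecurityException("denied: " + perm);
            }
        }
    }

    // Flawed pattern from the report: the denial path returns instead of throwing.
    static class ReturningManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission) {
                return; // intended as a denial, but invisible to the caller
            }
        }
    }

    // A caller written against the documented contract: no exception means granted.
    static boolean callerProceeds(SecurityManager sm, Permission perm) {
        try {
            sm.checkPermission(perm);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample permission; the managers are never installed globally.
        Permission p = new FilePermission("/constructed/sample/path", "read");
        boolean viaThrowing = callerProceeds(new ThrowingManager(), p);
        boolean viaReturning = callerProceeds(new ReturningManager(), p);
        System.out.println("throwing manager, caller proceeds: " + viaThrowing);
        System.out.println("returning manager, caller proceeds: " + viaReturning);
        // Regression check for a policy implementation: a denied permission must throw.
        if (viaReturning) {
            System.out.println("FAIL-OPEN: denial path returned without SecurityException");
        }
    }
}
```

The same check, pointed at a real policy implementation with a permission it is expected to deny, makes a useful regression test after applying the fixed versions.
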
(In reply to comment #0)
> Updated ebuilds in java-overlay.
In tree as well, for the source dev-java/icedtea package. Now building icedtea6-bin.
The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7,
1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from
the checkPermission method instead of throwing an exception in
certain circumstances, which might allow context-dependent attackers
to bypass the intended security policy by creating instances of
The version bump for dev-java/icedtea caused bug 352314.
Done, please stabilize dev-java/icedtea6-bin-1.9.4
amd64 done. Thanks Agostino
Thanks, folks. Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).