http://blog.fuseyism.com/index.php/2011/10/18/security-icedtea6-1-8-10-1-9-10-and-1-10-4-released/
New ebuilds in java-overlay.
Reproducible: Always
(In reply to comment #0)
> New ebuilds in java-overlay.
@Java, please bump the new version in tree
CVE-2011-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity, related to JSSE.
CVE-2011-3558 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to HotSpot.
CVE-2011-3557 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
CVE-2011-3556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, 1.4.2_33 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability, related to RMI.
CVE-2011-3554 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.
CVE-2011-3553 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote authenticated users to affect confidentiality, related to JAXWS.
CVE-2011-3552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote attackers to affect integrity via unknown vectors related to Networking.
CVE-2011-3551 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, and JRockit R28.1.4 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
CVE-2011-3548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability, related to AWT.
CVE-2011-3547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Networking.
CVE-2011-3544 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
CVE-2011-3521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE, 7, 6 Update 27 and earlier, and 5.0 Update 31 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deserialization.
CVE-2011-3389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389): The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
dev-java/icedtea bumped to 1.10.4, package is not yet stabilized so nothing more to do
dev-java/icedtea6-bin-1.10.4 also bumped, arches please stabilize
amd64 ok
gentoo64 icedtea # USE="X alsa -doc -examples nsplugin source" emerge =dev-java/icedtea6-bin-1.10.4
gentoo64 icedtea # emerge =virtual/jdk-1.6.0
all ok
x86 stable
Package moved icedtea6-bin to icedtea-bin. Sorry for the trouble.
+ 01 Nov 2011; Tony Vroon <chainsaw@gentoo.org> icedtea-bin-1.10.4.ebuild: + Marked stable on AMD64 based on arch testing by Ian "idella4" Delaney & + Agostino "ago" Sarubbo in security bug #387637.
Thanks, everyone. Added to existing GLSA request.
This issue was resolved and addressed in GLSA 201406-32 at http://security.gentoo.org/glsa/glsa-201406-32.xml by GLSA coordinator Mikle Kolyada (Zlogene).