quoting $url: Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions. (...) This vulnerability is being actively exploited in the wild, and exploit code is publicly available. see also: [1] http://secunia.com/advisories/cve_reference/CVE-2012-4681/ [2] https://bugzilla.redhat.com/show_bug.cgi?id=852051 [3] http://secunia.com/advisories/50133 Icedtea may be affected too. Thanks to Ryuno-Ki for telling about it on IRC. Reproducible: Always
Upstream advisory: http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Bumped, please stabilize amd64/x86: dev-java/sun-jdk-1.6.0.35 dev-java/sun-jre-bin-1.6.0.35 amd64 also: app-emulation/emul-linux-x86-java-1.6.0.35 x86 also: dev-java/oracle-jdk-bin-1.7.0.7 dev-java/oracle-jre-bin-1.7.0.7
Same problem in IcedTea. Updated Icedtea 2.3.1 available upstream with the same fixes. Please provide ebuilds!
(In reply to comment #3) > Same problem in IcedTea. > > Updated Icedtea 2.3.1 available upstream with the same fixes. > > Please provide ebuilds! This is not the place to discuss IcedTea. Please see the bug in the "See Also" section.
*** Bug 431692 has been marked as a duplicate of this bug. ***
amd64 stable
*** Bug 433465 has been marked as a duplicate of this bug. ***
CVE-2012-4681 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4681): Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class. CVE-2012-3136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3136): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-1682. CVE-2012-1682 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1682): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. CVE-2012-0547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0547): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities.
x86 stable
Thanks, everyone. GLSA draft ready for review.
please mark the amd64 ebuild as stable as per comment from Agostino Sarubbo on 9/2/2012. Keywords still contains ~amd64 after syncing today. Thank you
(In reply to comment #11) > please mark the amd64 ebuild as stable as per comment from Agostino Sarubbo > on 9/2/2012. > > Keywords still contains ~amd64 after syncing today. > > Thank you All amd64 ebuilds are appropriately marked. Please file a new bug if you are having syncing issues as we don't deal with those in security bugs.
*** Bug 435644 has been marked as a duplicate of this bug. ***
> All amd64 ebuilds are appropriately marked. Please file a new bug if you are > having syncing issues as we don't deal with those in security bugs. No, they aren't. 56 KEYWORDS="~amd64 x86 ~amd64-linux ~x86-linux ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/dev-java/oracle-jdk-bin/oracle-jdk-bin-1.7.0.7.ebuild?revision=1.4&view=markup
Sorry, it was never suppose to be marked stable. I am wrong, sorry for the noise.
This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle).
