From http://www.openwall.com/lists/oss-security/2012/11/07/5 :

IcedTea-Web versions 1.1.7, 1.2.2 and 1.3.1 that were just released fix a buffer overflow in IcedTeaScriptableJavaObject::invoke. The issue got CVE-2012-4540 assigned.

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/e7970f3da5fe
CVE-2012-4540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4540): Off-by-one error in the invoke function in IcedTeaScriptablePluginObject.cc in IcedTea-Web 1.1.x before 1.1.7, 1.2.x before 1.2.2, and 1.3.x before 1.3.1 allows remote attackers to obtain sensitive information, cause a denial of service (crash), or possibly execute arbitrary code via a crafted webpage that triggers a heap-based buffer overflow, related to an error message and a "triggering event attached to applet."
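The bug class the advisory describes (an off-by-one when sizing a heap buffer for an error message), as an added illustration in C that is not IcedTea-Web's code; the error-message prefix, the page-supplied method name and the sizing arithmetic are assumptions, and the project's actual fix is the changeset linked above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the advisory's bug class (off-by-one when sizing
 * a heap buffer for an error message); not IcedTea-Web's code. Assumed values. */
static const char *const PREFIX = "ERROR: no such method: ";

/* Vulnerable sizing: counts the characters but not the NUL snprintf() stores. */
size_t vuln_alloc_size(const char *method) {
    return strlen(PREFIX) + strlen(method);
}

/* What actually gets written: characters plus terminator. The gap is exactly
 * one byte for any method name, i.e. a heap write one past the allocation. */
size_t bytes_written(const char *method) {
    return strlen(PREFIX) + strlen(method) + 1;
}

/* Hardened: reserve the terminator, pass the real size to snprintf() and treat
 * truncation as an error. Caller frees the result. */
char *format_error_fixed(const char *method) {
    size_t needed = strlen(PREFIX) + strlen(method) + 1;
    char *msg = malloc(needed);
    if (msg == NULL)
        return NULL;
    int n = snprintf(msg, needed, "%s%s", PREFIX, method);
    if (n < 0 || (size_t)n >= needed) {   /* would have truncated */
        free(msg);
        return NULL;
    }
    return msg;
}

/* Format, compare with the expected text and free; returns 1 on match. */
int fixed_message_matches(const char *method, const char *expected) {
    char *msg = format_error_fixed(method);
    int ok = (msg != NULL && strcmp(msg, expected) == 0);
    free(msg);
    return ok;
}

int main(void) {
    const char *name = "someMethod";   /* constructed input */
    printf("vulnerable alloc %zu, bytes written %zu, fixed ok %d\n",
           vuln_alloc_size(name), bytes_written(name),
           fixed_message_matches(name, "ERROR: no such method: someMethod"));
    return 0;
}
```

Building the vulnerable pattern with an address sanitizer is the quickest way to see the one-byte heap write; the fixed version passes the same check.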
icedtea-web bumped to 1.3.1; the nsplugin part of icedtea-bin is built and bumped. Please stabilize dev-java/icedtea-bin-6.1.11.3-r1 (test the nsplugin, the rest is unchanged from -r0).
There is no dev-java/icedtea-bin-6.1.11.3-r1 in portage as of now!?
amd64 stable
(In reply to comment #3)
> There is no dev-java/icedtea-bin-6.1.11.3-r1 in portage as of now!?

Sorry, it was 6.1.11.5-r1
(In reply to comment #5)
> (In reply to comment #3)
> > There is no dev-java/icedtea-bin-6.1.11.3-r1 in portage as of now!?
>
> Sorry, it was 6.1.11.5-r1

I know, I did it correctly:

16 Nov 2012; Agostino Sarubbo <ago@gentoo.org> icedtea-bin-6.1.11.5-r1.ebuild:
Stable for amd64, wrt bug #442478
x86 stable
Thanks, everyone. Already on existing GLSA draft.
I'm just going to close this since no one cares. These versions have long gone.