CERT Vulnerability Note VU#625617.
Limited information at $URL. Issue appears to affect Java 7 u10 and prior.
The following are now in tree and need to be stabilized on x86. Thanks.
*** Bug 451980 has been marked as a duplicate of this bug. ***
The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7
Update 10 and earlier allows remote attackers to execute arbitrary code via
vectors related to unspecified classes that allow access to the class
loader, as exploited in the wild in January 2013, as demonstrated by
Blackhole and Nuclear Pack, and a different vulnerability than
Oracle Java 7 before Update 11 allows remote attackers to execute arbitrary
code via unspecified vectors, a different vulnerability than CVE-2013-0422.
NOTE: as of 20130114, the scope of this CVE is not clear due to the lack of
technical details from Oracle, the CNA. It is currently unknown whether
this CVE is related to (1) the findClass method in the MBeanInstantiator
class, (2) recursive use of the reflection API, (3) an unrelated
vulnerability, or (4) a combination of two or more of these vulnerabilities.
* Please download jdk-7u6-apidocs.zip from
Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?
(In reply to comment #5)
> I get:
> * Please download jdk-7u6-apidocs.zip from
> Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?
Seems to be caused by the package dev-java/java-sdk-docs-220.127.116.11
(In reply to comment #6)
> (In reply to comment #5)
> > I get:
> > * Please download jdk-7u6-apidocs.zip from
> > *
> > http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-
> > download-435117.html
> > Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?
> Seems to be caused by the package dev-java/java-sdk-docs-18.104.22.168
Bumped to 22.214.171.124, please add =dev-java/java-sdk-docs-126.96.36.199 to the stabilization list.
Builds fine on x86. Please mark stable for x86.
x86 done in bug 455174
Already on existing GLSA draft.
This issue was resolved and addressed in
GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml
by GLSA coordinator Sean Amoss (ackle).