As subject says, another set of security releases from Oracle.
Version bumps are now in tree. The following need to be stabilized on amd64: =app-emulation/emul-linux-x86-java-1.6.0.41 =dev-java/sun-jdk-1.6.0.41 =dev-java/sun-jre-bin-1.6.0.41 The following need to be stabilized on x86: =dev-java/sun-jdk-1.6.0.41 =dev-java/sun-jre-bin-1.6.0.41 =dev-java/oracle-jdk-bin-1.7.0.15 =dev-java/oracle-jre-bin-1.7.0.15 As suggested by Agostino Sarubbo (ago), @java will do the stabilization in 72h on it's own if needed.
(In reply to comment #1) > Version bumps are now in tree. > > The following need to be stabilized on amd64: > > =app-emulation/emul-linux-x86-java-1.6.0.41 > =dev-java/sun-jdk-1.6.0.41 > =dev-java/sun-jre-bin-1.6.0.41 > > The following need to be stabilized on x86: > > =dev-java/sun-jdk-1.6.0.41 > =dev-java/sun-jre-bin-1.6.0.41 > =dev-java/oracle-jdk-bin-1.7.0.15 > =dev-java/oracle-jre-bin-1.7.0.15 Done. > As suggested by Agostino Sarubbo (ago), @java will do the stabilization in > 72h on it's own if needed. As I was asked on irc what I meant with that comment I extend a little. First due to the fetch restriction and quite a couple tarballs testing is unusually tedious and in case of binaries chances it won't build are ... low. The other aspect is, a delay will result in bugs like bug 458914 due to Oracle removing old downloads or similar. Most user are probably using ~arch by now anyway after having been screwed once or more.
CVE-2013-1487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1487): Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE 7 Update 13 and earlier and 6 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. CVE-2013-1486 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1486): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier, 6 Update 39 and earlier, and 5.0 Update 39 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. CVE-2013-1485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1485): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries. CVE-2013-1484 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1484): Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 13 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. CVE-2013-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0169): The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Added to existing GLSA draft.
(In reply to comment #2) > As I was asked on irc what I meant with that comment I extend a little. Thanks for the explanation. :)
This issue was resolved and addressed in GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml by GLSA coordinator Sean Amoss (ackle).
