Sorry for the lateness of this; I've never filed a security bug and was used to other people doing it for me! These are usually coupled with Oracle security releases, but Oracle is no longer providing public updates for Java 7 (or 6), so this applies to IcedTea only. As such, it probably didn't get much publicity.
I have already bumped icedtea and icedtea-bin. icedtea doesn't get marked stable so the vulnerable versions of that are already cleared.
amd64, x86, and ppc arch teams, please stabilise:
dev-java/icedtea-bin-188.8.131.52 (ppc only)
dev-java/icedtea-bin-184.108.40.206 (not ppc)
Note that 220.127.116.11 is required because the 2.6 series is currently broken on ppc.
So, if I understand well:
(In reply to Agostino Sarubbo from comment #1)
> So, if I understand well:
> Please confirm.
Please hold off on ppc for a second, we've just realised why CACAO has been causing memory problems, it has a fixed 128MB heap. :|
(In reply to James Le Cuirot from comment #5)
> Please hold off on ppc for a second, we've just realised why CACAO has been
> causing memory problems, it has a fixed 128MB heap. :|
Okay, I have now pushed a fix for that as -r1.
ppc team, please stabilise:
18.104.22.168-r1 went straight to stable for amd64 and x86 as only the core ppc tarball changed.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Thanks. Vulnerable versions now removed.
Arches and Maintainer(s), thank you for your work.
Added to an existing GLSA Request.
This issue was resolved and addressed in
GLSA 201603-14 at https://security.gentoo.org/glsa/201603-14
by GLSA coordinator Kristian Fiskerstrand (K_F).