I've already bumped these. icedtea doesn't get marked stable so the vulnerable versions have already been cleared. The Java 7 release was done shortly after the Java 8 one and the list of CVEs is the same so I'm lumping these into one report. I know the version numbers are a pain (not entirely my fault!) but please try and get the GLSA right this time. Note bug #576428.

Be aware that I have added multilib in these releases so the ebuild has changed quite a lot. This is only available on amd64 (disabled by default) but please watch out for any weirdness, regardless of arch.

amd64 and x86 arch teams, please stabilise:
dev-java/icedtea-bin-7.2.6.7
dev-java/icedtea-bin-3.1.0

ppc64 arch team, please stabilise:
dev-java/icedtea-bin-3.1.0
amd64 stable
Stable for PPC64.
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Old removed. Security team, please continue.
CVE-2016-3610 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3610): Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3598.
CVE-2016-3606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3606): Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot.
CVE-2016-3598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3598): Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3610.
CVE-2016-3587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3587): Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot.
CVE-2016-3550 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3550): Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot.
CVE-2016-3508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3508): Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500.
CVE-2016-3500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3500): Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508.
CVE-2016-3485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3485): Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows local users to affect integrity via vectors related to Networking.
CVE-2016-3458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3458): Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA.
This issue was resolved and addressed in GLSA 201701-43 at https://security.gentoo.org/glsa/201701-43 by GLSA coordinator Thomas Deutschmann (whissi).