OpenJDK is announced to be affected by multiple vulnerabilities, the worst of which could allow an attacker with network access to read a subset of Java SE-accessible data. The advisory lists <=15, <=13.0.4, <=11.0.8, <=8u262, <=7u271 as affected, so it appears we need a bump for -bin and -jre-bin's 8.x branch.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8207cdab845fb91d12e7a8c1f95b6d7a087029c

commit d8207cdab845fb91d12e7a8c1f95b6d7a087029c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-23 22:23:18 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-23 22:24:53 +0000

    dev-java/openjdk-jre-bin: bump to 8.272_p10

    Bug: https://bugs.gentoo.org/750833
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-jre-bin/Manifest | 1 +
 .../openjdk-jre-bin-8.272_p10.ebuild | 80 ++++++++++++++++++++++
 2 files changed, 81 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d6575b3d08ddc912897372d3511ea2abaf998c9

commit 5d6575b3d08ddc912897372d3511ea2abaf998c9
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-23 22:19:02 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-23 22:19:39 +0000

    dev-java/openjdk-bin: bump to 8.272_p10

    arm not available yet, will re-add later.

    Bug: https://bugs.gentoo.org/750833
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-java/openjdk-bin/Manifest | 3 +
 dev-java/openjdk-bin/openjdk-bin-8.272_p10.ebuild | 91 +++++++++++++++++++++++
 2 files changed, 94 insertions(+)
I already bumped source versions of openjdk:8 and openjdk:11 yesterday, so what's left is openjdk-bin:11 and openjdk-bin:8 on arm, but all of that is unstable ~ anyway. We can proceed with stabilization of 8.272 bin except x86, and source on amd64 arm64 ppc64 x86.
openjdk-bin:11 and openjdk-jre-bin:11 bumped, but should remain unstable ofc. Old versions will be cleaned up by the end of next week. The only one left is openjdk-bin:8 arm; no tarball yet, it's normal for it to arrive later.
x86 stable
arm64 done
ppc64 done
amd64 done
all arches done
cleanup done, vulnerable versions gone.
Resetting sanity check; package list is empty or all packages are done.
This issue was resolved and addressed in GLSA 202101-19 at https://security.gentoo.org/glsa/202101-19 by GLSA coordinator Aaron Bauman (b-man).