Comment 1 Ralph Sennhauser (RETIRED) 2013-01-14 07:19:14 UTC

The following are now in tree and need to be stabilized on x86. Thanks.

=dev-java/oracle-jdk-bin-1.7.0.11
=dev-java/oracle-jre-bin-1.7.0.11

Comment 2 Tobias Heinlein (RETIRED) 2013-01-14 10:24:49 UTC

*** Bug 451980 has been marked as a duplicate of this bug. ***

Comment 3 GLSAMaker/CVETool Bot 2013-01-14 11:59:20 UTC

CVE-2013-0422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0422):
  The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in Java 7
  Update 10 and earlier allows remote attackers to execute arbitrary code via
  vectors related to unspecified classes that allow access to the class
  loader, as exploited in the wild in January 2013, as demonstrated by
  Blackhole and Nuclear Pack, and a different vulnerability than
  CVE-2012-4681.

Comment 4 GLSAMaker/CVETool Bot 2013-01-16 00:18:56 UTC

CVE-2012-3174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3174):
  Oracle Java 7 before Update 11 allows remote attackers to execute arbitrary
  code via unspecified vectors, a different vulnerability than CVE-2013-0422. 
  NOTE: as of 20130114, the scope of this CVE is not clear due to the lack of
  technical details from Oracle, the CNA.  It is currently unknown whether
  this CVE is related to (1) the findClass method in the MBeanInstantiator
  class, (2) recursive use of the reflection API, (3) an unrelated
  vulnerability, or (4) a combination of two or more of these vulnerabilities.

I get:

 * Please download jdk-7u6-apidocs.zip from 
 * http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-download-435117.html

Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?

(In reply to comment #5)
> I get:
> 
>  * Please download jdk-7u6-apidocs.zip from 
>  *
> http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-
> download-435117.html
> 
> Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?

Seems to be caused by the package dev-java/java-sdk-docs-1.7.0.6

Comment 7 Ralph Sennhauser (RETIRED) 2013-01-19 12:21:16 UTC

(In reply to comment #6)
> (In reply to comment #5)
> > I get:
> > 
> >  * Please download jdk-7u6-apidocs.zip from 
> >  *
> > http://www.oracle.com/technetwork/java/javase/documentation/java-se-7-doc-
> > download-435117.html
> > 
> > Link only gives jdk-7u11-apidocs.zip to download. What should I do with this?
> 
> Seems to be caused by the package dev-java/java-sdk-docs-1.7.0.6

Bumped to 1.7.0.11, please add =dev-java/java-sdk-docs-1.7.0.11 to the stabilization list.

Builds fine on x86. Please mark stable for x86.

Comment 9 Agostino Sarubbo 2013-02-14 13:15:00 UTC

x86 done in bug 455174

Comment 10 Sean Amoss (RETIRED) 2013-03-17 15:22:47 UTC

Already on existing GLSA draft.

Comment 11 GLSAMaker/CVETool Bot 2014-01-27 01:27:51 UTC

This issue was resolved and addressed in
 GLSA 201401-30 at http://security.gentoo.org/glsa/glsa-201401-30.xml
by GLSA coordinator Sean Amoss (ackle).