CVE-2013-1927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1927): The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 allows remote attackers to execute arbitrary code via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR." CVE-2013-1926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1926): The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet. Looks like all we need to do here is cleanup.
1.2.3 is not anymore in the tree
Ping! Maintainer(s), please drop the vulnerable version.
Dropped 1.3.1*; since the summary change is odd, do we need to drop 1.3.2*? + 30 Dec 2013; Tom Wijsman <TomWij@gentoo.org> -icedtea-web-1.3.1-r7.ebuild, + -icedtea-web-1.3.1.ebuild, metadata.xml: + Dropped vulnerable 1.3.1* (and unused local USE-descriptions gtk2 and gtk3) + for security bug #483198.
(In reply to Tom Wijsman (TomWij) from comment #3) > Dropped 1.3.1*; since the summary change is odd, do we need to drop 1.3.2*? The change is not odd. This is fine as-is. Thanks for the cleanup. Closing as noglsa.
