A vulnerability in the Libraries component can be exploited by remote attackers to affect confidentiality, integrity and availability.
Upstream associates this with upstream bug id 7023639. The related commit is:
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/6e34c6d3479f
which references the following upstream bugs:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7023639
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6984705
related to the implementation of JSR-292 "Supporting Dynamically Typed Languages on the Java Platform":
http://jcp.org/en/jsr/detail?id=292
The change was included in Oracle JDK 7u40. The security issue addressed by this change is not specified.
External References:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
http://seclists.org/fulldisclosure/2013/Oct/116
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-13.pdf
Fixed in Oracle Java SE 7u45.
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2013:1440 https://rhn.redhat.com/errata/RHSA-2013-1440.html
Further details of the issue were posted by Adam Gowdiak (Security Explorations), along with the example exploit:
http://seclists.org/fulldisclosure/2013/Oct/116
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-13.pdf
http://www.security-explorations.com/materials/se-2012-01-69.zip
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:1447 https://rhn.redhat.com/errata/RHSA-2013-1447.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1451 https://rhn.redhat.com/errata/RHSA-2013-1451.html
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2013:1507 https://rhn.redhat.com/errata/RHSA-2013-1507.html
Fixed in IcedTea7 2.4.3:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-October/025087.html

Note that this will not be fixed in IcedTea7 2.3.x versions. Quoting from the above 2.4.3 announcement:

"Existing users of the 2.3.x series are strongly advised to upgrade to the 2.4.x series. Although there will be a 2.3.x update, one security issue (CVE-2013-5838) is resolved by the JSR292 rewrite (S7023639) which is present in the 2.4.x series, but not 2.3.x. It may or may not be possible to backport this for the Zero port, but the safest solution is to use 2.4.x where possible."