Short update: One staff member told me that my options are to read the advisories, which don't contain any detailed information or patches, or, if I have a commercial license, to contact support. Great, let's buy a license to get more information about security bugs.
So far the only viable option would be to upgrade to the latest upstream release and backport that to Wheezy, Jessie and Stretch as well but I'm not thrilled to maintain another Oracle-like Java package when it comes to security bugs. Markus
Description: OpenPGP digital signature
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.