openSUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1595-1
Rating:             important
References:         #755054 #830880 #944208 #944209 
Cross-References:   CVE-2012-4540 CVE-2015-5234 CVE-2015-5235
                   
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

   An update that solves three vulnerabilities and has one
   errata is now available.

Description:


   The icedtea-web java plugin was updated to 1.6.1.

   Changes included:
   * Enabled Entry-Point attribute check
   * permissions sandbox and signed app and unsigned app with permissions
     all-permissions now run in sandbox instead of not at all.
   * fixed DownloadService
   * comments in deployment.properties now should persists load/save
   * fixed bug in caching of files with query
   * fixed issues with recreating of existing shortcut
   * trustAll/trustNone now processed correctly
   * headless no longer shows dialogues
   * RH1231441 Unable to read the text of the buttons of the security dialogue
   * Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235,
     bsc#944208)
   * Fixed RH1233667 icedtea-web: unexpected permanent authorization of
     unsigned applets (CVE-2015-5234, bsc#944209)
   * MissingALACAdialog made available also for unsigned applications (but
     ignoring actual manifest value) and fixed
   * NetX
     - fixed issues with -html shortcuts
     - fixed issue with -html receiving garbage in width and height
   * PolicyEditor
     - file flag made to work when used standalone
     - file flag and main argument cannot be used in combination
   * Fix generation of man-pages with some versions of "tail"

   Also included is the update to 1.6
   * Massively improved offline abilities. Added Xoffline switch to force
     work without inet connection.
   * Improved to be able to run with any JDK
   * JDK 6 and older no longer supported
   * JDK 8 support added (URLPermission granted if applicable)
   * JDK 9 supported
   * Added support for Entry-Point manifest attribute
   * Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to
     control scan of Manifest file
   * starting arguments now accept also -- abbreviations
   * Added new documentation
   * Added support for menu shortcuts - both javaws applications/applets and
     html applets are supported
   * added support for -html switch for javaws. Now you can run most
     of the applets without browser at all
   * Control Panel
     - PR1856: ControlPanel UI improvement for lower resolutions (800*600)
   * NetX
     - PR1858: Java Console accepts multi-byte encodings
     - PR1859: Java Console UI improvement for lower resolutions (800*600)
     - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception
       java.lang.ClassCastException in method
       sun.applet.PluginAppletViewer$8.run()
     - Dropped support for long unmaintained -basedir argument
     - Returned support for -jnlp argument
     - RH1095311, PR574 -  References class sun.misc.Ref removed in OpenJDK 9
       - fixed, and so buildable on JDK9
   * Plugin
     - PR1743 - Intermittant deadlock in PluginRequestProcessor
     - PR1298 - LiveConnect - problem setting array elements (applet
       variables) from JS
     - RH1121549: coverity defects
     - Resolves method overloading correctly with superclass heirarchy
       distance
   * PolicyEditor
     - codebases can be renamed in-place, copied, and pasted
     - codebase URLs can be copied to system clipboard
     - displays a progress dialog while opening or saving files
     - codebases without permissions assigned save to file anyway (and
       re-appear on next open)
     - PR1776: NullPointer on save-and-exit
     - PR1850: duplicate codebases when launching from security dialogs
     - Fixed bug where clicking "Cancel" on the "Save before Exiting" dialog
       could result in the editor exiting without saving changes
     - Keyboard accelerators and mnemonics greatly improved
     - "File - New" allows editing a new policy without first selecting the
       file to save to
   * Common
     - PR1769: support signed applets which specify Sandbox permissions in
       their manifests
   * Temporary Permissions in security dialog now multi-selectable and based
     on PolicyEditor permissions

   - Update to 1.5.2
   * NetX
     - RH1095311, PR574 -  References class sun.misc.Ref removed in OpenJDK 9
       - fixed, and so buildable on JDK9
     - RH1154177 - decoded file needed from cache
     - fixed NPE  in https dialog
     - empty codebase behaves  as "."


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2015-602=1

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2015-602=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.2 (i586 x86_64):

      java-1_7_0-openjdk-plugin-1.6.1-6.1
      java-1_7_0-openjdk-plugin-debuginfo-1.6.1-6.1
      java-1_7_0-openjdk-plugin-debugsource-1.6.1-6.1
      java-1_8_0-openjdk-plugin-1.6.1-6.2
      java-1_8_0-openjdk-plugin-debuginfo-1.6.1-6.2
      java-1_8_0-openjdk-plugin-debugsource-1.6.1-6.2

   - openSUSE 13.2 (noarch):

      icedtea-web-javadoc-1.6.1-6.1

   - openSUSE 13.1 (i586 x86_64):

      icedtea-web-1.5.3-0.7.1
      icedtea-web-debuginfo-1.5.3-0.7.1
      icedtea-web-debugsource-1.5.3-0.7.1

   - openSUSE 13.1 (noarch):

      icedtea-web-javadoc-1.5.3-0.7.1


References:

   https://www.suse.com/security/cve/CVE-2012-4540.html
   https://www.suse.com/security/cve/CVE-2015-5234.html
   https://www.suse.com/security/cve/CVE-2015-5235.html
   https://bugzilla.suse.com/755054
   https://bugzilla.suse.com/830880
   https://bugzilla.suse.com/944208
   https://bugzilla.suse.com/944209

openSUSE: 2015:1595-1: important: icedtea-web

September 22, 2015
An update that solves three vulnerabilities and has one An update that solves three vulnerabilities and has one An update that solves three vulnerabilities and has one errata is no...

Description

The icedtea-web java plugin was updated to 1.6.1. Changes included: * Enabled Entry-Point attribute check * permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all. * fixed DownloadService * comments in deployment.properties now should persists load/save * fixed bug in caching of files with query * fixed issues with recreating of existing shortcut * trustAll/trustNone now processed correctly * headless no longer shows dialogues * RH1231441 Unable to read the text of the buttons of the security dialogue * Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235, bsc#944208) * Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets (CVE-2015-5234, bsc#944209) * MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed * NetX - fixed issues with -html shortcuts - fixed issue with -html receiving garbage in width and height * PolicyEditor - file flag made to work when used standalone - file flag and main argument cannot be used in combination * Fix generation of man-pages with some versions of "tail" Also included is the update to 1.6 * Massively improved offline abilities. Added Xoffline switch to force work without inet connection. * Improved to be able to run with any JDK * JDK 6 and older no longer supported * JDK 8 support added (URLPermission granted if applicable) * JDK 9 supported * Added support for Entry-Point manifest attribute * Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to control scan of Manifest file * starting arguments now accept also -- abbreviations * Added new documentation * Added support for menu shortcuts - both javaws applications/applets and html applets are supported * added support for -html switch for javaws. Now you can run most of the applets without browser at all * Control Panel - PR1856: ControlPanel UI improvement for lower resolutions (800*600) * NetX - PR1858: Java Console accepts multi-byte encodings - PR1859: Java Console UI improvement for lower resolutions (800*600) - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception java.lang.ClassCastException in method sun.applet.PluginAppletViewer$8.run() - Dropped support for long unmaintained -basedir argument - Returned support for -jnlp argument - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9 * Plugin - PR1743 - Intermittant deadlock in PluginRequestProcessor - PR1298 - LiveConnect - problem setting array elements (applet variables) from JS - RH1121549: coverity defects - Resolves method overloading correctly with superclass heirarchy distance * PolicyEditor - codebases can be renamed in-place, copied, and pasted - codebase URLs can be copied to system clipboard - displays a progress dialog while opening or saving files - codebases without permissions assigned save to file anyway (and re-appear on next open) - PR1776: NullPointer on save-and-exit - PR1850: duplicate codebases when launching from security dialogs - Fixed bug where clicking "Cancel" on the "Save before Exiting" dialog could result in the editor exiting without saving changes - Keyboard accelerators and mnemonics greatly improved - "File - New" allows editing a new policy without first selecting the file to save to * Common - PR1769: support signed applets which specify Sandbox permissions in their manifests * Temporary Permissions in security dialog now multi-selectable and based on PolicyEditor permissions - Update to 1.5.2 * NetX - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9 - RH1154177 - decoded file needed from cache - fixed NPE in https dialog - empty codebase behaves as "."

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2015-602=1 - openSUSE 13.1: zypper in -t patch openSUSE-2015-602=1 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 13.2 (i586 x86_64): java-1_7_0-openjdk-plugin-1.6.1-6.1 java-1_7_0-openjdk-plugin-debuginfo-1.6.1-6.1 java-1_7_0-openjdk-plugin-debugsource-1.6.1-6.1 java-1_8_0-openjdk-plugin-1.6.1-6.2 java-1_8_0-openjdk-plugin-debuginfo-1.6.1-6.2 java-1_8_0-openjdk-plugin-debugsource-1.6.1-6.2 - openSUSE 13.2 (noarch): icedtea-web-javadoc-1.6.1-6.1 - openSUSE 13.1 (i586 x86_64): icedtea-web-1.5.3-0.7.1 icedtea-web-debuginfo-1.5.3-0.7.1 icedtea-web-debugsource-1.5.3-0.7.1 - openSUSE 13.1 (noarch): icedtea-web-javadoc-1.5.3-0.7.1


References

https://www.suse.com/security/cve/CVE-2012-4540.html https://www.suse.com/security/cve/CVE-2015-5234.html https://www.suse.com/security/cve/CVE-2015-5235.html https://bugzilla.suse.com/755054 https://bugzilla.suse.com/830880 https://bugzilla.suse.com/944208 https://bugzilla.suse.com/944209


Severity
Announcement ID: openSUSE-SU-2015:1595-1
Rating: important
Affected Products: openSUSE 13.2 openSUSE 13.1

Related News

22.Lock ScreenEffect Esm H320
1 - 2 min read
EndeavorOS Gemini is a captivating and charming desktop operating system based on Arch Linux. The new release includes a kernel upgrade, 3D graphics
25.@Sign Hook Keyboard Esm H320
1 min read
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly
19.Laptop Bed Esm H320
2 - 3 min read
The recently released Linux Kernel 6.9 brings forth a blend of crucial upgrades and enhancements, catering to the ever-evolving needs of the Linux
4.Lock AbstractDigital Esm H320
1 - 2 min read
Nmap 7.95 introduces myriad enhancements, primarily focusing on OS and service detection signatures. This reflects the dedication of the Nmap
5.ShakingHands Esm H320
3 - 5 min read
There has been a promising shift in the tech industry, with major companies pledging to release products with built-in security features. This
18.WifiCutout Landscape Esm H320
2 - 3 min read
A novel attack called TunnelVision has been discovered. It compromises the security of virtually all VPN apps, rendering their purpose useless. The
21.Globe RadiatingCode Esm H320
2 - 3 min read
The recent discovery of a backdoor in XZ Utils , a widely used Linux tool, raises concerns about the security of the open-source ecosystem. While
13.Lock StylizedMotherboard Esm H320
1 - 2 min read
Spiral Linux is a Debian-based distribution that offers a range of desktop environments, making it stand out from other Linux distributions. In

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved