SUSE-SU-2015:1682-1: moderate: Security update for icedtea-web

sle-updates at lists.suse.com
Mon Oct 5 11:09:44 MDT 2015


   SUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1682-1
Rating:             moderate
References:         #944208 #944209 
Cross-References:   CVE-2015-5234 CVE-2015-5235
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that fixes two vulnerabilities is now available.

Description:


   The Java IcedTea-Web Plugin was updated to 1.6.1, bringing various
   features, bug fixes and security fixes.

   * Enabled Entry-Point attribute check
   * Signed applications with "Permissions: sandbox" and unsigned
     applications with "Permissions: all-permissions" now run in the sandbox
     instead of not at all.
   * fixed DownloadService
   * comments in deployment.properties now persist across load/save
   * fixed bug in caching of files with query
   * fixed issues with recreating an existing shortcut
   * trustAll/trustNone now processed correctly
   * headless mode no longer shows dialogues
   * RH1231441 Unable to read the text of the buttons of the security dialogue
   * Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235,
     bsc#944208)
   * Fixed RH1233667 icedtea-web: unexpected permanent authorization
     of unsigned applets (CVE-2015-5234, bsc#944209)
   * MissingALACAdialog now also shown for unsigned applications (but
     ignoring the actual manifest value), and fixed
   * NetX
     - fixed issues with -html shortcuts
     - fixed issue with -html receiving garbage in width and height
   * PolicyEditor
     - file flag made to work when used standalone
     - file flag and main argument cannot be used in combination

   The update to 1.6 is included and brings:

   * Massively improved offline abilities. Added the -Xoffline switch to
     force operation without an internet connection.
   * Can now run with any supported JDK
   * JDK 6 and older no longer supported
   * JDK 8 support added (URLPermission granted if applicable)
   * JDK 9 supported
   * Added support for Entry-Point manifest attribute
   * Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to
     control scan of Manifest file
   * startup arguments now also accept -- abbreviations
   * Added new documentation
   * Added support for menu shortcuts - both javaws applications/applets and
     html applets are supported
   * added support for the -html switch for javaws; most applets can now be
     run without a browser at all
   * Control Panel
     - PR1856: ControlPanel UI improvement for lower resolutions (800*600)
   * NetX
     - PR1858: Java Console accepts multi-byte encodings
     - PR1859: Java Console UI improvement for lower resolutions (800*600)
     - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception
       java.lang.ClassCastException in method
       sun.applet.PluginAppletViewer$8.run()
     - Dropped support for long unmaintained -basedir argument
     - Returned support for -jnlp argument
     - RH1095311, PR574 -  References class sun.misc.Ref removed in OpenJDK 9
       - fixed, and so buildable on JDK9
   * Plugin
     - PR1743 - Intermittent deadlock in PluginRequestProcessor
     - PR1298 - LiveConnect - problem setting array elements (applet
       variables) from JS
     - RH1121549: coverity defects
     - Resolves method overloading correctly with superclass hierarchy
       distance
   * PolicyEditor
     - codebases can be renamed in-place, copied, and pasted
     - codebase URLs can be copied to system clipboard
     - displays a progress dialog while opening or saving files
     - codebases without permissions assigned save to file anyway (and
       re-appear on next open)
     - PR1776: NullPointer on save-and-exit
     - PR1850: duplicate codebases when launching from security dialogs
     - Fixed bug where clicking "Cancel" on the "Save before Exiting" dialog
       could result in the editor exiting without saving changes
     - Keyboard accelerators and mnemonics greatly improved
     - "File - New" allows editing a new policy without first selecting the
       file to save to
   * Common
     - PR1769: support signed applets which specify Sandbox permissions in
       their manifests
   * Temporary Permissions in security dialog now multi-selectable and based
     on PolicyEditor permissions
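   Several entries above (the Entry-Point attribute check enabled in 1.6.1,
   the sandbox behaviour for "Permissions: sandbox" and unsigned
   all-permissions JARs, and in 1.6 the Entry-Point support, the
   KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK property and PR1769) concern the
   main-section attributes of a JAR's META-INF/MANIFEST.MF. The following is
   an added example, not code from icedtea-web or SUSE: it parses a manifest
   with the JAR specification's 72-byte line folding and applies the two
   checks as the changelog describes them. The sample manifest, the class
   names, the function names and the "prompt" outcome for a signed JAR with
   no Permissions attribute are assumptions made for the example.

```python
"""Manifest attribute checks like those IcedTea-Web applies before launch.

Added example; this is not icedtea-web code. It models two main-section
attributes of a JAR's META-INF/MANIFEST.MF that the changelog refers to:

  Entry-Point  space-separated list of classes permitted as the entry point
  Permissions  "sandbox" or "all-permissions"

The manifest text, class names and helper names below are constructed for
this example (assumptions, not taken from the advisory).
"""
from typing import Dict, Optional

# Constructed sample: note the folded Entry-Point value. The JAR file
# specification wraps lines at 72 bytes and marks a continuation line with
# one leading space.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: example-build\r\n"
    "Permissions: sandbox\r\n"
    "Codebase: https://applets.example.invalid\r\n"
    "Entry-Point: com.example.applet.Main com.example.applet.\r\n"
    " Launcher\r\n"
    "\r\n"
    "Name: com/example/applet/Main.class\r\n"
    "SHA-256-Digest: (omitted)\r\n"
)


def parse_main_section(manifest: str) -> Dict[str, str]:
    """Return the main-section attributes (up to the first blank line).

    Attribute names are case-insensitive, so keys are lower-cased. A line that
    starts with a space continues the previous attribute's value.
    """
    attrs: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in manifest.splitlines():
        if raw == "":
            break                       # per-entry sections follow; not needed
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]  # unfold: keep the value exactly
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue                    # malformed line: skip rather than abort
        last_key = key.strip().lower()
        attrs[last_key] = value[1:] if value.startswith(" ") else value
    return attrs


def entry_point_allowed(attrs: Dict[str, str], main_class: str,
                        check_enabled: bool = True) -> bool:
    """Entry-Point check.

    When the attribute is present only the listed classes may be launched;
    when it is absent there is no restriction. check_enabled models the
    KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property named in the
    changelog: with it off, the manifest is not scanned at all.
    """
    if not check_enabled:
        return True
    listed = attrs.get("entry-point")
    if listed is None:
        return True
    return main_class in listed.split()


def effective_permissions(attrs: Dict[str, str], signed: bool) -> str:
    """Decide the permission level a JAR actually runs with.

    Unsigned code is always sandboxed, even if its manifest asks for
    all-permissions, and signed code that asks for "sandbox" stays sandboxed;
    these are the two cases the 1.6.1 entry says now run instead of being
    refused. A signed JAR with no Permissions attribute is reported as
    "prompt" here (assumption: the advisory does not say what happens then).
    """
    requested = attrs.get("permissions", "").strip().lower()
    if not signed:
        return "sandbox"
    if requested == "sandbox":
        return "sandbox"
    if requested == "all-permissions":
        return "all-permissions"
    return "prompt"


if __name__ == "__main__":
    attrs = parse_main_section(SAMPLE_MANIFEST)
    for cls in ("com.example.applet.Main", "com.example.Other"):
        print(cls, "allowed" if entry_point_allowed(attrs, cls) else "blocked")
    print("signed:", effective_permissions(attrs, signed=True))
```

   The unfolding step matters for the security decision: a class name split
   across a folded line must be reassembled before the allow-list is
   consulted, otherwise a legitimate entry point is rejected or, worse, a
   naive parser that strips the continuation may accept a class that was
   never listed.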

   The update to 1.5.2 brings OpenJDK 8 support (fate#318956)
   * NetX
     - RH1095311, PR574 -  References class sun.misc.Ref removed in OpenJDK 9
       - fixed, and so buildable on JDK9
     - RH1154177 - decoded file needed from cache
     - fixed NPE in https dialog
     - empty codebase behaves as "."


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-642=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-642=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      java-1_7_0-openjdk-plugin-1.6.1-2.3.1
      java-1_7_0-openjdk-plugin-debuginfo-1.6.1-2.3.1
      java-1_7_0-openjdk-plugin-debugsource-1.6.1-2.3.1

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      java-1_7_0-openjdk-plugin-1.6.1-2.3.1
      java-1_7_0-openjdk-plugin-debuginfo-1.6.1-2.3.1
      java-1_7_0-openjdk-plugin-debugsource-1.6.1-2.3.1
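   The patch commands above install the fixed build; confirming afterwards
   that a host really carries at least 1.6.1-2.3.1 means comparing the
   installed VERSION-RELEASE with RPM's ordering rules rather than as plain
   strings ("1.10" is newer than "1.9", "1.6.1~rc1" is older than "1.6.1").
   The following is an added example, not SUSE tooling: a Python
   re-implementation of rpm's rpmvercmp (tilde handled, the rarer caret
   operator left out) run over constructed output of
   `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`. The FIXED table is taken
   from the package list above; the sample output, the unrelated package in
   it and the function names are assumptions for the example.

```python
"""Check whether the installed icedtea-web plugin is at least the fixed build.

Added example; not SUSE tooling. RPM orders versions with its own algorithm
(rpmvercmp), so "1.10" > "1.9" and "1.6.1~rc1" < "1.6.1"; a plain string
compare gets both wrong. rpmvercmp() below re-implements that algorithm
(tilde handled, the rarer caret operator left out). The sample query output
is constructed for this example; the rpm query format itself is standard.
"""
import re
from typing import Dict

# From the advisory's package list: fixed VERSION-RELEASE per package name.
FIXED = {"java-1_7_0-openjdk-plugin": "1.6.1-2.3.1"}

# Constructed output of:  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# (a host still on the 1.5.2 build; the first line is an unrelated package)
SAMPLE_QUERY_OUTPUT = (
    "example-unrelated-package 0.1-1.1\n"
    "java-1_7_0-openjdk-plugin 1.5.2-1.1\n"
)

_SEP = re.compile(r"[^0-9A-Za-z~]*")   # anything rpm treats as a separator
_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does: -1, 0 or 1.

    Separators are skipped; runs of digits compare numerically (leading zeros
    ignored); runs of letters compare lexically; a numeric run beats an
    alphabetic one; '~' sorts before anything, including end of string.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        i = _SEP.match(a, i).end()
        j = _SEP.match(b, j).end()
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        if ca.isdigit():
            ma, mb, isnum = _DIGITS.match(a, i), _DIGITS.match(b, j), True
        else:
            ma, mb, isnum = _ALPHA.match(a, i), _ALPHA.match(b, j), False
        if mb is None:
            return 1 if isnum else -1   # number vs letters: the number is newer
        sa, sb = ma.group(0), mb.group(0)
        i, j = ma.end(), mb.end()
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def is_at_least(installed_vr: str, fixed_vr: str) -> bool:
    """True if installed VERSION-RELEASE equals the fixed one or is newer.

    Version is compared first, release only on a tie. Epoch is not modelled
    because the packages in this advisory carry none.
    """
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0


def audit(query_output: str, fixed: Dict[str, str] = FIXED) -> Dict[str, bool]:
    """Map each advisory package found in the query output to 'patched?'.

    Advisory packages that are not installed are simply absent from the
    result: a package that is not there is not a vulnerable one.
    """
    result: Dict[str, bool] = {}
    for line in query_output.splitlines():
        if not line.strip():
            continue
        name, vr = line.split(None, 1)
        if name in fixed:
            result[name] = is_at_least(vr.strip(), fixed[name])
    return result


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_QUERY_OUTPUT).items():
        print(name, "patched" if ok else "VULNERABLE: apply the patch above")
```

   On a real SLE 12 host the query output would come from the rpm command in
   the comment; feeding it to audit() gives a yes/no per package that can be
   collected across a fleet without relying on zypper being reachable from
   the inventory system.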


References:

   https://www.suse.com/security/cve/CVE-2015-5234.html
   https://www.suse.com/security/cve/CVE-2015-5235.html
   https://bugzilla.suse.com/944208
   https://bugzilla.suse.com/944209


