SUSE-SU-2015:1682-1: moderate: Security update for icedtea-web
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Mon Oct 5 11:09:44 MDT 2015
SUSE Security Update: Security update for icedtea-web
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:1682-1
Rating: moderate
References: #944208 #944209
Cross-References: CVE-2015-5234 CVE-2015-5235
Affected Products:
SUSE Linux Enterprise Workstation Extension 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that fixes two vulnerabilities is now available.
Description:
The Java IcedTea-Web Plugin was updated to 1.6.1 bringing various
features, bug- and securityfixes.
* Enabled Entry-Point attribute check
* permissions sandbox and signed app and unsigned app with permissions
all-permissions now run in sandbox instead of not t all.
* fixed DownloadService
* comments in deployment.properties now should persists load/save
* fixed bug in caching of files with query
* fixed issues with recreating of existing shortcut
* trustAll/trustNone now processed correctly
* headless no longer shows dialogues
* RH1231441 Unable to read the text of the buttons of the security dialogue
* Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235,
bsc#944208)
* Fixed RH1233667 icedtea-web: unexpected permanent authorization
of unsigned applets (CVE-2015-5234, bsc#944209)
* MissingALACAdialog made available also for unsigned applications (but
ignoring actual manifest value) and fixed
* NetX
- fixed issues with -html shortcuts
- fixed issue with -html receiving garbage in width and height
* PolicyEditor
- file flag made to work when used standalone
- file flag and main argument cannot be used in combination
The update to 1.6 is included and brings:
* Massively improved offline abilities. Added Xoffline switch to force
work without inet connection.
* Improved to be able to run with any JDK
* JDK 6 and older no longer supported
* JDK 8 support added (URLPermission granted if applicable)
* JDK 9 supported
* Added support for Entry-Point manifest attribute
* Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to
control scan of Manifest file
* starting arguments now accept also -- abbreviations
* Added new documentation
* Added support for menu shortcuts - both javaws applications/applets and
html applets are supported
* added support for -html switch for javaws. Now you can run most
of the applets without browser at all
* Control Panel
- PR1856: ControlPanel UI improvement for lower resolutions (800*600)
* NetX
- PR1858: Java Console accepts multi-byte encodings
- PR1859: Java Console UI improvement for lower resolutions (800*600)
- RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception
java.lang.ClassCastException in method
sun.applet.PluginAppletViewer$8.run()
- Dropped support for long unmaintained -basedir argument
- Returned support for -jnlp argument
- RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9
- fixed, and so buildable on JDK9
* Plugin
- PR1743 - Intermittant deadlock in PluginRequestProcessor
- PR1298 - LiveConnect - problem setting array elements (applet
variables) from JS
- RH1121549: coverity defects
- Resolves method overloading correctly with superclass heirarchy
distance
* PolicyEditor
- codebases can be renamed in-place, copied, and pasted
- codebase URLs can be copied to system clipboard
- displays a progress dialog while opening or saving files
- codebases without permissions assigned save to file anyway (and
re-appear on next open)
- PR1776: NullPointer on save-and-exit
- PR1850: duplicate codebases when launching from security dialogs
- Fixed bug where clicking "Cancel" on the "Save before Exiting" dialog
could result in the editor exiting without saving changes
- Keyboard accelerators and mnemonics greatly improved
- "File - New" allows editing a new policy without first selecting the
file to save to
* Common
- PR1769: support signed applets which specify Sandbox permissions in
their manifests
* Temporary Permissions in security dialog now multi-selectable and based
on PolicyEditor permissions
The update to 1.5.2 brings OpenJDK 8 support (fate#318956)
* NetX
- RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9
- fixed, and so buildable on JDK9
- RH1154177 - decoded file needed from cache
- fixed NPE in https dialog
- empty codebase behaves as "."
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Workstation Extension 12:
zypper in -t patch SUSE-SLE-WE-12-2015-642=1
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2015-642=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Workstation Extension 12 (x86_64):
java-1_7_0-openjdk-plugin-1.6.1-2.3.1
java-1_7_0-openjdk-plugin-debuginfo-1.6.1-2.3.1
java-1_7_0-openjdk-plugin-debugsource-1.6.1-2.3.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
java-1_7_0-openjdk-plugin-1.6.1-2.3.1
java-1_7_0-openjdk-plugin-debuginfo-1.6.1-2.3.1
java-1_7_0-openjdk-plugin-debugsource-1.6.1-2.3.1
References:
https://www.suse.com/security/cve/CVE-2015-5234.html
https://www.suse.com/security/cve/CVE-2015-5235.html
https://bugzilla.suse.com/944208
https://bugzilla.suse.com/944209
More information about the sle-updates
mailing list