SUSE Security Update: Security update for icedtea-web ______________________________________________________________________________ Announcement ID: SUSE-SU-2013:1174-1 Rating: important References: #815596 #818768 #825880 Cross-References: CVE-2012-3422 CVE-2012-3423 CVE-2013-1926 CVE-2013-1927 Affected Products: SUSE Linux Enterprise Desktop 11 SP3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. It includes one version update. Description: This update to IcedTea-Web 1.4 provides the following fixes and enhancements: * Security updates o CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path o CVE-2013-1927, RH884705: fixed gifar vulnerabilit o CVE-2012-3422, RH840592: Potential read from an uninitialized memory location o CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings o CVE-2013-1927, RH884705: fixed gifar vulnerability o CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. * NetX o PR1027: DownloadService is not supported by IcedTea-Web o PR725: JNLP applications will prompt for creating desktop shortcuts every time they are run o PR1292: Javaws does not resolve versioned jar names with periods correctly o PR580: http://www.horaoficial.cl/ loads improperly. * Plugin o PR1106: Buffer overflow in plugin table- o PR1166: Embedded JNLP File is not supported in applet tag o PR1217: Add command line arguments for plugins o PR1189: Icedtea-plugin requires code attribute when using jnlp_href o PR1198: JSObject is not passed to javascript correctly o PR1260: IcedTea-Web should not rely on GTK o PR1157: Applets can hang browser after fatal exception o PR580: http://www.horaoficial.cl/ loads improperly o PR1260: IcedTea-Web should not rely on GTK o PR1157: Applets can hang browser after fatal exception. * Common o PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered o PR955: regression: SweetHome3D fails to run o PR1145: IcedTea-Web can cause ClassCircularityError o PR1161: X509VariableTrustManager does not work correctly with OpenJDK7 o PR822: Applets fail to load if jars have different signers o PR1186: System.getProperty("deployment.user.security.trusted.cacerts ") is null o PR909: The Java applet at http://de.gosupermodel.com/games/wardrobegame.jsp fails o PR1299: WebStart doesn't read socket proxy settings from firefox correctly. * Added cs, de, pl localization * Splash screen for javaws and plugin * Better error reporting for plugin via Error-splash-screen * All IcedTea-Web dialogues are centered to middle of active screen * Download indicator made compact for more then one jar * User can select its own JVM via itw-settings and deploy.properties * Added extended applets security settings and dialogue * Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized * Fixed a build failure with older xulrunner * Changed strict openjdk6 dependencies to anything java-openjdk >= 1.6.0. Security Issue references: * CVE-2013-1926 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1926

* CVE-2013-1927 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1927

* CVE-2012-3422 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422

* CVE-2012-3423 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423

* CVE-2013-1927 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1927

* CVE-2013-1926 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1926

Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Desktop 11 SP3: zypper in -t patch sledsp3-icedtea-web-7981 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4]: icedtea-web-1.4-0.10.1 References: http://support.novell.com/security/cve/CVE-2012-3422.html http://support.novell.com/security/cve/CVE-2012-3423.html http://support.novell.com/security/cve/CVE-2013-1926.html http://support.novell.com/security/cve/CVE-2013-1927.html https://bugzilla.novell.com/815596 https://bugzilla.novell.com/818768 https://bugzilla.novell.com/825880 http://download.novell.com/patch/finder/?keywords=e2d8b10b4253bb88de271814cd... -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org