openSUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:1595-1
Rating:             important
References:         #755054 #830880 #944208 #944209
Cross-References:   CVE-2012-4540 CVE-2015-5234 CVE-2015-5235
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

An update that solves three vulnerabilities and has one erratum is now
available.

Description:

The icedtea-web java plugin was updated to 1.6.1.

Changes included:

* Enabled Entry-Point attribute check
* permissions sandbox and signed app and unsigned app with permissions
  all-permissions now run in sandbox instead of not at all.
* fixed DownloadService
* comments in deployment.properties now should persist across load/save
* fixed bug in caching of files with query
* fixed issues with recreating of existing shortcut
* trustAll/trustNone now processed correctly
* headless no longer shows dialogues
* RH1231441 Unable to read the text of the buttons of the security dialogue
* Fixed RH1233697 icedtea-web: applet origin spoofing
  (CVE-2015-5235, bsc#944208)
* Fixed RH1233667 icedtea-web: unexpected permanent authorization of
  unsigned applets (CVE-2015-5234, bsc#944209)
* MissingALACAdialog made available also for unsigned applications (but
  ignoring actual manifest value) and fixed
* NetX
  - fixed issues with -html shortcuts
  - fixed issue with -html receiving garbage in width and height
* PolicyEditor
  - file flag made to work when used standalone
  - file flag and main argument cannot be used in combination
* Fix generation of man-pages with some versions of "tail"

Also included is the update to 1.6

* Massively improved offline abilities. Added Xoffline switch to force work
  without inet connection.
* Improved to be able to run with any JDK
* JDK 6 and older no longer supported
* JDK 8 support added (URLPermission granted if applicable)
* JDK 9 supported
* Added support for Entry-Point manifest attribute
* Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to control
  scan of Manifest file
* starting arguments now accept also -- abbreviations
* Added new documentation
* Added support for menu shortcuts - both javaws applications/applets and
  html applets are supported
* added support for -html switch for javaws. Now you can run most of the
  applets without browser at all
* Control Panel
  - PR1856: ControlPanel UI improvement for lower resolutions (800*600)
* NetX
  - PR1858: Java Console accepts multi-byte encodings
  - PR1859: Java Console UI improvement for lower resolutions (800*600)
  - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception
    java.lang.ClassCastException in method sun.applet.PluginAppletViewer$8.run()
  - Dropped support for long unmaintained -basedir argument
  - Returned support for -jnlp argument
  - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 -
    fixed, and so buildable on JDK9
* Plugin
  - PR1743 - Intermittent deadlock in PluginRequestProcessor
  - PR1298 - LiveConnect - problem setting array elements (applet variables)
    from JS
  - RH1121549: coverity defects
  - Resolves method overloading correctly with superclass hierarchy distance
* PolicyEditor
  - codebases can be renamed in-place, copied, and pasted
  - codebase URLs can be copied to system clipboard
  - displays a progress dialog while opening or saving files
  - codebases without permissions assigned save to file anyway (and
    re-appear on next open)
  - PR1776: NullPointer on save-and-exit
  - PR1850: duplicate codebases when launching from security dialogs
  - Fixed bug where clicking "Cancel" on the "Save before Exiting" dialog
    could result in the editor exiting without saving changes
  - Keyboard accelerators and mnemonics greatly improved
  - "File - New" allows editing a new policy without first selecting the
    file to save to
* Common
  - PR1769: support signed applets which specify Sandbox permissions in
    their manifests
* Temporary Permissions in security dialog now multi-selectable and based
  on PolicyEditor permissions

Update to 1.5.2

* NetX
  - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 -
    fixed, and so buildable on JDK9
  - RH1154177 - decoded file needed from cache
  - fixed NPE in https dialog
  - empty codebase behaves as "."

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

  zypper in -t patch openSUSE-2015-602=1

- openSUSE 13.1:

  zypper in -t patch openSUSE-2015-602=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

  java-1_7_0-openjdk-plugin-1.6.1-6.1
  java-1_7_0-openjdk-plugin-debuginfo-1.6.1-6.1
  java-1_7_0-openjdk-plugin-debugsource-1.6.1-6.1
  java-1_8_0-openjdk-plugin-1.6.1-6.2
  java-1_8_0-openjdk-plugin-debuginfo-1.6.1-6.2
  java-1_8_0-openjdk-plugin-debugsource-1.6.1-6.2

- openSUSE 13.2 (noarch):

  icedtea-web-javadoc-1.6.1-6.1

- openSUSE 13.1 (i586 x86_64):

  icedtea-web-1.5.3-0.7.1
  icedtea-web-debuginfo-1.5.3-0.7.1
  icedtea-web-debugsource-1.5.3-0.7.1

- openSUSE 13.1 (noarch):

  icedtea-web-javadoc-1.5.3-0.7.1

References:

https://www.suse.com/security/cve/CVE-2012-4540.html
https://www.suse.com/security/cve/CVE-2015-5234.html
https://www.suse.com/security/cve/CVE-2015-5235.html
https://bugzilla.suse.com/755054
https://bugzilla.suse.com/830880
https://bugzilla.suse.com/944208
https://bugzilla.suse.com/944209
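A quick way to confirm the patch actually landed on a host is to compare the installed version-release of each listed package against the fixed builds in the Package List above. The script below is an added example, not part of the advisory or of the openSUSE tooling: it takes the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>` (here a constructed sample) and reports packages that are still older than the fixed build, using a simplified version comparison (numeric segments compared as numbers, alphabetic ones as text) rather than the full rpmvercmp algorithm.

```python
import re

# Fixed version-release per product, taken from the advisory's Package List.
FIXED = {
    "openSUSE 13.2": {
        "java-1_7_0-openjdk-plugin": "1.6.1-6.1",
        "java-1_8_0-openjdk-plugin": "1.6.1-6.2",
        "icedtea-web-javadoc": "1.6.1-6.1",
    },
    "openSUSE 13.1": {
        "icedtea-web": "1.5.3-0.7.1",
        "icedtea-web-javadoc": "1.5.3-0.7.1",
    },
}


def vr_key(vr):
    """Turn 'version-release' into a tuple that sorts like a simplified
    rpmvercmp: split on separators, numbers compare numerically, and a
    numeric segment ranks above an alphabetic one (as rpm does)."""
    segments = re.findall(r"\d+|[A-Za-z]+", vr)
    return tuple((1, int(s)) if s.isdigit() else (0, s) for s in segments)


def unpatched(product, rpm_output):
    """Return names of listed packages installed at a version older than
    the fixed build. rpm_output is the text printed by
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n' for the packages;
    'package X is not installed' lines are skipped (nothing to patch)."""
    fixed = FIXED[product]
    stale = []
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        name, installed = line.split()
        if name in fixed and vr_key(installed) < vr_key(fixed[name]):
            stale.append(name)
    return stale


# Constructed sample rpm output for an openSUSE 13.2 host: the 1.7 plugin is
# already at the fixed build, the 1.8 plugin is still on an older release.
SAMPLE_13_2 = """\
java-1_7_0-openjdk-plugin 1.6.1-6.1
java-1_8_0-openjdk-plugin 1.5.2-3.1
package icedtea-web-javadoc is not installed
"""

if __name__ == "__main__":
    for pkg in unpatched("openSUSE 13.2", SAMPLE_13_2):
        print("still vulnerable:", pkg)
```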