openSUSE Security Update: Package icedtea-web was updated to version 1.4. ______________________________________________________________________________ Announcement ID: openSUSE-SU-2013:0893-1 Rating: moderate References: #818768 Cross-References: CVE-2012-3422 CVE-2012-3423 CVE-2013-1926 CVE-2013-1927 Affected Products: openSUSE 12.3 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: Changes in icedtea-web with update to 1.4 (bnc#818768): * Added cs, de, pl localization * Splash screen for javaws and plugin * Better error reporting for plugin via Error-splash-screen * All IcedTea-Web dialogues are centered to middle of active screen * Download indicator made compact for more then one jar * User can select its own JVM via itw-settings and deploy.properties. * Added extended applets security settings and dialogue * Security updates - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - CVE-2013-1927, RH884705: fixed gifar vulnerabilit - CVE-2012-3422, RH840592: Potential read from an uninitialized memory location - CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings * NetX - PR1027: DownloadService is not supported by IcedTea-Web - PR725: JNLP applications will prompt for creating desktop shortcuts every time they are run - PR1292: Javaws does not resolve versioned jar names with periods correctly * Plugin - PR1106: Buffer overflow in plugin table- - PR1166: Embedded JNLP File is not supported in applet tag - PR1217: Add command line arguments for plugins - PR1189: Icedtea-plugin requires code attribute when using jnlp_href - PR1198: JSObject is not passed to javascript correctly - PR1260: IcedTea-Web should not rely on GTK - PR1157: Applets can hang browser after fatal exception - PR580: http://www.horaoficial.cl/ loads improperly * Common - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered - PR955: regression: SweetHome3D fails to run - PR1145: IcedTea-Web can cause ClassCircularityError - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7 - PR822: Applets fail to load if jars have different signers - PR1186: System.getProperty("deployment.user.security.trusted.cacerts ") is null - PR909: The Java applet at http://de.gosupermodel.com/games/wardrobegame.jsp fails - PR1299: WebStart doesn't read socket proxy settings from firefox correctly Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2013-439 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 12.3 (i586 x86_64): icedtea-web-1.4-4.14.1 icedtea-web-debuginfo-1.4-4.14.1 icedtea-web-debugsource-1.4-4.14.1 - openSUSE 12.3 (noarch): icedtea-web-javadoc-1.4-4.14.1 References: http://support.novell.com/security/cve/CVE-2012-3422.html http://support.novell.com/security/cve/CVE-2012-3423.html http://support.novell.com/security/cve/CVE-2013-1926.html http://support.novell.com/security/cve/CVE-2013-1927.html https://bugzilla.novell.com/818768