openSUSE Security Update: update for icedtea-web
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:0371-1
Rating:             moderate
References:         #729870 #737105 #746895
Cross-References:   CVE-2011-3377
Affected Products:  openSUSE 12.1
______________________________________________________________________________

An update that solves one vulnerability and has two fixes is now available.

Description:

- update to 1.2
  - New features:
    * Signed JNLP support
    * Support for client authentication certificates
    * Cache size enforcement now supported via itweb-settings
    * Applet parameter passing through JNLP files now supported
    * Better icons for access warning dialog
    * Security Dialog UI revamped to make it look less threatening when appropriate
  - Fixes (plugin, webstart, common):
    * PR618: Can't install OpenDJ, JavaWebStart fails with "Input stream is null" error
    * PR765: JNLP file with all resource jars marked as 'lazy' fails to validate signature and stops the launch of application
    * PR788: Elluminate Live! is not working
    * PR804: javaws launcher incorrectly handles file names with spaces
    * PR820, bnc#746895: IcedTea-Web 1.1.3 crashing Firefox when loading Citrix XenApp
    * PR838: IcedTea plugin crashes with chrome browser when javascript is executed
    * PR852: Classloader not being flushed after last applet from a site is closed
    * RH586194: Unable to connect with Juniper VPN client
    * PR771: IcedTea-Web certificate verification code does not use the right API
    * PR742: IcedTea-Web checks certs only up to 1 level deep before declaring them untrusted
    * PR789: typo in jrunscript.sh
    * PR808: javaws is unable to start when missing jars are enumerated before main jar
    * RH738814: Access denied at ssl handshake
    * Support for authenticating using client certificates
- fix bnc#737105/FATE#313084: add Supplements: packageand(browser(npapi):java-openjdk); this ensures the web plugin is pulled in when openjdk and a capable browser are installed
- enable make check in respective section
- update to 1.1.4 (fixes bnc#729870)
  - RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains and suffix domain SOP bypass
  - PR778: Jar download and server certificate verification deadlock

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.1:
  zypper in -t patch openSUSE-2012-163

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.1 (i586 x86_64):
  icedtea-web-1.2-3.1
  icedtea-web-debuginfo-1.2-3.1
  icedtea-web-debugsource-1.2-3.1

- openSUSE 12.1 (noarch):
  icedtea-web-javadoc-1.2-3.1

References:

http://support.novell.com/security/cve/CVE-2011-3377.html
https://bugzilla.novell.com/729870
https://bugzilla.novell.com/737105
https://bugzilla.novell.com/746895