Scientific Linux Security Update : icedtea-web on SL6.x i386/x86_64

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Scientific Linux host is missing one or more security
updates.

Description :

The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project.
It also contains a configuration tool for managing deployment settings
for the plug-in and Web Start implementations.

A flaw was discovered in the JNLP (Java Network Launching Protocol)
implementation in IcedTea-Web. An unsigned Java Web Start application
could use this flaw to manipulate the content of a Security Warning
dialog box, to trick a user into granting the application unintended
access permissions to local files. (CVE-2011-2514)

An information disclosure flaw was discovered in the JNLP
implementation in IcedTea-Web. An unsigned Java Web Start application
or Java applet could use this flaw to determine the path to the cache
directory used to store downloaded Java class and archive files, and
therefore determine the user's login name. (CVE-2011-2513)

All icedtea-web users should upgrade to these updated packages, which
contain backported patches to correct these issues.

See also :

http://www.nessus.org/u?a75c64de

Solution :

Update the affected icedtea-web and / or icedtea-web-javadoc packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Scientific Linux Local Security Checks

Nessus Plugin ID: 61098 ()

Bugtraq ID:

CVE ID: CVE-2011-2513
CVE-2011-2514