openSUSE Security Update : icedtea-web (openSUSE-2015-602)

medium Nessus Plugin ID 86094

Synopsis

The remote openSUSE host is missing a security update.

Description

The icedtea-web java plugin was updated to 1.6.1.

Changes included:

- Enabled Entry-Point attribute check

- a signed app requesting sandbox permissions, and an unsigned app requesting all-permissions, now run in the sandbox instead of not at all.

- fixed DownloadService

- comments in deployment.properties should now persist across load/save

- fixed bug in caching of files with query

- fixed issues with recreating of existing shortcut

- trustAll/trustNone now processed correctly

- headless no longer shows dialogues

- RH1231441 Unable to read the text of the buttons of the security dialogue

- Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235, bsc#944208)

- Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets (CVE-2015-5234, bsc#944209)

- MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed

- NetX

  - fixed issues with -html shortcuts

  - fixed issue with -html receiving garbage in width and height

- PolicyEditor

  - file flag made to work when used standalone

  - file flag and main argument cannot be used in combination

- Fix generation of man-pages with some versions of 'tail'

Also included is the update to 1.6:

- Massively improved offline abilities. Added the Xoffline switch to force working without an internet connection.

- Improved to be able to run with any JDK

- JDK 6 and older no longer supported

- JDK 8 support added (URLPermission granted if applicable)

- JDK 9 supported

- Added support for Entry-Point manifest attribute

- Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to control scan of Manifest file

- start-up arguments now also accept -- abbreviations

- Added new documentation

- Added support for menu shortcuts - both javaws applications/applets and html applets are supported

- added support for the -html switch for javaws; most applets can now be run without a browser at all

- Control Panel

  - PR1856: ControlPanel UI improvement for lower resolutions (800*600)

- NetX

  - PR1858: Java Console accepts multi-byte encodings

  - PR1859: Java Console UI improvement for lower resolutions (800*600)

  - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception java.lang.ClassCastException in method sun.applet.PluginAppletViewer$8.run()

  - Dropped support for the long unmaintained -basedir argument

  - Returned support for the -jnlp argument

  - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9

- Plugin

  - PR1743 - Intermittent deadlock in PluginRequestProcessor

  - PR1298 - LiveConnect - problem setting array elements (applet variables) from JS

  - RH1121549: coverity defects

  - Resolves method overloading correctly with superclass hierarchy distance

- PolicyEditor

  - codebases can be renamed in-place, copied, and pasted

  - codebase URLs can be copied to system clipboard

  - displays a progress dialog while opening or saving files

  - codebases without permissions assigned save to file anyway (and re-appear on next open)

  - PR1776: NullPointer on save-and-exit

  - PR1850: duplicate codebases when launching from security dialogs

  - Fixed bug where clicking 'Cancel' on the 'Save before Exiting' dialog could result in the editor exiting without saving changes

  - Keyboard accelerators and mnemonics greatly improved

  - 'File - New' allows editing a new policy without first selecting the file to save to

- Common

  - PR1769: support signed applets which specify Sandbox permissions in their manifests

  - Temporary Permissions in security dialog now multi-selectable and based on PolicyEditor permissions

- Update to 1.5.2

  - NetX

    - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9

    - RH1154177 - decoded file needed from cache

    - fixed NPE in https dialog

    - empty codebase behaves as '.'

Solution

Update the affected icedtea-web packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=755054

https://bugzilla.opensuse.org/show_bug.cgi?id=830880

https://bugzilla.opensuse.org/show_bug.cgi?id=944208

https://bugzilla.opensuse.org/show_bug.cgi?id=944209

Plugin Details

Severity: Medium

ID: 86094

File Name: openSUSE-2015-602.nasl

Version: 2.3

Type: local

Agent: unix

Published: 9/23/2015

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:icedtea-web, p-cpe:/a:novell:opensuse:icedtea-web-debuginfo, p-cpe:/a:novell:opensuse:icedtea-web-debugsource, p-cpe:/a:novell:opensuse:icedtea-web-javadoc, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-plugin, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-plugin-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-plugin-debugsource, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-plugin, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-plugin-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-plugin-debugsource, cpe:/o:novell:opensuse:13.1, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 9/15/2015

Reference Information

CVE: CVE-2012-4540, CVE-2015-5234, CVE-2015-5235