openSUSE Security Update : icedtea-web (openSUSE-2015-602)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The icedtea-web java plugin was updated to 1.6.1.

Changes included :

- Enabled Entry-Point attribute check

- permissions sandbox and signed app and unsigned app with
permissions all-permissions now run in sandbox instead
of not at all.

- fixed DownloadService

- comments in deployment.properties now should persists
load/save

- fixed bug in caching of files with query

- fixed issues with recreating of existing shortcut

- trustAll/trustNone now processed correctly

- headless no longer shows dialogues

- RH1231441 Unable to read the text of the buttons of the
security dialogue

- Fixed RH1233697 icedtea-web: applet origin spoofing
(CVE-2015-5235, bsc#944208)

- Fixed RH1233667 icedtea-web: unexpected permanent
authorization of unsigned applets (CVE-2015-5234,
bsc#944209)

- MissingALACAdialog made available also for unsigned
applications (but ignoring actual manifest value) and
fixed

- NetX

- fixed issues with -html shortcuts

- fixed issue with -html receiving garbage in width and
height

- PolicyEditor

- file flag made to work when used standalone

- file flag and main argument cannot be used in
combination

- Fix generation of man-pages with some versions of 'tail'

Also included is the update to 1.6

- Massively improved offline abilities. Added Xoffline
switch to force work without inet connection.

- Improved to be able to run with any JDK

- JDK 6 and older no longer supported

- JDK 8 support added (URLPermission granted if
applicable)

- JDK 9 supported

- Added support for Entry-Point manifest attribute

- Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment
property to control scan of Manifest file

- starting arguments now accept also -- abbreviations

- Added new documentation

- Added support for menu shortcuts - both javaws
applications/applets and html applets are supported

- added support for -html switch for javaws. Now you can
run most of the applets without browser at all

- Control Panel

- PR1856: ControlPanel UI improvement for lower
resolutions (800*600)

- NetX

- PR1858: Java Console accepts multi-byte encodings

- PR1859: Java Console UI improvement for lower
resolutions (800*600)

- RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught
exception java.lang.ClassCastException in method
sun.applet.PluginAppletViewer$8.run()

- Dropped support for long unmaintained -basedir argument

- Returned support for -jnlp argument

- RH1095311, PR574 - References class sun.misc.Ref removed
in OpenJDK 9 - fixed, and so buildable on JDK9

- Plugin

- PR1743 - Intermittant deadlock in PluginRequestProcessor

- PR1298 - LiveConnect - problem setting array elements
(applet variables) from JS

- RH1121549: coverity defects

- Resolves method overloading correctly with superclass
heirarchy distance

- PolicyEditor

- codebases can be renamed in-place, copied, and pasted

- codebase URLs can be copied to system clipboard

- displays a progress dialog while opening or saving files

- codebases without permissions assigned save to file
anyway (and re-appear on next open)

- PR1776: NullPointer on save-and-exit

- PR1850: duplicate codebases when launching from security
dialogs

- Fixed bug where clicking 'Cancel' on the 'Save before
Exiting' dialog could result in the editor exiting
without saving changes

- Keyboard accelerators and mnemonics greatly improved

- 'File - New' allows editing a new policy without first
selecting the file to save to

- Common

- PR1769: support signed applets which specify Sandbox
permissions in their manifests

- Temporary Permissions in security dialog now
multi-selectable and based on PolicyEditor permissions

- Update to 1.5.2

- NetX

- RH1095311, PR574 - References class sun.misc.Ref removed
in OpenJDK 9 - fixed, and so buildable on JDK9

- RH1154177 - decoded file needed from cache

- fixed NPE in https dialog

- empty codebase behaves as '.'

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=755054
https://bugzilla.opensuse.org/show_bug.cgi?id=830880
https://bugzilla.opensuse.org/show_bug.cgi?id=944208
https://bugzilla.opensuse.org/show_bug.cgi?id=944209

Solution :

Update the affected icedtea-web packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 86094 ()

Bugtraq ID:

CVE ID: CVE-2012-4540
CVE-2015-5234
CVE-2015-5235

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now