SUSE SLED12 Security Update : icedtea-web (SUSE-SU-2015:1682-1)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

The Java IcedTea-Web Plugin was updated to 1.6.1, bringing various
features, bug fixes and security fixes.

- Enabled Entry-Point attribute check

- apps requesting the sandbox permission, and signed and unsigned
apps requesting all-permissions, now run in the sandbox instead
of not at all.

- fixed DownloadService

- comments in deployment.properties should now persist across
load/save

- fixed bug in caching of files with query

- fixed issues with recreating of existing shortcut

- trustAll/trustNone now processed correctly

- headless no longer shows dialogues

- RH1231441 Unable to read the text of the buttons of the
security dialogue

- Fixed RH1233697 icedtea-web: applet origin spoofing
(CVE-2015-5235, bsc#944208)

- Fixed RH1233667 icedtea-web: unexpected permanent
authorization of unsigned applets (CVE-2015-5234,
bsc#944209)

- MissingALACAdialog made available also for unsigned
applications (but ignoring the actual manifest value) and
fixed

- NetX

  - fixed issues with -html shortcuts

  - fixed issue with -html receiving garbage in width and
  height

- PolicyEditor

  - file flag made to work when used standalone

  - file flag and main argument cannot be used in
  combination

The update to 1.6 is included and brings :

- Massively improved offline abilities. Added Xoffline
switch to force working without an internet connection.

- Improved to be able to run with any JDK

- JDK 6 and older no longer supported

- JDK 8 support added (URLPermission granted if
applicable)

- JDK 9 supported

- Added support for Entry-Point manifest attribute

- Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment
property to control scan of Manifest file

- start-up arguments now also accept -- abbreviations

- Added new documentation

- Added support for menu shortcuts - both javaws
applications/applets and html applets are supported

- added support for the -html switch for javaws. Most applets
can now be run without a browser at all

- Control Panel

  - PR1856: ControlPanel UI improvement for lower
  resolutions (800*600)

- NetX

  - PR1858: Java Console accepts multi-byte encodings

  - PR1859: Java Console UI improvement for lower
  resolutions (800*600)

  - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught
  exception java.lang.ClassCastException in method
  sun.applet.PluginAppletViewer$8.run()

  - Dropped support for the long unmaintained -basedir argument

  - Returned support for the -jnlp argument

  - RH1095311, PR574 - References to class sun.misc.Ref (removed
  in OpenJDK 9) fixed, and so buildable on JDK9

- Plugin

  - PR1743 - Intermittent deadlock in PluginRequestProcessor

  - PR1298 - LiveConnect - problem setting array elements
  (applet variables) from JS

  - RH1121549: coverity defects

  - Resolves method overloading correctly with superclass
  hierarchy distance

- PolicyEditor

  - codebases can be renamed in-place, copied, and pasted

  - codebase URLs can be copied to the system clipboard

  - displays a progress dialog while opening or saving files

  - codebases without permissions assigned are saved to file
  anyway (and re-appear on next open)

  - PR1776: NullPointer on save-and-exit

  - PR1850: duplicate codebases when launching from security
  dialogs

  - Fixed bug where clicking 'Cancel' on the 'Save before
  Exiting' dialog could result in the editor exiting
  without saving changes

  - Keyboard accelerators and mnemonics greatly improved

  - 'File - New' allows editing a new policy without first
  selecting the file to save to

- Common

  - PR1769: support signed applets which specify Sandbox
  permissions in their manifests

  - Temporary Permissions in the security dialog are now
  multi-selectable and based on PolicyEditor permissions

The update to 1.5.2 brings OpenJDK 8 support (fate#318956)

- NetX

  - RH1095311, PR574 - References to class sun.misc.Ref (removed
  in OpenJDK 9) fixed, and so buildable on JDK9

  - RH1154177 - decoded file needed from cache

  - fixed NPE in https dialog

  - empty codebase behaves as '.'

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/944208
https://bugzilla.suse.com/944209
https://www.suse.com/security/cve/CVE-2015-5234.html
https://www.suse.com/security/cve/CVE-2015-5235.html
http://www.nessus.org/u?a60ef531

Solution :

To install this SUSE Security Update, use YaST online_update.
Alternatively, you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12 :

zypper in -t patch SUSE-SLE-WE-12-2015-642=1

SUSE Linux Enterprise Desktop 12 :

zypper in -t patch SUSE-SLE-DESKTOP-12-2015-642=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: SuSE Local Security Checks

Nessus Plugin ID: 86308

Bugtraq ID:

CVE ID: CVE-2015-5234, CVE-2015-5235
