Scientific Linux Security Update : icedtea-web on SL6.x i386/x86_64
Medium Nessus Plugin ID 91538
Synopsis
The remote Scientific Linux host is missing one or more security updates.
Description
The following packages have been upgraded to a newer upstream version:
Security Fix(es):
- It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval. (CVE-2015-5234)
- It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin. (CVE-2015-5235)
Solution
Update the affected icedtea-web, icedtea-web-debuginfo and/or icedtea-web-javadoc packages.