openSUSE Security Update : icedtea-web (openSUSE-2015-602)

medium Nessus Plugin ID 86094

Synopsis

The remote openSUSE host is missing a security update.

Description

The icedtea-web java plugin was updated to 1.6.1.

Changes included :

- Enabled Entry-Point attribute check

- permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.

- fixed DownloadService

- comments in deployment.properties now should persists load/save

- fixed bug in caching of files with query

- fixed issues with recreating of existing shortcut

- trustAll/trustNone now processed correctly

- headless no longer shows dialogues

- RH1231441 Unable to read the text of the buttons of the security dialogue

- Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235, bsc#944208)

- Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets (CVE-2015-5234, bsc#944209)

- MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed

- NetX

- fixed issues with -html shortcuts

- fixed issue with -html receiving garbage in width and height

- PolicyEditor

- file flag made to work when used standalone

- file flag and main argument cannot be used in combination

- Fix generation of man-pages with some versions of 'tail'

Also included is the update to 1.6

- Massively improved offline abilities. Added Xoffline switch to force work without inet connection.

- Improved to be able to run with any JDK

- JDK 6 and older no longer supported

- JDK 8 support added (URLPermission granted if applicable)

- JDK 9 supported

- Added support for Entry-Point manifest attribute

- Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to control scan of Manifest file

- starting arguments now accept also -- abbreviations

- Added new documentation

- Added support for menu shortcuts - both javaws applications/applets and html applets are supported

- added support for -html switch for javaws. Now you can run most of the applets without browser at all

- Control Panel

- PR1856: ControlPanel UI improvement for lower resolutions (800*600)

- NetX

- PR1858: Java Console accepts multi-byte encodings

- PR1859: Java Console UI improvement for lower resolutions (800*600)

- RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception java.lang.ClassCastException in method sun.applet.PluginAppletViewer$8.run()

- Dropped support for long unmaintained -basedir argument

- Returned support for -jnlp argument

- RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9

- Plugin

- PR1743 - Intermittant deadlock in PluginRequestProcessor

- PR1298 - LiveConnect - problem setting array elements (applet variables) from JS

- RH1121549: coverity defects

- Resolves method overloading correctly with superclass heirarchy distance

- PolicyEditor

- codebases can be renamed in-place, copied, and pasted

- codebase URLs can be copied to system clipboard

- displays a progress dialog while opening or saving files

- codebases without permissions assigned save to file anyway (and re-appear on next open)

- PR1776: NullPointer on save-and-exit

- PR1850: duplicate codebases when launching from security dialogs

- Fixed bug where clicking 'Cancel' on the 'Save before Exiting' dialog could result in the editor exiting without saving changes

- Keyboard accelerators and mnemonics greatly improved

- 'File - New' allows editing a new policy without first selecting the file to save to

- Common

- PR1769: support signed applets which specify Sandbox permissions in their manifests

- Temporary Permissions in security dialog now multi-selectable and based on PolicyEditor permissions

- Update to 1.5.2

- NetX

- RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9

- RH1154177 - decoded file needed from cache

- fixed NPE in https dialog

- empty codebase behaves as '.'

Solution

Update the affected icedtea-web packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=755054

https://bugzilla.opensuse.org/show_bug.cgi?id=830880

https://bugzilla.opensuse.org/show_bug.cgi?id=944208

https://bugzilla.opensuse.org/show_bug.cgi?id=944209

Plugin Details

Severity: Medium

ID: 86094

File Name: openSUSE-2015-602.nasl

Version: 2.3

Type: local

Agent: unix

Published: 9/23/2015

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:icedtea-web, p-cpe:/a:novell:opensuse:icedtea-web-debuginfo, p-cpe:/a:novell:opensuse:icedtea-web-debugsource, p-cpe:/a:novell:opensuse:icedtea-web-javadoc, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-plugin, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-plugin-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-plugin-debugsource, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-plugin, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-plugin-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-plugin-debugsource, cpe:/o:novell:opensuse:13.1, cpe:/o:novell:opensuse:13.2

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 9/15/2015

Reference Information

CVE: CVE-2012-4540, CVE-2015-5234, CVE-2015-5235