Security update for icedtea-web
| Announcement ID: | SUSE-SU-2015:1689-1 |
| Rating: | moderate |
| References: | #944208 #944209 |
| Affected Products: |
An update that fixes two vulnerabilities is now available.
Description:
The Java Plugin IcedTea Web was updated to 1.5.2, fixing bugs and security
issues.
* permissions sandbox and signed app and unsigned app with permissions
all-permissions now run in sandbox instead of not at all.
* fixed DownloadService
* RH1231441 Unable to read the text of the buttons of the security dialogue
* Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235,
bsc#944208)
* Fixed RH1233667 icedtea-web: unexpected permanent authorization
of unsigned applets (CVE-2015-5234, bsc#944209)
* MissingALACAdialog made available also for unsigned applications (but
ignoring actual manifest value) and fixed
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Desktop 11-SP4:
zypper in -t patch sledsp4-icedtea-web-12116=1 - SUSE Linux Enterprise Debuginfo 11-SP4:
zypper in -t patch dbgsp4-icedtea-web-12116=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Desktop 11-SP4 (i586 x86_64):
- icedtea-web-1.5.3-0.9.1
- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 x86_64):
- icedtea-web-debuginfo-1.5.3-0.9.1
- icedtea-web-debugsource-1.5.3-0.9.1