SUSE-SU-2015:1682-1

Source
https://www.suse.com/support/update/announcement/2015/suse-su-20151682-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2015:1682-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2015:1682-1
Related
Published
2015-09-15T09:42:59Z
Modified
2015-09-15T09:42:59Z
Summary
Security update for icedtea-web
Details

The Java IcedTea-Web Plugin was updated to 1.6.1, bringing various features, bug fixes and security fixes.

  • Enabled Entry-Point attribute check
  • permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
  • fixed DownloadService
  • comments in deployment.properties should now persist across load/save
  • fixed bug in caching of files with query
  • fixed issues with recreating of existing shortcut
  • trustAll/trustNone now processed correctly
  • headless no longer shows dialogues
  • RH1231441 Unable to read the text of the buttons of the security dialogue
  • Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235, bsc#944208)
  • Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets (CVE-2015-5234, bsc#944209)
  • MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed
  • NetX
    • fixed issues with -html shortcuts
    • fixed issue with -html receiving garbage in width and height
  • PolicyEditor
    • file flag made to work when used standalone
    • file flag and main argument cannot be used in combination

The update to 1.6 is included and brings:

  • Massively improved offline abilities. Added Xoffline switch to force work without inet connection.
  • Improved to be able to run with any JDK
  • JDK 6 and older no longer supported
  • JDK 8 support added (URLPermission granted if applicable)
  • JDK 9 supported
  • Added support for Entry-Point manifest attribute
  • Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to control scan of Manifest file
  • starting arguments now accept also -- abbreviations
  • Added new documentation
  • Added support for menu shortcuts - both javaws applications/applets and html applets are supported
  • added support for -html switch for javaws. Now you can run most of the applets without browser at all
  • Control Panel
    • PR1856: ControlPanel UI improvement for lower resolutions (800*600)
  • NetX
    • PR1858: Java Console accepts multi-byte encodings
    • PR1859: Java Console UI improvement for lower resolutions (800*600)
    • RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception java.lang.ClassCastException in method sun.applet.PluginAppletViewer$8.run()
    • Dropped support for long unmaintained -basedir argument
    • Returned support for -jnlp argument
    • RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9
  • Plugin
    • PR1743 - Intermittent deadlock in PluginRequestProcessor
    • PR1298 - LiveConnect - problem setting array elements (applet variables) from JS
    • RH1121549: coverity defects
    • Resolves method overloading correctly with superclass hierarchy distance
  • PolicyEditor
    • codebases can be renamed in-place, copied, and pasted
    • codebase URLs can be copied to system clipboard
    • displays a progress dialog while opening or saving files
    • codebases without permissions assigned save to file anyway (and re-appear on next open)
    • PR1776: NullPointer on save-and-exit
    • PR1850: duplicate codebases when launching from security dialogs
    • Fixed bug where clicking 'Cancel' on the 'Save before Exiting' dialog could result in the editor exiting without saving changes
    • Keyboard accelerators and mnemonics greatly improved
    • 'File - New' allows editing a new policy without first selecting the file to save to
  • Common
    • PR1769: support signed applets which specify Sandbox permissions in their manifests
  • Temporary Permissions in security dialog now multi-selectable and based on PolicyEditor permissions

The update to 1.5.2 brings OpenJDK 8 support (fate#318956)

  • NetX
    • RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9 - fixed, and so buildable on JDK9
    • RH1154177 - decoded file needed from cache
    • fixed NPE in https dialog
    • empty codebase behaves as '.'

References

Affected packages

SUSE:Linux Enterprise Desktop 12 / java-1_7_0-openjdk-plugin

Package

Name
java-1_7_0-openjdk-plugin
Purl
pkg:rpm/suse/java-1_7_0-openjdk-plugin&distro=SUSE%20Linux%20Enterprise%20Desktop%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.1-2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "java-1_7_0-openjdk-plugin": "1.6.1-2.3.1"
        }
    ]
}

SUSE:Linux Enterprise Workstation Extension 12 / java-1_7_0-openjdk-plugin

Package

Name
java-1_7_0-openjdk-plugin
Purl
pkg:rpm/suse/java-1_7_0-openjdk-plugin&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2012

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.1-2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "java-1_7_0-openjdk-plugin": "1.6.1-2.3.1"
        }
    ]
}