Updated icedtea-web packages fix security vulnerabilities
Publication date: 17 Sep 2015
Modification date: 17 Sep 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5234, CVE-2015-5235
Description
Updated icedtea-web packages fix security vulnerabilities:

It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval (CVE-2015-5234).

It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin (CVE-2015-5235).
References
- https://bugs.mageia.org/show_bug.cgi?id=16755
- https://bugzilla.redhat.com/show_bug.cgi?id=1233667
- https://bugzilla.redhat.com/show_bug.cgi?id=1233697
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5234
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5235
SRPMS
5/core
- icedtea-web-1.5.3-1.mga5