Updated icedtea-web packages fix security vulnerabilities
Publication date: 17 Sep 2015
Affected Mageia releases: 5
CVE: CVE-2015-5234, CVE-2015-5235
It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval (CVE-2015-5234).

It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin (CVE-2015-5235).