Advisories » MGASA-2015-0376

Updated icedtea-web packages fix security vulnerabilities

Publication date: 17 Sep 2015
Modification date: 17 Sep 2015
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5234, CVE-2015-5235

Description

Updated icedtea-web packages fix security vulnerabilities:

It was discovered that IcedTea-Web did not properly sanitize applet URLs when
storing applet trust settings. A malicious web page could use this flaw to
inject trust-settings configuration, and cause applets to be executed without
user approval (CVE-2015-5234).

It was discovered that IcedTea-Web did not properly determine an applet's
origin when asking the user if the applet should be run. A malicious page
could use this flaw to cause IcedTea-Web to execute the applet without user
approval, or confuse the user into approving applet execution based on an
incorrectly indicated applet origin (CVE-2015-5235).
                

References

SRPMS

5/core