Security update for icedtea-web

SUSE Security Update: Security update for icedtea-web
Announcement ID: SUSE-SU-2015:1682-1
Rating: moderate
References: #944208 #944209
Affected Products:
  • SUSE Linux Enterprise Workstation Extension 12
  • SUSE Linux Enterprise Desktop 12

    An update that fixes two vulnerabilities is now available.

    Description:

    The Java IcedTea-Web Plugin was updated to 1.6.1, bringing various
    features, bug fixes and security fixes.

    * Enabled Entry-Point attribute check
    * permissions sandbox and signed app and unsigned app with permissions
    all-permissions now run in sandbox instead of not at all.
    * fixed DownloadService
    * comments in deployment.properties should now persist across load/save
    * fixed bug in caching of files with query
    * fixed issues with recreating of existing shortcut
    * trustAll/trustNone now processed correctly
    * headless no longer shows dialogues
    * RH1231441 Unable to read the text of the buttons of the security dialogue
    * Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235,
    bsc#944208)
    * Fixed RH1233667 icedtea-web: unexpected permanent authorization
    of unsigned applets (CVE-2015-5234, bsc#944209)
    * MissingALACAdialog made available also for unsigned applications (but
    ignoring actual manifest value) and fixed
    * NetX
    - fixed issues with -html shortcuts
    - fixed issue with -html receiving garbage in width and height
    * PolicyEditor
    - file flag made to work when used standalone
    - file flag and main argument cannot be used in combination

    The update to 1.6 is included and brings:

    * Massively improved offline abilities. Added Xoffline switch to force
    work without an internet connection.
    * Improved to be able to run with any JDK
    * JDK 6 and older no longer supported
    * JDK 8 support added (URLPermission granted if applicable)
    * JDK 9 supported
    * Added support for Entry-Point manifest attribute
    * Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property to
    control scan of Manifest file
    * starting arguments now accept also -- abbreviations
    * Added new documentation
    * Added support for menu shortcuts - both javaws applications/applets and
    html applets are supported
    * added support for -html switch for javaws. Now you can run most
    of the applets without browser at all
    * Control Panel
    - PR1856: ControlPanel UI improvement for lower resolutions (800*600)
    * NetX
    - PR1858: Java Console accepts multi-byte encodings
    - PR1859: Java Console UI improvement for lower resolutions (800*600)
    - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception
    java.lang.ClassCastException in method
    sun.applet.PluginAppletViewer$8.run()
    - Dropped support for long unmaintained -basedir argument
    - Returned support for -jnlp argument
    - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9
    - fixed, and so buildable on JDK9
    * Plugin
    - PR1743 - Intermittent deadlock in PluginRequestProcessor
    - PR1298 - LiveConnect - problem setting array elements (applet
    variables) from JS
    - RH1121549: coverity defects
    - Resolves method overloading correctly with superclass hierarchy
    distance
    * PolicyEditor
    - codebases can be renamed in-place, copied, and pasted
    - codebase URLs can be copied to system clipboard
    - displays a progress dialog while opening or saving files
    - codebases without permissions assigned save to file anyway (and
    re-appear on next open)
    - PR1776: NullPointer on save-and-exit
    - PR1850: duplicate codebases when launching from security dialogs
    - Fixed bug where clicking "Cancel" on the "Save before Exiting" dialog
    could result in the editor exiting without saving changes
    - Keyboard accelerators and mnemonics greatly improved
    - "File - New" allows editing a new policy without first selecting the
    file to save to
    * Common
    - PR1769: support signed applets which specify Sandbox permissions in
    their manifests
    * Temporary Permissions in security dialog now multi-selectable and based
    on PolicyEditor permissions

    The update to 1.5.2 brings OpenJDK 8 support (fate#318956)
    * NetX
    - RH1095311, PR574 - References class sun.misc.Ref removed in OpenJDK 9
    - fixed, and so buildable on JDK9
    - RH1154177 - decoded file needed from cache
    - fixed NPE in https dialog
    - empty codebase behaves as "."

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Workstation Extension 12:
      zypper in -t patch SUSE-SLE-WE-12-2015-642=1
    • SUSE Linux Enterprise Desktop 12:
      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-642=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Workstation Extension 12 (x86_64):
      • java-1_7_0-openjdk-plugin-1.6.1-2.3.1
      • java-1_7_0-openjdk-plugin-debuginfo-1.6.1-2.3.1
      • java-1_7_0-openjdk-plugin-debugsource-1.6.1-2.3.1
    • SUSE Linux Enterprise Desktop 12 (x86_64):
      • java-1_7_0-openjdk-plugin-1.6.1-2.3.1
      • java-1_7_0-openjdk-plugin-debuginfo-1.6.1-2.3.1
      • java-1_7_0-openjdk-plugin-debugsource-1.6.1-2.3.1
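    As an added example, not part of the SUSE advisory: a small POSIX shell check
    that compares an installed java-1_7_0-openjdk-plugin version-release string
    against the fixed version 1.6.1-2.3.1 from the package list above. The
    comparison is a simplified, numeric-only stand-in for rpmvercmp (an assumption
    that holds for the versions on this page), and the installed version is passed
    as an argument so the check runs without rpm.

```shell
#!/bin/sh
# Added example (not SUSE's code): is the installed plugin at least the
# version-release shipped by SUSE-SU-2015:1682-1?

FIXED_VERSION="1.6.1-2.3.1"        # version-release from the advisory's package list
PKG="java-1_7_0-openjdk-plugin"

# version_ge A B: returns 0 if A >= B, 1 otherwise.
# Simplified rpmvercmp: '-' and '.' are both treated as separators and every
# segment is assumed to be an integer (true for the versions on this page).
# A missing segment counts as 0, so 1.6.1-2.3 < 1.6.1-2.3.1.
version_ge() {
    a=$(printf '%s.' "$1" | tr '-' '.')   # trailing '.' guarantees a delimiter for cut
    b=$(printf '%s.' "$2" | tr '-' '.')
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all segments compared equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# plugin_status INSTALLED: prints a verdict, returns 0 if patched, 1 if not.
# On a real SLE 12 host the argument would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}' "$PKG"
plugin_status() {
    installed="$1"
    if version_ge "$installed" "$FIXED_VERSION"; then
        echo "$PKG $installed: patched (SUSE-SU-2015:1682-1 or later applied)"
        return 0
    fi
    echo "$PKG $installed: NOT patched for CVE-2015-5234 / CVE-2015-5235 (fixed in $FIXED_VERSION), run 'zypper patch'"
    return 1
}

# Demonstration with constructed version strings, not real system output.
for v in "1.5.2-1.1" "1.6.1-2.3.1" "1.6.1-3.1"; do
    plugin_status "$v" || :
done
```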
