Security update for icedtea-web

Announcement ID:	SUSE-SU-2015:1689-1
Rating:	moderate
References:	bsc#944208 bsc#944209
Cross-References:	CVE-2015-5234 CVE-2015-5235
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 11 SP4

An update that solves two vulnerabilities can now be installed.

Description:

The Java Plugin IcedTea Web was updated to 1.5.2, fixing bugs and security issues.

• permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
• fixed DownloadService
• RH1231441 Unable to read the text of the buttons of the security dialogue
• Fixed RH1233697 icedtea-web: applet origin spoofing (CVE-2015-5235, bsc#944208)
• Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets (CVE-2015-5234, bsc#944209)
• MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 11 SP4
  zypper in -t patch sledsp4-icedtea-web-12116=1

Package List:

• SUSE Linux Enterprise Desktop 11 SP4 (x86_64 i586)
  • icedtea-web-1.5.3-0.9.1

References:

• https://www.suse.com/security/cve/CVE-2015-5234.html
• https://www.suse.com/security/cve/CVE-2015-5235.html
• https://bugzilla.suse.com/show_bug.cgi?id=944208
• https://bugzilla.suse.com/show_bug.cgi?id=944209