SUSE Security Update - icedtea-web (SUSE-SU-2013:1174-1)
SUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1174-1
Rating:             important
References:         #815596 #818768 #825880
Cross-References:   CVE-2012-3422 CVE-2012-3423 CVE-2013-1926
                    CVE-2013-1927
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
   It includes one version update.

Description:


   This update to IcedTea-Web 1.4 provides the following fixes
   and enhancements:

   * Security updates

     o CVE-2013-1926, RH916774: Class-loader incorrectly shared
       for applets with same relative-path
     o CVE-2013-1927, RH884705: fixed gifar vulnerability
     o CVE-2012-3422, RH840592: Potential read from an
       uninitialized memory location
     o CVE-2012-3423, RH841345: Incorrect handling of not
       0-terminated strings

   * NetX

     o PR1027: DownloadService is not supported by IcedTea-Web
     o PR725: JNLP applications will prompt for creating desktop
       shortcuts every time they are run
     o PR1292: Javaws does not resolve versioned jar names with
       periods correctly
     o PR580: http://www.horaoficial.cl/ loads improperly

   * Plugin

     o PR1106: Buffer overflow in plugin table-
     o PR1166: Embedded JNLP File is not supported in applet tag
     o PR1217: Add command line arguments for plugins
     o PR1189: Icedtea-plugin requires code attribute when using
       jnlp_href
     o PR1198: JSObject is not passed to javascript correctly
     o PR1260: IcedTea-Web should not rely on GTK
     o PR1157: Applets can hang browser after fatal exception
     o PR580: http://www.horaoficial.cl/ loads improperly

   * Common

     o PR1049: Extension jnlp's signed jar with the content of
       only META-INF/* is considered
     o PR955: regression: SweetHome3D fails to run
     o PR1145: IcedTea-Web can cause ClassCircularityError
     o PR1161: X509VariableTrustManager does not work correctly
       with OpenJDK7
     o PR822: Applets fail to load if jars have different signers
     o PR1186:
       System.getProperty("deployment.user.security.trusted.cacerts")
       is null
     o PR909: The Java applet at
       http://de.gosupermodel.com/games/wardrobegame.jsp fails
     o PR1299: WebStart doesn't read socket proxy settings from
       firefox correctly

   * Added cs, de, pl localization
   * Splash screen for javaws and plugin
   * Better error reporting for plugin via Error-splash-screen
   * All IcedTea-Web dialogues are centered to middle of
     active screen
   * Download indicator made compact for more than one jar
   * Users can select their own JVM via itw-settings and
     deploy.properties
   * Added extended applets security settings and dialogue
   * Added new option in itw-settings which allows users
     to set JVM arguments when plugin is initialized
   * Fixed a build failure with older xulrunner
   * Changed strict openjdk6 dependencies to anything
     java-openjdk >= 1.6.0.

   Security Issue references:

   * CVE-2013-1926
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1926>
   * CVE-2013-1927
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1927>
   * CVE-2012-3422
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422>
   * CVE-2012-3423
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-icedtea-web-7981

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4]:

      icedtea-web-1.4-0.10.1
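
   To confirm that a host carries the fixed build listed above, the installed version-release can be compared against 1.4-0.10.1. The script below is an added example, not part of the SUSE advisory; the function names are hypothetical, and the comparison uses GNU `sort -V`, which approximates RPM's own version ordering for dotted numeric strings like these.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether icedtea-web is at or
# above the fixed build from the advisory's package list.
FIXED_EVR="1.4-0.10.1"   # version-release taken from the Package List

# ver_ge A B: succeed when A >= B. Relies on GNU sort -V (assumption: this
# orders the dotted numeric fields the same way RPM would).
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# evr_ge A B: compare VERSION first; fall back to RELEASE only on a tie.
evr_ge() {
    v1=${1%%-*}; r1=${1#*-}
    v2=${2%%-*}; r2=${2#*-}
    if [ "$v1" != "$v2" ]; then
        ver_ge "$v1" "$v2"
    else
        ver_ge "$r1" "$r2"
    fi
}

# icedtea_web_status EVR: print patched / needs-update / not-installed.
icedtea_web_status() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif evr_ge "$1" "$FIXED_EVR"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# installed_evr: print VERSION-RELEASE of icedtea-web, or nothing if absent.
# rpm -q exits non-zero (and prints a message) when the package is missing.
installed_evr() {
    if found=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' icedtea-web 2>/dev/null); then
        printf '%s\n' "$found"
    fi
}

# Run the check only where rpm exists (e.g. on the affected SLED 11 SP3 host).
if command -v rpm >/dev/null 2>&1; then
    icedtea_web_status "$(installed_evr)"
fi
```

   A result of needs-update means the patch from the Patch Instructions section has not been applied on that host.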


References:

   http://support.novell.com/security/cve/CVE-2012-3422.html
   http://support.novell.com/security/cve/CVE-2012-3423.html
   http://support.novell.com/security/cve/CVE-2013-1926.html
   http://support.novell.com/security/cve/CVE-2013-1927.html
   https://bugzilla.novell.com/815596
   https://bugzilla.novell.com/818768
   https://bugzilla.novell.com/825880
   http://download.novell.com/patch/finder/?keywords=e2d8b10b4253bb88de271814cd974a83



