SUSE Security Update - icedtea-web (SUSE-SU-2013:1174-1)
SUSE Security Update: Security update for icedtea-web
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1174-1
Rating:             important
References:         #815596 #818768 #825880
Cross-References:   CVE-2012-3422 CVE-2012-3423 CVE-2013-1926
                    CVE-2013-1927
Affected Products:
                    SUSE Linux Enterprise Desktop 11 SP3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.
   It includes one version update.

Description:


   This update to IcedTea-Web 1.4 provides the following fixes
   and enhancements:

   * Security updates

     o CVE-2013-1926, RH916774: Class-loader incorrectly shared
       for applets with same relative-path
     o CVE-2013-1927, RH884705: fixed gifar vulnerability
     o CVE-2012-3422, RH840592: Potential read from an
       uninitialized memory location
     o CVE-2012-3423, RH841345: Incorrect handling of not
       0-terminated strings

   * NetX

     o PR1027: DownloadService is not supported by IcedTea-Web
     o PR725: JNLP applications will prompt for creating desktop
       shortcuts every time they are run
     o PR1292: Javaws does not resolve versioned jar names with
       periods correctly
     o PR580: http://www.horaoficial.cl/ loads improperly

   * Plugin

     o PR1106: Buffer overflow in plugin table-
     o PR1166: Embedded JNLP File is not supported in applet tag
     o PR1217: Add command line arguments for plugins
     o PR1189: Icedtea-plugin requires code attribute when using
       jnlp_href
     o PR1198: JSObject is not passed to javascript correctly
     o PR1260: IcedTea-Web should not rely on GTK
     o PR1157: Applets can hang browser after fatal exception
     o PR580: http://www.horaoficial.cl/ loads improperly

   * Common

     o PR1049: Extension jnlp's signed jar with the content of
       only META-INF/* is considered
     o PR955: regression: SweetHome3D fails to run
     o PR1145: IcedTea-Web can cause ClassCircularityError
     o PR1161: X509VariableTrustManager does not work correctly
       with OpenJDK7
     o PR822: Applets fail to load if jars have different signers
     o PR1186:
       System.getProperty("deployment.user.security.trusted.cacerts")
       is null
     o PR909: The Java applet at
       http://de.gosupermodel.com/games/wardrobegame.jsp fails
     o PR1299: WebStart doesn't read socket proxy settings from
       firefox correctly

   * Added cs, de, pl localization
   * Splash screen for javaws and plugin
   * Better error reporting for plugin via Error-splash-screen
   * All IcedTea-Web dialogues are centered to middle of
     active screen
   * Download indicator made compact for more than one jar
   * Users can select their own JVM via itw-settings and
     deploy.properties
   * Added extended applets security settings and dialogue
   * Added new option in itw-settings which allows users
     to set JVM arguments when plugin is initialized
   * Fixed a build failure with older xulrunner
   * Changed strict openjdk6 dependencies to anything
     java-openjdk >= 1.6.0.

   Security Issue references:

   * CVE-2013-1926
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1926>
   * CVE-2013-1927
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1927>
   * CVE-2012-3422
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422>
   * CVE-2012-3423
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423>


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Desktop 11 SP3:

      zypper in -t patch sledsp3-icedtea-web-7981

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Desktop 11 SP3 (i586 x86_64) [New Version: 1.4]:

      icedtea-web-1.4-0.10.1


References:

   http://support.novell.com/security/cve/CVE-2012-3422.html
   http://support.novell.com/security/cve/CVE-2012-3423.html
   http://support.novell.com/security/cve/CVE-2013-1926.html
   http://support.novell.com/security/cve/CVE-2013-1927.html
   https://bugzilla.novell.com/815596
   https://bugzilla.novell.com/818768
   https://bugzilla.novell.com/825880
   http://download.novell.com/patch/finder/?keywords=e2d8b10b4253bb88de271814cd974a83



