Opened 10 years ago
Closed 10 years ago
#6926 closed enhancement (fixed)
icedtea-web-1.6.1 CVE-2015-5235 and CVE-2015-5234
Reported by: | Fernando de Oliveira | Owned by: | Pierre Labastie |
---|---|---|---|
Priority: | high | Milestone: | 7.8 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: |
Description (last modified by )
http://icedtea.wildebeest.org/download/source/icedtea-web-1.6.1.tar.gz
35d6712a5d9db69e8bd14ab68f94d748 icedtea-web-1.6.1.tar.gz
This is a security release:
CVE-2015-5235 icedtea-web: applet origin spoofing at
CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned app... at
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html
IcedTea-Web 1.6.1 and 1.5.3 released
Jiri Vanek jvanek at redhat.com
Fri Sep 11 14:39:17 UTC 2015

Hello,

after a pretty rushed two weeks, here is a just half-expected release of icedtea-web.
The release is mainly because of two flaws, specific for itw:
https://bugzilla.redhat.com/show_bug.cgi?id=1233697
https://bugzilla.redhat.com/show_bug.cgi?id=1233667

***********************************
Part of this security release is the recommendation that you should use jdk8 as runtime for ITW, because of its slightly more secure HTTPUrlConnection (compared with older JDKs).
***********************************

I know 1.5 was supposed to be unmaintained, but the issue was so shaming that I decided to fully patch it and release.

The docs of 1.6.1 are at http://icedtea.wildebeest.org/download/icedtea-web-docs/1.6.1/html/ (as usual :), but PL and a big part of the DE translation are still missing.

Special thanks go to Andrea Palazzo, Tomas Hoger, J.

NEWS:

New in release 1.6.1 (2015-09-11):
• Enabled Entry-Point attribute check
• permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
• fixed DownloadService
• comments in deployment.properties now should persist across load/save
• fixed bug in caching of files with query
• fixed issues with recreating of existing shortcut
• trustAll/trustNone now processed correctly
• headless no longer shows dialogues
• RH1231441 Unable to read the text of the buttons of the security dialogue
• Fixed RH1233697 icedtea-web: applet origin spoofing
• Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets
• MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed
• NetX
  - fixed issues with -html shortcuts
  - fixed issue with -html receiving garbage in width and height
• PolicyEditor
  - file flag made to work when used standalone
  - file flag and main argument cannot be used in combination

New in release 1.5.3 (2015-09-11):
• permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
• fixed DownloadService
• RH1231441 Unable to read the text of the buttons of the security dialogue
• Fixed RH1233697 icedtea-web: applet origin spoofing
• Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets
• MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed
Change History (3)
comment:1 by , 10 years ago
Description: | modified (diff) |
---|---|
Summary: | icedtea-web-1.6.1 → icedtea-web-1.6.1 CVE-2015-5235 and CVE-2015-5234 |
comment:2 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
This is a good test of OpenJDK, so I take it.