id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
6926,icedtea-web-1.6.1 CVE-2015-5235 and CVE-2015-5234,Fernando de Oliveira,Pierre Labastie,"[http://icedtea.wildebeest.org/download/source/icedtea-web-1.6.1.tar.gz]

35d6712a5d9db69e8bd14ab68f94d748  icedtea-web-1.6.1.tar.gz

This is a security release:

'''CVE-2015-5235 icedtea-web: applet origin spoofing at''' [https://bugzilla.redhat.com/show_bug.cgi?id=1233697]

'''CVE-2015-5234 icedtea-web: unexpected permanent authorization of unsigned app... at''' [https://bugzilla.redhat.com/show_bug.cgi?id=1233667]

[http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html]

{{{
IcedTea-Web 1.6.1 and 1.5.3 released

Jiri Vanek jvanek at redhat.com
Fri Sep 11 14:39:17 UTC 2015

Hello,

after a pretty rushed two weeks, here is the just half-expected release of icedtea-web.
The release is mainly because of two flaws, specific for itw:
https://bugzilla.redhat.com/show_bug.cgi?id=1233697
https://bugzilla.redhat.com/show_bug.cgi?id=1233667

***********************************
Part of this security release is the recommendation that you should use jdk8 as runtime for ITW, because of slightly more secure HTTPUrlConnection (compared with older JDKs)
***********************************

I know 1.5 was supposed to be unmaintained, but the issue was so shaming that I decided to fully patch it and release.

The docs of 1.6.1 are at http://icedtea.wildebeest.org/download/icedtea-web-docs/1.6.1/html/ (As usual :) , but PL and a big part of the DE translation are still missing.

Special thanks goes to Andrea Palazzo Tomas Hoger J.

NEWS:

New in release 1.6.1 (2015-09-11):
• Enabled Entry-Point attribute check
• permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
• fixed DownloadService
• comments in deployment.properties now should persist across load/save
• fixed bug in caching of files with query
• fixed issues with recreating of existing shortcut
• trustAll/trustNone now processed correctly
• headless no longer shows dialogues
• RH1231441 Unable to read the text of the buttons of the security dialogue
• Fixed RH1233697 icedtea-web: applet origin spoofing
• Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets
• MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed
• NetX
  - fixed issues with -html shortcuts
  - fixed issue with -html receiving garbage in width and height
• PolicyEditor
  - file flag made to work when used standalone
  - file flag and main argument cannot be used in combination

New in release 1.5.3 (2015-09-11):
• permissions sandbox and signed app and unsigned app with permissions all-permissions now run in sandbox instead of not at all.
• fixed DownloadService
• RH1231441 Unable to read the text of the buttons of the security dialogue
• Fixed RH1233697 icedtea-web: applet origin spoofing
• Fixed RH1233667 icedtea-web: unexpected permanent authorization of unsigned applets
• MissingALACAdialog made available also for unsigned applications (but ignoring actual manifest value) and fixed
}}}",enhancement,closed,high,7.8,BOOK,SVN,normal,fixed,,