Bug 16755

Summary: icedtea-web new security issues CVE-2015-5234 and CVE-2015-5235
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wrw105
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/657320/
Whiteboard: has_procedure advisory MGA5-32-OK mga5-64-ok
Source RPM: icedtea-web-1.5.2-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-09-14 23:58:37 CEST 
Two security issues have been fixed in icedtea-web 1.6.1 and 1.5.3:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html

Mageia 4 and Mageia 5 are also affected.

1.5 was supposed to no longer be supported, but the issue was serious enough that they issued an update for it.  We can use 1.5.3 for now, but we should update to 1.6 before too long.

Reproducible: 

Steps to Reproduce:
David Walser 2015-09-14 23:58:52 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-09-15 00:09:57 CEST 
There is no update for 1.4, which is what we still have on Mageia 4.  We decided to stop building updates for Mageia 4 at the end of last week unless they're really serious, which this may be, but it's a non-trivial update.  Calling this WONTFIX for Mageia 4.  All users of the Java plugin should update to Mageia 5 ASAP.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated icedtea-web packages fix security vulnerabilities:

It was discovered that IcedTea-Web did not properly sanitize applet URLs when
storing applet trust settings. A malicious web page could use this flaw to
inject trust-settings configuration, and cause applets to be executed without
user approval (CVE-2015-5234).

It was discovered that IcedTea-Web did not properly determine an applet's
origin when asking the user if the applet should be run. A malicious page
could use this flaw to cause IcedTea-Web to execute the applet without user
approval, or confuse the user into approving applet execution based on an
incorrectly indicated applet origin (CVE-2015-5235).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5235
https://bugzilla.redhat.com/show_bug.cgi?id=1233667
https://bugzilla.redhat.com/show_bug.cgi?id=1233697
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html
========================

Updated packages in core/updates_testing:
========================
icedtea-web-1.5.3-1.mga5
icedtea-web-javadoc-1.5.3-1.mga5

from icedtea-web-1.5.3-1.mga5.src.rpm

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
Severity: critical => major

Comment 2 David Walser 2015-09-15 00:11:35 CEST 
Oops, assigning to QA.  This is just the Java plugin.  See Comment 1 for advisory and package list.

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2015-09-15 20:47:21 CEST 
Working fine Mageia 5 i586 on various Java plugin test sites.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 4 Bill Wilkinson 2015-09-16 17:35:52 CEST 
Tested mga5-64 on javatester.org. Runs normally.

Validating. Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok
CC: (none) => wrw105, sysadmin-bugs

Comment 5 claire robinson 2015-09-17 17:01:05 CEST 
Advisory uploaded.

Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure advisory MGA5-32-OK mga5-64-ok

Comment 6 Mageia Robot 2015-09-17 20:03:31 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0376.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED