Bug 12654 - icedtea-web new security issue CVE-2013-6493
Summary: icedtea-web new security issue CVE-2013-6493
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584750/
Whiteboard: MGA3TOO advisory has_procedure mga4-6...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-02-07 18:11 CET by David Walser
Modified: 2014-02-10 21:33 CET (History)

See Also:
Source RPM: icedtea-web-1.4.1-3.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-02-07 18:11:00 CET
Fedora has issued an advisory on February 6:
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127944.html

The issue was fixed upstream in 1.4.2, announced on February 5:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html

LWN reference for the other RH bug noted as fixed in that release:
http://lwn.net/Vulnerabilities/584747/

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated icedtea-web packages fix security vulnerability:

LiveConnect provides a gateway between the JavaScript engine in the web
browser and Java applets. An insecure temporary file use flaw was found in
the LiveConnect implementation in the IcedTea-Web browser plug-in. A
malicious, local user could possibly use this flaw to inject or read the
communication between a Java applet and web browser of a different user's
session (CVE-2013-6493).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6493
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127944.html
========================

Updated packages in core/updates_testing:
========================
icedtea-web-1.4.2-1.mga3
icedtea-web-javadoc-1.4.2-1.mga3
icedtea-web-1.4.2-1.mga4
icedtea-web-javadoc-1.4.2-1.mga4

from SRPMS:
icedtea-web-1.4.2-1.mga3.src.rpm
icedtea-web-1.4.2-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-07 18:11:07 CET

Whiteboard: (none) => MGA3TOO

David Walser 2014-02-07 18:11:18 CET

Component: Release (media or process) => Security
QA Contact: (none) => security
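The advisory above names the flaw class (insecure temporary file use in a channel shared between two components of the same user's session) but not the code path, and this page does not reproduce it. The following is an added example, not IcedTea-Web's code and not from the bug report: it demonstrates the general POSIX pattern behind that class, a file with a guessable name in a shared directory, created without O_EXCL and with a world-readable mode, next to the hardened pattern (random name under a fresh mode-0700 directory, O_EXCL, mode 0600), an audit function that reports what a local attacker could do with such a file, and a same-user simulation of the pre-creation race. The channel name, the sandbox "shared" directory and the attacker bytes are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Constructed name for the demonstration; the real IcedTea-Web path is not
# on the advisory page and is not reproduced here.
CHANNEL_NAME = "demo-plugin-channel"


def make_shared_dir():
    """A stand-in for /tmp: world-writable with the sticky bit (mode 1777)."""
    d = tempfile.mkdtemp(prefix="shared-")
    os.chmod(d, 0o1777)
    return d


def insecure_channel(shared_dir, name):
    """The flaw class the advisory names: fixed, guessable name in a shared
    directory, no O_EXCL (an attacker-created file or symlink at that path is
    silently reused) and a world-readable mode. The mode is pinned to 0644,
    the usual result of umask 022, so the demo does not depend on the umask."""
    path = os.path.join(shared_dir, name)
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o644)
    os.fchmod(fd, 0o644)
    os.close(fd)
    return path


def private_channel(prefix="plugin-"):
    """Hardened pattern: random name under a fresh mode-0700 directory, file
    created atomically with O_EXCL (a pre-existing file or symlink fails),
    O_NOFOLLOW where the platform has it, and mode 0600 regardless of umask."""
    base = tempfile.mkdtemp(prefix=prefix)  # mkdtemp creates with mode 0700
    path = os.path.join(base, "channel")
    flags = os.O_CREAT | os.O_EXCL | os.O_WRONLY | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    os.fchmod(fd, 0o600)
    os.close(fd)
    return path


def audit_channel(path):
    """List what a local attacker could do with a file used as an IPC channel."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink: writes may be redirected"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by other users")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by other users")
    if st.st_uid != os.geteuid():
        findings.append("owned by another user")
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
        findings.append("predictable name in a shared directory: "
                        "can be pre-created or symlinked before use")
    return findings


def precreation_attack(shared_dir, name):
    """Simulate the race: an attacker who knows the name creates the file
    first and writes into it. The insecure open (no O_EXCL, no O_TRUNC)
    reuses that file, so the victim reads attacker-controlled bytes; an
    O_EXCL open refuses. Returns (victim_saw_attacker_data, exclusive_refused)."""
    path = os.path.join(shared_dir, name)
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
    os.write(fd, b"attacker-controlled")
    os.close(fd)
    insecure_channel(shared_dir, name)  # the victim "creates" its channel
    with open(path, "rb") as f:
        victim_saw = f.read() == b"attacker-controlled"
    try:
        os.close(os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
        refused = False
    except FileExistsError:
        refused = True
    return victim_saw, refused


def demo():
    """Run both patterns in a throwaway sandbox and return the results."""
    shared = make_shared_dir()
    try:
        bad = insecure_channel(shared, CHANNEL_NAME)
        bad_findings = audit_channel(bad)
        os.unlink(bad)
        victim_saw, refused = precreation_attack(shared, CHANNEL_NAME)
        good = private_channel()
        good_findings = audit_channel(good)
        shutil.rmtree(os.path.dirname(good))
    finally:
        shutil.rmtree(shared)
    return {"insecure": bad_findings, "private": good_findings,
            "injected": victim_saw, "exclusive_refused": refused}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the audit of both channels and the outcome of the simulated race. The simulation runs everything as one user; on a real multi-user host the insecure pattern is what lets a different local account read or pre-seed the channel. Newer Linux kernels' fs.protected_regular sysctl refuses O_CREAT opens of files owned by another user in world-writable sticky directories, which blunts the pre-creation half of this class but not the readable-by-others half, and the kernels of the era of this update predate it.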

Comment 1 Bill Wilkinson 2014-02-09 03:59:15 CET
tested mga4-64

Installed and tested functionality. Verified version with about:config in Firefox, ran version test at javatester.com. All OK.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok

Comment 2 Bill Wilkinson 2014-02-09 04:14:43 CET
tested mga4-32 as above, all OK.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok

Comment 3 Bill Wilkinson 2014-02-09 04:20:23 CET
Tested mga3-64 as above, results ok.

Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok

Comment 4 Bill Wilkinson 2014-02-09 04:31:59 CET
Tested mga3-32 as above, results OK.

Ready to validate when advisory uploaded to svn.

Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok

Comment 5 claire robinson 2014-02-10 15:59:11 CET
Advisory uploaded (with unintentional commit msg).

Validating.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO advisory has_procedure mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok

Comment 6 Thomas Backlund 2014-02-10 21:33:01 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0049.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

