Two security issues have been fixed in icedtea-web 1.6.1 and 1.5.3:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html

Mageia 4 and Mageia 5 are also affected. 1.5 was supposed to no longer be supported, but the issue was serious enough that they issued an update for it. We can use 1.5.3 for now, but we should update to 1.6 before too long.
Whiteboard: (none) => MGA5TOO, MGA4TOO
There is no update for 1.4, which is what we still have on Mageia 4. We decided to stop building updates for Mageia 4 at the end of last week unless they're really serious, which this may be, but it's a non-trivial update. Calling this WONTFIX for Mageia 4. All users of the Java plugin should update to Mageia 5 ASAP.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated icedtea-web packages fix security vulnerabilities:

It was discovered that IcedTea-Web did not properly sanitize applet URLs when storing applet trust settings. A malicious web page could use this flaw to inject trust-settings configuration, and cause applets to be executed without user approval (CVE-2015-5234).

It was discovered that IcedTea-Web did not properly determine an applet's origin when asking the user if the applet should be run. A malicious page could use this flaw to cause IcedTea-Web to execute the applet without user approval, or confuse the user into approving applet execution based on an incorrectly indicated applet origin (CVE-2015-5235).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5234
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5235
https://bugzilla.redhat.com/show_bug.cgi?id=1233667
https://bugzilla.redhat.com/show_bug.cgi?id=1233697
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html
========================

Updated packages in core/updates_testing:
========================
icedtea-web-1.5.3-1.mga5
icedtea-web-javadoc-1.5.3-1.mga5

from icedtea-web-1.5.3-1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
Severity: critical => major
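The first advisory item (CVE-2015-5234) is a classic case of untrusted input written into a line-based configuration store without escaping. The following is an added illustration written for this bug report, not IcedTea-Web's own code: it models a hypothetical one-record-per-line "applet trust settings" file (`<decision> <codebase-url>`) and contrasts a naive writer, which lets a codebase URL containing a line break smuggle in a second record, with a hardened writer that validates and canonicalises the URL before storing it. The file format, the function names and the `.test` URLs are all constructed for the example.

```python
"""Illustrative trust-settings store (added example, not IcedTea-Web code).

Assumed record format, one entry per line:  <decision> <codebase-url>
Decisions are ALWAYS (run without asking) or NEVER.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

ALLOW = "ALWAYS"
DENY = "NEVER"

# Constructed, hostile codebase value: a newline inside the URL carries a
# second, attacker-chosen record that the user never approved.
INJECTED_CODEBASE = "http://example.test/app\nALWAYS http://victim.test/"


def parse_store(store: str) -> List[Tuple[str, str]]:
    """Read the store back as (decision, codebase) pairs."""
    entries = []
    for line in store.splitlines():
        if not line.strip():
            continue
        decision, _, url = line.partition(" ")
        entries.append((decision, url))
    return entries


def write_entry_naive(store: str, decision: str, codebase: str) -> str:
    """Vulnerable variant: the codebase is interpolated verbatim, so any
    line break or separator inside it becomes part of the file syntax."""
    return store + f"{decision} {codebase}\n"


def canonical_codebase(codebase: str) -> str:
    """Hardened helper: reject anything that could break the record format
    and return a normalised form so that lookups compare like with like.
    This is also the form that should be shown to the user when asking
    for approval, so the displayed origin matches what is stored."""
    if any(ord(ch) < 0x20 or ch in " \t\x7f" for ch in codebase):
        raise ValueError("codebase contains control or whitespace characters")
    parts = urlsplit(codebase)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError("codebase must be an absolute http(s) URL with a host")
    host = parts.hostname.lower()
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    # Drop query/fragment: trust is attached to the code location only.
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", "", ""))


def write_entry_safe(store: str, decision: str, codebase: str) -> str:
    """Hardened variant: validate both fields before writing."""
    if decision not in (ALLOW, DENY):
        raise ValueError(f"unknown decision {decision!r}")
    return store + f"{decision} {canonical_codebase(codebase)}\n"


def is_trusted(store: str, codebase: str) -> bool:
    """True if the last stored decision for this codebase is ALWAYS."""
    wanted = canonical_codebase(codebase)
    decision: Optional[str] = None
    for stored_decision, stored_url in parse_store(store):
        if stored_url == wanted:
            decision = stored_decision
    return decision == ALLOW


if __name__ == "__main__":
    naive = write_entry_naive("", DENY, INJECTED_CODEBASE)
    print("naive store records:", parse_store(naive))
    print("victim.test trusted via injection:", is_trusted(naive, "http://victim.test/"))
    try:
        write_entry_safe("", DENY, INJECTED_CODEBASE)
    except ValueError as exc:
        print("hardened writer rejected it:", exc)
```

The user in the naive case answered "never" for `example.test`, yet the store ends up granting `victim.test` silent execution; the hardened writer refuses the value outright, and because lookups go through the same canonicaliser, case or port variations of an approved URL cannot be used to slip past a stored decision either.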
Oops, assigning to QA. This is just the Java plugin. See Comment 1 for advisory and package list.
Assignee: bugsquad => qa-bugs
Working fine on Mageia 5 i586 with various Java plugin test sites.
Whiteboard: has_procedure => has_procedure MGA5-32-OK
Tested mga5-64 on javatester.org. Runs normally. Validating. Ready for push when advisory uploaded to svn.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK mga5-64-ok
CC: (none) => wrw105, sysadmin-bugs
Advisory uploaded.
Whiteboard: has_procedure MGA5-32-OK mga5-64-ok => has_procedure advisory MGA5-32-OK mga5-64-ok
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0376.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED