Bug 8020 - icedtea-web new security issue CVE-2012-4540
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
: http://lwn.net/Vulnerabilities/523621/
: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
: validated_update
Reported: 2012-11-08 19:00 CET by David Walser
Modified: 2012-11-09 00:38 CET

Source RPM: icedtea-web-1.3-1.mga2.src.rpm

Description David Walser 2012-11-08 19:00:13 CET
Red Hat has issued an advisory on November 7:
https://rhn.redhat.com/errata/RHSA-2012-1434.html

Updated packages uploaded for Mageia 1, Mageia 2, and Cauldron.

Advisory:
========================

Updated icedtea-web packages fix security vulnerability:

A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a
malicious web page could cause a web browser using the IcedTea-Web plug-in
to crash or, possibly, execute arbitrary code (CVE-2012-4540).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4540
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
https://rhn.redhat.com/errata/RHSA-2012-1434.html
========================

Updated packages in core/updates_testing:
========================
icedtea-web-1.1.7-1.mga1
icedtea-web-javadoc-1.1.7-1.mga1
icedtea-web-1.3.1-1.mga2
icedtea-web-javadoc-1.3.1-1.mga2

from SRPMS:
icedtea-web-1.1.7-1.mga1.src.rpm
icedtea-web-1.3.1-1.mga2.src.rpm

Comment 1 Dave Hodgins 2012-11-08 23:01:52 CET
No PoC, so just testing that a Java web applet works.  I'm using the
speed test under "Tools and Tips" at http://www.ody.ca/

Testing complete Mageia 1 and 2, i586 and x86-64.

Could someone from the sysadmin team push the srpm
icedtea-web-1.3.1-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
icedtea-web-1.1.7-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated icedtea-web packages fix security vulnerability:

A buffer overflow flaw was found in the IcedTea-Web plug-in. Visiting a
malicious web page could cause a web browser using the IcedTea-Web plug-in
to crash or, possibly, execute arbitrary code (CVE-2012-4540).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4540
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-November/020775.html
https://rhn.redhat.com/errata/RHSA-2012-1434.html

https://bugs.mageia.org/show_bug.cgi?id=8020

Comment 2 Thomas Backlund 2012-11-09 00:38:05 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0329
