Bug 773458 - VUL-0: icedtea-web: security issue
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
maint:released:sle11-sp2:48546
Reported: 2012-07-27 13:53 UTC by Marcus Meissner
Modified: 2012-09-04 07:00 UTC (History)

Description Marcus Meissner 2012-07-27 13:53:39 UTC
NOT PUBLIC YET, keep inside SUSE

CRD July 31st 2012, 2PM EDT. (proposed)

CVE-2012-3422 and CVE-2012-3423

heap buffer overflows in the IcedTea plugin implementation of java-1_6_0-openjdk.

(tarballs were sent via separate email)
Comment 1 Swamp Workflow Management 2012-07-27 22:00:08 UTC
bugbot adjusting priority
Comment 2 Michal Vyskocil 2012-08-02 11:22:57 UTC
submitted

11.4: 129645
12.1: 129648
12.2: 129646
factory: 129647

sle-11: 21039
Comment 3 Swamp Workflow Management 2012-08-02 11:39:59 UTC
The SWAMPID for this issue is 48544.
This issue was rated as important.
Please submit fixed packages until 2012-08-09.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 4 Bernhard Wiedemann 2012-08-02 12:00:11 UTC
This is an autogenerated message for OBS integration:
This bug (773458) was mentioned in
https://build.opensuse.org/request/show/129647 Factory / icedtea-web
Comment 5 Michal Vyskocil 2012-08-08 12:46:13 UTC
There is a regression [1] with FF 14 that causes a plugin crash. I am going to resubmit the package with a fix [2], so we won't get into trouble when FF will be updated.

[1] http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1106
[2] http://icedtea.classpath.org//hg/release/icedtea-web-1.2?cmd=changeset;node=f6cdd8639a8d
Comment 6 Michal Vyskocil 2012-08-08 13:12:05 UTC
resubmitted

factory: 130401
12.2:    130403
12.1:    130404
11.4:    130406

sle-11: 21208
Comment 7 Matthias Weckbecker 2012-08-09 12:03:43 UTC
released
Comment 8 Swamp Workflow Management 2012-08-09 14:49:11 UTC
Update released for: icedtea-web, icedtea-web-debuginfo, icedtea-web-debugsource, icedtea-web-javadoc
Products:
SLE-DEBUGINFO 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
Comment 9 Swamp Workflow Management 2012-08-09 14:53:14 UTC
Update released for: icedtea-web, icedtea-web-debuginfo, icedtea-web-debugsource, icedtea-web-javadoc
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
Comment 10 Swamp Workflow Management 2012-08-10 19:08:40 UTC
openSUSE-SU-2012:0981-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 773458
CVE References: CVE-2012-3422,CVE-2012-3423
Sources used:
openSUSE 12.1 (src):    icedtea-web-1.2.1-6.1
openSUSE 11.4 (src):    icedtea-web-1.2.1-0.13.1
Comment 11 Swamp Workflow Management 2012-08-13 07:08:50 UTC
openSUSE-SU-2012:0982-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 773458
CVE References: CVE-2012-3422,CVE-2012-3423
Sources used:
openSUSE 12.1 (src):    icedtea-web-1.2.1-10.1
openSUSE 11.4 (src):    icedtea-web-1.2.1-0.17.1
Comment 12 Michal Vyskocil 2012-08-20 12:13:34 UTC
*** Bug 755054 has been marked as a duplicate of this bug. ***
Comment 13 Michal Vyskocil 2012-08-20 12:16:13 UTC
Hello, the

https://build.suse.de/request/show/21208

has been auto-declined as it does not build on ppc. However, icedtea-web is a SLED thing only, so please make a new update including the Firefox crash fix.

BTW: may I resubmit it with ExclusiveArch: %ix86 x86_64?
Comment 14 Michal Vyskocil 2012-08-20 12:17:44 UTC
setting the needinfo:

BTW: openSUSE has been released with the patch, so only sle11 needs to be released again
Comment 15 Marcus Meissner 2012-08-20 12:21:45 UTC
making it exclusivearch is fine by us.
Comment 16 Michal Vyskocil 2012-08-20 12:38:47 UTC
ok, resubmitted with ExclusiveArch to ignore build errors on non-Intel arches

https://build.suse.de/request/show/21410
Comment 17 Marcus Meissner 2012-08-22 16:06:27 UTC
Michal, we released the sle11 version already.

Do we need to push this out too with the current Firefox 10ESR we use?
Comment 18 Michal Vyskocil 2012-08-23 06:41:36 UTC
(In reply to comment #17)
> michal, we released the sle11 version already.
> 
> do we need to push this out too with the current FIrefox 10ESR we use?

Yes, bnc#755054 has been reported for SLED.

I have the following firefox packages installed: 
MozillaFirefox-10.0.3-0.7.1
MozillaFirefox-branding-SLED-7-0.6.7.7

Thus the issue appears with FF 10, even though it was originally reported on FF 14 only.
Comment 19 Swamp Workflow Management 2012-08-23 08:22:30 UTC
The SWAMPID for this issue is 48829.
This issue was rated as moderate.
Please submit fixed packages until 2012-09-06.
Also create a patchinfo file using this link:
https://swamp.suse.de/webswamp/wf/48829
Comment 20 Marcus Meissner 2012-08-23 09:18:06 UTC
maint-coord will handle the regression, tracking is in bug 755054
Comment 21 Bernhard Wiedemann 2012-08-31 12:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (773458) was mentioned in
https://build.opensuse.org/request/show/132152 Evergreen:11.2 / icedtea-web
Comment 22 Bernhard Wiedemann 2012-09-04 07:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (773458) was mentioned in
https://build.opensuse.org/request/show/132464 Evergreen:11.2 / icedtea-web