Bug 863107 - VUL-0: icedtea-web: version 1.4.2 fixes insecure temporary directory use
Status: RESOLVED DUPLICATE of bug 864364
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Michal Vyskocil
Security Team bot
Reported: 2014-02-10 17:14 UTC by Alexander Bergmann
Modified: 2014-02-19 13:05 UTC

Found By: Security Response Team
Description Alexander Bergmann 2014-02-10 17:14:55 UTC
Via OSS:12065

IcedTea-Web version 1.4.2 released earlier this week fixes an issue
related to handling of the directory that is used to store sockets for
communication between the in-browser plugin and the JVM running applets.  The
directory was usually created in /tmp, using a predictable name, and its
ownership and permissions were not checked.  This issue was reported by
Michael Scherer of Red Hat and was assigned CVE-2013-6493.

References:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a
http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663
https://bugzilla.redhat.com/show_bug.cgi?id=1010958
http://comments.gmane.org/gmane.comp.security.oss.general/12065
Comment 1 Alexander Bergmann 2014-02-10 17:18:09 UTC
This issue needs to be addressed for:

openSUSE:12.3
openSUSE:13.1
SLE-11-SP3

and the Factory channels.
Comment 2 Swamp Workflow Management 2014-02-11 23:00:11 UTC
bugbot adjusting priority
Comment 3 Michal Vyskocil 2014-02-19 10:09:48 UTC
I've made my own bug, sorry :)

*** This bug has been marked as a duplicate of bug 864364 ***