Bug 864364 - (CVE-2013-6493) VUL-1: CVE-2013-6493: icedtea-web 1.4.2 released
Status: RESOLVED FIXED
Duplicates: 863107
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
maint:released:sle11-sp3:56310
Reported: 2014-02-18 10:25 UTC by Michal Vyskocil
Modified: 2014-03-19 17:26 UTC (History)
Found By: Development
Description Michal Vyskocil 2014-02-18 10:25:27 UTC
Already public

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html

New in release 1.4.2 (2014-02-05):
* Dialogs center on screen before becoming visible
* Support for u45 new manifest attributes (Application-Name)
* Custom applet permission policies panel in itweb-settings control panel
* Plugin
   - PR1271: icedtea-web does not handle 'javascript:'-protocol URLs
   - RH976833: Multiple applets on one page cause deadlock
   - Enabled javaconsole
   - RH1010958: insecure temporary file use flaw in LiveConnect implementation


In addition to the above:
  - Christmas splashscreen extension
  - fixed classloading deadlocks
  - cleaned code from warnings
  - pipes moved to XDG runtime dir

RH1010958 is https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6493
Comment 1 Bernhard Wiedemann 2014-02-18 14:00:52 UTC
This is an autogenerated message for OBS integration:
This bug (864364) was mentioned in
https://build.opensuse.org/request/show/222715 Factory / icedtea-web
https://build.opensuse.org/request/show/222716 13.1 / icedtea-web
https://build.opensuse.org/request/show/222717 12.3 / icedtea-web
Comment 3 Bernhard Wiedemann 2014-02-18 15:00:53 UTC
This is an autogenerated message for OBS integration:
This bug (864364) was mentioned in
https://build.opensuse.org/request/show/222724 Factory / icedtea-web
Comment 4 Swamp Workflow Management 2014-02-18 23:00:19 UTC
bugbot adjusting priority
Comment 5 Michal Vyskocil 2014-02-19 10:09:48 UTC
*** Bug 863107 has been marked as a duplicate of this bug. ***
Comment 6 Michal Vyskocil 2014-02-19 10:10:45 UTC
An original announcement

Alexander Bergmann 2014-02-10 17:14:55 UTC

Via OSS:12065

IcedTea-Web version 1.4.2, released earlier this week, fixes an issue
related to handling of the directory that is used to store sockets for
communication between the in-browser plugin and the JVM running applets.  The
directory was usually created in /tmp, using a predictable name, and its
ownership and permissions were not checked.  This issue was reported by
Michael Scherer of Red Hat and was assigned CVE-2013-6493.

References:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a
http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663
https://bugzilla.redhat.com/show_bug.cgi?id=1010958
http://comments.gmane.org/gmane.comp.security.oss.general/12065
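
The announcement quoted in Comment 6 describes a socket directory in /tmp with a predictable name and no ownership or permission check, and the release notes list "pipes moved to XDG runtime dir". The C code below is an added example, not code from IcedTea-Web or from this bug report, showing one way to perform those checks; the function names and the directory name `example-plugin` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 0 if `path` is a real directory (not a symlink),
 * owned by the calling user, with no group/other access; -1 otherwise. */
int dir_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)                 /* lstat: never follow a symlink */
        return -1;
    if (!S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != geteuid())                /* someone else created it first */
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO))      /* must be 0700 or tighter */
        return -1;
    return 0;
}

/* Hypothetical helper: pick a directory for the plugin<->JVM pipes.
 * Prefers $XDG_RUNTIME_DIR; otherwise falls back to mkdtemp(), which
 * creates a 0700 directory with an unpredictable name. Returns 0 or -1. */
int make_pipe_dir(char *out, size_t outlen)
{
    const char *rt = getenv("XDG_RUNTIME_DIR");
    int n;

    if (rt != NULL && rt[0] == '/' && dir_is_private(rt) == 0) {
        n = snprintf(out, outlen, "%s/example-plugin", rt);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        if (mkdir(out, 0700) != 0 && errno != EEXIST)
            return -1;
        return dir_is_private(out);            /* re-check even if it pre-existed */
    }
    n = snprintf(out, outlen, "/tmp/example-plugin-XXXXXX");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) != NULL ? dir_is_private(out) : -1;
}
```

A caller should treat a -1 return as fatal rather than retrying with a fixed path, since a pre-existing directory that fails the check may have been planted by another local user.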
Comment 7 SMASH SMASH 2014-02-19 13:19:48 UTC
Affected packages:

SLE-11-SP3: icedtea-web
SLE-11-SP2: icedtea-web
Comment 8 Swamp Workflow Management 2014-02-28 11:04:21 UTC
openSUSE-SU-2014:0310-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 864364
CVE References: CVE-2013-6493
Sources used:
openSUSE 13.1 (src):    icedtea-web-1.4.2-4.1
openSUSE 12.3 (src):    icedtea-web-1.4.2-4.26.1
Comment 10 Marcus Meissner 2014-03-19 09:02:39 UTC
released
Comment 11 Swamp Workflow Management 2014-03-19 12:45:47 UTC
Update released for: icedtea-web, icedtea-web-debuginfo, icedtea-web-debugsource, icedtea-web-javadoc
Products:
SLE-DEBUGINFO 11-SP3 (i386, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
Comment 12 Swamp Workflow Management 2014-03-19 16:04:24 UTC
SUSE-SU-2014:0397-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 864364
CVE References: CVE-2013-6493
Sources used:
SUSE Linux Enterprise Desktop 11 SP3 (src):    icedtea-web-1.4.2-0.7.1