File _patchinfo of Package patchinfo.1114

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.1114

<patchinfo incident="1114">
  <issue id="944209" tracker="bnc">VUL-0: CVE-2015-5234: icedtea-web: unexpected permanent authorization of unsigned applets</issue>
  <issue id="944208" tracker="bnc">VUL-0: CVE-2015-5235: icedtea-web: applet origin spoofing</issue>
  <issue id="CVE-2015-5235" tracker="cve" />
  <issue id="CVE-2015-5234" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>fstrba</packager>
  <description>
The Java IcedTea-Web Plugin was updated to 1.6.1 bringing
various features, bug- and securityfixes.

* Enabled Entry-Point attribute check
* permissions sandbox and signed app and unsigned app with
  permissions all-permissions now run in sandbox instead of not
t all.
* fixed DownloadService
* comments in deployment.properties now should persists load/save
* fixed bug in caching of files with query
* fixed issues with recreating of existing shortcut
* trustAll/trustNone now processed correctly
* headless no longer shows dialogues
* RH1231441 Unable to read the text of the buttons of the security
  dialogue
* Fixed RH1233697 icedtea-web: applet origin spoofing
  (CVE-2015-5235, bsc#944208)
* Fixed RH1233667 icedtea-web: unexpected permanent authorization
  of unsigned applets (CVE-2015-5234, bsc#944209)
* MissingALACAdialog made available also for unsigned applications
  (but ignoring actual manifest value) and fixed
* NetX
  - fixed issues with -html shortcuts
  - fixed issue with -html receiving garbage in width and height
* PolicyEditor
  - file flag made to work when used standalone
  - file flag and main argument cannot be used in combination

The update to 1.6 is included and brings:

* Massively improved offline abilities. Added Xoffline switch to
  force work without inet connection.
* Improved to be able to run with any JDK
* JDK 6 and older no longer supported
* JDK 8 support added (URLPermission granted if applicable)
* JDK 9 supported 
* Added support for Entry-Point manifest attribute
* Added KEY_ENABLE_MANIFEST_ATTRIBUTES_CHECK deployment property
  to control scan of Manifest file 
* starting arguments now accept also -- abbreviations
* Added new documentation
* Added support for menu shortcuts - both javaws
  applications/applets and html applets are supported
* added support for -html switch for javaws. Now you can run most
  of the applets without browser at all
* Control Panel
  - PR1856: ControlPanel UI improvement for lower resolutions
    (800*600)
* NetX
  - PR1858: Java Console accepts multi-byte encodings
  - PR1859: Java Console UI improvement for lower resolutions
    (800*600)
  - RH1091563: [abrt] icedtea-web-1.5-2.fc20: Uncaught exception
   java.lang.ClassCastException in method
   sun.applet.PluginAppletViewer$8.run()
  - Dropped support for long unmaintained -basedir argument
  - Returned support for -jnlp argument
  - RH1095311, PR574 -  References class sun.misc.Ref removed in
    OpenJDK 9 - fixed, and so buildable on JDK9
* Plugin
  - PR1743 - Intermittant deadlock in PluginRequestProcessor
  - PR1298 - LiveConnect - problem setting array elements (applet
    variables) from JS
  - RH1121549: coverity defects
  - Resolves method overloading correctly with superclass
    heirarchy distance
* PolicyEditor
  - codebases can be renamed in-place, copied, and pasted
  - codebase URLs can be copied to system clipboard
  - displays a progress dialog while opening or saving files
  - codebases without permissions assigned save to file anyway
    (and re-appear on next open)
  - PR1776: NullPointer on save-and-exit
  - PR1850: duplicate codebases when launching from security dialogs
  - Fixed bug where clicking "Cancel" on the "Save before Exiting"
    dialog could result in the editor exiting without saving
    changes
  - Keyboard accelerators and mnemonics greatly improved
  - "File - New" allows editing a new policy without first
    selecting the file to save to
* Common
  - PR1769: support signed applets which specify Sandbox
    permissions in their manifests
* Temporary Permissions in security dialog now multi-selectable
  and based on PolicyEditor permissions

The update to 1.5.2 brings OpenJDK 8 support (fate#318956)
* NetX
  - RH1095311, PR574 -  References class sun.misc.Ref removed in
    OpenJDK 9 - fixed, and so buildable on JDK9
  - RH1154177 - decoded file needed from cache
  - fixed NPE  in https dialog
  - empty codebase behaves  as "."
</description>
  <summary>Security update for icedtea-web</summary>
</patchinfo>

Places

File _patchinfo of Package patchinfo.1114

Places