LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Scientific Linux alert SL-iced-20110727 (icedtea-web)



From:
    	      Troy Dawson <dawson@fnal.gov> 


To:
    	      "scientific-linux-errata@fnal.gov" <scientific-linux-errata@fnal.gov> 


Subject:
    	      Security ERRATA Moderate: icedtea-web on SL6.x i386/x86_64 


Date:
    	      Thu, 28 Jul 2011 15:00:36 -0500


Message-ID:
    	      <4E31BFE4.9050908@fnal.gov>


Archive-link:
    	      Article, Thread
              


Synopsis:    Moderate: icedtea-web security update
Issue Date:  2011-07-27
CVE Numbers: CVE-2011-2513
              CVE-2011-2514


The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project. It
also contains a configuration tool for managing deployment settings for 
the plug-in and Web Start implementations.

A flaw was discovered in the JNLP (Java Network Launching Protocol)
implementation in IcedTea-Web. An unsigned Java Web Start application
could use this flaw to manipulate the content of a Security Warning
dialog box, to trick a user into granting the application unintended 
access permissions to local files. (CVE-2011-2514)

An information disclosure flaw was discovered in the JNLP implementation 
in IcedTea-Web. An unsigned Java Web Start application or Java applet 
could use this flaw to determine the path to the cache directory used to 
store downloaded Java class and archive files, and therefore determine 
the user's login name. (CVE-2011-2513)

All icedtea-web users should upgrade to these updated packages, which
contain backported patches to correct these issues.

SL6:
   i386
      icedtea-web-1.0.4-2.el6_1.i686.rpm
      icedtea-web-javadoc-1.0.4-2.el6_1.i686.rpm
   x86_64
      icedtea-web-1.0.4-2.el6_1.x86_64.rpm
      icedtea-web-javadoc-1.0.4-2.el6_1.x86_64.rpm

- Scientific Linux Development Team
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds