Mageia alert MGASA-2012-0198 (icedtea-web) [LWN.net]


From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2012-0198: icedtea-web-1.1.6-1.mga1
 (1/core), icedtea-web-1.2.1-1.mga2 (2/core) 
Date:
    	       Fri, 3 Aug 2012 23:15:23 +0200
Message-ID:
    	       <20120803211523.GA29683@valstar.mageia.org>
Archive-link:
    	       Article, Thread
              
MGASA-2012-0198
Date: 	August 3rd, 2012
Affected releases: 	1, 2


Description:
Updated icedtea-web packages fix security vulnerabilities:

An uninitialized pointer use flaw was found in the IcedTea-Web plug-in.
Visiting a malicious web page could possibly cause a web browser using
the IcedTea-Web plug-in to crash, disclose a portion of its memory, or
execute arbitrary code (CVE-2012-3422).

It was discovered that the IcedTea-Web plug-in incorrectly assumed all
strings received from the browser were NUL terminated. When using the
plug-in with a web browser that does not NUL terminate strings, visiting
a web page containing a Java applet could possibly cause the browser to
crash, disclose a portion of its memory, or execute arbitrary code
(CVE-2012-3423).


Updated Packages:
Mageia 1:
icedtea-web-1.1.6-1.mga1
icedtea-web-javadoc-1.1.6-1.mga1

Mageia 2:
icedtea-web-1.2.1-1.mga2
icedtea-web-javadoc-1.2.1-1.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/201...
https://rhn.redhat.com/errata/RHSA-2012-1132.html
https://bugs.mageia.org/show_bug.cgi?id=6930
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...
(Log in to post comments)