ArchLinux: 201509-6: icedtea-web: multiple issues
Summary
- CVE-2015-5234 (unexpected permanent authorization of unsigned applets)
It was discovered that IcedTea-Web did not properly sanitize applet URLs
when storing applet trust settings. A malicious web page could use this
flaw to inject trust-settings configuration, and cause applets to be
executed without user approval.
- CVE-2015-5235 (applet origin spoofing)
It was discovered that IcedTea-Web did not properly determine an
applet's origin when asking the user if the applet should be run. A
malicious page could use this flaw to cause IcedTea-Web to execute the
applet without user approval, or confuse the user into approving applet
execution based on an incorrectly indicated applet origin.
Resolution
Upgrade to 1.6.1-1.
# pacman -Syu "icedtea-web>=1.6.1-1"
The problem has been fixed upstream in version 1.6.1.
References
https://mail.openjdk.org/pipermail/distro-pkg-dev/2015-September/033546.html https://access.redhat.com/security/cve/CVE-2015-5234 https://access.redhat.com/security/cve/CVE-2015-5235
Workaround
None.