Package name
icedtea-web
Date
2013-04-19
Alert ID
MDVSA-2013:146
Affected versions
MES5 i586, MES5 x86_64

Problem description

Multiple vulnerabilities have been discovered and corrected in
icedtea-web:

It was discovered that the IcedTea-Web plug-in incorrectly used
the same class loader instance for applets with the same value of
the codebase attribute, even when they originated from different
domains. A malicious applet could use this flaw to gain information
about and possibly manipulate applets from different domains currently
running in the browser (CVE-2013-1926).

The IcedTea-Web plug-in did not properly check the format of the
downloaded Java Archive (JAR) files. This could cause the plug-in
to execute code hidden in a file in a different format, possibly
allowing attackers to execute code in the context of web sites
that allow uploads of specific file types, known as a GIFAR attack
(CVE-2013-1927).

The updated packages have been upgraded to version 1.3.2, which
is not affected by these issues.
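
A defensive upload check for the GIFAR case described above (CVE-2013-1927), added here as an example and not part of the advisory or of IcedTea-Web: it flags files that open with an image signature but end with a ZIP end-of-central-directory record, which is what lets a JAR loader read them. The function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"    # ZIP end-of-central-directory (EOCD) record
LOCAL_SIG = b"PK\x03\x04"   # ZIP local file header, first bytes of a plain JAR
IMAGE_MAGICS = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")

def has_zip_trailer(data: bytes) -> bool:
    """True if a structurally consistent EOCD record ends the file."""
    tail_start = max(0, len(data) - (22 + 0xFFFF))  # EOCD + max comment size
    pos = data.rfind(EOCD_SIG, tail_start)
    while pos != -1:
        if pos + 22 <= len(data):
            cd_size, _cd_offset, comment_len = struct.unpack(
                "<IIH", data[pos + 12:pos + 22])
            # The comment must run exactly to EOF and the central
            # directory must fit in the bytes that precede the record.
            if pos + 22 + comment_len == len(data) and cd_size <= pos:
                return True
        pos = data.rfind(EOCD_SIG, tail_start, pos)
    return False

def classify_upload(data: bytes) -> str:
    """Return 'image', 'archive', 'polyglot' or 'unknown'."""
    zip_tail = has_zip_trailer(data)
    if data.startswith(IMAGE_MAGICS):
        return "polyglot" if zip_tail else "image"
    if data.startswith(LOCAL_SIG):
        return "archive" if zip_tail else "unknown"
    # ZIP trailer behind some other prefix: not a plain JAR either.
    return "polyglot" if zip_tail else "unknown"

def constructed_jar() -> bytes:
    """Constructed sample: in-memory archive holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

# Constructed sample: GIF header, 1x1 screen descriptor, trailer byte.
GIF_STUB = b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00" + b";"

if __name__ == "__main__":
    for name, blob in (("gif", GIF_STUB), ("jar", constructed_jar()),
                       ("gif+jar", GIF_STUB + constructed_jar())):
        print(name, "->", classify_upload(blob))
```

A `polyglot` result is a reason to reject or re-encode the upload; the plug-in side of the issue is addressed by the 1.3.2 packages listed in this advisory.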

Updated packages

MES5 i586

 8a5205be2fa90ec7ceb265d003fb6319  mes5/i586/icedtea-web-1.3.2-0.1mdvmes5.2.i586.rpm
 82d1bba57c11c38d8a689006b3934195  mes5/i586/icedtea-web-javadoc-1.3.2-0.1mdvmes5.2.i586.rpm 
 367346ef59c0a54b1e84bef1689a1b79  mes5/SRPMS/icedtea-web-1.3.2-0.1mdvmes5.2.src.rpm

MES5 x86_64

 30d0305592522d22bd6c45c022d24256  mes5/x86_64/icedtea-web-1.3.2-0.1mdvmes5.2.x86_64.rpm
 36e06b40fe04616fc8b4a355b7d739e3  mes5/x86_64/icedtea-web-javadoc-1.3.2-0.1mdvmes5.2.x86_64.rpm 
 367346ef59c0a54b1e84bef1689a1b79  mes5/SRPMS/icedtea-web-1.3.2-0.1mdvmes5.2.src.rpm

References