The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project. It
also contains a configuration tool for managing deployment settings for the
plug-in and Web Start implementations.
It was discovered that the IcedTea-Web plug-in incorrectly used the same
class loader instance for applets with the same value of the codebase
attribute, even when they originated from different domains. A malicious
applet could use this flaw to gain information about and possibly
manipulate applets from different domains currently running in the browser.
(CVE-2013-1926)
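The sharing boundary described above, as an added Python illustration that is not IcedTea-Web's own code: the vulnerable cache keys a loader on the raw value of the `codebase` attribute, so pages on two different hosts that both declare `codebase="."` are handed one loader instance; the hardened variant resolves the attribute against the embedding document's URL first, so the key is an absolute location. The resolution-based key is an assumed illustration of the fix, not the project's exact patch, and `LoaderCache`, `resolved_codebase` and the sample URLs are constructed for this example.

```python
"""Added example (not IcedTea-Web code): how the class-loader cache key decides
which applets share one loader. Names and URLs here are constructed."""
from urllib.parse import urljoin, urlsplit, urlunsplit


def resolved_codebase(document_url: str, codebase: str) -> str:
    """Turn an applet's codebase attribute into an absolute, normalised URL.

    A relative value such as "." or "lib/" is resolved against the embedding
    document, so applets on different hosts can no longer collide on the same
    relative string. Scheme and host are lower-cased so spelling variants of
    one origin still map to one loader. Query and fragment are dropped.
    """
    absolute = urljoin(document_url, codebase or ".")
    parts = urlsplit(absolute)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


class LoaderCache:
    """Maps a key to a loader; object() stands in for a real class loader."""

    def __init__(self, isolate_by_resolved_codebase: bool) -> None:
        self.isolate = isolate_by_resolved_codebase
        self._loaders = {}

    def _key(self, document_url: str, codebase: str) -> str:
        if self.isolate:
            return resolved_codebase(document_url, codebase)
        # Vulnerable behaviour: the raw attribute is the whole key, so "." on
        # site-a.example and "." on site-b.example name the same entry.
        return codebase

    def loader_for(self, document_url: str, codebase: str) -> object:
        key = self._key(document_url, codebase)
        if key not in self._loaders:
            self._loaders[key] = object()
        return self._loaders[key]


def share_loader(cache: LoaderCache, doc_a: str, doc_b: str, codebase: str) -> bool:
    """True when the two documents would be served by the same loader instance."""
    return cache.loader_for(doc_a, codebase) is cache.loader_for(doc_b, codebase)


# Constructed sample documents on two unrelated hosts, same relative codebase.
SITE_A = "http://site-a.example/applets/page.html"
SITE_B = "http://site-b.example/applets/page.html"


def demo() -> dict:
    vulnerable = LoaderCache(isolate_by_resolved_codebase=False)
    fixed = LoaderCache(isolate_by_resolved_codebase=True)
    return {
        "vulnerable_shares_across_hosts": share_loader(vulnerable, SITE_A, SITE_B, "."),
        "fixed_shares_across_hosts": share_loader(fixed, SITE_A, SITE_B, "."),
        # Same origin, different page and capitalisation: sharing is expected.
        "fixed_shares_same_origin": share_loader(
            fixed, SITE_A, "HTTP://Site-A.Example/applets/other.html", "."
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the resolved key is that the isolation unit becomes the absolute location the code is actually loaded from, which is also what the Java applet security model treats as the code's origin; two pages that legitimately point at the same absolute codebase still share a loader.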
The IcedTea-Web plug-in did not properly check the format of the downloaded
Java Archive (JAR) files. This could cause the plug-in to execute code
hidden in a file in a different format, possibly allowing attackers to
execute code in the context of web sites that allow uploads of specific
file types, known as a GIFAR attack. (CVE-2013-1927)
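A format check of the kind the plug-in lacked, as an added Python example that is not IcedTea-Web's code and is written from the point of view of a server-side upload filter or a download scanner: a file is accepted as a JAR only if it is a plain ZIP archive from byte 0. Python's `zipfile` locates the central directory from the end of the file, which is why it (like the plug-in described above) will happily open an archive that has an image in front of it; the check below therefore tests the leading bytes and the entry offsets rather than trusting that the archive opens. The sample archives, entry names and the `validate_jar` helper are constructed for the example.

```python
"""Added example (not IcedTea-Web code): reject files presented as JARs that are
not plain ZIP archives from byte 0, e.g. an image with an archive appended.
The sample archives below are constructed in memory."""
import io
import zipfile
from typing import Optional

ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"


def validate_jar(data: bytes) -> Optional[str]:
    """Return None if data looks like a plain JAR, otherwise a short reason.

    zipfile finds the central directory from the end of the file, so it opens
    an archive that has other data in front of it. That is the property a
    polyglot relies on, so the start of the file and the recorded entry
    offsets are checked as well.
    """
    if len(data) < 4 or data[:4] != ZIP_LOCAL_FILE_HEADER:
        return "does not start with a ZIP local file header"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if not infos:
                return "archive has no entries"
            # zipfile shifts header_offset by the amount of leading data it
            # had to skip; a clean archive has its first entry at offset 0.
            if min(info.header_offset for info in infos) != 0:
                return "first entry does not start at offset 0 (leading data present)"
            # Every entry must decompress and match its stored CRC.
            bad = zf.testzip()
            if bad is not None:
                return "corrupt entry: " + bad
    except zipfile.BadZipFile as exc:
        return "not a ZIP archive: " + str(exc)
    return None


def build_sample_jar() -> bytes:
    """Constructed stand-in for a downloaded JAR; entry contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Example.class", b"\xca\xfe\xba\xbe" + bytes(8))
    return buf.getvalue()


def demo() -> dict:
    """Run the check over a clean archive and three constructed bad inputs."""
    jar = build_sample_jar()
    return {
        "plain_jar": validate_jar(jar),
        # Image signature in front of a real archive: the polyglot shape.
        "image_prefix": validate_jar(b"GIF89a" + jar),
        # Looks like a ZIP at byte 0 but the real entries sit further in.
        "fake_header_prefix": validate_jar(ZIP_LOCAL_FILE_HEADER + bytes(26) + jar),
        "not_zip": validate_jar(b"GIF89a\x01\x00\x01\x00"),
    }


if __name__ == "__main__":
    for name, reason in demo().items():
        print(name, "ok" if reason is None else reason)
```

The first test alone already rejects an image-led file, because a valid GIF, JPEG or PNG cannot begin with the ZIP signature; the offset test is the belt-and-braces half that also catches archives with arbitrary leading data, and the integrity pass ensures every entry really is what the central directory claims.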
The CVE-2013-1926 issue was discovered by Jiri Vanek of the Red Hat OpenJDK
Team, and CVE-2013-1927 was discovered by the Red Hat Security Response
Team.
This erratum also upgrades IcedTea-Web to version 1.2.3. Refer to the NEWS
file, linked to in the References, for further information.
All IcedTea-Web users should upgrade to these updated packages, which
resolve these issues. Web browsers using the IcedTea-Web browser plug-in
must be restarted for this update to take effect.
OS | OS Version | Architecture | Package | Affected Version | Fixed Package File |
---|---|---|---|---|---|
RedHat | 6 | i686 | icedtea-web | < 1.2.3-2.el6_4 | icedtea-web-1.2.3-2.el6_4.i686.rpm |
RedHat | 6 | x86_64 | icedtea-web | < 1.2.3-2.el6_4 | icedtea-web-1.2.3-2.el6_4.x86_64.rpm |
RedHat | 6 | src | icedtea-web | < 1.2.3-2.el6_4 | icedtea-web-1.2.3-2.el6_4.src.rpm |
RedHat | 6 | i686 | icedtea-web-debuginfo | < 1.2.3-2.el6_4 | icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm |
RedHat | 6 | x86_64 | icedtea-web-debuginfo | < 1.2.3-2.el6_4 | icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm |
RedHat | 6 | i686 | icedtea-web-javadoc | < 1.2.3-2.el6_4 | icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm |
RedHat | 6 | x86_64 | icedtea-web-javadoc | < 1.2.3-2.el6_4 | icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm |