Security Advisory Moderate: icedtea-web security update

Advisory: RHSA-2013:0753-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-04-17
Last updated on: 2013-04-17
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.4)
Red Hat Enterprise Linux Server EUS (v. 6.4.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2013-1926
CVE-2013-1927

Details

Updated icedtea-web packages that fix two security issues are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project. It
also contains a configuration tool for managing deployment settings for the
plug-in and Web Start implementations.

It was discovered that the IcedTea-Web plug-in incorrectly used the same
class loader instance for applets with the same value of the codebase
attribute, even when they originated from different domains. A malicious
applet could use this flaw to gain information about and possibly
manipulate applets from different domains currently running in the browser.
(CVE-2013-1926)
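To make the sharing problem concrete, here is a small Python sketch added for this advisory (it is not IcedTea-Web's code): one loader cache is keyed on the raw codebase attribute, as the flaw describes, and a second, assumed hardened variant keys on the codebase resolved against the embedding document's URL, so two pages on different hosts that both declare `codebase="."` no longer collide. The class and function names are assumptions for the example.

```python
from urllib.parse import urljoin, urlsplit

class AppletClassLoader:
    """Stand-in for a per-applet class loader; only its identity matters here."""
    def __init__(self, key):
        self.key = key

# Flawed scheme, as the advisory describes it: the cache is keyed on the raw
# codebase attribute, so pages on different hosts that both declare
# codebase="." are handed the same loader and can see each other's classes.
_weak_cache = {}

def weak_loader(document_url, codebase_attr):
    if codebase_attr not in _weak_cache:
        _weak_cache[codebase_attr] = AppletClassLoader(codebase_attr)
    return _weak_cache[codebase_attr]

# Hardened scheme (an assumption for this example, not IcedTea-Web's fix):
# resolve the attribute against the document URL first, then key on the
# resulting origin (scheme, host, port) together with the resolved path.
_strong_cache = {}

def resolved_origin_key(document_url, codebase_attr):
    u = urlsplit(urljoin(document_url, codebase_attr))
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname, port, u.path)

def strong_loader(document_url, codebase_attr):
    key = resolved_origin_key(document_url, codebase_attr)
    if key not in _strong_cache:
        _strong_cache[key] = AppletClassLoader(key)
    return _strong_cache[key]

if __name__ == "__main__":
    # Constructed inputs: the same relative codebase on two different hosts.
    a, b = "http://a.example/page.html", "http://b.example/page.html"
    print("weak shares loader:", weak_loader(a, ".") is weak_loader(b, "."))
    print("strong shares loader:", strong_loader(a, ".") is strong_loader(b, "."))
```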

The IcedTea-Web plug-in did not properly check the format of the downloaded
Java Archive (JAR) files. This could cause the plug-in to execute code
hidden in a file in a different format, possibly allowing attackers to
execute code in the context of web sites that allow uploads of specific
file types, known as a GIFAR attack. (CVE-2013-1927)
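The following Python check, added here as an illustration and not taken from IcedTea-Web, shows the kind of format validation the fix implies: it rejects an archive that does not begin at byte zero, which is how a file in another format with a JAR appended is laid out, while a tolerant ZIP reader still opens the same bytes. The function names and the in-memory sample archive are constructed for the example.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # first bytes of every well-formed ZIP/JAR
EOCD_SIG = b"PK\x05\x06"           # end-of-central-directory record signature

def jar_has_clean_framing(data: bytes) -> bool:
    """Accept only a ZIP/JAR whose archive starts at byte 0.

    ZIP readers (Python's zipfile included) tolerate arbitrary bytes before
    the first local header, which is what lets a file in another format with
    an archive appended still open as a JAR. Two independent checks reject it:
      1. the file must begin with a local file header signature;
      2. the central-directory offset stored in the EOCD record must match
         where the central directory really sits (a prefix would shift it).
    """
    if not data.startswith(LOCAL_HEADER_SIG):
        return False
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return False
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return cd_offset + cd_size == eocd

def build_jar(entries: dict) -> bytes:
    """Constructed sample: build a minimal JAR in memory from name -> body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def lenient_reader_accepts(data: bytes) -> bool:
    """What a tolerant ZIP reader does with the same bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False

if __name__ == "__main__":
    clean = build_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    # Constructed: a foreign header followed by the archive, no real image.
    prefixed = b"GIF89a" + bytes(16) + clean
    print(jar_has_clean_framing(clean), jar_has_clean_framing(prefixed),
          lenient_reader_accepts(prefixed))
```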

The CVE-2013-1926 issue was discovered by Jiri Vanek of the Red Hat OpenJDK
Team, and CVE-2013-1927 was discovered by the Red Hat Security Response
Team.

This erratum also upgrades IcedTea-Web to version 1.2.3. Refer to the NEWS
file, linked to in the References, for further information.

All IcedTea-Web users should upgrade to these updated packages, which
resolve these issues. Web browsers using the IcedTea-Web browser plug-in
must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
icedtea-web-1.2.3-2.el6_4.src.rpm
File outdated by:  RHBA-2013:1584
    MD5: 2f95f464728c525c33fb01f0a32ae0bc
SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
 
IA-32:
icedtea-web-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:1584
    MD5: 45cd35a78fa0d24206bf542a140f6c48
SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:0959
    MD5: 141b38cbdf74d1fa376a1df47086c9eb
SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm
    MD5: 6d89da638cd2b63d1a5fcb772bddcb1e
SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd
 
x86_64:
icedtea-web-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:1584
    MD5: 9b09effb04278774b73a1293cb29affd
SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 5b208d53365127422d48eb16ad593661
SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm
    MD5: a8db3e6d6ef516c180fb82a5f074f68e
SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
icedtea-web-1.2.3-2.el6_4.src.rpm
File outdated by:  RHBA-2013:1584
    MD5: 2f95f464728c525c33fb01f0a32ae0bc
SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
 
x86_64:
icedtea-web-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:1584
    MD5: 9b09effb04278774b73a1293cb29affd
SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 5b208d53365127422d48eb16ad593661
SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm
    MD5: a8db3e6d6ef516c180fb82a5f074f68e
SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
icedtea-web-1.2.3-2.el6_4.src.rpm
File outdated by:  RHBA-2013:1584
    MD5: 2f95f464728c525c33fb01f0a32ae0bc
SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
 
IA-32:
icedtea-web-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:1584
    MD5: 45cd35a78fa0d24206bf542a140f6c48
SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:0959
    MD5: 141b38cbdf74d1fa376a1df47086c9eb
SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm
    MD5: 6d89da638cd2b63d1a5fcb772bddcb1e
SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd
 
x86_64:
icedtea-web-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:1584
    MD5: 9b09effb04278774b73a1293cb29affd
SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 5b208d53365127422d48eb16ad593661
SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm
    MD5: a8db3e6d6ef516c180fb82a5f074f68e
SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
 
Red Hat Enterprise Linux Server AUS (v. 6.4)

SRPMS:
icedtea-web-1.2.3-2.el6_4.src.rpm
File outdated by:  RHBA-2013:1584
    MD5: 2f95f464728c525c33fb01f0a32ae0bc
SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
 
x86_64:
icedtea-web-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 9b09effb04278774b73a1293cb29affd
SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 5b208d53365127422d48eb16ad593661
SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: a8db3e6d6ef516c180fb82a5f074f68e
SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
 
Red Hat Enterprise Linux Server EUS (v. 6.4.z)

SRPMS:
icedtea-web-1.2.3-2.el6_4.src.rpm
File outdated by:  RHBA-2013:1584
    MD5: 2f95f464728c525c33fb01f0a32ae0bc
SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
 
IA-32:
icedtea-web-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:0959
    MD5: 45cd35a78fa0d24206bf542a140f6c48
SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:0959
    MD5: 141b38cbdf74d1fa376a1df47086c9eb
SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:0959
    MD5: 6d89da638cd2b63d1a5fcb772bddcb1e
SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd
 
x86_64:
icedtea-web-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 9b09effb04278774b73a1293cb29affd
SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 5b208d53365127422d48eb16ad593661
SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: a8db3e6d6ef516c180fb82a5f074f68e
SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
icedtea-web-1.2.3-2.el6_4.src.rpm
File outdated by:  RHBA-2013:1584
    MD5: 2f95f464728c525c33fb01f0a32ae0bc
SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
 
IA-32:
icedtea-web-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:1584
    MD5: 45cd35a78fa0d24206bf542a140f6c48
SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm
File outdated by:  RHBA-2013:0959
    MD5: 141b38cbdf74d1fa376a1df47086c9eb
SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm
    MD5: 6d89da638cd2b63d1a5fcb772bddcb1e
SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd
 
x86_64:
icedtea-web-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:1584
    MD5: 9b09effb04278774b73a1293cb29affd
SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm
File outdated by:  RHBA-2013:0959
    MD5: 5b208d53365127422d48eb16ad593661
SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm
    MD5: a8db3e6d6ef516c180fb82a5f074f68e
SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

884705 - CVE-2013-1927 icedtea-web: GIFAR issue
916774 - CVE-2013-1926 icedtea-web: class loader sharing for applets with same codebase paths

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/