Red Hat Product Errata RHSA-2013:0753 - Security Advisory

Issued:: 2013-04-17
Updated:: 2013-04-17

RHSA-2013:0753 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: icedtea-web security update

Type/Severity

Security Advisory: Moderate

Topic

Updated icedtea-web packages that fix two security issues are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project. It
also contains a configuration tool for managing deployment settings for the
plug-in and Web Start implementations.

It was discovered that the IcedTea-Web plug-in incorrectly used the same
class loader instance for applets with the same value of the codebase
attribute, even when they originated from different domains. A malicious
applet could use this flaw to gain information about and possibly
manipulate applets from different domains currently running in the browser.
(CVE-2013-1926)

The IcedTea-Web plug-in did not properly check the format of the downloaded
Java Archive (JAR) files. This could cause the plug-in to execute code
hidden in a file in a different format, possibly allowing attackers to
execute code in the context of web sites that allow uploads of specific
file types, known as a GIFAR attack. (CVE-2013-1927)

The CVE-2013-1926 issue was discovered by Jiri Vanek of the Red Hat OpenJDK
Team, and CVE-2013-1927 was discovered by the Red Hat Security Response
Team.

This erratum also upgrades IcedTea-Web to version 1.2.3. Refer to the NEWS
file, linked to in the References, for further information.

All IcedTea-Web users should upgrade to these updated packages, which
resolve these issues. Web browsers using the IcedTea-Web browser plug-in
must be restarted for this update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

Red Hat Enterprise Linux Server 6 x86_64
Red Hat Enterprise Linux Server 6 i386
Red Hat Enterprise Linux Server - Extended Update Support 6.4 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 6.4 i386
Red Hat Enterprise Linux Workstation 6 x86_64
Red Hat Enterprise Linux Desktop 6 x86_64
Red Hat Enterprise Linux Desktop 6 i386
Red Hat Enterprise Linux Server from RHUI 6 x86_64
Red Hat Enterprise Linux Server from RHUI 6 i386
Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.4 x86_64
Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.4 i386
Red Hat Gluster Storage Server for On-premise 2.1 x86_64
Red Hat Storage for Public Cloud (via RHUI) 2.1 x86_64
Red Hat Enterprise Linux Server - AUS 6.4 x86_64
Red Hat Enterprise Linux Workstation 6 i386
Red Hat Enterprise Linux for Scientific Computing 6 x86_64

Fixes

BZ - 884705 - CVE-2013-1927 icedtea-web: GIFAR issue
BZ - 916774 - CVE-2013-1926 icedtea-web: class loader sharing for applets with same codebase paths

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 6

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
i386
icedtea-web-1.2.3-2.el6_4.i686.rpm	SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm	SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd

Red Hat Enterprise Linux Server - Extended Update Support 6.4

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
i386
icedtea-web-1.2.3-2.el6_4.i686.rpm	SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm	SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd

Red Hat Enterprise Linux Workstation 6

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
i386
icedtea-web-1.2.3-2.el6_4.i686.rpm	SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm	SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd

Red Hat Enterprise Linux Desktop 6

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
i386
icedtea-web-1.2.3-2.el6_4.i686.rpm	SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm	SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd

Red Hat Enterprise Linux for Scientific Computing 6

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654

Red Hat Enterprise Linux Server from RHUI 6

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654
i386
icedtea-web-1.2.3-2.el6_4.i686.rpm	SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab
icedtea-web-javadoc-1.2.3-2.el6_4.i686.rpm	SHA-256: 1f8aff100101b89841479d380d9fbc43f1e946da90fb5f6ee0258c67ee3a04bd

Red Hat Enterprise Linux Server - Extended Update Support from RHUI 6.4

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
i386
icedtea-web-1.2.3-2.el6_4.i686.rpm	SHA-256: 49ce88888e295f4aa3ece590d25e1914e526566f4f3bf037cf3844eb62c7c9be
icedtea-web-debuginfo-1.2.3-2.el6_4.i686.rpm	SHA-256: 4cf0d096310f88e86c0a6a8cc72fe1787886f4cf5f160a6212b1657fe77241ab

Red Hat Gluster Storage Server for On-premise 2.1

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4

Red Hat Storage for Public Cloud (via RHUI) 2.1

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4

Red Hat Enterprise Linux Server - AUS 6.4

SRPM
icedtea-web-1.2.3-2.el6_4.src.rpm	SHA-256: d6beca890e49e0dcfadfdc05d36939d72490c572ee82d99b24097b97c3e84eb4
x86_64
icedtea-web-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 9bea06489782f4e1a45015a71215abc5308ecab3e392a3b5cf4e756c725a47ea
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-debuginfo-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 00a8a8d0313fb088e40fe988160a5a056c1b60ef5e8f0c56296fcc66a00828d4
icedtea-web-javadoc-1.2.3-2.el6_4.x86_64.rpm	SHA-256: 99e0b7ad60b7173c9a5b386a58f6bda658d8a9c13d8031924efa76804b93f654

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Support

Services

Knowledge

Ecosystem

Red Hat Customer Portal Labs

Additional Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Discussions

Blogs

Customer Events

Stories