USN-1505-2: IcedTea-Web regression
30 August 2012
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.10
- Ubuntu 11.04
USN 1505-1 introduced a regression in the IcedTea-Web Java web browser plugin that prevented it from working with the Chromium web browser.
- icedtea-web - A web browser plugin to execute Java applets
USN-1505-1 fixed vulnerabilities in OpenJDK 6. As part of the update, IcedTea-Web packages were upgraded to a new version. That upgrade introduced a regression which prevented the IcedTea-Web plugin from working with the Chromium web browser in Ubuntu 11.04 and Ubuntu 11.10. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that multiple flaws existed in the CORBA (Common Object Request Broker Architecture) implementation in OpenJDK. An attacker could create a Java application or applet that used these flaws to bypass Java sandbox restrictions or modify immutable object data. (CVE-2012-1711, CVE-2012-1719)
It was discovered that multiple flaws existed in the OpenJDK font manager’s layout lookup implementation. A attacker could specially craft a font file that could cause a denial of service through crashing the JVM (Java Virtual Machine) or possibly execute arbitrary code. (CVE-2012-1713)
It was discovered that the SynthLookAndFeel class from Swing in OpenJDK did not properly prevent access to certain UI elements from outside the current application context. An attacker could create a Java application or applet that used this flaw to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions. (CVE-2012-1716)
It was discovered that OpenJDK runtime library classes could create temporary files with insecure permissions. A local attacker could use this to gain access to sensitive information. (CVE-2012-1717)
It was discovered that OpenJDK did not handle CRLs (Certificate Revocation Lists) properly. A remote attacker could use this to gain access to sensitive information. (CVE-2012-1718)
It was discovered that the OpenJDK HotSpot Virtual Machine did not properly verify the bytecode of the class to be executed. A remote attacker could create a Java application or applet that used this to cause a denial of service through crashing the JVM or bypass Java sandbox restrictions. (CVE-2012-1723, CVE-2012-1725)
It was discovered that the OpenJDK XML (Extensible Markup Language) parser did not properly handle some XML documents. An attacker could create an XML document that caused a denial of service in a Java application or applet parsing the document. (CVE-2012-1724)
As part of this update, the IcedTea web browser applet plugin was updated for Ubuntu 10.04 LTS, Ubuntu 11.04, and Ubuntu 11.10.
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 11.10
- icedtea-6-plugin - 1.2-2ubuntu0.11.10.3
- Ubuntu 11.04
- icedtea-6-plugin - 1.2-2ubuntu0.11.04.3
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart your web browser to make all the necessary changes.