Date: Fri, 7 Feb 2014 20:45:59 +0100
From: Tomas Hoger <thoger@...hat.com>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: IcedTea-Web insecure temporary directory use - CVE-2013-6493

Hi!

IcedTea-Web version 1.4.2, released earlier this week, fixes an issue
related to handling of the directory that is used to store sockets for
communication between the in-browser plugin and the JVM running applets.  The
directory was usually created in /tmp, using a predictable name, and its
ownership and permissions were not checked.  This issue was reported by
Michael Scherer of Red Hat and was assigned CVE-2013-6493.

References:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-February/026192.html
http://icedtea.classpath.org/hg/icedtea-web/rev/228e3652214a
http://icedtea.classpath.org/hg/icedtea-web/rev/1e0507976663
https://bugzilla.redhat.com/show_bug.cgi?id=1010958

-- 
Tomas Hoger / Red Hat Security Response Team
