{"id":"MGASA-2015-0376","summary":"Updated icedtea-web packages fix security vulnerabilities","details":"Updated icedtea-web packages fix security vulnerabilities:\n\nIt was discovered that IcedTea-Web did not properly sanitize applet URLs when\nstoring applet trust settings. A malicious web page could use this flaw to\ninject trust-settings configuration, and cause applets to be executed without\nuser approval (CVE-2015-5234).\n\nIt was discovered that IcedTea-Web did not properly determine an applet's\norigin when asking the user if the applet should be run. A malicious page\ncould use this flaw to cause IcedTea-Web to execute the applet without user\napproval, or confuse the user into approving applet execution based on an\nincorrectly indicated applet origin (CVE-2015-5235).\n","modified":"2026-04-16T06:25:40.916513932Z","published":"2015-09-17T18:02:40Z","upstream":["CVE-2015-5234","CVE-2015-5235"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0376.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16755"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1233667"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1233697"},{"type":"WEB","url":"http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-September/033546.html"}],"affected":[{"package":{"name":"icedtea-web","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/icedtea-web?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.3-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0376.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}