MDVSA-2013:146 -- Mandriva icedtea-web
ID: oval:org.secpod.oval:def:1300182 | Date: (C)2013-04-23 (M)2022-10-10 | Class: PATCH | Family: unix
Multiple vulnerabilities have been discovered and corrected in icedtea-web:

It was discovered that the IcedTea-Web plug-in incorrectly used the same class loader instance for applets with the same value of the codebase attribute, even when they originated from different domains. A malicious applet could use this flaw to gain information about and possibly manipulate applets from different domains currently running in the browser.

The IcedTea-Web plug-in did not properly check the format of the downloaded Java Archive files. This could cause the plug-in to execute code hidden in a file in a different format, possibly allowing attackers to execute code in the context of web sites that allow uploads of specific file types, known as a GIFAR attack.

The updated packages have been upgraded to the 1.3.2 version, which is not affected by these issues.
Platform: Mandriva Enterprise Server 5.2