Synopsis:      Moderate: icedtea-web security, bug fix, and
Advisory ID:   SLSA-2016:0778-1
Issue Date:    2016-05-10
CVE Numbers:   CVE-2015-5234
               CVE-2015-5235
--

The following packages have been upgraded to a newer upstream version:
icedtea-web (1.6.2).

Security Fix(es):

* It was discovered that IcedTea-Web did not properly sanitize applet URLs
  when storing applet trust settings. A malicious web page could use this
  flaw to inject trust-settings configuration, and cause applets to be
  executed without user approval. (CVE-2015-5234)

* It was discovered that IcedTea-Web did not properly determine an applet's
  origin when asking the user if the applet should be run. A malicious page
  could use this flaw to cause IcedTea-Web to execute the applet without
  user approval, or confuse the user into approving applet execution based
  on an incorrectly indicated applet origin. (CVE-2015-5235)
--

SL6
  x86_64
    icedtea-web-1.6.2-1.el6.x86_64.rpm
    icedtea-web-debuginfo-1.6.2-1.el6.x86_64.rpm
  i386
    icedtea-web-1.6.2-1.el6.i686.rpm
    icedtea-web-debuginfo-1.6.2-1.el6.i686.rpm
  noarch
    icedtea-web-javadoc-1.6.2-1.el6.noarch.rpm

- Scientific Linux Development Team