icedtea-web installed and enabled by default in Fedora 19

Eric Smith brouhaha at
Wed Jun 19 16:03:49 UTC 2013

On Tue, Jun 18, 2013 at 11:29 PM, Dhiru Kholia <dhiru.kholia at> wrote:
> Some recent news,
> "The majority are vulnerable through browser plugins, 11 of which are
> exploitable for complete control of the underlying operating system,"
> said Ross Barrett, senior manager of security engineering at Rapid7.

I can see how a vulnerability in Java running in user space can cause
all sorts of problems for the user, but unless someone is running a
browser as superuser, how can it possibly take "complete control of
the underlying operating system"?  Surely that would require a
privilege escalation vulnerability in the kernel or a setuid program,
and such a vulnerability is the fault of that package, not of Java.

