Linux Security

    Debian LTS: DLA-1914-1: icedtea-web security update

    
    Package        : icedtea-web
    Version        : 1.5.3-1+deb8u1
    CVE ID         : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
    Debian Bug     : 934319
    
    Several security vulnerabilities were found in icedtea-web, an
    implementation of the Java Network Launching Protocol (JNLP).
    
    CVE-2019-10181
    
         It was found that in icedtea-web executable code could be injected
         in a JAR file without compromising the signature verification. An
         attacker could use this flaw to inject code in a trusted JAR. The
         code would be executed inside the sandbox.
    
    CVE-2019-10182
    
         It was found that icedtea-web did not properly sanitize paths from
          elements in JNLP files. An attacker could trick a victim
         into running a specially crafted application and use this flaw to
         upload arbitrary files to arbitrary locations in the context of the
         user.
    
    CVE-2019-10185
    
        It was found that icedtea-web was vulnerable to a zip-slip attack
        during auto-extraction of a JAR file. An attacker could use this
        flaw to write files to arbitrary locations. This could also be used
        to replace the main running application and, possibly, break out of
        the sandbox.
    
    For Debian 8 "Jessie", these problems have been fixed in version
    1.5.3-1+deb8u1.
    
    We recommend that you upgrade your icedtea-web packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
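
CVE-2019-10185 above is a zip-slip flaw in JAR auto-extraction. As an added example (not code from Debian or from icedtea-web), the Python check below lists the entries of a JAR whose stored names would resolve outside the extraction directory; the function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile


def unsafe_entries(jar_bytes):
    """Return the entry names that would land outside the extraction directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            # Treat backslashes as separators too, as some extractors do.
            name = info.filename.replace("\\", "/")
            # Absolute paths and drive letters ignore the extraction root.
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                bad.append(info.filename)
                continue
            # Collapse "." and ".." and see whether the path climbs above the root.
            resolved = posixpath.normpath(name)
            if resolved == ".." or resolved.startswith("../"):
                bad.append(info.filename)
    return bad


def build_sample_jar():
    """Constructed sample: two entries that stay inside the root, two that do not."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("lib/native/../libdemo.so", b"")   # ".." stays inside the root
        jar.writestr("../escaped.txt", b"")             # climbs one level out
        jar.writestr("lib/../../escaped2.txt", b"")     # climbs out after descending
    return buf.getvalue()


if __name__ == "__main__":
    for entry in unsafe_entries(build_sample_jar()):
        print("entry escapes extraction directory:", entry)
```

An extractor should refuse the whole archive when this list is non-empty rather than skip individual entries.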
    
