Debian LTS: DLA-1914-1: icedtea-web security update

    Date: 09 Sep 2019
    Category: Debian LTS
    Posted By: LinuxSecurity Advisories
    
    Package        : icedtea-web
    Version        : 1.5.3-1+deb8u1
    CVE ID         : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
    Debian Bug     : 934319
    
    Several security vulnerabilities were found in icedtea-web, an
    implementation of the Java Network Launching Protocol (JNLP).
    
    CVE-2019-10181
    
         It was found that in icedtea-web executable code could be injected
         in a JAR file without compromising the signature verification. An
         attacker could use this flaw to inject code in a trusted JAR. The
         code would be executed inside the sandbox.
    
    CVE-2019-10182
    
         It was found that icedtea-web did not properly sanitize paths from
         elements in JNLP files. An attacker could trick a victim
         into running a specially crafted application and use this flaw to
         upload arbitrary files to arbitrary locations in the context of the
         user.
    
    CVE-2019-10185
    
        It was found that icedtea-web was vulnerable to a zip-slip attack
        during auto-extraction of a JAR file. An attacker could use this
        flaw to write files to arbitrary locations. This could also be used
        to replace the main running application and, possibly, break out of
        the sandbox.
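
The containment check that guards against the zip-slip issue described for CVE-2019-10185, as an added example (not icedtea-web's code or its patch): it flags archive entries whose names resolve outside the extraction directory and refuses such an archive before anything is written. It applies to any ZIP-format archive, not only JARs; the function names, the `/extract` root and the sample archives are constructed for illustration.

```python
import io
import posixpath
import tempfile
import zipfile
from pathlib import Path

ROOT = "/extract"  # hypothetical virtual root, used only for lexical path checks


def escaping_entries(jar_bytes):
    """Return names of entries that would resolve outside the extraction root."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            # Count backslashes as separators too, as some extractors do.
            unified = name.replace("\\", "/")
            target = posixpath.normpath(posixpath.join(ROOT, unified))
            if target != ROOT and not target.startswith(ROOT + "/"):
                bad.append(name)
    return bad


def extract_checked(jar_bytes, dest):
    """Extract into dest only if every entry stays inside it; else write nothing."""
    bad = escaping_entries(jar_bytes)
    if bad:
        raise ValueError(f"refusing archive, entries escape target: {bad}")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        jar.extractall(dest)
    files = [p for p in Path(dest).rglob("*") if p.is_file()]
    return sorted(p.relative_to(dest).as_posix() for p in files)


def build_jar(names):
    """Build a constructed in-memory archive with one small entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            jar.writestr(name, b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_jar(["META-INF/MANIFEST.MF", "app/Main.class"])
    crafted = build_jar(["app/Main.class", "../../outside.txt", "/abs/outside.txt"])
    print("clean:", escaping_entries(clean))
    print("crafted:", escaping_entries(crafted))
    with tempfile.TemporaryDirectory() as d:
        print("extracted:", extract_checked(clean, d))
```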
    
    For Debian 8 "Jessie", these problems have been fixed in version
    1.5.3-1+deb8u1.
    
    We recommend that you upgrade your icedtea-web packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
    