Debian LTS: DLA-1914-1: icedtea-web security update

    Date 09 Sep 2019
    Posted By LinuxSecurity Advisories
    
    Package        : icedtea-web
    Version        : 1.5.3-1+deb8u1
    CVE ID         : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
    Debian Bug     : 934319
    
    Several security vulnerabilities were found in icedtea-web, an
    implementation of the Java Network Launching Protocol (JNLP).
    
    CVE-2019-10181
    
         It was found that in icedtea-web executable code could be injected
         in a JAR file without compromising the signature verification. An
         attacker could use this flaw to inject code in a trusted JAR. The
         code would be executed inside the sandbox.
    
    CVE-2019-10182
    
         It was found that icedtea-web did not properly sanitize paths from
         <jar/> elements in JNLP files. An attacker could trick a victim
         into running a specially crafted application and use this flaw to
         upload arbitrary files to arbitrary locations in the context of the
         user.
    
    CVE-2019-10185
    
        It was found that icedtea-web was vulnerable to a zip-slip attack
        during auto-extraction of a JAR file. An attacker could use this
        flaw to write files to arbitrary locations. This could also be used
        to replace the main running application and, possibly, break out of
        the sandbox.
    
    For Debian 8 "Jessie", these problems have been fixed in version
    1.5.3-1+deb8u1.
    
    We recommend that you upgrade your icedtea-web packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
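
The containment check that addresses the zip-slip condition described under CVE-2019-10185, as an added example (not code from icedtea-web or from the Debian advisory): each entry name is resolved against the extraction directory, and the archive is rejected if any entry would land outside it. The function names and the sample entry names are constructed for illustration.

```python
import io
import os
import zipfile

def escapes(dest_dir, entry_name):
    """True if writing entry_name under dest_dir would land outside dest_dir."""
    root = os.path.realpath(dest_dir)
    # Archives built on Windows may use backslashes as separators.
    name = entry_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(root, name))
    try:
        return os.path.commonpath([root, target]) != root
    except ValueError:  # e.g. different drives on Windows
        return True

def audit_jar(jar, dest_dir):
    """Return the entry names in a JAR (path or file object) that escape dest_dir."""
    with zipfile.ZipFile(jar) as zf:
        return [i.filename for i in zf.infolist() if escapes(dest_dir, i.filename)]

def safe_extract(jar, dest_dir):
    """Extract only when every entry stays inside dest_dir; otherwise write nothing."""
    bad = audit_jar(jar, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, entries escape {dest_dir}: {bad}")
    with zipfile.ZipFile(jar) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()

def constructed_jar(names):
    """Build an in-memory archive with the given entry names (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = constructed_jar(["META-INF/MANIFEST.MF", "app/Main.class",
                              "../../outside.txt", "lib/../ok.txt"])
    print(audit_jar(sample, "cache"))
```

Python's own `zipfile` extraction already strips `..` components and leading slashes; the explicit check is what an extractor needs when it joins entry names onto a directory itself.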
    
