[SECURITY] [DLA 1914-1] icedtea-web security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1914-1] icedtea-web security update
From: Markus Koschany <apo@debian.org>
Date: Mon, 9 Sep 2019 21:46:05 +0200
Message-id: <[🔎] 1e665402-5a9e-3ca3-672c-b7bbf79bbf46@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : icedtea-web
Version        : 1.5.3-1+deb8u1
CVE ID         : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
Debian Bug     : 934319

Several security vulnerabilities were found in icedtea-web, an
implementation of the Java Network Launching Protocol (JNLP).

CVE-2019-10181

     It was found that in icedtea-web executable code could be injected
     in a JAR file without compromising the signature verification. An
     attacker could use this flaw to inject code in a trusted JAR. The
     code would be executed inside the sandbox.

CVE-2019-10182

     It was found that icedtea-web did not properly sanitize paths from
     <jar/> elements in JNLP files. An attacker could trick a victim
     into running a specially crafted application and use this flaw to
     upload arbitrary files to arbitrary locations in the context of the
     user.

CVE-2019-10185

    It was found that icedtea-web was vulnerable to a zip-slip attack
    during auto-extraction of a JAR file. An attacker could use this
    flaw to write files to arbitrary locations. This could also be used
    to replace the main running application and, possibly, break out of
    the sandbox.

For Debian 8 "Jessie", these problems have been fixed in version
1.5.3-1+deb8u1.

We recommend that you upgrade your icedtea-web packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl12q/1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeS/2Q//ZQBvQ7mrxB077LEbIivjIU72+wuY/wd1VPtS3usD6e0GbyZJQPHCwm0X
qri94JLolCBh/MZelSd5gt4LjWCF5mFy6dUnYfbxQ2u5kMf4ylfbCjc6eJsaDQDV
FmvkWrALyjDtwF8kqTKcZQOfw/5j0oXGhgFO2oysrNuNt2AgwUEaaqqQ9A6JpVN3
ie9MVgoLRzGu0o+aqbZ9x6hkYhU5XIjwrxF5kFHiwFTU8xKuFymwqm0DZiwJgVLA
96t2DzWkWyMykUpUpcB6b4Z4OTPudfxlASnhFiM0KugMQ3absfJIpdeIt5tzgm24
duYEdP9/SulYkM7PHv/335zAI0nezeO3RMaJ9d+/410jNFKkDZdVIR7Wn89dgZeU
r5H0PQq6nah5WPn+vlU/DZLKO+InrPftjxIxDRxGg2Tw9Hp4TGPBWF6UwZzuiPhS
nmZ1Th+V7UPUFopzdYw3P6ydGYZcr7GniSa3LCmEvlmKgxK+iKn3S6JVjq8mSROu
L8D9QzDdvQ6osQQJRE0b3QYA+MvAyEOFRmYhlzIg3XqSJOrr2c51O6c4XjMWI3Lk
EIeOXvtRWcJX0X6KS5KdVd4688oiYCvZ7M8Lzbd+Si/5jpYCqNPBxxCSMiG8ggSY
2Bu9QmEvAS7sNguuuZKIZ9p/VPAP7VAyTFJcMv0urBhxF6Ke6Co=
=2qp1
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1915-1] ghostscript security update
Next by Date: [SECURITY] [DLA 1916-1] opensc security update
Previous by thread: [SECURITY] [DLA 1915-1] ghostscript security update
Next by thread: [SECURITY] [DLA 1916-1] opensc security update
Index(es):
- Date
- Thread