-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3414
                  DLA 1914-1: icedtea-web security update
                             10 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           icedtea-web
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10185 CVE-2019-10182 CVE-2019-10181

Reference:         ESB-2019.2882
                   ESB-2019.2881

Original Bulletin: 
   https://security-tracker.debian.org/tracker/DLA-1914-1

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : icedtea-web
Version        : 1.5.3-1+deb8u1
CVE ID         : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
Debian Bug     : 934319

Several security vulnerabilities were found in icedtea-web, an
implementation of the Java Network Launching Protocol (JNLP).

CVE-2019-10181

     It was found that in icedtea-web executable code could be injected
     in a JAR file without compromising the signature verification. An
     attacker could use this flaw to inject code in a trusted JAR. The
     code would be executed inside the sandbox.

CVE-2019-10182

     It was found that icedtea-web did not properly sanitize paths from
     <jar/> elements in JNLP files. An attacker could trick a victim
     into running a specially crafted application and use this flaw to
     upload arbitrary files to arbitrary locations in the context of the
     user.

CVE-2019-10185

    It was found that icedtea-web was vulnerable to a zip-slip attack
    during auto-extraction of a JAR file. An attacker could use this
    flaw to write files to arbitrary locations. This could also be used
    to replace the main running application and, possibly, break out of
    the sandbox.

For Debian 8 "Jessie", these problems have been fixed in version
1.5.3-1+deb8u1.

We recommend that you upgrade your icedtea-web packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl12q/1fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeS/2Q//ZQBvQ7mrxB077LEbIivjIU72+wuY/wd1VPtS3usD6e0GbyZJQPHCwm0X
qri94JLolCBh/MZelSd5gt4LjWCF5mFy6dUnYfbxQ2u5kMf4ylfbCjc6eJsaDQDV
FmvkWrALyjDtwF8kqTKcZQOfw/5j0oXGhgFO2oysrNuNt2AgwUEaaqqQ9A6JpVN3
ie9MVgoLRzGu0o+aqbZ9x6hkYhU5XIjwrxF5kFHiwFTU8xKuFymwqm0DZiwJgVLA
96t2DzWkWyMykUpUpcB6b4Z4OTPudfxlASnhFiM0KugMQ3absfJIpdeIt5tzgm24
duYEdP9/SulYkM7PHv/335zAI0nezeO3RMaJ9d+/410jNFKkDZdVIR7Wn89dgZeU
r5H0PQq6nah5WPn+vlU/DZLKO+InrPftjxIxDRxGg2Tw9Hp4TGPBWF6UwZzuiPhS
nmZ1Th+V7UPUFopzdYw3P6ydGYZcr7GniSa3LCmEvlmKgxK+iKn3S6JVjq8mSROu
L8D9QzDdvQ6osQQJRE0b3QYA+MvAyEOFRmYhlzIg3XqSJOrr2c51O6c4XjMWI3Lk
EIeOXvtRWcJX0X6KS5KdVd4688oiYCvZ7M8Lzbd+Si/5jpYCqNPBxxCSMiG8ggSY
2Bu9QmEvAS7sNguuuZKIZ9p/VPAP7VAyTFJcMv0urBhxF6Ke6Co=
=2qp1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXXbju2aOgq3Tt24GAQhgSw/+K1OPCtgyv9qJZJwGGGXGT7X5/6TWeNLb
9tKrqb6s/rtOsekkba8awJsXYtQlnZgFc9g4C3PlvPTUWTiLGNuRUuAq6Y4RHywu
J5MFZ0VIfVaP0pMvpDrTKpqUbB/f2wZKVsGo/pXEOpddxmiDbPNdEws3alZ8ftgq
SPmnLXcjhz1F8HbeSOh/OcMmnVDMEmW8vbcFbqO6ZS4rhY67f2C0UaHHONqukgvP
+bgy/njLAV6tkvFZuT5Ew0OLcQYlNIRCGimtcG+i2AS77Un97OqbOp/lRkZmkQNp
yWgJzA1XfZ4cxIgU/BnwkuVvJ13Umcr6BFjxTiKvrlZoFni8FZHjqEV3Zvu4jlo6
5oavPV8z2b/fBLgjnsGyk7qlXrX8JHRygCogwj46VOF/GRNmdhC0tjxXc0pp07TO
x0RC+0voN+2nwNr5IucNdcnen1QBPcjd3rswsZA6nzHXOnF8P2OvEkEvQ3OoXVEU
Wm0l/PedmTykRaAuA6XrUwYCd++88euyinN5mEn2y4Sfgk5gjpEcqR+LupDtWrLi
GNwES51eulCkpmrdIWeZdglB/mVD0twIeM64pQqZ7xZDkMzPaXM8l1CMm3sqvbfS
2tIes2Oc1gJOewBbTTxvXUiWWd+co6wWQOb8f+9Sk4IpmoeSaIcEEe3rYCPYwBag
BTr4sdRHaIE=
=V58p
-----END PGP SIGNATURE-----