Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3414 DLA 1914-1: icedtea-web security update 10 September 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: icedtea-web Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Create Arbitrary Files -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-10185 CVE-2019-10182 CVE-2019-10181 Reference: ESB-2019.2882 ESB-2019.2881 Original Bulletin: https://security-tracker.debian.org/tracker/DLA-1914-1 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : icedtea-web Version : 1.5.3-1+deb8u1 CVE ID : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185 Debian Bug : 934319 Several security vulnerabilities were found in icedtea-web, an implementation of the Java Network Launching Protocol (JNLP). CVE-2019-10181 It was found that in icedtea-web executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. CVE-2019-10182 It was found that icedtea-web did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. CVE-2019-10185 It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. For Debian 8 "Jessie", these problems have been fixed in version 1.5.3-1+deb8u1. We recommend that you upgrade your icedtea-web packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl12q/1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeS/2Q//ZQBvQ7mrxB077LEbIivjIU72+wuY/wd1VPtS3usD6e0GbyZJQPHCwm0X qri94JLolCBh/MZelSd5gt4LjWCF5mFy6dUnYfbxQ2u5kMf4ylfbCjc6eJsaDQDV FmvkWrALyjDtwF8kqTKcZQOfw/5j0oXGhgFO2oysrNuNt2AgwUEaaqqQ9A6JpVN3 ie9MVgoLRzGu0o+aqbZ9x6hkYhU5XIjwrxF5kFHiwFTU8xKuFymwqm0DZiwJgVLA 96t2DzWkWyMykUpUpcB6b4Z4OTPudfxlASnhFiM0KugMQ3absfJIpdeIt5tzgm24 duYEdP9/SulYkM7PHv/335zAI0nezeO3RMaJ9d+/410jNFKkDZdVIR7Wn89dgZeU r5H0PQq6nah5WPn+vlU/DZLKO+InrPftjxIxDRxGg2Tw9Hp4TGPBWF6UwZzuiPhS nmZ1Th+V7UPUFopzdYw3P6ydGYZcr7GniSa3LCmEvlmKgxK+iKn3S6JVjq8mSROu L8D9QzDdvQ6osQQJRE0b3QYA+MvAyEOFRmYhlzIg3XqSJOrr2c51O6c4XjMWI3Lk EIeOXvtRWcJX0X6KS5KdVd4688oiYCvZ7M8Lzbd+Si/5jpYCqNPBxxCSMiG8ggSY 2Bu9QmEvAS7sNguuuZKIZ9p/VPAP7VAyTFJcMv0urBhxF6Ke6Co= =2qp1 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXXbju2aOgq3Tt24GAQhgSw/+K1OPCtgyv9qJZJwGGGXGT7X5/6TWeNLb 9tKrqb6s/rtOsekkba8awJsXYtQlnZgFc9g4C3PlvPTUWTiLGNuRUuAq6Y4RHywu J5MFZ0VIfVaP0pMvpDrTKpqUbB/f2wZKVsGo/pXEOpddxmiDbPNdEws3alZ8ftgq SPmnLXcjhz1F8HbeSOh/OcMmnVDMEmW8vbcFbqO6ZS4rhY67f2C0UaHHONqukgvP +bgy/njLAV6tkvFZuT5Ew0OLcQYlNIRCGimtcG+i2AS77Un97OqbOp/lRkZmkQNp yWgJzA1XfZ4cxIgU/BnwkuVvJ13Umcr6BFjxTiKvrlZoFni8FZHjqEV3Zvu4jlo6 5oavPV8z2b/fBLgjnsGyk7qlXrX8JHRygCogwj46VOF/GRNmdhC0tjxXc0pp07TO x0RC+0voN+2nwNr5IucNdcnen1QBPcjd3rswsZA6nzHXOnF8P2OvEkEvQ3OoXVEU Wm0l/PedmTykRaAuA6XrUwYCd++88euyinN5mEn2y4Sfgk5gjpEcqR+LupDtWrLi GNwES51eulCkpmrdIWeZdglB/mVD0twIeM64pQqZ7xZDkMzPaXM8l1CMm3sqvbfS 2tIes2Oc1gJOewBbTTxvXUiWWd+co6wWQOb8f+9Sk4IpmoeSaIcEEe3rYCPYwBag BTr4sdRHaIE= =V58p -----END PGP SIGNATURE-----