Thursday, April 18, 2013

[USN-1804-1] IcedTea-Web vulnerabilities

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iQIcBAEBCgAGBQJRcJZhAAoJEFHb3FjMVZVzTrsP/AukRaKTCixLlkYU/oh8LBZO
bFouX0WtF8ze+DJX6Pda/Zy3+FKjH0FcyPNPJJwYo4qgWn635VO8eXbj7avtdowb
YWvk5JE7MiMxv/buR/JFHQH7VonW1khLzyKLak/JQDtlm/YW4QsKXRXcjmXqzv2e
HT4RnMOtkjsfW2ONyDsv5KUVwox07K4ZL0EGkKu27PONY2tgDWQPIW5HNoih3GZ8
QEluQbtFoGLcyRLPs4KWPxXKM2LVb/uXZLNJJ5MqbjPJs7Bu8ZB0saF6gz/VDtny
aOnXsLcrhvpaqJWsEyX2uUijPGWh6studjOebFEaJdqy/lKkv7szs1ucPNj4j53F
ASPTmDS5O4lztpvI9QsOL+iod7U6rffQFSv+LQcSjEoxN8/Dme8yiwo4qyrYoRA1
M6aagHXE79MVEjZdGNx1Ws4d5rdibBDBMD7guGlC+sFvkLsVfG+hsoqozJ8Rwmet
On7Iik4a3jzRInFb7Ows75NnD6iGLuY/Wmf5BR+4Is0TLyVJm9NhTFfKG4TGCqEo
/0w9HLj9SXmaUw5PyIJthqTxVo3qR3U0j84y0SEUEJ8NZK5tG5W8fryXcf3KDu1c
koddzD34t2iZ2y6jIp874JcGVfDhYC8i70TnmJYPJm9t7QtcU71KYjEe2EjLdDQp
uqmJP6qFzhF8Z+Q9PZoL
=fdcx
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-1804-1
April 18, 2013

icedtea-web vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS

Summary:

Two security issues were fixed in IcedTea-Web.

Software Description:
- icedtea-web: A web browser plugin to execute Java applets

Details:

Jiri Vanek discovered that IcedTea-Web would use the same classloader for
applets from different domains. A remote attacker could exploit this to
expose sensitive information or potentially manipulate applets from other
domains. (CVE-2013-1926)

It was discovered that IcedTea-Web did not properly verify JAR files and
was susceptible to the GIFAR attack. If a user were tricked into opening a
malicious website, a remote attacker could potentially exploit this to
execute code under certain circumstances. (CVE-2013-1927)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.10:
icedtea-netx 1.3.2-1ubuntu0.12.10.1

Ubuntu 12.04 LTS:
icedtea-netx 1.2.3-0ubuntu0.12.04.1

Ubuntu 11.10:
icedtea-netx 1.2.3-0ubuntu0.11.10.1

Ubuntu 10.04 LTS:
icedtea-netx 1.2.3-0ubuntu0.10.04.1

After a standard system update you need to restart your browser to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1804-1
CVE-2013-1926, CVE-2013-1927

Package Information:
https://launchpad.net/ubuntu/+source/icedtea-web/1.3.2-1ubuntu0.12.10.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2.3-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2.3-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2.3-0ubuntu0.10.04.1

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)