
Accepted icedtea-web 1.5.3-1+deb8u1 (source amd64 all) into oldoldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Sep 2019 20:26:24 +0200
Source: icedtea-web
Binary: icedtea-netx icedtea-plugin icedtea-netx-common icedtea-7-plugin
Architecture: source amd64 all
Version: 1.5.3-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: OpenJDK Team <openjdk@lists.launchpad.net>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 icedtea-7-plugin - web browser plugin based on OpenJDK and IcedTea to execute Java a
 icedtea-netx - NetX - implementation of the Java Network Launching Protocol (JNL
 icedtea-netx-common - NetX - implementation of the Java Network Launching Protocol (JNL
 icedtea-plugin - web browser plugin to execute Java applets (dependency package)
Changes:
 icedtea-web (1.5.3-1+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-10181:
     It was found that in icedtea-web executable code could be injected in a JAR
     file without compromising the signature verification. An attacker could use
     this flaw to inject code in a trusted JAR. The code would be executed
     inside the sandbox.
   * Fix CVE-2019-10182:
     It was found that icedtea-web did not properly sanitize paths from <jar/>
     elements in JNLP files. An attacker could trick a victim into running a
     specially crafted application and use this flaw to upload arbitrary files
     to arbitrary locations in the context of the user.
   * Fix CVE-2019-10185:
     It was found that icedtea-web was vulnerable to a zip-slip attack during
     auto-extraction of a JAR file. An attacker could use this flaw to write
     files to arbitrary locations. This could also be used to replace the main
     running application and, possibly, break out of the sandbox.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

