CVE-2019-10181 CVE-2019-10182 CVE-2019-10185

Related Vulnerabilities: CVE-2019-10181   CVE-2019-10182   CVE-2019-10185  

Debian Bug report logs - #934319

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 9 Aug 2019 16:15:05 UTC

Severity: grave

Tags: security, upstream

Found in versions icedtea-web/1.8.2-2, icedtea-web/1.7.2-2

Fixed in version icedtea-web/1.8.3-1

Done: Emmanuel Bourg <ebourg@apache.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#934319; Package src:icedtea-web. (Fri, 09 Aug 2019 16:15:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 09 Aug 2019 16:15:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
Date: Fri, 09 Aug 2019 18:11:22 +0200
Source: icedtea-web
Severity: grave
Tags: security

Please see https://www.openwall.com/lists/oss-security/2019/07/31/2

Cheers,
        Moritz



Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#934319. (Fri, 09 Aug 2019 17:06:02 GMT)


Message #8 received at 934319-submitter@bugs.debian.org:

From: Emmanuel Bourg <noreply@salsa.debian.org>
To: 934319-submitter@bugs.debian.org
Subject: Bug#934319 marked as pending in icedtea-web
Date: Fri, 09 Aug 2019 17:03:30 +0000
Control: tag -1 pending

Hello,

Bug #934319 in icedtea-web reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/icedtea-web/commit/30836c182120405e218b31e6c98e1486e3b6cbf9

------------------------------------------------------------------------
New upstream release (Closes: #934319)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/934319



Added tag(s) pending. Request was from Emmanuel Bourg <noreply@salsa.debian.org> to 934319-submitter@bugs.debian.org. (Fri, 09 Aug 2019 17:06:02 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Fri, 09 Aug 2019 17:21:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 09 Aug 2019 17:21:08 GMT)


Message #15 received at 934319-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 934319-close@bugs.debian.org
Subject: Bug#934319: fixed in icedtea-web 1.8.3-1
Date: Fri, 09 Aug 2019 17:19:28 +0000
Source: icedtea-web
Source-Version: 1.8.3-1

We believe that the bug you reported is fixed in the latest version of
icedtea-web, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 934319@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated icedtea-web package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 09 Aug 2019 18:57:41 +0200
Source: icedtea-web
Architecture: source
Version: 1.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Closes: 934319
Changes:
 icedtea-web (1.8.3-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release (Closes: #934319)
     - Fixes CVE-2019-10181: Unsigned code injection in a signed JAR file
     - Fixes CVE-2019-10182: Path traversal while processing <jar/> elements
       of JNLP files results in arbitrary file overwrite
     - Fixes CVE-2019-10185: Directory traversal in the nested jar
       auto-extraction leading to arbitrary file overwrite

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Marked as found in versions icedtea-web/1.8.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 09 Aug 2019 19:03:02 GMT)


Marked as found in versions icedtea-web/1.7.2-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 09 Aug 2019 19:03:03 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 09 Aug 2019 19:03:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Aug 10 09:35:04 2019; Machine Name: buxtehude
