Sicherheit: Preisgabe von Informationen in IcedTea-Web

Lesezeichen hinzufügen

--===============9092485622324413694==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="ZwgA9U+XZDXt4+m+"
Content-Disposition: inline

--ZwgA9U+XZDXt4+m+
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

==========================================================================
Ubuntu Security Notice USN-1178-1
July 27, 2011

icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS

Summary:

An attacker could discover a user's name or confuse a user into granting
unintended access to files.

Software Description:
- icedtea-web: An implementation of the Java Network Launching Protocol (JNLP)
- openjdk-6: Open Source Java implementation
- openjdk-6b18: Open Source Java implementation

Details:

Omair Majid discovered that an unsigned Web Start application
or applet could determine the path to the cache directory used
to store downloaded class and jar files by querying class loader
properties. This could allow a remote attacker to discover a user's
name and home directory path. (CVE-2011-2513)

Omair Majid discovered that an unsigned Web Start application could
manipulate the content of the security warning dialog message to show
different file names in prompts. This could allow a remote attacker
to confuse a user into granting access to a different file than they
believe they are granting access to. This issue only affected Ubuntu
11.04. (CVE-2011-2514)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
icedtea-netx 1.1.1-0ubuntu1~11.04.1
icedtea-plugin 1.1.1-0ubuntu1~11.04.1

Ubuntu 10.10:
icedtea6-plugin 6b20-1.9.9-0ubuntu1~10.10.2

Ubuntu 10.04 LTS:
icedtea6-plugin 6b20-1.9.9-0ubuntu1~10.04.2

After a standard system update you need to restart any Java applications
or applets to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1178-1
CVE-2011-2513, CVE-2011-2514

Package Information:
https://launchpad.net/ubuntu/+source/icedtea-web/1.1.1-0ubuntu1~11.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.9-0ubuntu1~10.10.2
https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.8-0ubuntu1~10.10.2+1.8.9
https://launchpad.net/ubuntu/+source/openjdk-6/6b20-1.9.9-0ubuntu1~10.04.2
https://launchpad.net/ubuntu/+source/openjdk-6b18/6b18-1.8.8-0ubuntu1~10.04.2+1.8.9

--ZwgA9U+XZDXt4+m+
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCgAGBQJOMJ/mAAoJEC8Jno0AXoH0ciMQAJH8DZgQ2EKgoZ1G2GfKvqGx
z5iXGagExs1pQWpK0ZVTAFbLKKyiZS4ruqu8lpD5RyJ1Ijeec9RO3/XU7r1uMoAR
pDA1+MRwELSbAtHkFY54uKbrQ1ZaIUdtLG84kH813/5SXZulJ/pjIJv0p0qa1oTe
wLrtmY6GCv0jOJ1f0C6KyjFrYX2u4LNjR5FtffmqquMCUETFb4nwttFOuGoxSYU3
ha0RVO8+rYUmBZD6tHIs7Bbo4HC0fYo3FqSTV1dmbbtpamZLygYTF9rvAiN+j0xL
M64PxV4VSkzk3n6+MM92muhpB/1I2Z7doLr4zKsQlpubrKbpvP0vyT7KoTUUe+bd
nomwHngxdGuDA9Lb7sqcI74rZoiskrkMnnXygq7Nm0AaymC1CJNMiouqcyYND+Jb
nSDi2R76x7zSoRLziJayNNRHq9LlDqbgUEQztZSJV+CzPYXKa+mEIPi2EvjCcBBx
pKOO6bAjYRRy4mvIuJzNO/3UEzxlwSR7FltzSu8yR8hWr3+FzQ30tSzqAd3OqlTS
EVAOwc+ksaOQzAWdeHp8QLHILbatxAX6zG9ctdMzcuYjCaCXZ+04utDiTG2zRbt0
tmiMlsvO0QwjIPFoOP7CWIWq1JFG/NwJIgdNxjDChaojF+VQzASy8AKd3H7iLU3S
Ubdc9gHQ9nn1ws1loC3e
=OamF
-----END PGP SIGNATURE-----

--ZwgA9U+XZDXt4+m+--

--===============9092485622324413694==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============9092485622324413694==--