Security: Two problems in IcedTea-Web
Name: Two problems in IcedTea-Web
ID: USN-1521-1
Distribution: Ubuntu
Platforms: Ubuntu 10.04 LTS, Ubuntu 11.04, Ubuntu 11.10, Ubuntu 12.04 LTS
Date: Wed, 1 August 2012, 07:39
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3423

Original message

==========================================================================
Ubuntu Security Notice USN-1521-1
July 31, 2012

icedtea-web vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS

Summary:

The IcedTea-Web Java web browser plugin could be made to crash or
possibly run programs as your login if it opened a specially crafted
applet.

Software Description:
- icedtea-web: A web browser plugin to execute Java applets

Details:

Chamal De Silva discovered that the IcedTea-Web Java web browser
plugin could dereference an uninitialized pointer. A remote attacker
could use this to craft a malicious web page that could cause a
denial of service by crashing the web browser or possibly execute
arbitrary code. (CVE-2012-3422)

Steven Bergom and others discovered that the IcedTea-Web Java web
browser plugin assumed that all strings provided by browsers are NULL
terminated, which is not guaranteed by the NPAPI (Netscape Plugin
Application Programming Interface). A remote attacker could use this
to craft a malicious Java applet that could cause a denial of service
by crashing the web browser, expose sensitive information or possibly
execute arbitrary code. (CVE-2012-3423)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
icedtea-6-plugin 1.2-2ubuntu1.1
icedtea-7-plugin 1.2-2ubuntu1.1

Ubuntu 11.10:
icedtea-6-plugin 1.2-2ubuntu0.11.10.2

Ubuntu 11.04:
icedtea-6-plugin 1.2-2ubuntu0.11.04.2

Ubuntu 10.04 LTS:
icedtea-6-plugin 1.2-2ubuntu0.10.04.2

After a standard system update you need to restart your web browser to make
all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1521-1
CVE-2012-3422, CVE-2012-3423

Package Information:
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu1.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.10.2
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.11.04.2
https://launchpad.net/ubuntu/+source/icedtea-web/1.2-2ubuntu0.10.04.2
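
The string handling issue described under CVE-2012-3423 above, as an added illustration that is not part of the Ubuntu notice or the IcedTea-Web source: NPAPI hands a plugin strings as a pointer plus an explicit length, and the sketch contrasts a copy that assumes a terminator with one bounded by that length. The type np_string_t (a local stand-in mirroring NPAPI's NPString), the function names and the sample bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in mirroring NPAPI's NPString: pointer plus explicit length. */
typedef struct {
    const char *UTF8Characters;
    uint32_t    UTF8Length;
} np_string_t;

/* Flawed pattern: reads until a NUL byte and ignores UTF8Length. */
char *copy_assuming_nul(const np_string_t *s)
{
    size_t n = strlen(s->UTF8Characters);   /* may run past UTF8Length */
    char *out = malloc(n + 1);
    if (out) memcpy(out, s->UTF8Characters, n + 1);
    return out;
}

/* Hardened pattern: copies exactly UTF8Length bytes, then terminates. */
char *copy_bounded(const np_string_t *s)
{
    if (!s || (!s->UTF8Characters && s->UTF8Length != 0)) return NULL;
    if (s->UTF8Length >= SIZE_MAX) return NULL;       /* length + 1 would wrap */
    char *out = malloc((size_t)s->UTF8Length + 1);
    if (!out) return NULL;
    if (s->UTF8Length) memcpy(out, s->UTF8Characters, s->UTF8Length);
    out[s->UTF8Length] = '\0';
    return out;
}

/* Constructed sample: a 10-byte value followed directly by unrelated bytes.
   The array's trailing NUL only keeps the flawed copy inside this buffer. */
static const char sample_mem[] = "applet.jarSESSION=constructed";

np_string_t sample_string(void)
{
    np_string_t s = { sample_mem, 10 };
    return s;
}

int main(void)
{
    np_string_t s = sample_string();
    char *bad = copy_assuming_nul(&s), *good = copy_bounded(&s);
    int ok = bad && good && strlen(good) == 10 && strlen(bad) > 10;
    free(bad); free(good);
    return ok ? 0 : 1;
}
```

Here the flawed copy returns the adjacent bytes along with the value; with no NUL nearby it would read out of bounds instead.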