[Secure-testing-team] Bug#614151: icedtea6-plugin: (PRSC) Please backport fixes for CVE-2011-0025, 4351 to squeeze, lenny

Jonathan Wiltshire jmw at debian.org
Sat Feb 19 23:39:08 UTC 2011


Package: icedtea6-plugin
Version: 6b11-9.1
Severity: grave
Tags: squeeze lenny security
Justification: user security hole
Usertags: prsc-target-lenny, prsc-target-squeeze

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please backport your fixes for the following CVE reports:

CVE-2010-4351:
The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before
1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission
method instead of throwing an exception in certain circumstances, which might
allow context-dependent attackers to bypass the intended security policy by
creating instances of ClassLoader.

CVE-2011-0025:
IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not
properly verify signatures for JAR files that (1) are "partially signed" or
(2) signed by multiple entities, which allows remote attackers to trick users
into executing code that appears to come from a trusted source.

To help me keep track of these fixes, please keep 'PRSC' somewhere in the
subject line of your emails.

Thanks,


- -- System Information:
Debian Release: wheezy/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----
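The second CVE above is about accepting a JAR as "signed" when only some of its entries carry a signature, or when several signers each cover only part of it. The check a verifier has to make is: every content entry must be signed, and the JAR may be attributed only to signers who signed every entry. The following is an added example of that check written against the standard java.util.jar API; it is not IcedTea's, OpenJDK's or Debian's own code, and the class name JarSignerCheck and the command-line path argument are this example's own assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (hypothetical class): decide which signers, if any, may be
 * credited for a JAR. A JAR that is only partially signed, or whose entries
 * are split between signers with no signer covering all of them, yields an
 * empty set and must be treated as unsigned.
 */
public class JarSignerCheck {

    public static Set<CodeSigner> commonSigners(String path) throws Exception {
        // verify=true makes JarFile check each entry's digest against the
        // manifest and throw SecurityException on a mismatch while reading.
        try (JarFile jar = new JarFile(path, true)) {
            Set<CodeSigner> common = null;
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                String name = entry.getName();
                // Directories carry no content. Everything under META-INF/
                // (manifest, .SF/.RSA/.DSA files) is skipped as a conservative
                // simplification: signature metadata does not sign itself.
                if (entry.isDirectory() || name.startsWith("META-INF/")) {
                    continue;
                }
                // Signers are only attached to an entry after it has been
                // read to EOF, so drain the stream before asking for them.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) {
                        // discard content; we only need the verification side effect
                    }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // Partially signed JAR: one unsigned entry taints the whole file.
                    return Collections.emptySet();
                }
                Set<CodeSigner> here = new HashSet<>(Arrays.asList(signers));
                if (common == null) {
                    common = here;
                } else {
                    // Keep only signers that have signed every entry so far.
                    common.retainAll(here);
                }
                if (common.isEmpty()) {
                    // Multiple signers, none of whom covers all entries.
                    return common;
                }
            }
            // An archive with no content entries has nobody to credit.
            return common == null ? Collections.emptySet() : common;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck <file.jar>");
            System.exit(2);
        }
        Set<CodeSigner> signers = commonSigners(args[0]);
        if (signers.isEmpty()) {
            System.out.println("UNSIGNED or partially signed: do not trust");
            System.exit(1);
        }
        for (CodeSigner s : signers) {
            System.out.println("signed throughout by: "
                    + s.getSignerCertPath().getCertificates().get(0));
        }
    }
}
```

The result of commonSigners() is the set of identities a prompt may legitimately show the user; whether any of those identities is actually trusted (certificate chain validation, revocation, user policy) is a separate step that this example does not perform. Note that the digest verification JarFile performs only covers entries listed in the manifest; an entry absent from the manifest shows up here with no signers and is rejected by the partial-signing check.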