Jonathan Wiltshire
2011-Feb-19 23:39 UTC
[Secure-testing-team] Bug#614151: icedtea6-plugin: (PRSC) Please backport fixes for CVE-2011-0025, 4351 to squeeze, lenny
Package: icedtea6-plugin
Version: 6b11-9.1
Severity: grave
Tags: squeeze lenny security
Justification: user security hole
Usertags: prsc-target-lenny, prsc-target-squeeze

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please backport your fixes for the following CVE reports:

CVE-2010-4351: The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader.

CVE-2011-0025: IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5 does not properly verify signatures for JAR files that (1) are "partially signed" or (2) are signed by multiple entities, which allows remote attackers to trick users into executing code that appears to come from a trusted source.

To help me keep track of these fixes, please keep 'PRSC' somewhere in the subject line of your emails.
Thanks,

- --
System Information:
Debian Release: wheezy/sid
  APT prefers oldstable
  APT policy: (500, 'oldstable'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJNYFScAAoJEFOUR53TUkxRTJIP/1mCQssj4dS/PVZTW3cxcqHK
N3zmueTgjrlVcznzg8kG0wj4E81oSXHgCqCqCNldVHyIiJir9yEQJj/dh+5jpO9G
q+PgJRJLqkCrKnoza6MtWGfg4Mn+Bv4fr3AlVaKZYDUaQ4mpLShGBSQJPvfFVpcb
gLjxjK5Kcu7kfi5mNHBzzoGGhi1Q0w+T/xxfmZTyeXuOEwWWEW//o+5r5JVsB0pV
pbmnP5AmselmBad+nYEYxarEd6DJFfF8no8Oh38ukqQojIbUBzqJTdjd2Znxk6iA
3GN4gBPCLpCTdeIavh59riOq+JOjMZHETIA5WR6BbyAPp3RXfc9+Y9RIvNyHSCvu
cuk3wPy7qTAbb4KhH3iZ6LhJwGFKKtZkxb4uq++AQsTpkPlUMKGDOixP31UNUR1l
4DGEs+pC/NlCKal+oCZI+vSsFhBv+otMoXIdZ6onWfYugFDMUcP1gDSVZVAO0g9T
E52NRFGtuJ8Xgi7OfQEmS3YVKz2s5CwaFOSh/JY6rWJfsVvCyC+BeJByKs8P1aVH
8E1OPtFYlYBIL7UbIVE46myGY9ADPca4tpvDVEgzZaWkDbs4HZmcSQzoO3K31EGq
2XreauCtmuItICAl3KKXFg1wXMk6oKYwH0tltswwtQSH32JNwQ3wMa8F1f4Aoy+0
7BJX4qwX2JgNRZ0TuYKS
=xeey
-----END PGP SIGNATURE-----
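The two JAR cases named in CVE-2011-0025 above, "partially signed" and "signed by multiple entities", come down to one question a plugin has to answer before it attributes code to a signer: is every content entry in the archive signed, and by the same signers? The class below is an added example written for this bug report, not code from IcedTea, OpenJDK or the Debian package, and the class name `JarSignerCheck` and the `Verdict` type are hypothetical. It assumes only the standard `java.util.jar` verifier: `JarFile` checks each entry's digest as the entry is read, and `JarEntry.getCodeSigners()` is populated only after the entry has been fully consumed. The policy it enforces, that every non-directory entry outside the signature metadata must be signed and that all signer sets must match, is an assumption that is deliberately stricter than the bare JAR specification.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not IcedTea/OpenJDK code. Policy (an assumption, stricter
// than the JAR spec): a JAR counts as "signed" only if every non-directory,
// non-signature-metadata entry verifies and all entries share one signer set.
public final class JarSignerCheck {

    /** Outcome: accepted with a consistent signer set, or rejected with a reason. */
    public static final class Verdict {
        public final boolean trusted;
        public final String reason;
        public final Set<Certificate> signers;   // empty when rejected

        Verdict(boolean trusted, String reason, Set<Certificate> signers) {
            this.trusted = trusted;
            this.reason = reason;
            this.signers = signers;
        }
    }

    public static Verdict check(JarFile jar) throws IOException {
        Set<Certificate> expected = null;
        Enumeration<JarEntry> entries = jar.entries();
        while (entries.hasMoreElements()) {
            JarEntry entry = entries.nextElement();
            String name = entry.getName();
            if (entry.isDirectory() || isSignatureMetadata(name)) {
                continue;
            }

            // JarFile verifies the digest while the entry is being read, so the
            // entry has to be drained before getCodeSigners() returns anything.
            try (InputStream in = jar.getInputStream(entry)) {
                byte[] buf = new byte[8192];
                while (in.read(buf) != -1) {
                    // discard the bytes; only the verification side effect is wanted
                }
            } catch (SecurityException e) {
                // the entry's digest does not match what the manifest records
                return reject("digest mismatch for " + name);
            }

            CodeSigner[] signers = entry.getCodeSigners();
            if (signers == null || signers.length == 0) {
                // "partially signed": this entry carries no signature (also hit
                // when the JAR is not signed at all)
                return reject("unsigned entry " + name + " (JAR is only partially signed)");
            }

            // Collect the leaf certificate of every signer on this entry.
            Set<Certificate> leaves = new HashSet<>();
            for (CodeSigner s : signers) {
                leaves.add(s.getSignerCertPath().getCertificates().get(0));
            }
            if (expected == null) {
                expected = leaves;
            } else if (!expected.equals(leaves)) {
                // "multiple entities": never attribute the whole JAR to one signer
                return reject("entry " + name + " is signed by a different signer set");
            }
        }
        if (expected == null) {
            return reject("JAR contains no content entries");
        }
        return new Verdict(true, "every entry is signed by the same signer set",
                Collections.unmodifiableSet(expected));
    }

    private static Verdict reject(String reason) {
        return new Verdict(false, reason, Collections.emptySet());
    }

    // Files that carry the signature itself are never themselves signed.
    static boolean isSignatureMetadata(String name) {
        String upper = name.toUpperCase(Locale.ROOT);
        if (!upper.startsWith("META-INF/")) {
            return false;
        }
        return upper.equals("META-INF/MANIFEST.MF")
                || upper.endsWith(".SF") || upper.endsWith(".RSA")
                || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    public static void main(String[] args) throws IOException {
        // the "true" argument turns on signature verification during reads
        try (JarFile jar = new JarFile(args[0], true)) {
            Verdict v = check(jar);
            System.out.println((v.trusted ? "ACCEPT: " : "REJECT: ") + v.reason);
        }
    }
}
```

Run it as `java JarSignerCheck some.jar`. A verdict of `trusted` only establishes that the archive is internally consistent, that is, fully signed by one signer set with intact digests; deciding whether that signer set is actually trusted (chain validation against a trust store, revocation, the user prompt a plugin shows) is a separate step that has to run on the returned `signers` before any class from the JAR is loaded.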