RedHat has issued an advisory on July 31: https://access.redhat.com/errata/RHSA-2019:2003 The issue was also announced on oss-security: https://www.openwall.com/lists/oss-security/2019/07/31/2 Mageia 6 and Mageia 7 are also affected.
Whiteboard: (none) => MGA7TOO, MGA6TOO
Hi, Done for Cauldron and Mga7. For Mga6, the patches do not apply. Best regards, Nico.
CC: (none) => nicolas.salguero
It probably doesn't make a difference, since RedHat has 1.7.x, but here's the commit with their patches: https://git.centos.org/rpms/icedtea-web/c/fc1eb6ada20c59d4b9260c89b1cfc51924c2b965?branch=c7 If those don't work for 1.6.2, maybe we can update it for Mageia 6?
Package list for Mageia 7 update:
icedtea-web-1.8-2.1.mga7
icedtea-web-javadoc-1.8-2.1.mga7
icedtea-web-devel-1.8-2.1.mga7
from icedtea-web-1.8-2.1.mga7.src.rpm
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO
Version: Cauldron => 7
Suggested advisory:
========================

The updated packages fix security issues:

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. (CVE-2019-10181)

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. (CVE-2019-10182)

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. (CVE-2019-10185)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10185
https://access.redhat.com/errata/RHSA-2019:2003
https://www.openwall.com/lists/oss-security/2019/07/31/2
========================

Updated packages in 6/core/updates_testing:
========================
icedtea-web-1.7.2-1.mga6
icedtea-web-javadoc-1.7.2-1.mga6
icedtea-web-devel-1.7.2-1.mga6

from SRPMS:
icedtea-web-1.7.2-1.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
icedtea-web-1.8-2.1.mga7
icedtea-web-javadoc-1.8-2.1.mga7
icedtea-web-devel-1.8-2.1.mga7

from SRPMS:
icedtea-web-1.8-2.1.mga7.src.rpm
CVE: (none) => CVE-2019-10181, CVE-2019-10182, CVE-2019-10185
Status: NEW => ASSIGNED
Assignee: java => qa-bugs
Source RPM: icedtea-web-1.8.2-1.mga8.src.rpm => icedtea-web-1.8-2.mga7.src.rpm
There is a problem for Mageia 6
Assignee: qa-bugs => nicolas.salguero
Problem solved with icedtea-web-1.7.2-4.mga6. So:

Suggested advisory:
========================

The updated packages fix security issues:

It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. (CVE-2019-10181)

It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. (CVE-2019-10182)

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. (CVE-2019-10185)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10185
https://access.redhat.com/errata/RHSA-2019:2003
https://www.openwall.com/lists/oss-security/2019/07/31/2
========================

Updated packages in 6/core/updates_testing:
========================
icedtea-web-1.7.2-4.mga6
icedtea-web-javadoc-1.7.2-4.mga6
icedtea-web-devel-1.7.2-4.mga6

from SRPMS:
icedtea-web-1.7.2-4.mga6.src.rpm

Updated packages in 7/core/updates_testing:
========================
icedtea-web-1.8-2.1.mga7
icedtea-web-javadoc-1.8-2.1.mga7
icedtea-web-devel-1.8-2.1.mga7

from SRPMS:
icedtea-web-1.8-2.1.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugs
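The two path-handling flaws in the suggested advisory above (CVE-2019-10182, unsanitized <jar/> paths in JNLP files, and CVE-2019-10185, zip-slip during JAR auto-extraction) share one root cause: an archive member name or href is joined onto a cache directory without checking that the result still lies inside that directory. The script below is an added illustration of the defensive check, not code from icedtea-web or from this bug report. The archive it unpacks is constructed inline with one benign entry and two traversing member names, and the function names (is_safe_member, safe_extract, jar_href_is_safe, demo) are my own.

```python
import io
import os
import tempfile
import zipfile
from urllib.parse import urlparse


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if extracting member_name under dest_dir stays inside dest_dir.

    Rejects empty names, NUL bytes, absolute paths, drive letters and backslashes
    up front, then canonicalises the joined path and checks the prefix.
    """
    if not member_name or "\x00" in member_name:
        return False
    if member_name.startswith(("/", "\\")) or ":" in member_name or "\\" in member_name:
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, member_name))
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract an in-memory zip into dest_dir, skipping any member that would escape it.

    Returns {"extracted": [...], "rejected": [...]} so a caller can log the rejects.
    Deliberately does not use ZipFile.extractall(), to make the check explicit.
    """
    result = {"extracted": [], "rejected": []}
    dest = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest, info.filename):
                result["rejected"].append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            result["extracted"].append(info.filename)
    return result


def jar_href_is_safe(href: str) -> bool:
    """Check a JNLP <jar href="..."/> value before it is mapped onto the local cache.

    Only the path component matters here; any '..' segment, backslash or NUL is rejected.
    """
    path = urlparse(href).path
    if "\\" in path or "\x00" in path:
        return False
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return ".." not in parts


def build_sample_zip() -> bytes:
    """Constructed sample archive: one manifest, one benign file, two traversing names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("lib/app.txt", "benign payload\n")
        zf.writestr("../../outside.txt", "must never be written\n")
        zf.writestr("/etc/evil.txt", "must never be written\n")
    return buf.getvalue()


def demo() -> dict:
    """Unpack the sample into <tmp>/a/b and report what landed where."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b")
        os.makedirs(dest)
        res = safe_extract(build_sample_zip(), dest)
        # "../../outside.txt" from <root>/a/b would resolve to <root>/outside.txt
        res["outside_exists"] = os.path.exists(os.path.join(root, "outside.txt"))
        res["app_exists"] = os.path.exists(os.path.join(dest, "lib", "app.txt"))
    return res


if __name__ == "__main__":
    print(demo())
```

The prefix check runs on os.path.realpath output on both sides, so a symlinked cache directory (for example /tmp on systems where it points elsewhere) compares consistently, and the trailing os.sep in the comparison stops a sibling directory such as cache2 from passing as a prefix of cache.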
This is running Cinnamon. I need a Plasma person to try Konqueror, which is listed as still able to run icedtea. Installed icedtea-web-1.8.2.1 as part of my java testing on MGA7. Since Firefox no longer enables it I had to pick on other browsers. Midori - worked in several cases. Epiphany - worked in another case, but not in the Midori one. Makes me want to drink Mi...... Seems to be working considering limited browser support.
Whiteboard: MGA6TOO => MGA6TOO MGA7-64-OK
CC: (none) => brtians1
MGA6-64 Plasma on Lenovo B50. No installation issues. Found link to test in bug 16755, used Konqueror on different sites listed on https://javatester.org/othertesters.html. All seemed to work OK. I am not sure whether this is a conclusive test ????
CC: (none) => herman.viaene
MGA6 - 32 bit It installed clean. I'm unable to confirm whether it works or not with Midori. I think it is mostly a browser issue, but my testing indicated it might work, that's the best I can say. Tentative ok. I think this tool is pretty much dead.
[brian@localhost ~]$ java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
[brian@localhost ~]$ uname -a
Linux localhost 4.14.137-desktop-1.mga6 #1 SMP Wed Aug 7 11:51:54 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[brian@localhost ~]$

I tried a few, but this is an interesting test. It does work.
http://josm.openstreetmap.de/download/josm.jnlp
Whiteboard: MGA6TOO MGA7-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK
Whiteboard: MGA6TOO MGA7-64-OK MGA6-64-OK => MGA6TOO MGA7-64-OK MGA6-64-OK MGA6-32-OK
Validating. Suggested advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0242.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED