(RHSA-2019:2004) Important: icedtea-web security update

2019-07-31T21:40:05
ID RHSA-2019:2004
Type redhat
Reporter RedHat
Modified 2019-07-31T21:47:04

Description

The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies.

Security Fix(es):

  • icedtea-web: path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182)

  • icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185)

  • icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.