Ubuntu Security Notice 2817-1 - It was discovered that IcedTea Web incorrectly handled applet URLs. A remote attacker could possibly use this issue to inject applets into the .appletTrustSettings configuration file and bypass user approval. Andrea Palazzo discovered that IcedTea Web incorrectly determined the origin of unsigned applets. A remote attacker could possibly use this issue to bypass user approval, or to trick the user into approving applet execution. Various other issues were also addressed.
0c95df3ba385830931e81928cf6357437d5124af42b0969aee880229cde673d0
============================================================================
Ubuntu Security Notice USN-2817-1
November 24, 2015
icedtea-web vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in IcedTea Web.
Software Description:
- icedtea-web: A web browser plugin to execute Java applets
Details:
It was discovered that IcedTea Web incorrectly handled applet URLs. A
remote attacker could possibly use this issue to inject applets into the
.appletTrustSettings configuration file and bypass user approval.
(CVE-2015-5234)
Andrea Palazzo discovered that IcedTea Web incorrectly determined the
origin of unsigned applets. A remote attacker could possibly use this issue
to bypass user approval, or to trick the user into approving applet
execution. (CVE-2015-5235)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.10:
icedtea-7-plugin 1.5.3-0ubuntu0.15.10.1
Ubuntu 15.04:
icedtea-7-plugin 1.5.3-0ubuntu0.15.04.1
Ubuntu 14.04 LTS:
icedtea-6-plugin 1.5.3-0ubuntu0.14.04.1
icedtea-7-plugin 1.5.3-0ubuntu0.14.04.1
After a standard system update you need to restart your browser to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-2817-1
CVE-2015-5234, CVE-2015-5235
Package Information:
https://launchpad.net/ubuntu/+source/icedtea-web/1.5.3-0ubuntu0.15.10.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.5.3-0ubuntu0.15.04.1
https://launchpad.net/ubuntu/+source/icedtea-web/1.5.3-0ubuntu0.14.04.1