USN-1178-1: IcedTea-Web, OpenJDK 6 vulnerabilities

27 July 2011

icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 11.04
  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

An attacker could discover a user’s name or confuse a user into granting unintended access to files.

Software Description

  • icedtea-web - An implementation of the Java Network Launching Protocol (JNLP)
  • openjdk-6 - Open Source Java implementation
  • openjdk-6b18 - Open Source Java implementation

Details

Omair Majid discovered that an unsigned Web Start application or applet could determine the path to the cache directory used to store downloaded class and jar files by querying class loader properties. This could allow a remote attacker to discover a user’s name and home directory path. (CVE-2011-2513)

Omair Majid discovered that an unsigned Web Start application could manipulate the content of the security warning dialog message to show different file names in prompts. This could allow a remote attacker to confuse a user into granting access to a different file than they believe they are granting access to. This issue only affected Ubuntu 11.04. (CVE-2011-2514)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.04
icedtea-netx - 1.1.1-0ubuntu1~11.04.1
icedtea-plugin - 1.1.1-0ubuntu1~11.04.1
Ubuntu 10.10
icedtea6-plugin - 6b20-1.9.9-0ubuntu1~10.10.2
Ubuntu 10.04 LTS
icedtea6-plugin - 6b20-1.9.9-0ubuntu1~10.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart any Java applications or applets to make all the necessary changes.

References