Debian 9859 Published by

The following security updates has been released for Debian GNU/Linux:

Debian GNU/Linux 8 LTS:
DLA 1914-1: icedtea-web security update

Debian GNU/Linux 10:
DSA 4520-1: trafficserver security update
DSA 4521-1: docker.io security update



DLA 1914-1: icedtea-web security update

Package : icedtea-web
Version : 1.5.3-1+deb8u1
CVE ID : CVE-2019-10181 CVE-2019-10182 CVE-2019-10185
Debian Bug : 934319

Several security vulnerabilities were found in icedtea-web, an
implementation of the Java Network Launching Protocol (JNLP).

CVE-2019-10181

It was found that in icedtea-web executable code could be injected
in a JAR file without compromising the signature verification. An
attacker could use this flaw to inject code in a trusted JAR. The
code would be executed inside the sandbox.

CVE-2019-10182

It was found that icedtea-web did not properly sanitize paths from
elements in JNLP files. An attacker could trick a victim
into running a specially crafted application and use this flaw to
upload arbitrary files to arbitrary locations in the context of the
user.

CVE-2019-10185

It was found that icedtea-web was vulnerable to a zip-slip attack
during auto-extraction of a JAR file. An attacker could use this
flaw to write files to arbitrary locations. This could also be used
to replace the main running application and, possibly, break out of
the sandbox.

For Debian 8 "Jessie", these problems have been fixed in version
1.5.3-1+deb8u1.

We recommend that you upgrade your icedtea-web packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

DSA 4520-1: trafficserver security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4520-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 09, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : trafficserver
CVE ID : CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 CVE-2019-9518

Several vulnerabilities were discovered in the HTTP/2 code of Apache
Traffic Server, a reverse and forward proxy server, which could result
in denial of service.

The fixes are too intrusive to backport to the version in the oldstable
distribution (stretch). An upgrade to Debian stable (buster) is
recommended instead.

For the stable distribution (buster), these problems have been fixed in
version 8.0.2+ds-1+deb10u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/trafficserver

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

DSA 4521-1: docker.io security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4521-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
September 09, 2019 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : docker.io
CVE ID : CVE-2019-13139 CVE-2019-13509 CVE-2019-14271

Three security vulnerabilities have been discovered in the Docker
container runtime: Insecure loading of NSS libraries in "docker cp"
could result in execution of code with root privileges, sensitive data
could be logged in debug mode and there was a command injection
vulnerability in the "docker build" command.

For the stable distribution (buster), these problems have been fixed in
version 18.09.1+dfsg1-7.1+deb10u1.

We recommend that you upgrade your docker.io packages.

For the detailed security status of docker.io please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/docker.io

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/