[USN-2817-1] IcedTea Web vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Tue Nov 24 18:48:44 UTC 2015

Ubuntu Security Notice USN-2817-1
November 24, 2015

icedtea-web vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 15.10
- Ubuntu 15.04
- Ubuntu 14.04 LTS


Several security issues were fixed in IcedTea Web.

Software Description:
- icedtea-web: A web browser plugin to execute Java applets


It was discovered that IcedTea Web incorrectly handled applet URLs. A
remote attacker could possibly use this issue to inject applets into the
.appletTrustSettings configuration file and bypass user approval.

Andrea Palazzo discovered that IcedTea Web incorrectly determined the
origin of unsigned applets. A remote attacker could possibly use this issue
to bypass user approval, or to trick the user into approving applet
execution. (CVE-2015-5235)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 15.10:
  icedtea-7-plugin                1.5.3-0ubuntu0.15.10.1

Ubuntu 15.04:
  icedtea-7-plugin                1.5.3-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:
  icedtea-6-plugin                1.5.3-0ubuntu0.14.04.1
  icedtea-7-plugin                1.5.3-0ubuntu0.14.04.1

After a standard system update you need to restart your browser to make
all the necessary changes.

  CVE-2015-5234, CVE-2015-5235

Package Information:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20151124/160a2d21/attachment.sig>

More information about the ubuntu-security-announce mailing list