PublicDateAtUSN: 2011-07-20
Candidate: CVE-2011-2513
PublicDate: 2014-05-14 00:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2513
 https://ubuntu.com/security/notices/USN-1178-1
Description:
 The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to obtain the username and full path of the home and cache directories by accessing properties of the ClassLoader.
Ubuntu-Description:
 Omair Majid discovered that an unsigned Web Start application or applet could determine the path to the cache directory used to store downloaded class and jar files by querying class loader properties. This could allow a remote attacker to discover a user's name and home directory path.
Notes:
 mdeslaur> in natty+, NetX and the plugin moved to the icedtea-web package
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:

Patches_sun-java6:
upstream_sun-java6: not-affected
hardy_sun-java6: not-affected
lucid_sun-java6: not-affected
maverick_sun-java6: not-affected
natty_sun-java6: not-affected
oneiric_sun-java6: not-affected
devel_sun-java6: DNE

Patches_sun-java5:
upstream_sun-java5: not-affected
hardy_sun-java5: ignored (upstream sun-java5 is EoL)
lucid_sun-java5: DNE
maverick_sun-java5: DNE
natty_sun-java5: DNE
oneiric_sun-java5: DNE
devel_sun-java5: DNE

Patches_openjdk-6:
upstream_openjdk-6: released (1.9.9)
hardy_openjdk-6: released (6b27-1.12.3-0ubuntu1~08.04.1)
lucid_openjdk-6: released (6b20-1.9.9-0ubuntu1~10.04.2)
maverick_openjdk-6: released (6b20-1.9.9-0ubuntu1~10.10.2)
natty_openjdk-6: not-affected (uses icedtea-web)
oneiric_openjdk-6: not-affected (uses icedtea-web)
devel_openjdk-6: not-affected (uses icedtea-web)

Patches_openjdk-6b18:
upstream_openjdk-6b18: released (1.8.9)
hardy_openjdk-6b18: DNE
lucid_openjdk-6b18: released (6b18-1.8.8-0ubuntu1~10.04.2+1.8.9)
maverick_openjdk-6b18: released (6b18-1.8.8-0ubuntu1~10.10.2+1.8.9)
natty_openjdk-6b18: not-affected (uses icedtea-web)
oneiric_openjdk-6b18: not-affected (uses icedtea-web)
devel_openjdk-6b18: not-affected (uses icedtea-web)

Patches_icedtea-web:
upstream_icedtea-web: released (1.1.1)
hardy_icedtea-web: DNE
lucid_icedtea-web: not-affected (1.2-2ubuntu0.10.04.1)
maverick_icedtea-web: DNE
natty_icedtea-web: released (1.1.1-0ubuntu1~11.04.1)
oneiric_icedtea-web: not-affected (1.1.1-1ubuntu1)
devel_icedtea-web: not-affected (1.1.1-1ubuntu1)