Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2011-2514

Published: 20 July 2011

The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to trick victims into granting access to local files by modifying the content of the Java Web Start Security Warning dialog box to represent a different filename than the file for which access will be granted.

From the Ubuntu Security Team

Omair Majid discovered that an unsigned Web Start application could manipulate the content of the security warning dialog message to show different file names in prompts. This could allow a remote attacker to confuse a user into granting access to a different file than they believe they are granting access to. This issue only affected Ubuntu 11.04.

Priority

Medium

Status

Package Release Status
icedtea-web
Launchpad, Ubuntu, Debian
upstream
Released (1.1.1)
hardy Does not exist

lucid Not vulnerable
(1.2-2ubuntu0.10.04.1)
maverick Does not exist

natty
Released (1.1.1-0ubuntu1~11.04.1)
oneiric Not vulnerable
(1.1.1-1ubuntu1)
openjdk-6
Launchpad, Ubuntu, Debian
upstream
Released (1.9.9)
hardy
Released (6b27-1.12.3-0ubuntu1~08.04.1)
lucid
Released (6b20-1.9.9-0ubuntu1~10.04.2)
maverick
Released (6b20-1.9.9-0ubuntu1~10.10.2)
natty Not vulnerable
(uses icedtea-web)
oneiric Not vulnerable
(uses icedtea-web)
openjdk-6b18
Launchpad, Ubuntu, Debian
upstream
Released (1.8.9)
hardy Does not exist

lucid
Released (6b18-1.8.8-0ubuntu1~10.04.2+1.8.9)
maverick
Released (6b18-1.8.8-0ubuntu1~10.10.2+1.8.9)
natty Not vulnerable
(uses icedtea-web)
oneiric Not vulnerable
(uses icedtea-web)