CVE-2019-10185 - Path Traversal vulnerability in multiple products

CVSS 8.6 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Tags: network, low complexity, icedtea-web-project, debian, opensuse, CWE-22, nessus

Summary

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.
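An added example, not taken from the advisory or from the IcedTea-Web code base: a Python audit that walks a JAR and any JARs nested inside it and reports entry names that would resolve outside the extraction directory, which is the condition behind this zip-slip flaw. The sample archive, the `app.jar` label, the size and depth limits and all function names are constructed for illustration.

```python
import io
import posixpath
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".zip", ".war")
MAX_NESTED_BYTES = 16 * 1024 * 1024   # assumed cap: skip oversized nested archives
MAX_DEPTH = 3                         # assumed cap on nesting depth


def escapes_root(entry_name: str) -> bool:
    """Return True if extracting entry_name under a directory would land outside it."""
    name = entry_name.replace("\\", "/")          # treat Windows separators as separators
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True                               # absolute path or drive-qualified path
    # Resolve against a virtual root and check that the result is still inside it.
    resolved = posixpath.normpath(posixpath.join("/root", name))
    return not (resolved == "/root" or resolved.startswith("/root/"))


def audit_archive(data: bytes, label: str = "<top>", depth: int = 0) -> list:
    """List every entry, at any nesting level, whose name escapes the extraction root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            where = f"{label}!/{info.filename}"
            if escapes_root(info.filename):
                findings.append(where)
                continue
            nested = info.filename.lower().endswith(ARCHIVE_SUFFIXES)
            if nested and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_BYTES:
                inner = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    findings.extend(audit_archive(inner, where, depth + 1))
    return findings


def build_sample_jar() -> bytes:
    """Constructed test input: an outer JAR holding a nested JAR with one bad entry name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("com/example/Ok.class", b"constructed")
        zf.writestr("../../outside.txt", b"constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        zf.writestr("lib/nested.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in audit_archive(build_sample_jar(), "app.jar"):
        print("entry escapes extraction root:", finding)
```

The same containment test belongs in the extractor itself: resolve each entry against the destination directory and refuse to write when the result is not inside it.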

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and "dir", or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character would be represented with %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other formats of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-2003.NASL
    description: An update for icedtea-web is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127645
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127645
    title: RHEL 7 : icedtea-web (RHSA-2019:2003)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2003. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127645);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2019-10181", "CVE-2019-10182", "CVE-2019-10185");
      script_xref(name:"RHSA", value:"2019:2003");
    
      script_name(english:"RHEL 7 : icedtea-web (RHSA-2019:2003)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for icedtea-web is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The IcedTea-Web project provides a Java web browser plug-in and an
    implementation of Java Web Start, which is based on the Netx project.
    It also contains a configuration tool for managing deployment settings
    for the plug-in and Web Start implementations. IcedTea-Web now also
    contains PolicyEditor - a simple tool to configure Java policies.
    
    Security Fix(es) :
    
    * icedtea-web: path traversal while processing elements of JNLP files
    results in arbitrary file overwrite (CVE-2019-10182)
    
    * icedtea-web: directory traversal in the nested jar auto-extraction
    leading to arbitrary file overwrite (CVE-2019-10185)
    
    * icedtea-web: unsigned code injection in a signed JAR file
    (CVE-2019-10181)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2003"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10181"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10182"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10185"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10181");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web-javadoc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2003";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"icedtea-web-1.7.1-2.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"icedtea-web-debuginfo-1.7.1-2.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"icedtea-web-devel-1.7.1-2.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"icedtea-web-javadoc-1.7.1-2.el7_6")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icedtea-web / icedtea-web-debuginfo / icedtea-web-devel / etc");
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1914.NASL
    description: Several security vulnerabilities were found in icedtea-web, an implementation of the Java Network Launching Protocol (JNLP). CVE-2019-10181 It was found that in icedtea-web executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. CVE-2019-10182 It was found that icedtea-web did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. CVE-2019-10185 It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128618
    published: 2019-09-10
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128618
    title: Debian DLA-1914-1 : icedtea-web security update
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2019-2003.NASL
    description: From Red Hat Security Advisory 2019:2003 : An update for icedtea-web is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127611
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127611
    title: Oracle Linux 7 : icedtea-web (ELSA-2019-2003)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-1911.NASL
    description: This update for icedtea-web to version 1.7.2 fixes the following issues : Security issues fixed : - CVE-2019-10181: Fixed an unsigned code injection in a signed JAR file (bsc#1142835) - CVE-2019-10182: Fixed a path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite (bsc#1142825). - CVE-2019-10185: Fixed a directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (bsc#1142832). This update was imported from the SUSE:SLE-15:Update update project.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 128003
    published: 2019-08-20
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128003
    title: openSUSE Security Update : icedtea-web (openSUSE-2019-1911)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1905.NASL
    description: According to the versions of the icedtea-web package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. (CVE-2019-10181) - It was found that icedtea-web did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. (CVE-2019-10182) - It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. (CVE-2019-10185) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-08
    modified: 2019-09-16
    plugin id: 128828
    published: 2019-09-16
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/128828
    title: EulerOS 2.0 SP5 : icedtea-web (EulerOS-SA-2019-1905)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2019-2004.NASL
    description: An update for icedtea-web is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127646
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127646
    title: RHEL 8 : icedtea-web (RHSA-2019:2004)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2019-2003.NASL
    description: An update for icedtea-web is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-04-16
    modified: 2020-04-10
    plugin id: 135312
    published: 2020-04-10
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135312
    title: CentOS 7 : icedtea-web (CESA-2019:2003)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2019-2004.NASL
    description: From Red Hat Security Advisory 2019:2004 : An update for icedtea-web is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 127612
    published: 2019-08-12
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/127612
    title: Oracle Linux 8 : icedtea-web (ELSA-2019-2004)

Redhat

advisories
  • bugzilla
    id: 1725928
    title: CVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 7 is installed
        oval: oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment: icedtea-web-devel is earlier than 0:1.7.1-2.el7_6
            oval: oval:com.redhat.rhsa:tst:20192003001
          • comment: icedtea-web-devel is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20192003002
        • AND
          • comment: icedtea-web-javadoc is earlier than 0:1.7.1-2.el7_6
            oval: oval:com.redhat.rhsa:tst:20192003003
          • comment: icedtea-web-javadoc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20141417004
        • AND
          • comment: icedtea-web is earlier than 0:1.7.1-2.el7_6
            oval: oval:com.redhat.rhsa:tst:20192003005
          • comment: icedtea-web is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20141417002
    rhsa
    id: RHSA-2019:2003
    released: 2019-07-31
    severity: Important
    title: RHSA-2019:2003: icedtea-web security update (Important)
  • bugzilla
    id: 1725928
    title: CVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 8 is installed
        oval: oval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • comment: icedtea-web is earlier than 0:1.7.1-17.el8_0
            oval: oval:com.redhat.rhsa:tst:20192004001
          • comment: icedtea-web is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20141417002
        • AND
          • comment: icedtea-web-javadoc is earlier than 0:1.7.1-17.el8_0
            oval: oval:com.redhat.rhsa:tst:20192004003
          • comment: icedtea-web-javadoc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhba:tst:20141417004
    rhsa
    id: RHSA-2019:2004
    released: 2019-07-31
    severity: Important
    title: RHSA-2019:2004: icedtea-web security update (Important)
rpms
  • icedtea-web-0:1.7.1-2.el7_6
  • icedtea-web-debuginfo-0:1.7.1-2.el7_6
  • icedtea-web-devel-0:1.7.1-2.el7_6
  • icedtea-web-javadoc-0:1.7.1-2.el7_6
  • icedtea-web-0:1.7.1-17.el8_0
  • icedtea-web-javadoc-0:1.7.1-17.el8_0