icedtea-web (1.5.3-1+deb8u1) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-10181:
    It was found that in icedtea-web executable code could be injected in a JAR
    file without compromising the signature verification. An attacker could use
    this flaw to inject code in a trusted JAR. The code would be executed
    inside the sandbox.
  * Fix CVE-2019-10182:
    It was found that icedtea-web did not properly sanitize paths from <jar/>
    elements in JNLP files. An attacker could trick a victim into running a
    specially crafted application and use this flaw to upload arbitrary files
    to arbitrary locations in the context of the user.
  * Fix CVE-2019-10185:
    It was found that icedtea-web was vulnerable to a zip-slip attack during
    auto-extraction of a JAR file. An attacker could use this flaw to write
    files to arbitrary locations. This could also be used to replace the main
    running application and, possibly, break out of the sandbox.

 -- Markus Koschany <apo@debian.org>  Mon, 09 Sep 2019 20:26:24 +0200

icedtea-web (1.5.3-1) jessie; urgency=medium

  * New upstream release, fixes CVE-2015-5235 and CVE-2015-5234

 -- Moritz Mühlenhoff <jmm@debian.org>  Thu, 17 Mar 2016 15:01:35 +0100

icedtea-web (1.5-2+deb8u1) jessie; urgency=medium

  * Non-maintainer upload.
  * Fix alternatives handling in icedtea-netx.postinst.in
    (closes: #778631).

 -- Gilles Filippini <pini@debian.org>  Sun, 22 Mar 2015 18:22:24 +0100

icedtea-web (1.5-2) unstable; urgency=medium

  * Build-depend on iceweasel-dev. Closes: #752838.
  * Stop building the icedtea-6-plugin package: Closes: #750640.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 30 Jun 2014 15:00:58 +0200

icedtea-web (1.5-1) sid; urgency=medium

  * IcedTea-Web 1.5 release.
  * Build using dh-autoreconf.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 07 Apr 2014 17:38:58 +0200

icedtea-web (1.4.2-1) unstable; urgency=high

  * IcedTea-Web 1.4.2 release.
    - Security Updates- CVE-2012-4540: Heap-based buffer overflow after
      triggering event.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 05 Feb 2014 21:11:35 +0100

icedtea-web (1.4.1-1ubuntu1) trusty; urgency=low

  * Merge with Debian; remaining changes:
    - Regenerate the control file.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 19 Oct 2013 17:51:32 +0200

icedtea-web (1.4.1-1) unstable; urgency=low

  * IcedTea-Web 1.4.1 release.
  * Build for AArch64.
  * Don't build icedtea-6-plugin on KFreeBSD.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 19 Oct 2013 17:20:43 +0200

icedtea-web (1.4-3.1) unstable; urgency=low

  * Non-maintainer upload.
  * Add CVE-2013-4349.diff patch.
    CVE-2013-4349: Fix IcedTeaScriptableJavaObject::invoke off-by-one
    heap-based buffer overflow after triggering event attached to applets.
    (Closes: #723118)

 -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 28 Sep 2013 10:00:03 +0200

icedtea-web (1.4-3) unstable; urgency=low

  * Update from the 1.4 branch:
    - Fix PR1465, java.io.FileNotFoundException while trying to download
      a JAR file.
    - Fix PR1473, javaws should not depend on name of local file.
    - Fix PR854, resizing an applet several times causes 100% CPU load.
      Closes: #707729.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 04 Jul 2013 11:01:08 +0200

icedtea-web (1.4-2) unstable; urgency=low

  * Fix icedtea-web for use with OpenJDK 7u25.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 03 Jul 2013 17:34:23 +0200

icedtea-web (1.4-1) unstable; urgency=low

  * IcedTea-Web 1.4 release.
  * Stop building the icedtea6-plugin transitional package.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 09 May 2013 18:26:47 +0200

icedtea-web (1.3.2-1) unstable; urgency=high

  * IcedTea-Web 1.3.2 release.
  * Security Updates:
    - CVE-2013-1927: fixed gifar vulnerability.
    - CVE-2013-1926: Class-loader incorrectly shared for applets with same
      relative-path.
  * Common:
    - Added new option in itw-settings which allows users to set JVM arguments
      when plugin is initialized.
  * NetX:
    - PR580: http://www.horaoficial.cl/ loads improperly.
  * Plugin:
    - PR1260: IcedTea-Web should not rely on GTK.
    - PR1157: Applets can hang browser after fatal exception.
  * Refresh patches.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 17 Apr 2013 00:45:29 +0200

icedtea-web (1.3.1-3) unstable; urgency=low

  * Team upload.
  * Remove mips and mipsel from architectures.  (Closes: #701091)

 -- Niels Thykier <niels@thykier.net>  Thu, 21 Feb 2013 21:30:08 +0100

icedtea-web (1.3.1-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Don't forget to remove the itweb-settings alternative.  (Closes: #668444)

 -- Andreas Beckmann <anbe@debian.org>  Sat, 02 Feb 2013 13:09:09 +0100

icedtea-web (1.3.1-2) unstable; urgency=low

  * Team upload.
  * Rebuild with Java7 as "default" to fix the Java7 variant of
    the Java plugin.  Thanks to Bálint Réczey for the report.
    (Closes: #693623)

 -- Niels Thykier <niels@thykier.net>  Thu, 20 Dec 2012 16:06:38 +0100

icedtea-web (1.3.1-1) unstable; urgency=high

  * IcedTea-Web 1.3.1 release.
  * Security Updates
    - CVE-2012-4540: Heap-based buffer overflow after triggering event
      attached to applet.
  * Common
    - PR1161: X509VariableTrustManager does not work correctly with OpenJDK7.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 08 Nov 2012 12:39:11 +0100

icedtea-web (1.3-2) unstable; urgency=high

  * Configure with --disable-docs (the developer docs aren't shipped
    anyway). Works around the build failure on s390.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 06 Sep 2012 23:03:51 +0200

icedtea-web (1.3-1) unstable; urgency=high

  * IcedTea-Web 1.3 release.
  * Security updates:
    - CVE-2012-3422: Potential read from an uninitialized memory location.
    - CVE-2012-3423: Incorrect handling of not 0-terminated strings.
  * NetX fixes:
    - PR898: signed applications with big jnlp-file doesn't start (webstart
      affect like "frozen").
    - PR811: javaws is not handling urls with spaces (and other characters
      needing encoding) correctly.
  * Plugin fixes:
    - PR820: IcedTea-Web 1.1.3 crashing Firefox when loading Citrix XenApp.
    - PR863: Error passing strings to applet methods in Chromium.
    - PR895: IcedTea-Web searches for missing classes on each loadClass or
      findClass.
    - PR861: Allow loading from non codebase hosts. Allow code to connect
      to hosting server.
    - PR518: NPString.utf8characters not guaranteed to be nul-terminated.
    - PR722: META-INF/ unsigned entries should be ignored in signing.
    - PR855: AppletStub getDocumentBase() doesn't return full URL.
    - PR1011: Folders treated as jar files in archive tag.
    - PR1106: Buffer overflow in plugin table.
    - PR975: Plugin should not include classpaths specified in jar manifests
      when using jnlp_href.
    - PR588: Cookies not written from cookie jar to browser cookies.
  * Common fixes:
    - PR918: java applet windows uses a low resulution black/white icon.
    - Disambiguate signed applet security prompt from certificate warning.
    - PR955: regression: SweetHome3D fails to run.

  * For Ubuntu quantal, set priorities for alternatives higher than for
    OpenJDK 6.
  * Call update-alternatives when the existing priority for the alternative
    is lower than the current one.
  * icedtea-netx: Don't set the alternatives to a OpenJDK which is not
    installed. Closes: #681269.
  * Allow building the plugin for OpenJDK 6 using OpenJDK 7.
  * Build with hardening defaults.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 06 Sep 2012 15:15:52 +0200

icedtea-web (1.2-2) unstable; urgency=low

  * Fix interpreter path and classpath for OpenJDK7. Closes: #663895.
  * Update to the 1.2 release branch 20120409.
    - Fix PR895 (IcedTea-Web searches for missing classes on each
      loadClass or findClass).

 -- Matthias Klose <doko@ubuntu.com>  Mon, 09 Apr 2012 16:15:17 +0200

icedtea-web (1.2-1ubuntu1) precise; urgency=low

  * Regenerate the control file.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 09 Mar 2012 02:09:38 +0100

icedtea-web (1.2-1) unstable; urgency=low

  * IcedTea-Web 1.2 release.
  * Security updates:
    - CVE-2011-2513: Home directory path disclosure to untrusted applications.
    - CVE-2011-2514: Java Web Start security warning dialog manipulation.
    - CVE-2011-3377: IcedTea-Web: second-level domain subdomains and
      suffix domain SOP bypass.
  * Make icedtea-netx-common multi-arch installable.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 09 Mar 2012 01:13:55 +0100

icedtea-web (1.2~pre3-3) unstable; urgency=low

  * Really use OpenJDK 7 for the icedtea-7 plugin. Closes: #662239.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 04 Mar 2012 23:47:57 +0100

icedtea-web (1.2~pre3-2) unstable; urgency=low

  * Fix another quoting issue. Closes: #662039.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 04 Mar 2012 13:18:02 +0100

icedtea-web (1.2~pre3-1ubuntu1) precise; urgency=low

  * Regenerate the control file.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 03 Mar 2012 12:35:35 +0100

icedtea-web (1.2~pre3-1) unstable; urgency=low

  * Update to hg 20120303, taken from the icedtea-web-1.2 release branch.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 03 Mar 2012 12:30:45 +0100

icedtea-web (1.2~pre2-1ubuntu2) precise; urgency=low

  * debian/rules: Fix quoting issue.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 27 Feb 2012 14:38:24 +0100

icedtea-web (1.2~pre2-1ubuntu1) precise; urgency=low

  * icedtea-netx-common: Drop dependency on OpenJDK. Closes: #661428.
  * Robustify maintainer scripts. Closes: #661424.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 27 Feb 2012 10:53:13 +0100

icedtea-web (1.2~pre2-1) unstable; urgency=low

  * Regenerate the control file.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 26 Feb 2012 17:48:03 +0100

icedtea-web (1.2~pre2-0ubuntu1) precise; urgency=low

  * Update to hg 20120226, taken from the icedtea-web-1.2 release branch.
  * Fix icedtea-7-plugin update.
  * Apply proposed patch for PR820, crashes with Firefox 10.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 26 Feb 2012 17:26:04 +0100

icedtea-web (1.2~pre1-0ubuntu1) precise; urgency=low

  * Update to hg 20120203, taken from the icedtea-web-1.2 release branch.
  * Build separate plugin packages for OpenJDK 6 and OpenJDK 7, needed
    to provide the path to the runtime and the mime description in the plugin.
    Closes: #646843.
  * Use icedtea-<jre version>-plugin as the name for both plugin packages.
  * Remove icedtea-web-1.1.4-npapi-fix.patch, fixed upstream.
  * Pass -n to gzip when compressing manpages to be Multi-Arch: same safe.
  * Build multiarch packages.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 04 Feb 2012 18:19:46 +0100

icedtea-web (1.1.4-1) unstable; urgency=medium

  * New upstream release with security fix :
    - RH742515, CVE-2011-3377: IcedTea-Web: second-level domain subdomains
      and suffix domain SOP bypass

  [ Sylvestre Ledru ]
  * Fix a typo in the description. (Closes: #644538)

  [ Damien Raude-Morvan ]
  * Compress manpages. (Closes: #642975)

 -- Damien Raude-Morvan <drazzib@debian.org>  Fri, 11 Nov 2011 12:21:32 +0100

icedtea-web (1.1.3-2) unstable; urgency=low

  * Team upload
  * Sync from ubuntu
  * Explicit the dependency on the OpenJDK (Closes: #644045, #644094)
  * itweb-settings manpage added

 -- Sylvestre Ledru <sylvestre@debian.org>  Tue, 04 Oct 2011 13:17:52 +0200

icedtea-web (1.1.3-1ubuntu1) oneiric; urgency=low

  * Fix non multiarch installation.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 29 Sep 2011 15:46:00 +0200

icedtea-web (1.1.3-1) unstable; urgency=low

  * New upstream release:
    - Plug-in: PR782: Support building against npapi-sdk as well.
    - Common: PR794: IcedTea-Web does not work if a Web Start app jar has a
      Class-Path element in the manifest (e.g. Elluminate)
  * d/javaws.policy: Use AllPermission for netx.jar (as in Oracle JDK).
  * Add myself as Uploader.

 -- Damien Raude-Morvan <drazzib@debian.org>  Thu, 29 Sep 2011 00:18:39 +0200

icedtea-web (1.1.2-1) unstable; urgency=low

  * Team upload
  * New upstream release:
    - PR769: IcedTea-Web does not work with some ssl sites with OpenJDK7.
    - Javaws cannot use proxy settings from Firefox.
    (Closes: #640748, #640736, #641038)
  * Drop the dependency on xulrunner (Closes: #636514, #606234, #601779)
  * Fix FTBFS due to the switch to multiarch (Closes: #641798)

  [ Damien Raude-Morvan ]
  * Switch to 3.0 (quilt) format.
  * d/javaws.policy: Allow RuntimePermission for javaws to access
    sun.security.util package.
  * d/patches/javaws_change_java_policy.diff: Loading of javaws.policy.
  * d/rules: Install javaws.policy into /etc/icedtea-web/.

 -- Sylvestre Ledru <sylvestre@debian.org>  Thu, 22 Sep 2011 10:48:22 +0200

icedtea-web (1.1.1-1ubuntu2) oneiric; urgency=low

  * Updates from the 1.1 branch:
    - PR749: sun.applet.PluginStreamHandler#handleMessage(String) really slow.
    - PR768: Signed applets/Web Start apps don't work with OpenJDK7 and up.

 -- Matthias Klose <doko@ubuntu.com>  Tue, 16 Aug 2011 22:00:46 +0200

icedtea-web (1.1.1-1ubuntu1) oneiric; urgency=low

  * Rebuild the control file.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 16 Jul 2011 13:43:28 +0200

icedtea-web (1.1.1-1) unstable; urgency=high

  * Upload to unstable.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 16 Jul 2011 13:19:00 +0200

icedtea-web (1.1.1-0ubuntu1) natty-security; urgency=high

  * IcedTea-Web 1.1.1 release.
    - CVE-2011-2513: Home directory path disclosure to untrusted applications.
    - CVE-2011-2514: Java Web Start security warning dialog manipulation.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 16 Jul 2011 12:51:46 +0200

icedtea-web (1.1-1ubuntu1) oneiric; urgency=low

  * Rebuild the control file.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 09 Jun 2011 12:03:52 +0200

icedtea-web (1.1-1) unstable; urgency=low

  * IcedTea-Web 1.1 release.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 09 Jun 2011 11:58:59 +0200

icedtea-web (1.1~20110608-1ubuntu1) oneiric; urgency=low

  * Rebuild the control file.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 09 Jun 2011 10:39:20 +0200

icedtea-web (1.1~20110608-1) unstable; urgency=low

  * Update to hg 20110608, taken from the icedtea-web-1.1 release branch.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 08 Jun 2011 22:11:08 +0200

icedtea-web (1.1~20110530-1ubuntu1) oneiric; urgency=low

  * Regenerate the control file.
  * Add other browsers as an alternative to firefox depends. LP: #766559.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 30 May 2011 22:25:14 +0200

icedtea-web (1.1~20110530-1) unstable; urgency=low

  * Update to hg 20110530, taken from the icedtea-web-1.1 release branch.

 -- Matthias Klose <doko@ubuntu.com>  Mon, 30 May 2011 22:08:47 +0200

icedtea-web (1.1~20110510-1) unstable; urgency=low

  * Update to hg 20110510, taken from the icedtea-web-1.1 release branch.
  * Adjust conflicts to the OpenJDK version in unstable.
    Closes: #627779, #626605.
  * Make transitional package architecture independent. Closes: #627745.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 25 May 2011 14:29:42 +0200

icedtea-web (1.1~20110421-1) unstable; urgency=low

  * Update to hg 20110421, taken from the icedtea-web-1.1 release branch.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 21 Apr 2011 19:20:32 +0200

icedtea-web (1.1~20110420-1) experimental; urgency=low

  * Upload to experimental.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 20 Apr 2011 14:33:31 +0200

icedtea-web (1.1~20110420-0ubuntu1) natty; urgency=low

  * Update to hg 20110420.
    - Removes non-distributable pdf documents.
  * Update debian/copyright.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 20 Apr 2011 14:05:16 +0200

icedtea-web (1.1~20110406-0ubuntu2) natty; urgency=low

  * Reapply xulrunner → firefox-dev change from 1.1~20110320-0ubuntu2, which
    were overwritten in the previous upload.

 -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 19 Apr 2011 08:47:28 +0200

icedtea-web (1.1~20110406-0ubuntu1) natty; urgency=low

  * Fix typo in icedtea-netx postinst to install the javaws alternative.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 06 Apr 2011 13:10:44 +0200

icedtea-web (1.1~20110320-0ubuntu2) natty; urgency=low

  * Switch build-depends to firefox-dev for natty. xulrunner is
    being demoted from main  (LP: #740815)
    - update debian/rules
    - update debian/control

 -- Chris Coulson <chris.coulson@canonical.com>  Mon, 04 Apr 2011 11:07:15 +0100

icedtea-web (1.1~20110320-0ubuntu1) natty; urgency=low

  * Update to hg 20110320.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 24 Feb 2011 12:57:25 +0100

icedtea-web (1.0~20110122-1) experimental; urgency=low

  * Upload to experimental.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 23 Jan 2011 13:53:14 +0100

icedtea-web (1.0~20110122-0lucid1) lucid; urgency=low

  * Update to hg 20110122.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 22 Jan 2011 21:21:29 +0100

icedtea-web (1.0~20101223-0ubuntu3) natty; urgency=low

  * Fix the armel build.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 24 Dec 2010 12:31:32 +0100

icedtea-web (1.0~20101223-0ubuntu2) natty; urgency=low

  * Build the plugin on armel.

 -- Matthias Klose <doko@ubuntu.com>  Fri, 24 Dec 2010 11:51:37 +0100

icedtea-web (1.0~20101223-0ubuntu1) natty; urgency=low

  * Update to hg 20101223.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 23 Dec 2010 14:20:21 +0100

icedtea-web (1.0~20101127-0ubuntu1) natty; urgency=low

  * Update to hg 20101127.
  * icedtea-plugin: Add versioned conflict/replaces with icedtea6-plugin
    (<< 6b21.0~20101127~). LP: #673524.

 -- Matthias Klose <doko@ubuntu.com>  Sat, 27 Nov 2010 11:51:06 +0100

icedtea-web (1.0~20101124-0ubuntu1) natty; urgency=low

  * Update to hg 20101124.
  * Fix xulrunner dependencies for natty.
  * Build-depend on pkg-config and libgtk2.0-dev.

 -- Matthias Klose <doko@ubuntu.com>  Wed, 24 Nov 2010 13:23:28 +0100

icedtea-web (1.0~20101021-0ubuntu6) natty; urgency=low

  * Fix link flag ordering issues
    - add debian/patches/001_fix_pluginappletviewer_linkage.patch
    - add debian/patches/series
    - update debian/rules
    - update debian/control{.in}
  * Change xulrunner build-dep to xulrunner-2.0-dev for Natty and rebuild
    against the latest version. Change binary dependency to
    xulrunner-2.0 | firefox (>= 4.0~b7), because eventually, xulrunner will
    not be installed by default and we don't want to force Firefox users to
    install it
    - update debian/rules
    - update debian/control

 -- Chris Coulson <chris.coulson@canonical.com>  Tue, 23 Nov 2010 21:19:01 +0000

icedtea-web (1.0~20101021-0ubuntu4) natty; urgency=low

  * Add a versioned build dependency on openjdk-6-jdk (>= 6b20-1.10~pre2).

 -- Matthias Klose <doko@ubuntu.com>  Fri, 22 Oct 2010 00:23:34 +0200

icedtea-web (1.0~20101021-0ubuntu3) natty; urgency=low

  * Build icedtea6-plugin on amd64, i386 and powerpc only.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 21 Oct 2010 23:54:17 +0200

icedtea-web (1.0~20101021-0ubuntu2) natty; urgency=low

  * Fix version of the transitional icedtea6-plugin package.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 21 Oct 2010 23:48:49 +0200

icedtea-web (1.0~20101021-0ubuntu1) natty; urgency=low

  * Initial release, split out from openjdk-6.

 -- Matthias Klose <doko@ubuntu.com>  Thu, 21 Oct 2010 08:07:41 +0200
