Source: netbeans
Version: 8.1+dfsg3-1
Severity: important
Tags: security upstream fixed-upstream
Control: fixed -1 8.2+dfsg1-1

Hi,

the following vulnerability was published for netbeans.

CVE-2016-5537[0]:
| Unspecified vulnerability in the NetBeans component in Oracle Fusion
| Middleware 8.1 allows local users to affect confidentiality,
| integrity, and availability via unknown vectors. NOTE: the previous
| information is from the October 2016 CPU. Oracle has not commented on
| third-party claims that this issue is a directory traversal
| vulnerability which allows local users with certain permissions to
| write to arbitrary files and consequently gain privileges via a ..
| (dot dot) in an archive entry in a ZIP file imported as a project.

There is a POC at [1]. It was apparently fixed in 8.2, which now warns
if a file wants to be written outside the project root, which can be
confirmed or denied via the dialog.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5537
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5537
[1] https://marc.info/?l=bugtraq&m=147711715824574&w=2

Regards,
Salvatore
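The containment check that the 8.2 fix is described as adding, written out as an added example for this report rather than as NetBeans's own (Java) code. It builds a small constructed ZIP in memory with one benign entry and three entries that try to leave the extraction root (a `..` path, an absolute path, and a backslash variant), then extracts only the entries whose canonicalised target stays under the root. NetBeans 8.2 prompts the user through a dialog; this example simply rejects such entries. The entry names, the temporary root and the `entry_is_inside`/`safe_extract` helpers are all assumptions of the example, and the archive is not the PoC from [1]. It assumes a POSIX host.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive for the example (not the PoC referenced in the
# report): one benign entry plus three that try to escape the extraction root.
BENIGN = "project/src/Main.java"
HOSTILE = ["../../.bashrc", "/etc/cron.d/evil", "project/..\\..\\escape.txt"]


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN, "class Main {}\n")
        for name in HOSTILE:
            zf.writestr(name, "pwned\n")
    return buf.getvalue()


def entry_is_inside(root: str, name: str) -> bool:
    """True only if archive entry `name` resolves to a path under `root`.

    Both sides go through realpath, so '..' segments, absolute entry names and
    a symlinked root are normalised before the prefix comparison. Backslashes
    are treated as separators as well: a zip written on Windows, or crafted by
    an attacker, may use them, and a check that only looks for '/' would let
    'a\\..\\..\\x' through as a plain file name on POSIX.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name.replace("\\", "/")))
    return candidate == root_real or candidate.startswith(root_real + os.sep)


def safe_extract(zip_bytes: bytes, root: str):
    """Extract `zip_bytes` under `root`, skipping every entry that escapes it.

    Entries are written by hand rather than via ZipFile.extract so that the
    containment decision is explicit and visible in the result.
    Returns (extracted, rejected) lists of entry names in archive order.
    """
    extracted, rejected = [], []
    root_real = os.path.realpath(root)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not entry_is_inside(root_real, name):
                rejected.append(name)
                continue
            target = os.path.realpath(os.path.join(root_real, name.replace("\\", "/")))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
            extracted.append(name)
    return extracted, rejected


def run_demo():
    """Extract the sample archive into a temp dir and report what landed there."""
    with tempfile.TemporaryDirectory() as root:
        extracted, rejected = safe_extract(build_sample_zip(), root)
        on_disk = []
        for dirpath, _, files in os.walk(root):
            for f in files:
                on_disk.append(os.path.relpath(os.path.join(dirpath, f), root))
    return {"extracted": extracted, "rejected": rejected, "on_disk": sorted(on_disk)}


if __name__ == "__main__":
    print(run_demo())
```

The prefix comparison is done on `realpath` output with a trailing separator appended to the root, so a root of `/srv/proj` does not accidentally accept `/srv/project-evil`, and a root that is itself a symlink is compared against resolved targets rather than the literal string.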
