Posted to announce@netbeans.apache.org by Matthias Bläsing <ma...@apache.org> on 2020/03/29 20:57:17 UTC
[CVE-2019-17561] "Apache NetBeans" autoupdate system does not fully
validate code signatures.
CVE-ID
------
CVE-2019-17561
Summary
-------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures.
Versions Affected:
------------------
- All Apache NetBeans versions up to and including 11.2
- NetBeans releases from before the Apache transition started may
  also be affected
Description:
------------
The "Apache NetBeans" autoupdate system does not fully validate
code signatures. An attacker who can modify a downloaded .nbm could
add code to it without the signature check rejecting the file.
Mitigation:
-----------
- Disable autoupdates
- Install only plugins from trusted sources and validate the
downloads by checking signatures and/or comparing checksums
from trusted sources
- Update to NetBeans 11.3 by downloading the release, verifying the
signature and manually installing it
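The advisory describes the attack (extra code added to a downloaded .nbm that the signature check does not catch) and the mitigation (verify the signature and/or checksums yourself). An .nbm is a JAR-style zip: the signed data is the manifest, which lists each entry with its digest, and a META-INF/*.SF file whose signature block (.RSA/.DSA) is what a certificate actually vouches for. A validator that only checks that the .SF signature is valid, but never confirms that every entry in the archive is listed in that manifest with a matching digest, accepts an archive with files appended to it. The following script, added here as an illustration and not code from NetBeans or its fix (the advisory does not state exactly which step was incomplete), performs that coverage and digest check; it leaves the cryptographic verification of the .SF against the signature block to jarsigner. The archive builder, the entry names and the contents are constructed test data.

```python
"""Coverage audit of a signed JAR-style archive such as an .nbm.
Illustrative example, not NetBeans code. Assumes SHA-256-Digest
manifest attributes (older archives may use SHA1-Digest instead)."""
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def _parse_manifest(text):
    """Parse a JAR manifest into {Name: {header: value}} for its named sections."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # manifest continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, None
    for line in lines:
        if not line.strip():                    # blank line ends a section
            current = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return sections


def _b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def audit_archive(data):
    """Return a list of problems; an empty list means every non-META-INF
    entry is listed in the manifest, its manifest section is named in some
    .SF, and its content matches the manifest digest. The RSA/DSA signature
    over the .SF is NOT checked here (use jarsigner for that); this is the
    coverage check that an "append extra code" attack defeats."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        if MANIFEST not in names:
            return ["no META-INF/MANIFEST.MF"]
        manifest = _parse_manifest(zf.read(MANIFEST).decode("utf-8"))
        sf_files = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        if not sf_files:
            return ["no signature file (META-INF/*.SF)"]
        signed = set()
        for sf in sf_files:
            signed |= set(_parse_manifest(zf.read(sf).decode("utf-8")))
        for name in names:
            if name.startswith("META-INF/"):
                continue    # manifest, .SF and signature blocks are not signed entries
            if name not in manifest:
                problems.append(f"{name}: not listed in manifest (unsigned entry)")
            elif name not in signed:
                problems.append(f"{name}: manifest section not covered by any .SF")
            elif manifest[name].get("SHA-256-Digest") != _b64_sha256(zf.read(name)):
                problems.append(f"{name}: content digest mismatch (modified entry)")
    return problems


def build_archive(entries, extra_unsigned=None, tamper=None):
    """Construct a sample archive (test data, not a real NBM). `entries` are
    covered by the manifest and .SF; `extra_unsigned` entries are appended
    outside the manifest; `tamper` rewrites a covered entry's bytes after the
    manifest digests were computed. The .RSA block is a placeholder."""
    man = ["Manifest-Version: 1.0", ""]
    sf = ["Signature-Version: 1.0", ""]
    for name, content in entries.items():
        section = f"Name: {name}\r\nSHA-256-Digest: {_b64_sha256(content)}\r\n\r\n"
        man += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(content)}", ""]
        # Per the JAR spec the .SF digests the manifest section bytes.
        sf += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(section.encode())}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\r\n".join(man))
        zf.writestr("META-INF/SIGNER.SF", "\r\n".join(sf))
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")   # placeholder, not a real PKCS#7 block
        for name, content in entries.items():
            zf.writestr(name, (tamper or {}).get(name, content))
        for name, content in (extra_unsigned or {}).items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample module: two covered entries (names are made up).
SIGNED = {"org/example/Module.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",
          "Info/info.xml": b"<module codenamebase='org.example'/>"}

if __name__ == "__main__":
    print("clean   :", audit_archive(build_archive(SIGNED)))
    print("appended:", audit_archive(build_archive(
        SIGNED, extra_unsigned={"org/example/Extra.class": b"\xca\xfe"})))
    print("modified:", audit_archive(build_archive(
        SIGNED, tamper={"Info/info.xml": b"<module codenamebase='org.evil'/>"})))
```

The same coverage property is what `jarsigner -verify -verbose -certs plugin.nbm` reports when it warns that the archive contains unsigned entries, so on a machine with a JDK that command is the practical check; this script makes visible which of the three steps (listed, covered by the .SF, digest matches) an appended or modified file fails. Checksums published by a trusted source (for example the .sha512 files next to an Apache release) are the complementary check when the whole download, not just its signed entries, must be compared.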
Credit:
-------
The investigation was triggered by a proof-of-concept submitted by
Emilian Bold