
MDKSA-2004:047 - Updated kdelibs packages fix URI handling vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           kdelibs
 Advisory ID:            MDKSA-2004:047
 Date:                   May 18th, 2004

 Affected versions:      10.0, 9.2
 ______________________________________________________________________

 Problem Description:

 A vulnerability in the Opera web browser was identified by iDEFENSE;
 the same type of vulnerability exists in KDE.  The telnet, rlogin, ssh,
 and mailto URI handlers do not check for '-' at the beginning of the
 hostname passed, which makes it possible to pass an option to the
 programs started by the handlers.  This can allow remote attackers to
 create or truncate arbitrary files.
 
 The updated packages contain patches provided by the KDE team to fix
 this problem.
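
 Added example, not part of the advisory and not the KDE patch: a check of the kind described above, applied to authority-style URIs (telnet, rlogin, ssh) before the host is handed to an external program. It goes beyond the leading '-' test by also percent-decoding the host and applying a character allowlist; the function names and the sample URIs are assumptions, and bracketed IPv6 literals are deliberately not accepted.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Decode %XX escapes so an encoded leading '-' ("%2D") is caught as well.
static std::string percent_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit((unsigned char)in[i + 1]) &&
            std::isxdigit((unsigned char)in[i + 2])) {
            out += (char)std::stoi(in.substr(i + 1, 2), nullptr, 16);
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Host of "scheme://[user@]host[:port][/path]", decoded; "" if no authority.
std::string uri_host(const std::string& uri) {
    const std::size_t npos = std::string::npos;
    std::size_t start = uri.find("://");
    if (start == npos) return "";
    start += 3;
    std::size_t end = uri.find_first_of("/?#", start);
    std::string auth = uri.substr(start, end == npos ? npos : end - start);
    std::size_t at = auth.rfind('@');
    if (at != npos) auth = auth.substr(at + 1);
    auth = auth.substr(0, auth.find(':'));
    return percent_decode(auth);
}

// The check the advisory says was missing, plus a character allowlist.
bool host_is_safe(const std::string& host) {
    if (host.empty() || host[0] == '-') return false;
    for (unsigned char c : host)
        if (!std::isalnum(c) && c != '.' && c != '-') return false;
    return true;
}

int main() {
    // Constructed sample URIs; "-option" stands in for any program option.
    for (const char* u : {"telnet://host.example/", "telnet://-option/",
                          "ssh://%2Doption", "rlogin://user@-option:513/"})
        std::cout << u << " -> " << (host_is_safe(uri_host(u)) ? "accept" : "reject") << "\n";
}
```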
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
  http://www.securityfocus.com/archive/1/363225
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 5834d2544ea362a8b1a89df573d37a5e  10.0/RPMS/kdelibs-common-3.2-36.2.100mdk.i586.rpm
 c3f3605f848c79040202b741d504be5b  10.0/RPMS/libkdecore4-3.2-36.2.100mdk.i586.rpm
 ba2f23077a06234e3ea8abff508c3491  10.0/RPMS/libkdecore4-devel-3.2-36.2.100mdk.i586.rpm
 eabd0014c180f29e2df40ad669cb8727  10.0/SRPMS/kdelibs-3.2-36.2.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 e1da8eb3974deedab1a88cadde9a8485  amd64/10.0/RPMS/kdelibs-common-3.2-36.2.100mdk.amd64.rpm
 dbfdb75e9e4d21df70ced100d58f95e9  amd64/10.0/RPMS/lib64kdecore4-3.2-36.2.100mdk.amd64.rpm
 1af32502b0dff3cd0dc4d384aa3b9429  amd64/10.0/RPMS/lib64kdecore4-devel-3.2-36.2.100mdk.amd64.rpm
 eabd0014c180f29e2df40ad669cb8727  amd64/10.0/SRPMS/kdelibs-3.2-36.2.100mdk.src.rpm

 Mandrakelinux 9.2:
 1600ba6398e53148f4ae46a36c1014ac  9.2/RPMS/kdelibs-common-3.1.3-35.2.92mdk.i586.rpm
 a1725a29836ae4fedc94a259bfea2957  9.2/RPMS/libkdecore4-3.1.3-35.2.92mdk.i586.rpm
 88eaf9cd1ea992bfc455425344faa500  9.2/RPMS/libkdecore4-devel-3.1.3-35.2.92mdk.i586.rpm
 664aa0ba51c942d0b437bbaf9623e4c0  9.2/SRPMS/kdelibs-3.1.3-35.2.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 323f3915da6a05de388b9e89b6739055  amd64/9.2/RPMS/kdelibs-common-3.1.3-35.2.92mdk.amd64.rpm
 adf904eaa80f7f1b34e7f51cd177a08d  amd64/9.2/RPMS/lib64kdecore4-3.1.3-35.2.92mdk.amd64.rpm
 3ae0b390d54151105c33e93af4d686de  amd64/9.2/RPMS/lib64kdecore4-devel-3.1.3-35.2.92mdk.amd64.rpm
 664aa0ba51c942d0b437bbaf9623e4c0  amd64/9.2/SRPMS/kdelibs-3.1.3-35.2.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesecure.net/en/advisories/

 Mandrakesoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFAqofRmqjQ0CJFipgRAvUTAKCGhyz5+TMaCICGICevtuwBXczRegCdEqj0
i4hRpEzGTYJMZaa2/TRsPIE=
=rRHf
-----END PGP SIGNATURE-----