MDKSA-2004:022: Updated kdelibs packages fix cookie theft vulnerability
Posted on: 03/10/2004 01:18 PM
Mandrakelinux Security Update Advisory
Package name: kdelibs
Advisory ID: MDKSA-2004:022
Date: March 10th, 2004
Affected versions: 9.1
Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory:
"The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks."
This issue was fixed in KDE 3.1.3; the updated packages are patched to protect against this vulnerability.
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from: http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to update.
You can view other update advisories for Mandrakelinux at: