MDKSA-2004:047 - Updated kdelibs packages fix URI handling vulnerabilities
Posted on: 05/19/2004 04:44 AM

Updated kdelibs packages has been released for Mandrakelinux
_______________________________________________________________________

Mandrakelinux Security Update Advisory
_______________________________________________________________________

Package name: kdelibs
Advisory ID: MDKSA-2004:047
Date: May 18th, 2004

Affected versions: 10.0, 9.2
______________________________________________________________________

Problem Description:

A vulnerability in the Opera web browser was identified by iDEFENSE; the same type of vulnerability exists in KDE. The telnet, rlogin, ssh, and mailto URI handlers do not check for '-' at the beginning of the hostname passed, which makes it possible to pass an option to the programs started by the handlers. This can allow remote attackers to create or truncate arbitrary files.

The updated packages contain patches provided by the KDE team to fix this problem.

_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
http://www.securityfocus.com/archive/1/363225
______________________________________________________________________

Updated Packages:

Mandrakelinux 10.0:
5834d2544ea362a8b1a89df573d37a5e 10.0/RPMS/kdelibs-common-3.2-36.2.100mdk.i586.rpm
c3f3605f848c79040202b741d504be5b 10.0/RPMS/libkdecore4-3.2-36.2.100mdk.i586.rpm
ba2f23077a06234e3ea8abff508c3491 10.0/RPMS/libkdecore4-devel-3.2-36.2.100mdk.i586.rpm
eabd0014c180f29e2df40ad669cb8727 10.0/SRPMS/kdelibs-3.2-36.2.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
e1da8eb3974deedab1a88cadde9a8485 amd64/10.0/RPMS/kdelibs-common-3.2-36.2.100mdk.amd64.rpm
dbfdb75e9e4d21df70ced100d58f95e9 amd64/10.0/RPMS/lib64kdecore4-3.2-36.2.100mdk.amd64.rpm
1af32502b0dff3cd0dc4d384aa3b9429 amd64/10.0/RPMS/lib64kdecore4-devel-3.2-36.2.100mdk.amd64.rpm
eabd0014c180f29e2df40ad669cb8727 amd64/10.0/SRPMS/kdelibs-3.2-36.2.100mdk.src.rpm

Mandrakelinux 9.2:
1600ba6398e53148f4ae46a36c1014ac 9.2/RPMS/kdelibs-common-3.1.3-35.2.92mdk.i586.rpm
a1725a29836ae4fedc94a259bfea2957 9.2/RPMS/libkdecore4-3.1.3-35.2.92mdk.i586.rpm
88eaf9cd1ea992bfc455425344faa500 9.2/RPMS/libkdecore4-devel-3.1.3-35.2.92mdk.i586.rpm
664aa0ba51c942d0b437bbaf9623e4c0 9.2/SRPMS/kdelibs-3.1.3-35.2.92mdk.src.rpm

Mandrakelinux 9.2/AMD64:
323f3915da6a05de388b9e89b6739055 amd64/9.2/RPMS/kdelibs-common-3.1.3-35.2.92mdk.amd64.rpm
adf904eaa80f7f1b34e7f51cd177a08d amd64/9.2/RPMS/lib64kdecore4-3.1.3-35.2.92mdk.amd64.rpm
3ae0b390d54151105c33e93af4d686de amd64/9.2/RPMS/lib64kdecore4-devel-3.1.3-35.2.92mdk.amd64.rpm
664aa0ba51c942d0b437bbaf9623e4c0 amd64/9.2/SRPMS/kdelibs-3.1.3-35.2.92mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

A list of FTP mirrors can be obtained from:

http://www.mandrakesecure.net/en/ftp.php

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesecure.net/en/advisories/

Mandrakesoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:

http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

security_linux-mandrake.com


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/mdksa_2004047__updated_kdelibs_packages_fix_uri_handling_vulnerabilities.html)