Date: Fri, 15 Nov 2002 16:37:45 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2002-047.0] Linux: KDE SSL and XSS vulnerabilities
--4zI0WCX1RcnW9Hbu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: [email protected][email protected][email protected][email protected]
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: KDE SSL and XSS vulnerabilities
Advisory number: CSSA-2002-047.0
Issue date: 2002 November 15
Cross reference:
______________________________________________________________________________
1. Problem Description
Konqueror's cross site scripting (XSS) protection fails to
initialize the domains on sub-(i)frames correctly. As a
result, Javascript can access any foreign subframe which is
defined in the HTML source.
KDE's SSL implementation fails to check the basic constraints
on certificates and as a result may accept certificates as
valid that were signed by an issuer who was not authorized to
do so.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to kdelibs2-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
prior to kdelibs2-doc-2.2.1-6.1.i386.rpm
OpenLinux 3.1.1 Workstation prior to kdelibs2-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
prior to kdelibs2-doc-2.2.1-6.1.i386.rpm
OpenLinux 3.1 Server prior to kdelibs2-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
prior to kdelibs2-doc-2.2.1-6.1.i386.rpm
OpenLinux 3.1 Workstation prior to kdelibs2-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
prior to kdelibs2-doc-2.2.1-6.1.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-047.0/RPMS
4.2 Packages
a03fb8e34fde83b1a4f83124c2e4b041 kdelibs2-2.2.1-6.1.i386.rpm
6c4fc3be168073d33b7f62603b03e1a0 kdelibs2-devel-2.2.1-6.1.i386.rpm
0d16a2303715af4e5cee545a3f5fa5e4 kdelibs2-devel-static-2.2.1-6.1.i386.rpm
f8a1574f0b3d97c0272d935f0140ec3a kdelibs2-doc-2.2.1-6.1.i386.rpm
4.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-047.0/SRPMS
4.5 Source Packages
2632e383fd006e4307b8d46b2755bfe1 kdelibs2-2.2.1-6.1.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-047.0/RPMS
5.2 Packages
510eeadb0430c083de57d6901e3b7ff4 kdelibs2-2.2.1-6.1.i386.rpm
37f6a6eafc2d62edac6e753effafaf69 kdelibs2-devel-2.2.1-6.1.i386.rpm
c870729596c35e570a1a376879694051 kdelibs2-devel-static-2.2.1-6.1.i386.rpm
ab5617edf321f2c97a297b59eb2353d5 kdelibs2-doc-2.2.1-6.1.i386.rpm
5.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-047.0/SRPMS
5.5 Source Packages
23ef26f4c6d6f5a8110ad14ab35d97f3 kdelibs2-2.2.1-6.1.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-047.0/RPMS
6.2 Packages
f89476e89a490a817f9b9cb1d9f0d45e kdelibs2-2.2.1-6.1.i386.rpm
5e9b87afe1f433695900cf472b72b8ff kdelibs2-devel-2.2.1-6.1.i386.rpm
639d81f339d580246b47192dee39f323 kdelibs2-devel-static-2.2.1-6.1.i386.rpm
46bd0251cae1f20a1e9cf2968ec6b28b kdelibs2-doc-2.2.1-6.1.i386.rpm
6.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-047.0/SRPMS
6.5 Source Packages
b8db0bed5301c62f0c23a7299764daac kdelibs2-2.2.1-6.1.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-047.0/RPMS
7.2 Packages
c644ccee63d98f51c3c75153dac8f72b kdelibs2-2.2.1-6.1.i386.rpm
a9a6672a59132b7da2276fc84af4239e kdelibs2-devel-2.2.1-6.1.i386.rpm
ab1314c35f6a696f8ffc242f47c132a8 kdelibs2-devel-static-2.2.1-6.1.i386.rpm
97bda2eff3c2ed28d69c89f0f9e71e5d kdelibs2-doc-2.2.1-6.1.i386.rpm
7.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-047.0/SRPMS
7.5 Source Packages
81ffd01431cb6b64f110790a515f6cee kdelibs2-2.2.1-6.1.src.rpm
8. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0970http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1151http://www.kde.org/info/security/advisory-20020908-2.txthttp://www.kde.org/info/security/advisory-20020818-1.txt
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr868329, fz525911,
fz525926, erg712110, erg712107, erg712111, sr869190, fz526085,
erg712129.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
______________________________________________________________________________
--4zI0WCX1RcnW9Hbu
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj3Vk1kACgkQbluZssSXDTHqeACg7GUsS6sWon0evOjdMXwHeU0c
isgAmgOkZJS+delpTC8S/4ytgPVqpx30
=vJDj
-----END PGP SIGNATURE-----
--4zI0WCX1RcnW9Hbu--