Date: Fri, 14 Mar 2003 15:30:38 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2003-012.0] Linux: KDE rlogin.protocol and telnet.protocol url kio Vulnerability
To: [email protected], [email protected], [email protected]
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: KDE rlogin.protocol and telnet.protocol url kio Vulnerability
Advisory number: CSSA-2003-012.0
Issue date: 2003 March 14
Cross reference:
______________________________________________________________________________
1. Problem Description
From the KDE.org 20021111-1 advisory: The implementation of
the rlogin protocol in all of the affected systems, and the
implementation of the telnet protocol in affected KDE 2 systems,
allows a carefully crafted url in an html page, html email or
other kio-enabled application to execute arbitrary commands on
the system using the victim's account on the vulnerable machine.

OpenLinux ships kdelibs2 (KDE 2.2.1), so both handlers are affected
on the systems listed below: rlogin.protocol (CAN-2002-1281) and
telnet.protocol (CAN-2002-1282). Because the trigger is a URL
delivered in a web page or HTML mail and the handlers live in
kdelibs2, the kdelibs2 packages should be updated on every system
with KDE installed, whether or not rlogin or telnet are ever used.
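The advisory does not say how the KDE handlers turned URL text into a command line, so the following is a constructed illustration of the vulnerability class it describes (a protocol handler that pastes URL components into a string a shell later parses), added for this page and not KDE code. The function names, the xterm/rlogin command line, the hostname and user-name grammar and the test URL are all assumptions made for the example.

```python
"""Constructed illustration of a URL-to-command handler, added for this
page.  It is NOT the KDE rlogin/telnet kio code; the advisory does not
describe how the real handlers built their command line."""
import re
import shlex
from urllib.parse import urlsplit

# Assumed grammar for what the handler is willing to pass on: an RFC 1123
# style hostname (no leading '-', so it cannot be read as an option) and a
# conservative Unix user name.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_command_unsafe(url: str) -> str:
    """Vulnerable pattern: the text between 'rlogin://' and the next '/'
    is pasted into a command string that is later handed to a shell.
    Any shell metacharacter the URL carries becomes part of the command,
    which is the 'arbitrary commands as the victim' outcome the advisory
    describes."""
    target = url[len("rlogin://"):].split("/", 1)[0]
    return "xterm -e rlogin " + target          # assumed command line


def build_command_safe(url: str) -> list:
    """Hardened form: parse with a real URL parser, accept only a host and
    optional user that match a strict grammar, and return argv so that it
    can be executed without any shell (execv / subprocess with a list)."""
    parts = urlsplit(url)
    if parts.scheme != "rlogin" or not parts.hostname:
        raise ValueError("not an rlogin URL: %r" % url)
    host = parts.hostname
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host %r" % host)
    argv = ["xterm", "-e", "rlogin"]
    if parts.username is not None:
        if not USERNAME_RE.match(parts.username):
            raise ValueError("rejected user %r" % parts.username)
        argv += ["-l", parts.username]
    argv.append(host)
    return argv


def safe_rejects(url: str) -> bool:
    """True if the hardened handler refuses URL."""
    try:
        build_command_safe(url)
    except ValueError:
        return True
    return False


def shell_commands(cmd: str) -> list:
    """Approximation of what /bin/sh would execute for CMD: tokenise it
    and split at command separators.  Used only to show that the unsafe
    string turns into more than one command."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&", "&&", "|", "||"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    crafted = "rlogin://host.example;id/"       # constructed test URL
    print(shell_commands(build_command_unsafe(crafted)))
    print("hardened handler rejects it:", safe_rejects(crafted))
    print(build_command_safe("rlogin://admin@host.example/"))
```

The point of the hardened form is not the regular expression itself but the combination: a real parser decides where the host ends, a whitelist grammar decides what a host may contain (which also rules out a leading '-' that rlogin would read as an option), and the result is passed as an argv list so no shell ever sees it.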
2. Vulnerable Supported Versions
System                         Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server         prior to kdelibs2-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
OpenLinux 3.1.1 Workstation    prior to kdelibs2-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
OpenLinux 3.1 Server           prior to kdelibs2-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
OpenLinux 3.1 Workstation      prior to kdelibs2-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
                               prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
If you install by hand, compare the MD5 sum of each downloaded
file with the list in the section for your release before running
rpm, and note that rpm -Fvh (freshen) only replaces packages that
are already installed, so subpackages not present on the system
(for example kdelibs2-doc) are skipped rather than added.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-012.0/RPMS
4.2 Packages
8129d823e229783c726199a844318eee kdelibs2-2.2.1-6.3.i386.rpm
e631a15683fe15eb297a06e51287bfdd kdelibs2-devel-2.2.1-6.3.i386.rpm
76c004779dde39b01b8576ff96c6b137 kdelibs2-devel-static-2.2.1-6.3.i386.rpm
18e3123ff2f9123c7617ade65748f57f kdelibs2-doc-2.2.1-6.3.i386.rpm
4.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-012.0/SRPMS
4.5 Source Packages
9b04bfe2743d6a4ccf5a8ca50f719189 kdelibs2-2.2.1-6.3.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-012.0/RPMS
5.2 Packages
26afc4798aca1790d98e81535a883d0d kdelibs2-2.2.1-6.3.i386.rpm
a96af03f963bfd9a7611746054eeb5a4 kdelibs2-devel-2.2.1-6.3.i386.rpm
8b10782ead46deae8dc51e34851f2118 kdelibs2-devel-static-2.2.1-6.3.i386.rpm
61818a0d965eaa44142f9461bb0a580f kdelibs2-doc-2.2.1-6.3.i386.rpm
5.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-012.0/SRPMS
5.5 Source Packages
e8a17de26c5fcfd5b44c2aab0e7e1e42 kdelibs2-2.2.1-6.3.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-012.0/RPMS
6.2 Packages
c2bf490ca7443c62c45a0dce907f9943 kdelibs2-2.2.1-6.3.i386.rpm
0e43fb5811697dbd3d25084b31481b00 kdelibs2-devel-2.2.1-6.3.i386.rpm
dd14c0db0ec3b7125bafe4e530e90a4a kdelibs2-devel-static-2.2.1-6.3.i386.rpm
60b6d0eccef454ecdc238a31a6688a1a kdelibs2-doc-2.2.1-6.3.i386.rpm
6.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-012.0/SRPMS
6.5 Source Packages
43823df287464c1c186607df1cb603db kdelibs2-2.2.1-6.3.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-012.0/RPMS
7.2 Packages
b5e6c49e354b1bf4483fd29f0ecf7a9e kdelibs2-2.2.1-6.3.i386.rpm
9c9a8af55257d002e0edbaab4f3ebf67 kdelibs2-devel-2.2.1-6.3.i386.rpm
be537a8de06e5754e56e1e27ea73ff8f kdelibs2-devel-static-2.2.1-6.3.i386.rpm
8b4ff42cd09a6278c8275628e68b31b9 kdelibs2-doc-2.2.1-6.3.i386.rpm
7.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-012.0/SRPMS
7.5 Source Packages
928a9ef51baae6b352b343df75e86cb9 kdelibs2-2.2.1-6.3.src.rpm
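The four installation sections above follow the same procedure: fetch the RPMs for one release, check them against that section's MD5 list, then freshen. The script below is an added example of that procedure, not part of the advisory and not SCO's cupdate; it parses a list in the advisory's "md5 filename" layout, refuses to emit or run any rpm command unless every file verifies, and only then builds the rpm -Fvh lines. The function names, the directory layout and the sample manifest and files in demo() are constructed for the example (the digests there are for the constructed contents, not for the real packages).

```python
"""Added example, not part of the advisory or of SCO's cupdate: verify the
downloaded RPMs against the advisory's "md5sum filename" list before
freshening them with rpm -Fvh."""
import hashlib
import os
import subprocess
import tempfile


def parse_manifest(text: str) -> dict:
    """Parse lines in the advisory's layout ('<32 hex md5> <filename>')
    into {filename: md5}; a malformed line is an error, not a silent skip."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("malformed digest: %r" % line)
        entries[name.strip()] = digest
    return entries


def md5_of_file(path: str) -> str:
    """Stream the file through MD5 (the only digest the advisory publishes)."""
    try:
        h = hashlib.md5(usedforsecurity=False)   # Python >= 3.9
    except TypeError:
        h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(manifest: dict, directory: str) -> dict:
    """Return {filename: 'ok' | 'missing' | 'mismatch'} for every entry."""
    status = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        elif md5_of_file(path) != expected:
            status[name] = "mismatch"
        else:
            status[name] = "ok"
    return status


def freshen_commands(manifest_text: str, directory: str, run: bool = False) -> list:
    """Build (and with run=True execute) one 'rpm -Fvh <pkg>' per entry, but
    only after every file in the manifest verified.  -F (freshen) upgrades
    only packages already installed, so subpackages that are not present on
    the system are left alone."""
    manifest = parse_manifest(manifest_text)
    status = verify_packages(manifest, directory)
    bad = {n: s for n, s in status.items() if s != "ok"}
    if bad:
        raise RuntimeError("refusing to install, verification failed: %s" % bad)
    cmds = [["rpm", "-Fvh", os.path.join(directory, name)] for name in manifest]
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


def demo() -> dict:
    """Constructed fixture: a directory with one intact file, one corrupted
    file and one that was never downloaded, checked against a manifest in
    the advisory's layout.  Digests are md5("hello\\n") and md5("")."""
    d = tempfile.mkdtemp()
    manifest = (
        "b1946ac92492d2347c6235b4d2611184 good-1.0.i386.rpm\n"
        "d41d8cd98f00b204e9800998ecf8427e corrupt-1.0.i386.rpm\n"
        "d41d8cd98f00b204e9800998ecf8427e missing-1.0.i386.rpm\n"
    )
    with open(os.path.join(d, "good-1.0.i386.rpm"), "wb") as f:
        f.write(b"hello\n")
    with open(os.path.join(d, "corrupt-1.0.i386.rpm"), "wb") as f:
        f.write(b"truncated or tampered")
    status = verify_packages(parse_manifest(manifest), d)
    try:
        freshen_commands(manifest, d)
        refused = False
    except RuntimeError:
        refused = True
    good_only = "b1946ac92492d2347c6235b4d2611184 good-1.0.i386.rpm\n"
    return {"status": status, "refused": refused,
            "commands": freshen_commands(good_only, d)}


if __name__ == "__main__":
    print(demo())
```

Usage: paste the "md5 filename" lines from the section for your release into a file, point freshen_commands at the download directory, and pass run=True only once a dry run shows the expected commands. The MD5 list catches a truncated or corrupted download; it only authenticates the packages to the extent that the advisory carrying the sums has itself been checked against SCO's PGP signature, so verify that first.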
8. References
Specific references for this advisory:
http://www.kde.org/info/security/advisory-20021111-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1282
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr872190, fz526739,
erg712167.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
10. Acknowledgements
KDE.org discovered and researched this vulnerability.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj5yZh4ACgkQbluZssSXDTFqKQCgtKuxzJd+sTeM77znQHkQkD2X
+egAnRP6XmO77cGcuXP3zEefZWXrsBTR
=ATNq
-----END PGP SIGNATURE-----