Date: Thu, 20 Nov 2003 02:43:52 -0500
From: Rajiv Aaron Manglani <[email protected]>
To: [email protected]Subject: GLSA: kdebase (200311-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01
- ---------------------------------------------------------------------------
GLSA: 200311-01
package: kde-base/kdebase
summary: KDM vulnerabilities
severity: normal
Gentoo bug: 29406
date: 2003-11-15
CVE: CAN-2003-0690 CAN-2003-0692
exploit: local / remote
affected: <=3.1.3
fixed: >=3.1.4
DESCRIPTION:
Firstly, versions of KDM <= 3.1.3 are vulnerable to a privilege escalation
bug with a specific configuration of PAM modules. Users who do not use PAM
with KDM and users who use PAM with regular Unix crypt/MD5 based
authentication methods are not affected.
Secondly, KDM uses a weak cookie generation algorithm. It is advised that
users upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable
source of entropy to improve security.
Please look at http://www.kde.org/info/security/advisory-20030916-1.txt for
the KDE Security Advisory and source patch locations for older versions of
KDE.
SOLUTION:
Users are encouraged to perform an 'emerge --sync' and upgrade the package to
the latest available version. KDE 3.1.4 is recommended and should be marked
stable for most architectures. Specific steps to upgrade:
emerge --sync
emerge '>=kde-base/kde-3.1.4'
emerge clean
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/vG2Wnt0v0zAqOHYRAr5xAKCedNRDPeH8sbW3EyX6OOSHJOL6VQCgr0ul
fnlFstGhIw3hMdoQIp07/SI=
=QD6a
-----END PGP SIGNATURE-----