Date: 18 May 2004 22:01:53 -0000
From: Mandrake Linux Security Team <[email protected]>
To: [email protected]Subject: MDKSA-2004:047 - Updated kdelibs packages fix URI handling vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdelibs
Advisory ID: MDKSA-2004:047
Date: May 18th, 2004
Affected versions: 10.0, 9.2
______________________________________________________________________
Problem Description:
A vulnerability in the Opera web browser was identified by iDEFENSE;
the same type of vulnerability exists in KDE. The telnet, rlogin, ssh,
and mailto URI handlers do not check for '-' at the beginning of the
hostname passed, which makes it possible to pass an option to the
programs started by the handlers. This can allow remote attackers to
create or truncate arbitrary files.
The updated packages contain patches provided by the KDE team to fix
this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411http://www.securityfocus.com/archive/1/363225
______________________________________________________________________
Updated Packages:
Mandrakelinux 10.0:
5834d2544ea362a8b1a89df573d37a5e 10.0/RPMS/kdelibs-common-3.2-36.2.100mdk.i586.rpm
c3f3605f848c79040202b741d504be5b 10.0/RPMS/libkdecore4-3.2-36.2.100mdk.i586.rpm
ba2f23077a06234e3ea8abff508c3491 10.0/RPMS/libkdecore4-devel-3.2-36.2.100mdk.i586.rpm
eabd0014c180f29e2df40ad669cb8727 10.0/SRPMS/kdelibs-3.2-36.2.100mdk.src.rpm
Mandrakelinux 10.0/AMD64:
e1da8eb3974deedab1a88cadde9a8485 amd64/10.0/RPMS/kdelibs-common-3.2-36.2.100mdk.amd64.rpm
dbfdb75e9e4d21df70ced100d58f95e9 amd64/10.0/RPMS/lib64kdecore4-3.2-36.2.100mdk.amd64.rpm
1af32502b0dff3cd0dc4d384aa3b9429 amd64/10.0/RPMS/lib64kdecore4-devel-3.2-36.2.100mdk.amd64.rpm
eabd0014c180f29e2df40ad669cb8727 amd64/10.0/SRPMS/kdelibs-3.2-36.2.100mdk.src.rpm
Mandrakelinux 9.2:
1600ba6398e53148f4ae46a36c1014ac 9.2/RPMS/kdelibs-common-3.1.3-35.2.92mdk.i586.rpm
a1725a29836ae4fedc94a259bfea2957 9.2/RPMS/libkdecore4-3.1.3-35.2.92mdk.i586.rpm
88eaf9cd1ea992bfc455425344faa500 9.2/RPMS/libkdecore4-devel-3.1.3-35.2.92mdk.i586.rpm
664aa0ba51c942d0b437bbaf9623e4c0 9.2/SRPMS/kdelibs-3.1.3-35.2.92mdk.src.rpm
Mandrakelinux 9.2/AMD64:
323f3915da6a05de388b9e89b6739055 amd64/9.2/RPMS/kdelibs-common-3.1.3-35.2.92mdk.amd64.rpm
adf904eaa80f7f1b34e7f51cd177a08d amd64/9.2/RPMS/lib64kdecore4-3.1.3-35.2.92mdk.amd64.rpm
3ae0b390d54151105c33e93af4d686de amd64/9.2/RPMS/lib64kdecore4-devel-3.1.3-35.2.92mdk.amd64.rpm
664aa0ba51c942d0b437bbaf9623e4c0 amd64/9.2/SRPMS/kdelibs-3.1.3-35.2.92mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
update.
You can view other update advisories for Mandrakelinux at:
http://www.mandrakesecure.net/en/advisories/
Mandrakesoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFAqofRmqjQ0CJFipgRAvUTAKCGhyz5+TMaCICGICevtuwBXczRegCdEqj0
i4hRpEzGTYJMZaa2/TRsPIE=
=rRHf
-----END PGP SIGNATURE-----