
Slackware alert SSA:2007-264-01 (kdebase)

From:  Slackware Security Team <security@slackware.com>
To:  slackware-security@slackware.com
Subject:  [slackware-security] kdebase, kdelibs (SSA:2007-264-01)
Date:  Fri, 21 Sep 2007 17:42:42 -0700 (PDT)
Message-ID:  <Pine.LNX.4.63.0709211742150.11746@bob.slackware.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  kdebase, kdelibs (SSA:2007-264-01)

New kdebase packages are available for Slackware 12.0 to fix security issues.
A long URL padded with spaces could be used to display a false URL in
Konqueror's addressbar, and KDM when used with no-password login could be
tricked into logging a different user in without a password. This is not the
way KDM is configured in Slackware by default, somewhat mitigating the impact
of this issue.

More details about the issues may be found here:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
  http://www.kde.org/info/security/advisory-20070919-1.txt
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225

Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/kdebase-3.5.7-i486-3_slack12.0.tgz:
  Patched Konqueror to prevent "spoofing" the URL (i.e. displaying a URL
  other than the one associated with the page displayed)
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
  Patched KDM issue:
    "KDM can be tricked into performing a password-less login even for
    accounts with a password set under certain circumstances, namely
    autologin to be configured and "shutdown with password" enabled."
  For more information, see:
    http://www.kde.org/info/security/advisory-20070919-1.txt
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569
  (* Security fix *)
patches/packages/kdelibs-3.5.7-i486-3_slack12.0.tgz:
  Patched Konqueror's supporting libraries to prevent addressbar spoofing.
  For more information, see:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
  (* Security fix *)
+--------------------------+

Where to find the new packages:
+-----------------------------+

HINT: Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try. This is another primary FTP site
for Slackware that can be considerably faster than downloading
directly from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating additional FTP and rsync hosting
to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated packages for Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patc...
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patc...

MD5 signatures:
+-------------+

Slackware 12.0 packages:
467ac64778e2a72334b4ac13ff6f3e98  kdebase-3.5.7-i486-3_slack12.0.tgz
13d4eeb321c922503e8edc49f40e95f4  kdelibs-3.5.7-i486-3_slack12.0.tgz

Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg kdelibs-3.5.7-i486-3_slack12.0.tgz kdebase-3.5.7-i486-3_slack12.0.tgz

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process. Please do not reply to this email address.       |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG9GLiakRjwEAQIjMRAlo6AJ9UB1nu6CSM1n3JIwVGJr7AcCW5UgCfWOlD
wZ7TdNQ1JD1PHmmPlikILmA=
=J2a8
-----END PGP SIGNATURE-----
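As an added example (not part of the advisory or of Slackware's tooling), a POSIX shell script that checks the two downloaded packages against the MD5s the advisory publishes and only then hands them to upgradepkg; it assumes coreutils md5sum and that both .tgz files were fetched into one directory given as the first argument.

```shell
#!/bin/sh
# Added example: verify the SSA:2007-264-01 packages against the MD5s the
# advisory publishes before running upgradepkg. Assumes coreutils md5sum
# and that both .tgz files were downloaded into one directory.

# Checksums copied from the advisory's "MD5 signatures" section.
EXPECTED_MD5S='467ac64778e2a72334b4ac13ff6f3e98 kdebase-3.5.7-i486-3_slack12.0.tgz
13d4eeb321c922503e8edc49f40e95f4 kdelibs-3.5.7-i486-3_slack12.0.tgz'

# verify_md5 FILE EXPECTED: returns 0 when FILE exists and its MD5 equals
# EXPECTED (compared case-insensitively), 1 otherwise.
verify_md5() {
    vm_file="$1"
    vm_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vm_file" ] || return 1
    vm_actual=$(md5sum "$vm_file" | cut -d' ' -f1)
    [ "$vm_actual" = "$vm_expected" ]
}

# verify_all DIR: checks every package in EXPECTED_MD5S under DIR, prints one
# status line per package, and returns 0 only if all of them match.
verify_all() {
    va_dir="$1"
    va_rc=0
    while read -r va_sum va_name; do
        [ -n "$va_name" ] || continue
        if verify_md5 "$va_dir/$va_name" "$va_sum"; then
            echo "OK   $va_name"
        else
            echo "FAIL $va_name (missing or checksum mismatch)"
            va_rc=1
        fi
    done <<EOF
$EXPECTED_MD5S
EOF
    return $va_rc
}

# When run as "sh check.sh /path/to/downloads", refuse to upgrade unless every
# package verifies; kdelibs goes first, in the order the advisory gives.
if [ $# -gt 0 ]; then
    if verify_all "$1"; then
        upgradepkg "$1/kdelibs-3.5.7-i486-3_slack12.0.tgz" \
                   "$1/kdebase-3.5.7-i486-3_slack12.0.tgz"
    else
        echo "Not upgrading: checksum verification failed." >&2
        exit 1
    fi
fi
```

The checksums only carry authority because they sit inside the PGP-signed advisory, so verify the advisory's signature against the key at http://slackware.com/gpg-key before trusting the values pasted into the script.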



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds