[sflack-security] kdebase, kdelibs (SFSA:2007-264-01)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


New kdebase and kdelibs packages are available for Sflack 12.0 to fix
security issues.

A long URL padded with spaces could be used to display a false URL in
Konqueror's address bar (URL spoofing), and KDM, when configured for
autologin with "shutdown with password" enabled, could be tricked into
logging a user in without a password even though that account has a
password set. KDM is not configured this way in Sflack by default,
which somewhat mitigates the impact of the KDM issue.

More details about the issues may be found here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
http://www.kde.org/info/security/advisory-20070919-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569


Here are the details from the Sflack 12.0 ChangeLog:
+--------------------------+
patches/packages/kdebase-3.5.7-x86_64-3_sflack12.0.tgz:
Patched Konqueror to prevent "spoofing" the URL
(i.e. displaying a URL other than the one associated with the page displayed)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
Patched KDM issue: "KDM can be tricked into performing a password-less
login even for accounts with a password set under certain circumstances,
namely autologin to be configured and "shutdown with password" enabled."
For more information, see:
http://www.kde.org/info/security/advisory-20070919-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569
(* Security fix *)
patches/packages/kdelibs-3.5.7-x86_64-3_sflack12.0.tgz:
Patched Konqueror's supporting libraries to prevent addressbar spoofing.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
(* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at Evolva Telecom
(http://evolva.ro) and serghei.net (http://serghei.net)
for donating additional FTP and rsync hosting
to the Sflack project! :-)

Also see the "Get Sflack" section on http://sflack.com for
additional mirror sites near you.

Updated packages for Sflack 12.0:
ftp://ftp.sflack.com/pub/sflack/sflack-12.0/patches/packages/kdebase-3.5.7-x86_64-3_sflack12.0.tgz
ftp://ftp.sflack.com/pub/sflack/sflack-12.0/patches/packages/kdelibs-3.5.7-x86_64-3_sflack12.0.tgz


MD5 signatures:
+-------------+

Sflack 12.0 packages:
1388bba85ba1b610c1f9f7df0bc3b05b kdebase-3.5.7-x86_64-3_sflack12.0.tgz
7ed805406ee61011b92b1cf07c15cbfb kdelibs-3.5.7-x86_64-3_sflack12.0.tgz


Installation instructions:
+------------------------+

Upgrade the packages as root:
# upgradepkg kdelibs-3.5.7-x86_64-3_sflack12.0.tgz kdebase-3.5.7-x86_64-3_sflack12.0.tgz
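Before running upgradepkg, compare each downloaded package against the
MD5 value listed in the "MD5 signatures" section above, since a mirror
or an FTP transfer can deliver a truncated or tampered file. The
following POSIX sh script is an added example, not part of the Sflack
advisory or of the Sflack tooling: the function names (md5_of,
verify_md5, verify_all) and the manifest file format ("md5 filename"
per line, i.e. the two lines from the section above) are this example's
own assumptions.

```shell
#!/bin/sh
# Added example (not from the Sflack advisory): refuse to upgrade unless
# every downloaded package's MD5 matches the value published in the
# PGP-signed advisory.

# md5_of FILE -> prints the hex MD5 of FILE
# (uses md5sum where available, otherwise falls back to openssl)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED -> returns 0 if FILE's MD5 equals EXPECTED,
# 1 otherwise (a missing or unreadable FILE also counts as a mismatch)
verify_md5() {
    actual=$(md5_of "$1") || return 1
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "MD5 mismatch for $1: got '$actual', expected '$2'" >&2
    return 1
}

# verify_all MANIFEST -> MANIFEST holds one "md5 filename" line per
# package (assumed format, copied from the advisory's MD5 section);
# returns 0 only if every listed file matches, 1 if any does not.
verify_all() {
    status=0
    while read -r expected file; do
        [ -z "$file" ] && continue
        verify_md5 "$file" "$expected" || status=1
    done < "$1"
    return $status
}

# Stand-alone use: sh verify.sh MANIFEST && upgradepkg kdelibs-*.tgz kdebase-*.tgz
if [ $# -ge 1 ]; then
    verify_all "$1"
fi
```

Run it as root in the directory holding the two .tgz files and only
call upgradepkg when it exits 0, e.g.
`sh verify.sh MANIFEST && upgradepkg kdelibs-3.5.7-x86_64-3_sflack12.0.tgz kdebase-3.5.7-x86_64-3_sflack12.0.tgz`.
Note what this does and does not give you: MD5 is a transport-integrity
check, not a proof of origin, and MD5 is no longer collision resistant;
the authenticity of the listed values rests on the PGP signature over
this advisory, so check that first with `gpg --verify` against the key
published at http://sflack.com/gpg-key.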


+-----+

Sflack Linux Security Team
http://sflack.com/gpg-key
security at sflack.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG9PiPw79R6/xskD8RAspFAKDyj4GIfhO7X0pVpKjJ1UH5y7dkPwCeN0C7
xJoflHV7rl3i/YRBgGBoaoQ=
=r/xc
-----END PGP SIGNATURE-----