Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2004.0622 -- RHSA-2004:412-01 Updated kdelibs and kdebase packages correct security issues 5 October 2004 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: kdelibs and kdebase Publisher: Red Hat Operating System: Red Hat Enterprise Linux AS/ES/WS 3 Red Hat Desktop version 3 Red Hat Enterprise Linux AS/ES/WS 2.1 Red Hat Linux Advanced Workstation 2.1 Linux variants UNIX variants Impact: Overwrite Arbitrary Files Denial of Service Access Privileged Data Provide Misleading Information Access: Remote/Unauthenticated Existing Account CVE Names: CAN-2004-0746 CAN-2004-0721 CAN-2004-0689 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - --------------------------------------------------------------------- Red Hat Security Advisory Synopsis: Updated kdelibs and kdebase packages correct security issues Advisory ID: RHSA-2004:412-01 Issue date: 2004-10-04 Updated on: 2004-10-04 Product: Red Hat Enterprise Linux CVE Names: CAN-2004-0689 CAN-2004-0746 CAN-2004-0721 - - --------------------------------------------------------------------- 1. Summary: Updated kdelib and kdebase packages that resolve multiple security issues are now available. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Problem description: The kdelibs packages include libraries for the K Desktop Environment. The kdebase packages include core applications for the K Desktop Environment. Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue. WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue. A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue. All users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ 5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info): 128693 - CAN-2004-0689 Predictable temporary filenames 128462 - CAN-2004-0721 Konqueror frame injection spoofing 6. RPMs required: Red Hat Enterprise Linux AS (Advanced Server) version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm 34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm i386: 2b9a999a24dd42549fac4e39790b8c17 arts-2.2.2-13.i386.rpm d6aebf57668023cb684b81236c32ce71 kdelibs-2.2.2-13.i386.rpm 20114a97ed08c90c3ecd41d1b462b6bf kdelibs-devel-2.2.2-13.i386.rpm 5ca2b715621e0cdec5e3cfc647739d3f kdelibs-sound-2.2.2-13.i386.rpm 65522ae63db9a60ec3b021099fa267ed kdelibs-sound-devel-2.2.2-13.i386.rpm ia64: 198791b6c87c082383e8824f744a8c41 arts-2.2.2-13.ia64.rpm f0c10dff06590e9b3d4470a4f8b1f624 kdelibs-2.2.2-13.ia64.rpm f8c9cebea143dcf5450cd8ca0105d724 kdelibs-devel-2.2.2-13.ia64.rpm e2218bf3c2da78612dcaf84775f2b940 kdelibs-sound-2.2.2-13.ia64.rpm 2172bffd9baeb6ba3919c9510a8f8c61 kdelibs-sound-devel-2.2.2-13.ia64.rpm Red Hat Linux Advanced Workstation 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kdebase-2.2.2-12.src.rpm 1b2d27e8c9b4fbcc6f14b8b5d8f211de kdebase-2.2.2-12.src.rpm ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm 34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm ia64: 198791b6c87c082383e8824f744a8c41 arts-2.2.2-13.ia64.rpm 95e7fac336a7858e13eb38f47ae5f135 kdebase-2.2.2-12.ia64.rpm 36592e521a13904f8c4c0f5341d39f95 kdebase-devel-2.2.2-12.ia64.rpm f0c10dff06590e9b3d4470a4f8b1f624 kdelibs-2.2.2-13.ia64.rpm f8c9cebea143dcf5450cd8ca0105d724 kdelibs-devel-2.2.2-13.ia64.rpm e2218bf3c2da78612dcaf84775f2b940 kdelibs-sound-2.2.2-13.ia64.rpm 2172bffd9baeb6ba3919c9510a8f8c61 kdelibs-sound-devel-2.2.2-13.ia64.rpm Red Hat Enterprise Linux ES version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kdebase-2.2.2-12.src.rpm 1b2d27e8c9b4fbcc6f14b8b5d8f211de kdebase-2.2.2-12.src.rpm ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm 34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm i386: 2b9a999a24dd42549fac4e39790b8c17 arts-2.2.2-13.i386.rpm 2e4e89ab276d4783fca6effbb86abd45 kdebase-2.2.2-12.i386.rpm 3b7bdc19f63b066f030b02de2fd36fe6 kdebase-devel-2.2.2-12.i386.rpm d6aebf57668023cb684b81236c32ce71 kdelibs-2.2.2-13.i386.rpm 20114a97ed08c90c3ecd41d1b462b6bf kdelibs-devel-2.2.2-13.i386.rpm 5ca2b715621e0cdec5e3cfc647739d3f kdelibs-sound-2.2.2-13.i386.rpm 65522ae63db9a60ec3b021099fa267ed kdelibs-sound-devel-2.2.2-13.i386.rpm Red Hat Enterprise Linux WS version 2.1: SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kdebase-2.2.2-12.src.rpm 1b2d27e8c9b4fbcc6f14b8b5d8f211de kdebase-2.2.2-12.src.rpm ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/kdelibs-2.2.2-13.src.rpm 34cd7c8777facff45a8e5eeed312b3b4 kdelibs-2.2.2-13.src.rpm i386: 2b9a999a24dd42549fac4e39790b8c17 arts-2.2.2-13.i386.rpm 2e4e89ab276d4783fca6effbb86abd45 kdebase-2.2.2-12.i386.rpm 3b7bdc19f63b066f030b02de2fd36fe6 kdebase-devel-2.2.2-12.i386.rpm d6aebf57668023cb684b81236c32ce71 kdelibs-2.2.2-13.i386.rpm 20114a97ed08c90c3ecd41d1b462b6bf kdelibs-devel-2.2.2-13.i386.rpm 5ca2b715621e0cdec5e3cfc647739d3f kdelibs-sound-2.2.2-13.i386.rpm 65522ae63db9a60ec3b021099fa267ed kdelibs-sound-devel-2.2.2-13.i386.rpm Red Hat Enterprise Linux AS version 3: SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm 135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm i386: 6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm 2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm 266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm ia64: 841744faecd1ee54f3790a123395e999 kdebase-3.1.3-5.4.ia64.rpm ad4280e59a322ebda1801b5624a6bd2a kdebase-devel-3.1.3-5.4.ia64.rpm f939dede59e2b87af5f8d32fb41bd7f2 kdelibs-3.1.3-6.6.ia64.rpm 0ea7d0872f7b9aaec7343fab3214791e kdelibs-devel-3.1.3-6.6.ia64.rpm ppc: e658798e8a2b5b7e1c63261f4e401a0c kdebase-3.1.3-5.4.ppc.rpm 9fe876d61e6cbee4450eb1790d666b88 kdebase-devel-3.1.3-5.4.ppc.rpm 478bbcde19aa9dfd6047d775b9b3fd97 kdelibs-3.1.3-6.6.ppc.rpm d74c96bbdc599a943a0d73015487f1de kdelibs-devel-3.1.3-6.6.ppc.rpm s390: 62c50a1e7fa5950240cb2df7821a2cc1 kdebase-3.1.3-5.4.s390.rpm 6c19f7ec956aa49f2f5a2d425bd93da1 kdebase-devel-3.1.3-5.4.s390.rpm c41cb46b8353ab23344901df9eb7d813 kdelibs-3.1.3-6.6.s390.rpm e0fd226e4c616aa6f661184f837cbf26 kdelibs-devel-3.1.3-6.6.s390.rpm s390x: 59899ed9813ae1b6f23756f600322a86 kdebase-3.1.3-5.4.s390x.rpm 075a689d597dc89b3afea95cb16c7c69 kdebase-devel-3.1.3-5.4.s390x.rpm 759d0d56fb3837b3bbca0bf74c6edd9a kdelibs-3.1.3-6.6.s390x.rpm 8b26c56fcaa2bfa353a23ed80cf0de87 kdelibs-devel-3.1.3-6.6.s390x.rpm x86_64: 272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm 57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm 1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm Red Hat Desktop version 3: SRPMS: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm 135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm i386: 6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm 2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm 266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm x86_64: 272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm 57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm 1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm Red Hat Enterprise Linux ES version 3: SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm 135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm i386: 6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm 2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm 266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm ia64: 841744faecd1ee54f3790a123395e999 kdebase-3.1.3-5.4.ia64.rpm ad4280e59a322ebda1801b5624a6bd2a kdebase-devel-3.1.3-5.4.ia64.rpm f939dede59e2b87af5f8d32fb41bd7f2 kdelibs-3.1.3-6.6.ia64.rpm 0ea7d0872f7b9aaec7343fab3214791e kdelibs-devel-3.1.3-6.6.ia64.rpm x86_64: 272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm 57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm 1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm Red Hat Enterprise Linux WS version 3: SRPMS: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kdebase-3.1.3-5.4.src.rpm e4d4e63c66ce9c682c85dc250e1e679d kdebase-3.1.3-5.4.src.rpm ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/kdelibs-3.1.3-6.6.src.rpm 135f069e313d3cbf6483e08711958ee3 kdelibs-3.1.3-6.6.src.rpm i386: 6d952551a98d11f296032defd42392bc kdebase-3.1.3-5.4.i386.rpm 2693da75dd6670f631dab884775881cc kdebase-devel-3.1.3-5.4.i386.rpm 266c7d206975aaaeddf4a611674e866e kdelibs-3.1.3-6.6.i386.rpm bafda78112a389994916b0b0ced83ee2 kdelibs-devel-3.1.3-6.6.i386.rpm ia64: 841744faecd1ee54f3790a123395e999 kdebase-3.1.3-5.4.ia64.rpm ad4280e59a322ebda1801b5624a6bd2a kdebase-devel-3.1.3-5.4.ia64.rpm f939dede59e2b87af5f8d32fb41bd7f2 kdelibs-3.1.3-6.6.ia64.rpm 0ea7d0872f7b9aaec7343fab3214791e kdelibs-devel-3.1.3-6.6.ia64.rpm x86_64: 272944753852fad10e47b9aad38af42a kdebase-3.1.3-5.4.x86_64.rpm a9473976663eeecc906887e1c2dcfcb8 kdebase-devel-3.1.3-5.4.x86_64.rpm 57fb61c68d0aeca7b998d36cd6597541 kdelibs-3.1.3-6.6.x86_64.rpm 1b75fa2f076385cd5d9f0d977a921c03 kdelibs-devel-3.1.3-6.6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package 7. References: http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact.html Copyright 2004 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBYW78XlSAg2UNWIIRAkkiAJ9iuKmNQs5GZQ7+wfwucIs3wNQSYgCgmYal 4Boz0IrYVs6TlcZnARA+tvg= =5kp7 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBQWHnZCh9+71yA2DNAQKF+QP9FUDjVbcOE4Un9xpeXe6agvkU9M8ApBGj aW3ymer5MCfyOp8oINW5OaeujgheyAR57yN1jx7Z/wbeQk5qNIkkZHY78pH0DV5o 8SHIh9Bw79hhPPIfbv88Sbg2dQGDMf9PXKZ2I1xJ52lXrSM6K+1pVNLioyMRIzk/ l7RjhW/sbdU= =Zyos -----END PGP SIGNATURE-----