-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2007.0760
        [UNIX/Linux][RedHat] Moderate: kdelibs security update
                               9 October 2007

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              kdelibs
Publisher:            Red Hat
Operating System:     Red Hat Enterprise Linux AS/ES/WS 4
                      Red Hat Enterprise Linux AS/ES/WS 5
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Cross-site Scripting
                      Denial of Service
                      Provide Misleading Information
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-4224 CVE-2007-3820 CVE-2007-1564
                      CVE-2007-1308 CVE-2007-0537 CVE-2007-0242
Ref:                  AA-2007.0021
                      ESB-2007.0322
                      ESB-2007.0649
                      ESB-2007.0699
                      ESB-2007.0759

Original Bulletin:
  https://rhn.redhat.com/errata/RHSA-2007-0909.html

Comment: This advisory references vulnerabilities in products which run on
         platforms other than RedHat. It is recommended that administrators
         running kde check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: kdelibs security update
Advisory ID:       RHSA-2007:0909-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0909.html
Issue date:        2007-10-08
Updated on:        2007-10-08
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-0242 CVE-2007-0537 CVE-2007-1308 CVE-2007-1564
                   CVE-2007-3820 CVE-2007-4224
- - ---------------------------------------------------------------------

1. Summary:

Updated kdelibs packages that resolve several security flaws are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

The kdelibs package provides libraries for the K Desktop Environment (KDE).

Two cross-site-scripting flaws were found in the way Konqueror processes
certain HTML content. This could result in a malicious attacker presenting
misleading content to an unsuspecting user. (CVE-2007-0242, CVE-2007-0537)

A flaw was found in the KDE JavaScript implementation. A web page containing
malicious JavaScript code could cause Konqueror to crash. (CVE-2007-1308)

A flaw was found in the way Konqueror handled certain FTP PASV commands. A
malicious FTP server could use this flaw to perform a rudimentary port-scan
of machines behind a user's firewall. (CVE-2007-1564)

Two Konqueror address spoofing flaws have been discovered. It was possible
for a malicious website to cause the Konqueror address bar to display
information which could trick a user into believing they are at a different
website than they actually are. (CVE-2007-3820, CVE-2007-4224)

Users of KDE should upgrade to these updated packages, which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

229606 - CVE-2007-0537 konqueror XSS
233592 - CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
234633 - CVE-2007-0242 QT UTF8 improper character expansion
248537 - CVE-2007-3820 Spoofing of URI possible in Konqueror's address bar
251708 - CVE-2007-4224 URL spoof in address bar
299891 - CVE-2007-1308 kdelibs KDE JavaScript denial of service (crash)

6. RPMs required:

Red Hat Enterprise Linux AS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm
Red Hat Enterprise Linux Desktop version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm

Red Hat Enterprise Linux ES version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm

Red Hat Enterprise Linux WS version 4:

SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdelibs-3.5.4-13.el5.src.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdelibs-3.5.4-13.el5.src.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdelibs-3.5.4-13.el5.src.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1564
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHCebKXlSAg2UNWIIRAgG+AJ9AiWwUiSB+1AYF6gC4rFMZAlvzQgCgnvDw
GZzAI8Yhuu/XrZRWA4myHso=
=wJQp
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRwq0zCh9+71yA2DNAQKbMAP+NpvSgLWHI0ElmwqOFDhmiN4Bhh+zQFDf
wkgbFhWyD7FLyzfC8Z6HOq8srbhJ8nN88Bu4cfkBx3wpWnXT3vRXLTG+/Qu4rTyG
KBhBGpAprGewfC0vYQzrqfBOezs4/YpqDNkfkO+d2jsw/edHKHF8j98yPUQNpdqy
g4dxkkWSzZM=
=/OnB
-----END PGP SIGNATURE-----
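The FTP PASV flaw (CVE-2007-1564) in the problem description above comes down to a client trusting the address inside the server's 227 reply. The C++ below is an added example, not kdelibs or Red Hat code: it parses a 227 reply and shows the naive decision beside a hardened one that refuses any data-connection host other than the control connection's peer; the peer address and both replies are constructed samples.

```cpp
#include <cstdio>
#include <string>

struct PasvTarget { std::string host; int port; };  // host from the 227 reply, port = p1*256 + p2

// Parse an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959).
// Returns false on anything that is not a well-formed 227 reply.
bool parsePasvReply(const std::string& reply, PasvTarget& out) {
    if (reply.compare(0, 3, "227") != 0) return false;
    std::string::size_type open = reply.find('(');
    if (open == std::string::npos) return false;
    unsigned v[6];
    if (std::sscanf(reply.c_str() + open, "(%u,%u,%u,%u,%u,%u)",
                    &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6) return false;
    for (unsigned x : v) if (x > 255) return false;  // every field is a single octet
    out.host = std::to_string(v[0]) + "." + std::to_string(v[1]) + "." +
               std::to_string(v[2]) + "." + std::to_string(v[3]);
    out.port = static_cast<int>(v[4] * 256 + v[5]);
    return true;
}

// Vulnerable behaviour (the CVE-2007-1564 class of flaw): open the data connection to
// whatever address the server names, so a hostile server can steer the client at hosts
// behind the client's firewall. Returns "host:port", or "" for a malformed reply.
std::string naiveDataTarget(const std::string& reply, const std::string& /*controlPeer*/) {
    PasvTarget t;
    if (!parsePasvReply(reply, t)) return "";
    return t.host + ":" + std::to_string(t.port);
}

// Hardened behaviour: the data connection may only go to the address the control
// connection is already talking to. Any other host is refused (returns "").
std::string safeDataTarget(const std::string& reply, const std::string& controlPeer) {
    PasvTarget t;
    if (!parsePasvReply(reply, t)) return "";
    if (t.host != controlPeer) return "";  // server tried to redirect the data channel
    return t.host + ":" + std::to_string(t.port);
}

int main() {
    const std::string peer = "192.0.2.10";  // constructed: address the control connection reached
    // Constructed replies: one honest, one naming a private address instead of the server's own.
    const char* replies[] = {"227 Entering Passive Mode (192,0,2,10,19,137)",
                             "227 Entering Passive Mode (10,0,0,5,0,22)"};
    for (const char* r : replies)
        std::printf("%s\n  naive client connects to: %s\n  hardened client: %s\n", r,
                    naiveDataTarget(r, peer).c_str(),
                    safeDataTarget(r, peer).empty() ? "refused" : safeDataTarget(r, peer).c_str());
    return 0;
}
```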