Debian LTS: DLA-952-1: kde4libs security update
Debian LTS: DLA-952-1: kde4libs security update
Several vulnerabilities were discovered in kde4libs, the core libraries for all KDE 4 applications. The Common Vulnerabilities and Exposures project identifies the following problems:
Hash: SHA256 Package : kde4libs Version : 4:4.8.4-4+deb7u3 CVE ID : CVE-2013-2074 CVE-2017-6410 CVE-2017-8422 Debian Bug : 856890 Several vulnerabilities were discovered in kde4libs, the core libraries for all KDE 4 applications. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2017-6410 Itzik Kotler, Yonatan Fridburg and Amit Klein of Safebreach Labs reported that URLs are not sanitized before passing them to FindProxyForURL, potentially allowing a remote attacker to obtain sensitive information via a crafted PAC file. CVE-2017-8422 Sebastian Krahmer from SUSE discovered that the KAuth framework contains a logic flaw in which the service invoking dbus is not properly checked. This flaw allows spoofing the identity of the caller and gaining root privileges from an unprivileged account. CVE-2013-2074 It was discovered that KIO would show web authentication credentials in some error cases. For Debian 7 "Wheezy", these problems have been fixed in version 4:4.8.4-4+deb7u3. We recommend that you upgrade your kde4libs packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS