Debian LTS: DLA-952-1: kde4libs security update

Several vulnerabilities were discovered in kde4libs, the core libraries for all KDE 4 applications. The Common Vulnerabilities and Exposures project identifies the following problems:

Hash: SHA256

Package        : kde4libs
Version        : 4:4.8.4-4+deb7u3
CVE ID         : CVE-2013-2074 CVE-2017-6410 CVE-2017-8422
Debian Bug     : 856890

Several vulnerabilities were discovered in kde4libs, the core libraries
for all KDE 4 applications. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-6410

    Itzik Kotler, Yonatan Fridburg and Amit Klein of Safebreach Labs
    reported that URLs are not sanitized before passing them to
    FindProxyForURL, potentially allowing a remote attacker to obtain
    sensitive information via a crafted PAC file.

CVE-2017-8422

    Sebastian Krahmer from SUSE discovered that the KAuth framework
    contains a logic flaw in which the service invoking dbus is not
    properly checked. This flaw allows spoofing the identity of the
    caller and gaining root privileges from an unprivileged account.

CVE-2013-2074

    It was discovered that KIO would show web authentication
    credentials in some error cases.

For Debian 7 "Wheezy", these problems have been fixed in version
4:4.8.4-4+deb7u3.

We recommend that you upgrade your kde4libs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS