--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-8039
2009-07-27 21:07:20
--------------------------------------------------------------------------------
Name : kdelibs
Product : Fedora 11
Version : 4.2.4
Release : 6.fc11
URL : https://kde.org/
Summary : K Desktop Environment 4 - Libraries
Description :
Libraries for the K Desktop Environment 4.
--------------------------------------------------------------------------------
Update Information:
This update fixes several security issues in KHTML (CVE-2009-1725,
CVE-2009-1690, CVE-2009-1687, CVE-2009-1698, CVE-2009-0945, CVE-2009-2537) which
may lead to a denial of service or potentially even arbitrary code execution.
In addition, libplasma was fixed to make Plasmaboard (a virtual keyboard applet)
work, and a bug in a Fedora patch which made builds of the SRPM on single-CPU
machines fail was fixed.
--------------------------------------------------------------------------------
ChangeLog:
* Sun Jul 26 2009 Kevin Kofler - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML ( use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
* Thu Jul 23 2009 Jaroslav Reznik - 4.2.4-5
- CVE-2009-2537 - select length DoS
- correct fixPopupForPlasmaboard.patch
* Wed Jul 8 2009 Kevin Kofler - 4.2.4-4
- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)
* Mon Jun 15 2009 Rex Dieter 4.2.4-3
- fixPopupForPlasmaboard.patch
* Mon Jun 1 2009 Lukáš Tinkl - 4.2.4-2
- respun tarball
* Sat May 30 2009 Lukáš Tinkl - 4.2.4-1
- KDE 4.2.4
* Tue May 12 2009 Rex Dieter - 4.2.3-3
- kde4.(sh|csh): drop QT_PLUGINS_PATH munging, kde4-config call (#498809)
* Mon May 4 2009 Than Ngo - 4.2.3-2
- better fix for strcasestr detection
* Sun May 3 2009 Than Ngo - 4.2.3-1
- 4.2.3
* Tue Apr 28 2009 Lukáš Tinkl - 4.2.2-13
- upstream patch to fix GCC4.4 crashes in kjs
(kdebug:189809)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #513813 - CVE-2009-1725: KHTML: improper handling of numeric character references (ACE, DoS)
https://bugzilla.redhat.com/show_bug.cgi?id=513813
[ 2 ] Bug #505571 - CVE-2009-1690 kdelibs: KHTML Incorrect handling element content once the element was removed (DoS, ACE)
https://bugzilla.redhat.com/show_bug.cgi?id=505571
[ 3 ] Bug #506453 - CVE-2009-1687 kdelibs: Integer overflow in KJS JavaScript garbage collector
https://bugzilla.redhat.com/show_bug.cgi?id=506453
[ 4 ] Bug #506469 - CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)
https://bugzilla.redhat.com/show_bug.cgi?id=506469
[ 5 ] Bug #506703 - CVE-2009-0945 kdegraphics: KSVG NULL-pointer dereference in the SVGList interface implementation (ACE)
https://bugzilla.redhat.com/show_bug.cgi?id=506703
[ 6 ] Bug #512911 - CVE-2009-2537 Konqueror: DoS via large length property of a Select object
https://bugzilla.redhat.com/show_bug.cgi?id=512911
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update kdelibs' at the command line.
For more information, refer to "Managing Software with yum",
available at .
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/security/
--------------------------------------------------------------------------------
_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-announce