---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-290
2004-09-08
---------------------------------------------------------------------

Product     : Fedora Core 1
Name        : kdelibs
Version     : 3.1.4
Release     : 7
Summary     : K Desktop Environment - Libraries
Description :
Libraries for the K Desktop Environment:
KDE Libraries included: kdecore (KDE core library), kdeui (user interface),
kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking),
kspell (spelling checker), jscript (javascript), kab (addressbook),
kimgio (image manipulation).

---------------------------------------------------------------------
Update Information:

Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create
temporary directories with predictable names. A local attacker could
prevent KDE applications from functioning correctly, or overwrite files
owned by other users by creating malicious symlinks. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2004-0689
to this issue.

WESTPOINT internet reconnaissance services has discovered that the KDE web
browser Konqueror allows websites to set cookies for certain country
specific secondary top level domains. An attacker within one of the
affected domains could construct a cookie which would be sent to all other
websites within the domain leading to a session fixation attack. This
issue does not affect popular domains such as .co.uk, .co.in, or .com. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2004-0721 to this issue.

A frame injection spoofing vulnerability has been discovered in the
Konqueror web browser. This issue could allow a malicious website to show
arbitrary content in a named frame of a different browser window. The
Common Vulnerabilities and Exposures project has assigned the name
CAN-2004-0746 to this issue.

All users of KDE are advised to upgrade to these erratum packages,
which contain backported patches from the KDE team for these issues.

---------------------------------------------------------------------
* Wed Sep 01 2004 Than Ngo <than@redhat.com> 6:3.1.4-7

- Konqueror Frame Injection Vulnerability CAN-2004-0721
- Konqueror Cross-Domain Cookie Injection CAN-2004-0746

* Wed Jul 28 2004 Than Ngo <than@redhat.com> 6:3.1.4-6

- temporary directory vulnerability, CAN-2004-0689


---------------------------------------------------------------------
This update can be downloaded from:
    

008938cbdcd2153b84d2dda1cbcbf887  SRPMS/kdelibs-3.1.4-7.src.rpm
eb7ea45f4d74c1445336bcef9761f02f  x86_64/kdelibs-3.1.4-7.x86_64.rpm
09e622613f98b001d548815e0e8a8a1e  x86_64/kdelibs-devel-3.1.4-7.x86_64.rpm
5b239bdfa7ccadb00fe6eca14b4c0593  
x86_64/debug/kdelibs-debuginfo-3.1.4-7.x86_64.rpm
61cef6ddcc8a103f0aae6d7c8a31e224  i386/kdelibs-3.1.4-7.i386.rpm
987c650d14f71dc848cce75f8bf4dc3a  i386/kdelibs-devel-3.1.4-7.i386.rpm
b2831db469e778da7a7d4073d6cb5517  
i386/debug/kdelibs-debuginfo-3.1.4-7.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

Fedora: kdelibs several vulnerabilities (Core 1)

September 8, 2004
Several KDE vulnerabilities.

Summary

Libraries for the K Desktop Environment:

KDE Libraries included: kdecore (KDE core library), kdeui (user interface),

kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking),

kspell (spelling checker), jscript (javascript), kab (addressbook),

kimgio (image manipulation).

Update Information:

Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue.

WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue.

A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue.

All users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues.

* Wed Sep 01 2004 Than Ngo <than@redhat.com> 6:3.1.4-7

- Konqueror Frame Injection Vulnerability CAN-2004-0721 - Konqueror Cross-Domain Cookie Injection CAN-2004-0746

* Wed Jul 28 2004 Than Ngo <than@redhat.com> 6:3.1.4-6

- temporary directory vulnerability, CAN-2004-0689


This update can be downloaded from:


008938cbdcd2153b84d2dda1cbcbf887 SRPMS/kdelibs-3.1.4-7.src.rpm eb7ea45f4d74c1445336bcef9761f02f x86_64/kdelibs-3.1.4-7.x86_64.rpm 09e622613f98b001d548815e0e8a8a1e x86_64/kdelibs-devel-3.1.4-7.x86_64.rpm 5b239bdfa7ccadb00fe6eca14b4c0593 x86_64/debug/kdelibs-debuginfo-3.1.4-7.x86_64.rpm 61cef6ddcc8a103f0aae6d7c8a31e224 i386/kdelibs-3.1.4-7.i386.rpm 987c650d14f71dc848cce75f8bf4dc3a i386/kdelibs-devel-3.1.4-7.i386.rpm b2831db469e778da7a7d4073d6cb5517 i386/debug/kdelibs-debuginfo-3.1.4-7.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Change Log

References

Fedora Update Notification FEDORA-2004-290 2004-09-08 Product : Fedora Core 1 Name : kdelibs Version : 3.1.4 Release : 7 Summary : K Desktop Environment - Libraries Description : Libraries for the K Desktop Environment: KDE Libraries included: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (javascript), kab (addressbook), kimgio (image manipulation).

Update Instructions

Severity
Product : Fedora Core 1
Name : kdelibs
Version : 3.1.4
Release : 7
Summary : K Desktop Environment - Libraries

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved