Mageia 2020-0475: kdeconnect-kde security update
Summary
During the pairing procedure, the GUI component presented only the friendly 'deviceName' to identify peer devices, and that value is completely under attacker control. Furthermore, the 'deviceName' is transmitted in cleartext in UDP broadcast messages, visible to all other nodes in the network segment. Therefore, malicious devices can attempt to confuse users by requesting a
References
- https://bugs.mageia.org/show_bug.cgi?id=27700
- https://www.openwall.com/lists/oss-security/2020/11/30/1
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7S5MEH3CXBXVT2KJAPUZFFUHVVXK6BN7/
Resolution
MGASA-2020-0475 - Updated kdeconnect-kde packages improve security
SRPMS
- 7/core/kdeconnect-kde-1.3.4-2.2.mga7