Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -2 articles for you...
87
security advisoryremote exploitcriticalDebian: DSA 777-1 Critical: Mozilla Frame Injection Attack Fix
Updated package.. - --------------------------------------------------------------------------Debian Security Advisory DSA 777-1
Aug 17, 2005
•Critical
Debian
87
security advisorysoftware updatedebianDebian DSA-775-1 Critical: Mozilla Frame Injection Spoofing
Updated package.. - --------------------------------------------------------------------------Debian Security Advisory DSA 775-1
Aug 15, 2005
•Critical
Debian
89
security advisoryfedorakdebaseFedora: FEDORA-2004-293 Severe: Kdebase Multiple Issues
Several KDE vulnerabilities.. --------------------------------------------------------------------- Fedora Update Notification FEDORA-2004-293 2004-09-08 --------------------------------------------------------------------- Product : Fedora Core 2 Name : kdebase Version : 3.2.2 Release : 6.FC2 Summary : K Desktop Environment - core files Description : Core applications for the K Desktop Environment. Included are: kdm (replacement for xdm), kwin (window manager), konqueror (filemanager, web browser, ftp client, ...), konsole (xterm replacement), kpanel (application starter and desktop pager), kaudio (audio server), kdehelp (viewer for kde help files, info and man pages), kthememgr (system for managing alternate theme packages) plus other KDE components (kcheckpass, kikbd, kscreensaver, kcontrol, kfind, kfontmanager, kmenuedit). --------------------------------------------------------------------- Update Information: Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue. WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue. A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of adifferent browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue. All users of KDE are advised to upgrade to these packages, which contain backported patches from the KDE team for these issues. --------------------------------------------------------------------- * Mon Sep 06 2004 Than Ngo 6:3.2.2-6.FC2 - fix a bug in keyboard layout with xorg.x11, bug #121950 - fix df problem on AFS * Wed Sep 01 2004 Than Ngo 6:3.2.2-5.FC2 - Konqueror Frame Injection Vulnerability, CAN-2004-0721 --------------------------------------------------------------------- This update can be downloaded from: 80f87d426b760776fc7fc03653ad30a6 SRPMS/kdebase-3.2.2-6.FC2.src.rpm 6bbf33f60b428bc3f2e0fac4fa09b64f x86_64/kdebase-3.2.2-6.FC2.x86_64.rpm 8eb7ca6d4dd1557114980885744ecdfd x86_64/kdebase-devel-3.2.2-6.FC2.x86_64.rpm 4e9b9094fc7abd21083de2c17b9f51f0 x86_64/debug/kdebase-debuginfo-3.2.2-6.FC2.x86_64.rpm a05b23c8202566417a5bc2d3a3a5cd88 i386/kdebase-3.2.2-6.FC2.i386.rpm bc6d4263395d4af1a4b89503ff4a8e28 i386/kdebase-devel-3.2.2-6.FC2.i386.rpm 1835604099fdd8c8ed532f5c15709c0d i386/debug/kdebase-debuginfo-3.2.2-6.FC2.i386.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. --------------------------------------------------------------------- . Secure your KDE on Fedora Core 2 by backing up, updating packages, applying patches, reconfiguring settings, and monitoring updates regularly for safety. KDESecurity,FedoraUpdates,KDEVulnerabilities,LocalAttacker,FrameInjection. . LinuxSecurity.com Team
Sep 08, 2004
Fedora
89
security advisoryFedorakdelibsFedora: kdelibs Update Notification, Critical: Session Fixation Threat
Several KDE vulnerabilities.. --------------------------------------------------------------------- Fedora Update Notification FEDORA-2004-290 2004-09-08 --------------------------------------------------------------------- Product : Fedora Core 1 Name : kdelibs Version : 3.1.4 Release : 7 Summary : K Desktop Environment - Libraries Description : Libraries for the K Desktop Environment: KDE Libraries included: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (javascript), kab (addressbook), kimgio (image manipulation). --------------------------------------------------------------------- Update Information: Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue. WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue. A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue. All users of KDE are advised to upgrade to these erratum packages, which containbackported patches from the KDE team for these issues. --------------------------------------------------------------------- * Wed Sep 01 2004 Than Ngo 6:3.1.4-7 - Konqueror Frame Injection Vulnerability CAN-2004-0721 - Konqueror Cross-Domain Cookie Injection CAN-2004-0746 * Wed Jul 28 2004 Than Ngo 6:3.1.4-6 - temporary directory vulnerability, CAN-2004-0689 --------------------------------------------------------------------- This update can be downloaded from: 008938cbdcd2153b84d2dda1cbcbf887 SRPMS/kdelibs-3.1.4-7.src.rpm eb7ea45f4d74c1445336bcef9761f02f x86_64/kdelibs-3.1.4-7.x86_64.rpm 09e622613f98b001d548815e0e8a8a1e x86_64/kdelibs-devel-3.1.4-7.x86_64.rpm 5b239bdfa7ccadb00fe6eca14b4c0593 x86_64/debug/kdelibs-debuginfo-3.1.4-7.x86_64.rpm 61cef6ddcc8a103f0aae6d7c8a31e224 i386/kdelibs-3.1.4-7.i386.rpm 987c650d14f71dc848cce75f8bf4dc3a i386/kdelibs-devel-3.1.4-7.i386.rpm b2831db469e778da7a7d4073d6cb5517 i386/debug/kdelibs-debuginfo-3.1.4-7.i386.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. --------------------------------------------------------------------- . Several security flaws detected in Fedora's kdelibs affecting KDE libraries' operations. Performing an upgrade is highly recommended to mitigate possible risks.. KDE Libraries,Fedora Security,Session Fixation,Cross-Site Scripting,Directory Traversal. . Severity: Critical. LinuxSecurity.com Team
Sep 08, 2004
•Critical
Fedora
89
security advisoryFedorakdelibsFedora Core 2: 2004-291 Moderate: kde Frame Injection and Cookie Issues
Several KDE vulnerabilities.. --------------------------------------------------------------------- Fedora Update Notification FEDORA-2004-291 2004-09-08 --------------------------------------------------------------------- Product : Fedora Core 2 Name : kdelibs Version : 3.2.2 Release : 8.FC2 Summary : K Desktop Environment - Libraries Description : Libraries for the K Desktop Environment: KDE Libraries included: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (javascript), kab (addressbook), kimgio (image manipulation). --------------------------------------------------------------------- Update Information: Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0689 to this issue. WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0721 to this issue. A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window. The Common Vulnerabilities and Exposures project has assigned the name CAN-2004-0746 to this issue. All users of KDE are advised to upgrade to these packages, which containbackported patches from the KDE team for these issues. --------------------------------------------------------------------- * Wed Sep 01 2004 Than Ngo 6:3.2.2-8.FC2 - Konqueror Frame Injection Vulnerability CAN-2004-0721 - Konqueror Cross-Domain Cookie Injection CAN-2004-0746 * Wed Jul 28 2004 Than Ngo 6:3.2.2-7 - DCOPServer Temporary Filename Vulnerability, CAN-2004-0690 - temporary directory vulnerability, CAN-2004-0689 --------------------------------------------------------------------- This update can be downloaded from: 1f58d8b1b9a5598e249f9cca9dfd989d SRPMS/kdelibs-3.2.2-8.FC2.src.rpm b5106d0e1e28796c79df11a798d1e1bb x86_64/kdelibs-3.2.2-8.FC2.x86_64.rpm 9460641c334c4e448cd94f20dfda49fd x86_64/kdelibs-devel-3.2.2-8.FC2.x86_64.rpm 82353b5f48c540655dbec591ff6afa28 x86_64/debug/kdelibs-debuginfo-3.2.2-8.FC2.x86_64.rpm bbe4cd8f2842be7209f7821d8548926a i386/kdelibs-3.2.2-8.FC2.i386.rpm 9d25c78e9ae1e911411c47f8f4aaae2f i386/kdelibs-devel-3.2.2-8.FC2.i386.rpm 3cb3189b5c72aa10fef2bfb99b2059d2 i386/debug/kdelibs-debuginfo-3.2.2-8.FC2.i386.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. --------------------------------------------------------------------- . Examine several vulnerabilities within the KDE desktop environment that were addressed with backported patches tailored for Fedora Core 2. Ensure to stay updated on mitigating measures.. KDE Vulnerabilities,Fedora Update,Security Patches,Local Attack Prevention. . Severity: Important. LinuxSecurity.com Team
Sep 08, 2004
•Important
Fedora
99
security advisorycriticalKDESlackware 10.0: 2004-247-01 Critical: KDE Frame Injection Issue
New kdelibs and kdebase packages are available for Slackware 9.1, 10.0, and -current to fix security issues. More details about this issues may be found in the Common Vulnerabilities and Exposures (CVE) database: . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] kde (SSA:2004-247-01) New kdelibs and kdebase packages are available for Slackware 9.1, 10.0, and -current to fix security issues. More details about this issues may be found in the Common Vulnerabilities and Exposures (CVE) database: https://www.cve.org/CVERecord?id=CAN-2004-0689 https://www.cve.org/CVERecord?id=CAN-2004-0690 https://www.cve.org/CVERecord?id=CAN-2004-0721 https://www.cve.org/CVERecord?id=CAN-2004-0746 Here are the details from the Slackware 10.0 ChangeLog: +--------------------------+ Fri Sep 3 13:13:09 PDT 2004 patches/packages/kdebase-3.2.3-i486-2.tgz: Patched frame injection vulnerability in Konqueror. For more details, see: https://www.cve.org/CVERecord?id=CAN-2004-0721 (* Security fix *) patches/packages/kdelibs-3.2.3-i486-2.tgz: Patched unsafe temporary directory usage, cross-domain cookie injection vulnerability for certain country specific domains, and frame injection vulnerability in Konqueror. For more details, see: https://www.cve.org/CVERecord?id=CAN-2004-0689 https://www.cve.org/CVERecord?id=CAN-2004-0690 https://www.cve.org/CVERecord?id=CAN-2004-0721 https://www.cve.org/CVERecord?id=CAN-2004-0746 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Updated packages for Slackware 9.1: ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kdebase-3.1.4-i486-2.tgz ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/kdelibs-3.1.4-i486-3.tgz Updated packages for Slackware 10.0: Updated packages for Slackware -current: MD5 signatures: +-------------+ Slackware 9.1 packages: 296fc0b2d31c5914b08ab54332312cf9 kdebase-3.1.4-i486-2.tgz c0de072389daeb6bd8a1cde2ed1dc8ef kdelibs-3.1.4-i486-3.tgz Slackware 10.0 packages: 528edca97f8d6c412742fa8f817abd76 kdebase-3.2.3-i486-2.tgz 8eabfa597ea805ceb457933d36e144be kdelibs-3.2.3-i486-2.tgz Slackware -current packages: 528edca97f8d6c412742fa8f817abd76 kdebase-3.2.3-i486-2.tgz 8eabfa597ea805ceb457933d36e144be kdelibs-3.2.3-i486-2.tgz Installation instructions: +------------------------+ Upgrade the packages as root: # upgradepkg kdebase-3.2.3-i486-2.tgz kdelibs-3.2.3-i486-2.tgz +-----+ . Enhance the security of kdelibs and kdebase on Slackware to mitigate severe vulnerabilities impacting various editions.. KDE Security Fix, Slackware Critical Update, kdelibs Patch, KDE Package Management. . Severity: Critical. LinuxSecurity.com Team
Sep 04, 2004
•Critical
Slackware
91
security advisorydenial of servicegentooGentoo: GLSA-200408-13 Normal: kdebase And kdelibs Multiple Issues
KDE contains three security issues that can allow an attacker to compromise system accounts, cause a Denial of Service, or spoof websites via frame injection. [More...]. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200408-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: kdebase, kdelibs: Multiple security issues Date: August 12, 2004 Bugs: #60068 ID: 200408-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= KDE contains three security issues that can allow an attacker to compromise system accounts, cause a Denial of Service, or spoof websites via frame injection. Background ========= KDE is a powerful Free Software graphical desktop environment for Linux and Unix-like Operating Systems. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 kde-base/kdebase < 3.2.3-r1 > = 3.2.3-r1 2 kde-base/kdelibs < 3.2.3-r1 > = 3.2.3-r1 ------------------------------------------------------------------- 2 affected packages on all of their supported architectures. ------------------------------------------------------------------- Description ========== KDE contains three security issues: * Insecure handling of temporary files when running KDE applications outside of the KDE environment * DCOPServer creates temporary files in an insecure manner * The Konqueror browser allows websites to load webpages into a target frame of any other open frame-basedwebpage Impact ===== An attacker could exploit these vulnerabilities to create or overwrite files with the permissions of another user, compromise the account of users running a KDE application and insert arbitrary frames into an otherwise trusted webpage. Workaround ========= There is no known workaround at this time. All users are encouraged to upgrade to the latest available version of kdebase. Resolution ========= All KDE users should upgrade to the latest versions of kdelibs and kdebase: # emerge sync # emerge -pv "> =kde-base/kdebase-3.2.3-r1" # emerge "> =kde-base/kdebase-3.2.3-r1" # emerge -pv "> =kde-base/kdelibs-3.2.3-r1" # emerge "> =kde-base/kdelibs-3.2.3-r1" References ========= [ 1 ] KDE Advisory: Temporary Directory Vulnerability https://kde.org/info/security/advisory-20040811-1.txt [ 2 ] KDE Advisory: DCOPServer Temporary Filename Vulnerability https://kde.org/info/security/advisory-20040811-2.txt [ 3 ] KDE Advisory: Konqueror Frame Injection Vulnerability https://kde.org/info/security/advisory-20040811-3.txt Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/200408-13 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to
Aug 12, 2004
Gentoo
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!