Stay Secure with the Latest Linux Advisories

security advisorycritical issueinformation leak

Fedora 25: 2017-03-12 Critical kdelibs3 Update for Leak Issues

This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues: * CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system locations * CVE-2017-6410 (kio): Information Leak when accessing https when using a malicious PAC file for the KDE 3 compatibility libraries. (Security updates for KDE Frameworks 5 (kf5-karchive resp. kf5-kio) and for the KDE 4. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2017-4f4eef4791 2017-03-12 16:21:58.067358 -------------------------------------------------------------------------------- Name : kdelibs3 Product : Fedora 25 Version : 3.5.10 Release : 84.fc25 URL : https://kde.org/ Summary : KDE 3 Libraries Description : Libraries for KDE 3: KDE Libraries included: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (javascript), kab (addressbook), kimgio (image manipulation). -------------------------------------------------------------------------------- Update Information: This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues: * CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system locations * CVE-2017-6410 (kio): Information Leak when accessing https when using a malicious PAC file for the KDE 3 compatibility libraries. (Security updates for KDE Frameworks 5 (kf5-karchive resp. kf5-kio) and for the KDE 4 compatibility libraries (kdelibs 4) have already been submitted.) In addition, the KDE 3 compatibility version of KCrash was modified to use the DrKonqi from Plasma 5 rather than from kde-runtime 4. (The original KDE 3 DrKonqi was already dropped years ago.) The kde-runtime 4 DrKonqi is not installed by default and will be removed entirely in future Fedora versions, the Plasma 5 version of DrKonqi can also be used for legacyapplications. -------------------------------------------------------------------------------- References: [ 1 ] Bug #1427808 - CVE-2017-6410 kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file https://bugzilla.redhat.com/show_bug.cgi?id=1427808 [ 2 ] Bug #1357410 - CVE-2016-6232 kf5-karchive: Extraction of tar files possible to arbitrary system locations https://bugzilla.redhat.com/show_bug.cgi?id=1357410 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade kdelibs3' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list -- This email address is being protected from spambots. You need JavaScript enabled to view it. To unsubscribe send an email to This email address is being protected from spambots. You need JavaScript enabled to view it. . Tackling stability concerns in kdelibs3 for Fedora 25, particularly focusing on tar extraction flaws and potential data exposure risks.. kdelibs3 update, KDE compatibility, tar extraction, security fixes, Fedora vulnerabilities. . Severity: Critical. LinuxSecurity.com Team

Mar 12, 2017 •Critical Fedora