Bugtraq: [SECURITY] [DSA 518-1] New kdelibs packages fix URI handler vulnerabilities
[SECURITY] [DSA 518-1] New kdelibs packages fix URI handler vulnerabilities
From: Martin Schulze <joey_at_infodrom.org>
Date: Mon, 14 Jun 2004 15:29:31 +0200 (CEST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 518-1 security_at_debian.org
http://www.debian.org/security/ Martin Schulze
June 14th, 2004 http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : kdelibs
Vulnerability : unsanitised input
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0411
iDEFENSE identified a vulnerability in the Opera web browser that
could be used by remote attackers to create or truncate arbitrary
files on the victims machine. The KDE team discovered that a similar
vulnerability exists in KDE.
A remote attacker could entice a user to open a carefully crafted
telnet URI which may either create or truncate a file in the victims
home directory. In KDE 3.2 and later versions the user is first
explicitly asked to confirm the opening of the telnet URI.
For the stable distribution (woody) this problem has been fixed in
version 2.2.2-13.woody.10.
We recommend that you upgrade your KDE libraries.
Upgrade Instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
