Date: 09 October 2007
References: AA-2007.0021 ESB-2007.0322 ESB-2007.0649 ESB-2007.0699 ESB-2007.0759 ESB-2011.0962
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2007.0760 -- [UNIX/Linux][RedHat]
Moderate: kdelibs security update
9 October 2007
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: kdelibs
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux AS/ES/WS 4
Red Hat Enterprise Linux AS/ES/WS 5
UNIX variants (UNIX, Linux, OSX)
Impact: Cross-site Scripting
Denial of Service
Provide Misleading Information
Inappropriate Access
Access: Remote/Unauthenticated
CVE Names: CVE-2007-4224 CVE-2007-3820 CVE-2007-1564
CVE-2007-1308 CVE-2007-0537 CVE-2007-0242
Ref: AA-2007.0021
ESB-2007.0322
ESB-2007.0649
ESB-2007.0699
ESB-2007.0759
Original Bulletin: https://rhn.redhat.com/errata/RHSA-2007-0909.html
Comment: This advisory references vulnerabilities in products which run on
platforms other than RedHat. It is recommended that administrators
running kde check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - ---------------------------------------------------------------------
Red Hat Security Advisory
Synopsis: Moderate: kdelibs security update
Advisory ID: RHSA-2007:0909-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0909.html
Issue date: 2007-10-08
Updated on: 2007-10-08
Product: Red Hat Enterprise Linux
CVE Names: CVE-2007-0242 CVE-2007-0537 CVE-2007-1308
CVE-2007-1564 CVE-2007-3820 CVE-2007-4224
- - ---------------------------------------------------------------------
1. Summary:
Updated kdelibs packages that resolve several security flaws are
now available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
3. Problem description:
The kdelibs package provides libraries for the K Desktop Environment (KDE).
Two cross-site-scripting flaws were found in the way Konqueror processes
certain HTML content. This could result in a malicious attacker presenting
misleading content to an unsuspecting user. (CVE-2007-0242, CVE-2007-0537)
A flaw was found in KDE JavaScript implementation. A web page containing
malicious JavaScript code could cause Konqueror to crash. (CVE-2007-1308)
A flaw was found in the way Konqueror handled certain FTP PASV commands.
A malicious FTP server could use this flaw to perform a rudimentary
port-scan of machines behind a user's firewall. (CVE-2007-1564)
Two Konqueror address spoofing flaws have been discovered. It was
possible for a malicious website to cause the Konqueror address bar to
display information which could trick a user into believing they are at a
different website than they actually are. (CVE-2007-3820, CVE-2007-4224)
Users of KDE should upgrade to these updated packages, which contain
backported patches to correct these issues.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
229606 - CVE-2007-0537 konqueror XSS
233592 - CVE-2007-1564 FTP protocol PASV design flaw affects konqueror
234633 - CVE-2007-0242 QT UTF8 improper character expansion
248537 - CVE-2007-3820 Spoofing of URI possible in Konqueror's address bar
251708 - CVE-2007-4224 URL spoof in address bar
299891 - CVE-2007-1308 kdelibs KDE JavaScript denial of service (crash)
6. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm
4bf1df171502ccaac9c4b9f4af27c5a4 kdelibs-3.3.1-9.el4.src.rpm
i386:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
48f2c42b62fe794d35580947197203f6 kdelibs-devel-3.3.1-9.el4.i386.rpm
ia64:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
3df7ac0ae7500ccc3ce57d6f34bf475a kdelibs-3.3.1-9.el4.ia64.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
09be826e42e02f1127674a3a0a6c0a3a kdelibs-debuginfo-3.3.1-9.el4.ia64.rpm
fe8fe5f994ab48ae8fab363832419204 kdelibs-devel-3.3.1-9.el4.ia64.rpm
ppc:
7b134aed54478415a8e4be498be8e919 kdelibs-3.3.1-9.el4.ppc.rpm
464d937764cf050cb37f213dc677ed8d kdelibs-3.3.1-9.el4.ppc64.rpm
779363c80d7de0d18ccaf00281e39cea kdelibs-debuginfo-3.3.1-9.el4.ppc.rpm
64d7f0d7f599f0fd79f2b255f2930731 kdelibs-debuginfo-3.3.1-9.el4.ppc64.rpm
d134d0d0233a59b060b3befd9f12ae14 kdelibs-devel-3.3.1-9.el4.ppc.rpm
s390:
f3655e6c3230a2afc0e24569b1226cf9 kdelibs-3.3.1-9.el4.s390.rpm
67679bb530d305e872c466d8756e4f2b kdelibs-debuginfo-3.3.1-9.el4.s390.rpm
21c32310827a4e7572be6750bd16e6ca kdelibs-devel-3.3.1-9.el4.s390.rpm
s390x:
f3655e6c3230a2afc0e24569b1226cf9 kdelibs-3.3.1-9.el4.s390.rpm
b79978750768f1786f90bbfb5fe50c88 kdelibs-3.3.1-9.el4.s390x.rpm
67679bb530d305e872c466d8756e4f2b kdelibs-debuginfo-3.3.1-9.el4.s390.rpm
f8f34ccf13d54e3d7fa515546870eb96 kdelibs-debuginfo-3.3.1-9.el4.s390x.rpm
9f9d7f3481582d30eff7b9b826a14ebe kdelibs-devel-3.3.1-9.el4.s390x.rpm
x86_64:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
45ff0822118c370120cffe8f4f438c95 kdelibs-3.3.1-9.el4.x86_64.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
f8fac72a4431ebfd82e863c565aba5d0 kdelibs-debuginfo-3.3.1-9.el4.x86_64.rpm
28d4cbc0fa36755077ade9d68253e6d3 kdelibs-devel-3.3.1-9.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm
4bf1df171502ccaac9c4b9f4af27c5a4 kdelibs-3.3.1-9.el4.src.rpm
i386:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
48f2c42b62fe794d35580947197203f6 kdelibs-devel-3.3.1-9.el4.i386.rpm
x86_64:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
45ff0822118c370120cffe8f4f438c95 kdelibs-3.3.1-9.el4.x86_64.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
f8fac72a4431ebfd82e863c565aba5d0 kdelibs-debuginfo-3.3.1-9.el4.x86_64.rpm
28d4cbc0fa36755077ade9d68253e6d3 kdelibs-devel-3.3.1-9.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm
4bf1df171502ccaac9c4b9f4af27c5a4 kdelibs-3.3.1-9.el4.src.rpm
i386:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
48f2c42b62fe794d35580947197203f6 kdelibs-devel-3.3.1-9.el4.i386.rpm
ia64:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
3df7ac0ae7500ccc3ce57d6f34bf475a kdelibs-3.3.1-9.el4.ia64.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
09be826e42e02f1127674a3a0a6c0a3a kdelibs-debuginfo-3.3.1-9.el4.ia64.rpm
fe8fe5f994ab48ae8fab363832419204 kdelibs-devel-3.3.1-9.el4.ia64.rpm
x86_64:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
45ff0822118c370120cffe8f4f438c95 kdelibs-3.3.1-9.el4.x86_64.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
f8fac72a4431ebfd82e863c565aba5d0 kdelibs-debuginfo-3.3.1-9.el4.x86_64.rpm
28d4cbc0fa36755077ade9d68253e6d3 kdelibs-devel-3.3.1-9.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdelibs-3.3.1-9.el4.src.rpm
4bf1df171502ccaac9c4b9f4af27c5a4 kdelibs-3.3.1-9.el4.src.rpm
i386:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
48f2c42b62fe794d35580947197203f6 kdelibs-devel-3.3.1-9.el4.i386.rpm
ia64:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
3df7ac0ae7500ccc3ce57d6f34bf475a kdelibs-3.3.1-9.el4.ia64.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
09be826e42e02f1127674a3a0a6c0a3a kdelibs-debuginfo-3.3.1-9.el4.ia64.rpm
fe8fe5f994ab48ae8fab363832419204 kdelibs-devel-3.3.1-9.el4.ia64.rpm
x86_64:
d3325980cb2e409fcb69641c9dd50fa6 kdelibs-3.3.1-9.el4.i386.rpm
45ff0822118c370120cffe8f4f438c95 kdelibs-3.3.1-9.el4.x86_64.rpm
fad8465ae0a18ee4a5b7c6b0fed6a5a9 kdelibs-debuginfo-3.3.1-9.el4.i386.rpm
f8fac72a4431ebfd82e863c565aba5d0 kdelibs-debuginfo-3.3.1-9.el4.x86_64.rpm
28d4cbc0fa36755077ade9d68253e6d3 kdelibs-devel-3.3.1-9.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 5 client):
SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdelibs-3.5.4-13.el5.src.rpm
e6ceb931f57d243382512a4e05987c66 kdelibs-3.5.4-13.el5.src.rpm
i386:
2cf541a483fe1fbda5f2894f429dd029 kdelibs-3.5.4-13.el5.i386.rpm
fcb32b8d69e5a8650a53b5d6ac347e66 kdelibs-apidocs-3.5.4-13.el5.i386.rpm
8141ec4f62dfc46e73e2d76f317599cc kdelibs-debuginfo-3.5.4-13.el5.i386.rpm
x86_64:
2cf541a483fe1fbda5f2894f429dd029 kdelibs-3.5.4-13.el5.i386.rpm
68709b52718e0745e3dbd5bb7a04230b kdelibs-3.5.4-13.el5.x86_64.rpm
3f8d019e0ecfcf919d5b3c55757e6101 kdelibs-apidocs-3.5.4-13.el5.x86_64.rpm
8141ec4f62dfc46e73e2d76f317599cc kdelibs-debuginfo-3.5.4-13.el5.i386.rpm
173697bfc07630bc2828a8aec6adc138 kdelibs-debuginfo-3.5.4-13.el5.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kdelibs-3.5.4-13.el5.src.rpm
e6ceb931f57d243382512a4e05987c66 kdelibs-3.5.4-13.el5.src.rpm
i386:
8141ec4f62dfc46e73e2d76f317599cc kdelibs-debuginfo-3.5.4-13.el5.i386.rpm
222f3e3b226bae96dd7083e6e47c4350 kdelibs-devel-3.5.4-13.el5.i386.rpm
x86_64:
8141ec4f62dfc46e73e2d76f317599cc kdelibs-debuginfo-3.5.4-13.el5.i386.rpm
173697bfc07630bc2828a8aec6adc138 kdelibs-debuginfo-3.5.4-13.el5.x86_64.rpm
222f3e3b226bae96dd7083e6e47c4350 kdelibs-devel-3.5.4-13.el5.i386.rpm
7beda8e6b585f62c52e032c6cdee89ea kdelibs-devel-3.5.4-13.el5.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kdelibs-3.5.4-13.el5.src.rpm
e6ceb931f57d243382512a4e05987c66 kdelibs-3.5.4-13.el5.src.rpm
i386:
2cf541a483fe1fbda5f2894f429dd029 kdelibs-3.5.4-13.el5.i386.rpm
fcb32b8d69e5a8650a53b5d6ac347e66 kdelibs-apidocs-3.5.4-13.el5.i386.rpm
8141ec4f62dfc46e73e2d76f317599cc kdelibs-debuginfo-3.5.4-13.el5.i386.rpm
222f3e3b226bae96dd7083e6e47c4350 kdelibs-devel-3.5.4-13.el5.i386.rpm
ia64:
f5dbf1ec8eceebb294fb9d23b95b4364 kdelibs-3.5.4-13.el5.ia64.rpm
cc7710e3dc78bfdccf3ada21f8fbb9de kdelibs-apidocs-3.5.4-13.el5.ia64.rpm
2b4c5c7219a48aea1834015035fccfbd kdelibs-debuginfo-3.5.4-13.el5.ia64.rpm
e64135af218a2b089ce7005fed87a04b kdelibs-devel-3.5.4-13.el5.ia64.rpm
ppc:
29bd915319ed22e56e0d137253cc852b kdelibs-3.5.4-13.el5.ppc.rpm
46615b20f403cbeb477f86c46c67ac44 kdelibs-3.5.4-13.el5.ppc64.rpm
eecf5dc5a052e5defdd3a6816d5b9ae2 kdelibs-apidocs-3.5.4-13.el5.ppc.rpm
ea2e4697883a77d5bedfad55ed662ec9 kdelibs-debuginfo-3.5.4-13.el5.ppc.rpm
63065e25fd7d07a7650c21bc24ae285e kdelibs-debuginfo-3.5.4-13.el5.ppc64.rpm
7c556ec7f4c29086ce2dcdee62f5fd14 kdelibs-devel-3.5.4-13.el5.ppc.rpm
2be63373a24d12f1206fe81de6e2c1e9 kdelibs-devel-3.5.4-13.el5.ppc64.rpm
s390x:
230dcdb2da9a862e102b32168c792885 kdelibs-3.5.4-13.el5.s390.rpm
0bfb7027d74d2e5d1d4128aa29673227 kdelibs-3.5.4-13.el5.s390x.rpm
e750100c621dcc5143b22c47a9e3ca0b kdelibs-apidocs-3.5.4-13.el5.s390x.rpm
c7e610193fcb2219e344e6529f473570 kdelibs-debuginfo-3.5.4-13.el5.s390.rpm
ac0617c7269a39e793409db486e5a314 kdelibs-debuginfo-3.5.4-13.el5.s390x.rpm
612e4e315bbb301dfc449d9c270f293e kdelibs-devel-3.5.4-13.el5.s390.rpm
e7937888bf5d32ba188396ee82bf2fd1 kdelibs-devel-3.5.4-13.el5.s390x.rpm
x86_64:
2cf541a483fe1fbda5f2894f429dd029 kdelibs-3.5.4-13.el5.i386.rpm
68709b52718e0745e3dbd5bb7a04230b kdelibs-3.5.4-13.el5.x86_64.rpm
3f8d019e0ecfcf919d5b3c55757e6101 kdelibs-apidocs-3.5.4-13.el5.x86_64.rpm
8141ec4f62dfc46e73e2d76f317599cc kdelibs-debuginfo-3.5.4-13.el5.i386.rpm
173697bfc07630bc2828a8aec6adc138 kdelibs-debuginfo-3.5.4-13.el5.x86_64.rpm
222f3e3b226bae96dd7083e6e47c4350 kdelibs-devel-3.5.4-13.el5.i386.rpm
7beda8e6b585f62c52e032c6cdee89ea kdelibs-devel-3.5.4-13.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0242
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1308
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1564
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFHCebKXlSAg2UNWIIRAgG+AJ9AiWwUiSB+1AYF6gC4rFMZAlvzQgCgnvDw
GZzAI8Yhuu/XrZRWA4myHso=
=wJQp
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRwq0zCh9+71yA2DNAQKbMAP+NpvSgLWHI0ElmwqOFDhmiN4Bhh+zQFDf
wkgbFhWyD7FLyzfC8Z6HOq8srbhJ8nN88Bu4cfkBx3wpWnXT3vRXLTG+/Qu4rTyG
KBhBGpAprGewfC0vYQzrqfBOezs4/YpqDNkfkO+d2jsw/edHKHF8j98yPUQNpdqy
g4dxkkWSzZM=
=/OnB
-----END PGP SIGNATURE-----
|