---------------------------------------------------------------------
               Fedora Legacy Test Update Notification
                     FEDORALEGACY-2006-178606
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606
2006-03-01
---------------------------------------------------------------------
Name        : kdelibs
Versions    : rh73: kdelibs-3.0.5a-0.73.7.legacy
Versions    : rh9:  kdelibs-3.1-17.1.legacy
Versions    : fc1:  kdelibs-3.1.4-9.FC1.1.legacy
Versions    : fc2:  kdelibs-3.2.2-14.FC2.2.legacy
Versions    : fc3:  kdelibs-3.4.2-1.fc3.1.legacy
Summary     : K Desktop Environment - Libraries
Description :
Libraries for the K Desktop Environment.
KDE Libraries include: kdecore (KDE core library), kdeui (user
interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output,
networking), kspell (spelling checker), jscript (javascript), kab
(addressbook), kimgio (image manipulation).
---------------------------------------------------------------------
Update Information:

Updated kdelibs packages that fix several security issues are now
available.

The kdelibs package provides libraries for the K Desktop Environment.

The International Domain Name (IDN) support in the Konqueror browser
allowed remote attackers to spoof domain names using punycode encoded
domain names. Such domain names are decoded in URLs and SSL
certificates in a way that uses homograph characters from other
character sets, which facilitates phishing attacks. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0237 to this issue.

Sebastian Krahmer discovered a flaw in dcopserver, the KDE Desktop
Communication Protocol (DCOP) daemon. A local user could use this flaw
to stall the DCOP authentication process, affecting any local desktop
users and causing a reduction in their desktop functionality. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0396 to this issue.

A buffer overflow was found in the kimgio library for KDE 3.4.0. An
attacker could create a carefully crafted PCX image in such a way that
it would cause kimgio to execute arbitrary code when processing the
image. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2005-1046 to this issue.

A flaw was discovered affecting Kate, the KDE advanced text editor, and
Kwrite. Depending on system settings, it may be possible for a local
user to read the backup files created by Kate or Kwrite. The Common
Vulnerabilities and Exposures project assigned the name CVE-2005-1920
to this issue.

A heap overflow flaw was discovered affecting kjs, the JavaScript
interpreter engine used by Konqueror and other parts of KDE. An
attacker could create a malicious web site containing carefully crafted
JavaScript code that would trigger this flaw and possibly lead to
arbitrary code execution. The Common Vulnerabilities and Exposures
project assigned the name CVE-2006-0019 to this issue.

Users of KDE should upgrade to these erratum packages, which contain
backported patches to correct these issues.
---------------------------------------------------------------------
Changelogs

rh73:
* Thu Feb 23 2006 David Eisenstein <deisenst@xxxxxxx> 6:3.0.5a-0.73.7.legacy
- Add patch #26 for CAN-2005-0396, local DCOP denial of service
  vulnerability. Bugzilla #178606.

rh9:
* Thu Feb 23 2006 David Eisenstein <deisenst@xxxxxxx> 6:3.0.5a-0.73.7.legacy
- Add patch #106 for CAN-2005-0396, local DCOP denial of service
  vulnerability. Bugzilla #178606.

fc1:
* Fri Feb 24 2006 David Eisenstein <deisenst@xxxxxxx> 6:3.1.4-9.FC1.1.legacy
- Add patch #107 for CAN-2005-0396, local DCOP denial of service
  vulnerability. Bugzilla #178606.

fc2:
* Tue Feb 14 2006 David Eisenstein <deisenst@xxxxxxx> 6:3.2.2-14.FC2.2.legacy
- Make slight mod to Konqueror IDN patch, changing the paths in the
  patch, so it will apply correctly.

* Tue Feb 14 2006 David Eisenstein <deisenst@xxxxxxx> 6:3.2.2-14.FC2.1.legacy
- Applied patch for Konqueror International Domain Name Spoofing,
  CAN-2005-0237, #178606
- Patch for kimgio input validation errors, CAN-2005-1046, #178606
- Patch for Kate backup file permission leak, CAN-2005-1920, #178606
- Add critical patch for kjs encodeuri/decodeuri heap overflow
  vulnerability, CVE-2006-0019, #178606.

fc3:
* Wed Feb 08 2006 David Eisenstein <deisenst@xxxxxxx> 6:3.4.2-1.fc3.1.legacy
- Add fix for CVE-2006-0019, kjs encodeuri/decodeuri heap overflow
  vulnerability Bug #178606.
---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
2f2d25474d7f6c68b77e376684f3835cd61123e4  redhat/7.3/updates-testing/i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm
c153c581d132fc5ae882167d3319f103652043dd  redhat/7.3/updates-testing/i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm
7ad24efea3cd775ad8bc649128d64875eec1554e  redhat/7.3/updates-testing/SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm

rh9:
f527dda13ccda9cd86542014e749587548b82a32  redhat/9/updates-testing/i386/kdelibs-3.1-17.1.legacy.i386.rpm
6e22f76a8310051d285d60817066659f4429b633  redhat/9/updates-testing/i386/kdelibs-devel-3.1-17.1.legacy.i386.rpm
7d8b9b30352004864252d7f2a72a877f062adf0f  redhat/9/updates-testing/SRPMS/kdelibs-3.1-17.1.legacy.src.rpm

fc1:
3de25dd41842099dca0cf142adef2c4fe35bcfce  fedora/1/updates-testing/i386/kdelibs-3.1.4-9.FC1.1.legacy.i386.rpm
5d48525f08c39c3f73ca1d547be6aa0335c02a02  fedora/1/updates-testing/i386/kdelibs-devel-3.1.4-9.FC1.1.legacy.i386.rpm
14c5cab3afedd32f05324ced28cd9abda3349ff1  fedora/1/updates-testing/SRPMS/kdelibs-3.1.4-9.FC1.1.legacy.src.rpm

fc2:
944bbc21e569bc63544f540783eedf4ecf430d2f  fedora/2/updates-testing/i386/kdelibs-3.2.2-14.FC2.2.legacy.i386.rpm
6d15fbaa66fbadf6fa19ce3feb04e4c71ef18dfe  fedora/2/updates-testing/i386/kdelibs-devel-3.2.2-14.FC2.2.legacy.i386.rpm
1b2a47dcae3e180dc2b0ccecdff5dca12b914393  fedora/2/updates-testing/SRPMS/kdelibs-3.2.2-14.FC2.2.legacy.src.rpm

fc3:
4d217b3e16c4624ff14b9615ab7720efbaaff7e8  fedora/3/updates-testing/i386/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
c861158a8f3734f0ae633fc46cd8705c6d5fc0ad  fedora/3/updates-testing/i386/kdelibs-devel-3.4.2-1.fc3.1.legacy.i386.rpm
4d217b3e16c4624ff14b9615ab7720efbaaff7e8  fedora/3/updates-testing/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.i386.rpm
8d37c651ebe27beb56c34383972128a18e8e3c4d  fedora/3/updates-testing/x86_64/kdelibs-3.4.2-1.fc3.1.legacy.x86_64.rpm
10cabc626d4c0570999ccd70aa8e248f31b49f8f  fedora/3/updates-testing/x86_64/kdelibs-devel-3.4.2-1.fc3.1.legacy.x86_64.rpm
bb0dc7875106e2b71d30a5a8f2df6737aee4a80a  fedora/3/updates-testing/SRPMS/kdelibs-3.4.2-1.fc3.1.legacy.src.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
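The IDN issue described under Update Information (CVE-2005-0237) works because a punycode label such as one with a Cyrillic letter substituted for a Latin one is rendered in its decoded Unicode form, where the two glyphs are indistinguishable. The script below, an added example rather than Konqueror's code or anything from the kdelibs patches, decodes each xn-- label with Python's standard punycode codec and applies the mixed-script heuristic that browsers later adopted as one mitigation: a label whose letters come from more than one script is flagged. The script name is taken from the first word of each character's Unicode name (an assumption for this example, not a lookup of the Unicode Script property), and the sample hostname is constructed.

```python
"""Heuristic check for IDN homograph spoofing: decode punycode labels and flag
labels that mix scripts (e.g. Latin and Cyrillic).  Added example; not KDE code."""
import unicodedata

# Characters that are legitimate in any label and pin it to no script.
_COMMON_CHARS = set("-0123456789")


def script_of(ch: str) -> str:
    """Coarse script of one character, taken from the first word of its Unicode
    name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC').  Digits and '-' are 'COMMON'.
    This is a heuristic, not a lookup of the Unicode Script property."""
    if ch in _COMMON_CHARS:
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; 'xn--' labels are punycode-decoded,
    anything else is returned unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ace(hostname: str) -> str:
    """Encode a Unicode hostname into its ASCII-compatible (xn--) form, label by label."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def analyse_hostname(hostname: str) -> dict:
    """Decode every label and report which scripts it uses.  A label drawing letters
    from more than one script (ignoring digits and '-') is marked 'mixed', and the
    hostname as a whole 'suspicious'."""
    labels = [decode_label(part) for part in hostname.split(".")]
    report = []
    suspicious = False
    for lab in labels:
        scripts = sorted({script_of(c) for c in lab} - {"COMMON"})
        mixed = len(scripts) > 1
        suspicious = suspicious or mixed
        report.append({"label": lab, "scripts": scripts, "mixed": mixed})
    return {"unicode": ".".join(labels), "labels": report, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample: Latin "paypal" with the first 'a' replaced by CYRILLIC
    # SMALL LETTER A (U+0430), which renders identically in most fonts.
    spoof = "www.p\u0430ypal.com"
    print(to_ace(spoof))
    for host in (to_ace(spoof), "www.paypal.com"):
        r = analyse_hostname(host)
        print(host, "->", r["unicode"], "suspicious" if r["suspicious"] else "ok")
```

The mixed-script rule catches the case in the advisory but not a label written entirely in one non-Latin script that happens to resemble a Latin word; displaying the xn-- form for any label outside the user's configured languages, which is what later browser fixes did, covers that gap.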
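The download section above lists one SHA-1 digest per package so that testers can confirm the files they fetched are the ones the notification refers to. The following script, an added example and not a Fedora Legacy tool, parses a listing in that `<sha1>  <relative path>` layout, streams each local file through SHA-1 and reports it as ok, mismatch or missing. The demo builds its own download tree: the file names follow the advisory's rh73 paths, but the contents, the digests and the `never-downloaded.rpm` entry are constructed for the example. Note that digests in the listing only detect corruption or a swapped file; what ties the listing itself to the project is the OpenPGP signature on the message.

```python
"""Verify downloaded update packages against an advisory's '(sha1sums)' listing.
Added example; not a Fedora Legacy tool."""
import hashlib
import hmac
import os
import re
import shutil
import tempfile

# One listing line is '<40 hex sha1>  <path relative to the download root>';
# release headers such as 'rh73:' carry no digest and are skipped.
_LINE = re.compile(r"^\s*([0-9a-fA-F]{40})\s+(\S+)\s*$")


def parse_sha1sums(text: str) -> dict:
    """Map each listed relative path to its expected (lower-case) SHA-1 digest."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha1_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-1 so large RPMs are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_downloads(listing: str, root: str, prefix: str = "") -> dict:
    """Return {relative path: 'ok' | 'mismatch' | 'missing'} for every listed file
    whose path starts with `prefix` (e.g. 'fedora/3/' to check one release only)."""
    results = {}
    for rel, expected in parse_sha1sums(listing).items():
        if not rel.startswith(prefix):
            continue
        local = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(local):
            results[rel] = "missing"
        elif hmac.compare_digest(sha1_of_file(local), expected):
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo() -> dict:
    """Build a constructed download tree and verify it: two intact files, one whose
    content was altered after the listing was made, and one never downloaded.  File
    names follow the advisory's rh73 paths; the bytes and digests are constructed."""
    root = tempfile.mkdtemp()
    try:
        base = "redhat/7.3/updates-testing/"
        files = {
            base + "i386/kdelibs-3.0.5a-0.73.7.legacy.i386.rpm": b"constructed rpm payload A",
            base + "i386/kdelibs-devel-3.0.5a-0.73.7.legacy.i386.rpm": b"constructed rpm payload B",
            base + "SRPMS/kdelibs-3.0.5a-0.73.7.legacy.src.rpm": b"constructed srpm payload",
        }
        # Listing built from the intended contents, in the advisory's layout.
        listing = "rh73:\n" + "".join(
            f"{hashlib.sha1(data).hexdigest()}  {rel}\n" for rel, data in files.items()
        ) + f"{'0' * 40}  {base}i386/never-downloaded.rpm\n"
        # Write the files, corrupting the -devel package on the way.
        for rel, data in files.items():
            local = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(local), exist_ok=True)
            with open(local, "wb") as fh:
                fh.write(data.replace(b"B", b"X") if "devel" in rel else data)
        return verify_downloads(listing, root, prefix="redhat/7.3/")
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:9} {rel}")
```

In practice the listing text is pasted from the signed notification and `root` points at the directory the files were fetched into; the `prefix` argument lets a tester of one release skip the other releases' entries instead of seeing them all reported as missing.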
Attachment:
signature.asc
Description: OpenPGP digital signature
--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list