Saturday, September 22, 2007

Security Update: KDEBASE + KDELIBS

The Slackware security team has released two updates for KDE packages, kdebase and kdelibs. Here are the changelog entries:
Fri Sep 21 18:13:09 CDT 2007
patches/packages/kdebase-3.5.7-i486-3_slack12.0.tgz:
Patched Konqueror to prevent "spoofing" the URL
(i.e. displaying a URL other than the one associated with the page displayed)
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3820
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
Patched KDM issue: "KDM can be tricked into performing a password-less login even for accounts with a password set under certain circumstances, namely autologin to be configured and "shutdown with password" enabled."
For more information, see:
http://www.kde.org/info/security/advisory-20070919-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4569
(* Security fix *)

patches/packages/kdelibs-3.5.7-i486-3_slack12.0.tgz:
Patched Konqueror's supporting libraries to prevent addressbar spoofing.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
(* Security fix *)