Bug#856890: marked as done (kde4libs: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file)
Your message dated Thu, 11 May 2017 09:43:06 +0200
with message-id <[🔎] 20170511074306.mzsbwrfhcbajfiif@lorien.valinor.li>
and subject line Re: Bug#856890: kde4libs: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file
has caused the Debian Bug report #856890,
regarding kde4libs: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
856890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856890
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: kde4libs: CVE-2017-6410: Information Leak when accessing https when using a malicious PAC file
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 05 Mar 2017 21:48:06 +0100
- Message-id: <148874688626.9152.8846998823811483661.reportbug@eldamar.local>
Source: kde4libs
Version: 4:4.14.26-1
Severity: important
Tags: upstream patch security
Hi,
the following vulnerability was published for kde4libs.
CVE-2017-6410[0]:
| kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
| the PAC FindProxyForURL function with a full https URL (potentially
| including Basic Authentication credentials, a query string, or
| PATH_INFO), which allows remote attackers to obtain sensitive
| information via a crafted PAC file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
[1] https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559
[2] https://www.kde.org/info/security/advisory-20170228-1.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: kde4libs
Source-Version: 4:4.14.26-2
On Sun, Mar 05, 2017 at 09:48:06PM +0100, Salvatore Bonaccorso wrote:
> Source: kde4libs
> Version: 4:4.14.26-1
> Severity: important
> Tags: upstream patch security
>
> Hi,
>
> the following vulnerability was published for kde4libs.
>
> CVE-2017-6410[0]:
> | kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
> | the PAC FindProxyForURL function with a full https URL (potentially
> | including Basic Authentication credentials, a query string, or
> | PATH_INFO), which allows remote attackers to obtain sensitive
> | information via a crafted PAC file.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2017-6410
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
> [1] https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559
> [2] https://www.kde.org/info/security/advisory-20170228-1.txt
This was addressed in the last unstable upload with:
* Apply "Sanitize URLs before passing them to FindProxyForURL" (1804c2f)
Remove user/password information
For https: remove path and query
Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
Regards,
Salvatore
--- End Message ---
Reply to: