Debian Security Advisory
DSA-155-1 kdelibs -- privacy problem in Konqueror
- Date reported:
- 2002-08-17
- Affected packages:
- kdelibs
- Vulnerable:
- Yes
- Security database references:
- In the Bugtraq database (at SecurityFocus): BugTraq ID 5410.
In Mitre's CVE dictionary: CVE-2002-0970.
- More information:
-
Due to an oversight in the security code, the SSL library from KDE, which Konqueror uses, does not check that an intermediate certificate for a connection is signed by the certificate authority as safe for its purpose, but accepts it as long as it carries some signature. This makes it possible for anyone with a valid SSL site certificate from VeriSign to forge other VeriSign SSL site certificates and exploit Konqueror users.
A local root vulnerability arising from insecure use of a format string in artsd has been discovered. The exploit code does not work on a Debian system, since artsd does not run setuid root. Neither artsd nor artswrapper needs to be setuid root any longer, since current computer systems are fast enough to handle audio data in time.
These problems have been fixed in version 2.2.2-13.woody.2 for the current stable distribution (Woody). The old stable distribution (Potato) is not affected, since it does not contain any KDE packages. The unstable distribution (Sid) has not yet been fixed, but new packages are expected in the future; the fixed version will be 2.2.2-14 or higher.
We recommend that you upgrade your kdelibs and libarts packages and restart Konqueror.
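The intermediate-certificate check described above, as an added example that is not part of the advisory or of KDE's code: a simplified Python model contrasting a chain check that only looks at signatures with one that also requires every issuing certificate to be authorised as a CA. It performs no real cryptography; the `Cert` fields, function names and sample certificates are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool      # models the "may act as a certificate authority" marking
    signed_by: str   # models "signature verifies under this subject's key"

def links_are_signed(chain):
    """True if each certificate is issued and signed by the next one in the chain."""
    return all(c.issuer == p.subject and c.signed_by == p.subject
               for c, p in zip(chain, chain[1:]))

def verify_signature_only(chain, trusted_roots):
    """Behaviour the advisory describes: any signed intermediate is accepted."""
    if not chain:
        return False
    return chain[-1].subject in trusted_roots and links_are_signed(chain)

def verify_with_ca_check(chain, trusted_roots):
    """Additionally require every issuing certificate to be marked as a CA."""
    if not verify_signature_only(chain, trusted_roots):
        return False
    return all(issuer.is_ca for issuer in chain[1:])

# Constructed sample data (not real certificates).
ROOT = Cert("Example Root CA", "Example Root CA", True, "Example Root CA")
SITE_A = Cert("site-a.example", "Example Root CA", False, "Example Root CA")
SITE_B_VIA_A = Cert("site-b.example", "site-a.example", False, "site-a.example")
SITE_B_OK = Cert("site-b.example", "Example Root CA", False, "Example Root CA")
ROOTS = {"Example Root CA"}

# An ordinary site certificate used as if it were an intermediate.
BAD_CHAIN = [SITE_B_VIA_A, SITE_A, ROOT]
# A site certificate issued directly by the trusted CA.
GOOD_CHAIN = [SITE_B_OK, ROOT]

if __name__ == "__main__":
    for name, chain in (("bad", BAD_CHAIN), ("good", GOOD_CHAIN)):
        print(name,
              "signature-only:", verify_signature_only(chain, ROOTS),
              "with CA check:", verify_with_ca_check(chain, ROOTS))
```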
- Fixed in:
-
Debian GNU/Linux 3.0 (woody)
- Source:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.2.dsc
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.2.diff.gz
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-doc_2.2.2-13.woody.2_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_alpha.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_arm.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_i386.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_ia64.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_ia64.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_hppa.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_m68k.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_mips.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_mipsel.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_powerpc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_s390.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.2_sparc.deb
- http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.2_sparc.deb
MD5 checksums for these files are available in the original advisory.
