Debian Security Advisory

DSA-361-2 kdelibs, kdelibs-crypto -- several vulnerabilities

Date reported:
1 August 2003
Affected packages:
kdelibs, kdelibs-crypto
Vulnerable:
Yes
Security database references:
In the Bugtraq database (at SecurityFocus): BugTraq ID 7520, BugTraq ID 8297.
In Mitre's CVE dictionary: CVE-2003-0459, CVE-2003-0370.
More information:

Two vulnerabilities were discovered in kdelibs:

  • CAN-2003-0459: Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the form user:password@host in the HTTP-Referer header, which could allow remote web sites to steal the credentials from pages that link to them.
  • CAN-2003-0370: Konqueror Embedded and KDE 2.2.2 and earlier do not validate the Common Name (CN) field of X.509 certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack.
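The two client-side checks whose absence is described above, written as stand-alone functions. This is an added illustration, not code from kdelibs or from the KDE or Debian advisories; the function names are hypothetical and the sample URLs and certificate names in the comments are constructed.

```python
"""Added example (not from kdelibs or the advisories above).

1. referer_for(): strip user:password@ from a URL before it is sent as an
   HTTP Referer (the step Konqueror skipped in CAN-2003-0459).
2. hostname_matches(): match the hostname the client connected to against
   the names a server certificate presents (the check Konqueror Embedded
   skipped in CAN-2003-0370).  Matching follows RFC 2818: exact,
   case-insensitive comparison, or one '*' covering the whole leftmost label.
"""
from typing import Iterable
from urllib.parse import urlsplit, urlunsplit


def referer_for(url: str) -> str:
    """Return the URL safe to send as Referer: userinfo and fragment removed."""
    parts = urlsplit(url)
    # netloc is 'user:pw@host:port'; keep only what follows the last '@',
    # so a password that itself contains '@' is still dropped entirely.
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def _name_match(pattern: str, host: str) -> bool:
    """One certificate name (CN or dNSName) against one hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard may only be the entire leftmost label (no 'f*o', no '*.*')
    # and must leave at least two fixed labels, so '*.org' matches nothing.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard covers exactly one label: 'a.b.example.org' is rejected.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert_names: Iterable[str], host: str) -> bool:
    """True only if some name in the certificate covers the host we dialled.

    A client that skips this (or accepts any well-formed chain regardless of
    name) will accept a valid certificate issued for a different host, which
    is exactly the man-in-the-middle condition described in CAN-2003-0370.
    """
    return any(_name_match(name, host) for name in cert_names)
```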

These vulnerabilities are described in the following KDE security advisories:

http://www.kde.org/info/security/advisory-20030729-1.txt
http://www.kde.org/info/security/advisory-20030602-1.txt

For the stable distribution (woody) these problems have been fixed in version 2.2.2-13.woody.8 of kdelibs and version 2.2.2-6woody2 of kdelibs-crypto.

For the unstable distribution (sid) these problems have been fixed in kdelibs version 4:3.1.3-1. The unstable distribution does not contain a separate kdelibs-crypto package.

We recommend that you update your kdelibs and kdelibs-crypto packages.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Source:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.8.dsc
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.8.diff.gz
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs-crypto_2.2.2-6woody2.dsc
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs-crypto_2.2.2-6woody2.diff.gz
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs-crypto_2.2.2.orig.tar.gz
Architecture-independent component:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-doc_2.2.2-13.woody.8_all.deb
Alpha:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_alpha.deb
ARM:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_arm.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_ia64.deb
HPPA:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_hppa.deb
Motorola 680x0:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_m68k.deb
Big endian MIPS:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_mips.deb
Little endian MIPS:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_sparc.deb

MD5 checksums of the listed files are available on the original advisory page.

MD5 checksums of the listed files are available in the revised security advisory.