[SECURITY] [DLA 367-1] kdelibs security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 367-1] kdelibs security update
From: Raphael Hertzog <hertzog@debian.org>
Date: Thu, 10 Dec 2015 13:00:57 +0100
Message-id: <[🔎] 20151210120057.GA11797@home.ouaza.com>
Mail-followup-to: Raphael Hertzog <hertzog@debian.org>, debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : kdelibs
Version        : 3.5.10.dfsg.1-5+deb6u1
CVE ID         : CVE-2015-7543

It has been reported that kdelibs uses the insecure mktemp() function
to create the temporary directory it uses to host user-specific sockets.
It is thus possible for another user to hijack this temporary directory
and gain socket accesses it should not have.

In Debian 6 “Squeeze”, this issue has been addressed in kdelibs
3.5.10.dfsg.1-5+deb6u1 with the use of the safer mkdtemp() function.
We recommend that you upgrade your kdelibs packages.

Other Debian releases have newer versions of the libraries (kdelibs4) that
are not affected by this problem.

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: [SECURITY] [DLA 366-1] arts security update
Next by Date: [SECURITY] [DLA 368-1] grub2 security update
Previous by thread: [SECURITY] [DLA 366-1] arts security update
Next by thread: [SECURITY] [DLA 368-1] grub2 security update
Index(es):
- Date
- Thread