| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Mar 2003 15:30:38 -0800
From: security@....com
To: bugtraq@...urityfocus.com, announce@...ts.caldera.com,
security-alerts@...uxsecurity.com
Subject: Security Update: [CSSA-2003-012.0] Linux: KDE rlogin.protocol and telnet.protocol url kio Vulnerability
To: bugtraq@...urityfocus.com announce@...ts.caldera.com security-alerts@...uxsecurity.com
______________________________________________________________________________
SCO Security Advisory
Subject: Linux: KDE rlogin.protocol and telnet.protocol url kio Vulnerability
Advisory number: CSSA-2003-012.0
Issue date: 2003 March 14
Cross reference:
______________________________________________________________________________
1. Problem Description
From the KDE.org 20021111-1 advisory: The implementation of
the rlogin protocol in all of the affected systems, and the
implementation of the telnet protocol in affected KDE 2 systems,
allows a carefully crafted url in an html page, html email or
other kio-enabled application to execute arbitrary commands on
the system using the victim's account on the vulnerable machine.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to kdelibs2-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
OpenLinux 3.1.1 Workstation prior to kdelibs2-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
OpenLinux 3.1 Server prior to kdelibs2-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
OpenLinux 3.1 Workstation prior to kdelibs2-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-2.2.1-6.3.i386.rpm
prior to kdelibs2-devel-static-2.2.1-6.3.i386.rpm
prior to kdelibs2-doc-2.2.1-6.3.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-012.0/RPMS
4.2 Packages
8129d823e229783c726199a844318eee kdelibs2-2.2.1-6.3.i386.rpm
e631a15683fe15eb297a06e51287bfdd kdelibs2-devel-2.2.1-6.3.i386.rpm
76c004779dde39b01b8576ff96c6b137 kdelibs2-devel-static-2.2.1-6.3.i386.rpm
18e3123ff2f9123c7617ade65748f57f kdelibs2-doc-2.2.1-6.3.i386.rpm
4.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-012.0/SRPMS
4.5 Source Packages
9b04bfe2743d6a4ccf5a8ca50f719189 kdelibs2-2.2.1-6.3.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-012.0/RPMS
5.2 Packages
26afc4798aca1790d98e81535a883d0d kdelibs2-2.2.1-6.3.i386.rpm
a96af03f963bfd9a7611746054eeb5a4 kdelibs2-devel-2.2.1-6.3.i386.rpm
8b10782ead46deae8dc51e34851f2118 kdelibs2-devel-static-2.2.1-6.3.i386.rpm
61818a0d965eaa44142f9461bb0a580f kdelibs2-doc-2.2.1-6.3.i386.rpm
5.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-012.0/SRPMS
5.5 Source Packages
e8a17de26c5fcfd5b44c2aab0e7e1e42 kdelibs2-2.2.1-6.3.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-012.0/RPMS
6.2 Packages
c2bf490ca7443c62c45a0dce907f9943 kdelibs2-2.2.1-6.3.i386.rpm
0e43fb5811697dbd3d25084b31481b00 kdelibs2-devel-2.2.1-6.3.i386.rpm
dd14c0db0ec3b7125bafe4e530e90a4a kdelibs2-devel-static-2.2.1-6.3.i386.rpm
60b6d0eccef454ecdc238a31a6688a1a kdelibs2-doc-2.2.1-6.3.i386.rpm
6.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2003-012.0/SRPMS
6.5 Source Packages
43823df287464c1c186607df1cb603db kdelibs2-2.2.1-6.3.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-012.0/RPMS
7.2 Packages
b5e6c49e354b1bf4483fd29f0ecf7a9e kdelibs2-2.2.1-6.3.i386.rpm
9c9a8af55257d002e0edbaab4f3ebf67 kdelibs2-devel-2.2.1-6.3.i386.rpm
be537a8de06e5754e56e1e27ea73ff8f kdelibs2-devel-static-2.2.1-6.3.i386.rpm
8b4ff42cd09a6278c8275628e68b31b9 kdelibs2-doc-2.2.1-6.3.i386.rpm
7.3 Installation
rpm -Fvh kdelibs2-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-devel-static-2.2.1-6.3.i386.rpm
rpm -Fvh kdelibs2-doc-2.2.1-6.3.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2003-012.0/SRPMS
7.5 Source Packages
928a9ef51baae6b352b343df75e86cb9 kdelibs2-2.2.1-6.3.src.rpm
8. References
Specific references for this advisory:
http://www.kde.org/info/security/advisory-20021111-1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1282
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr872190, fz526739,
erg712167.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
10. Acknowledgements
KDE.org discovered and researched this vulnerability.
______________________________________________________________________________
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists