lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <a05210606bbe21efd8a4b@[10.96.0.12]>
Date: Thu, 20 Nov 2003 02:43:52 -0500
From: Rajiv Aaron Manglani <rajiv@...too.org>
To: bugtraq@...urityfocus.com
Subject: GLSA:  kdebase (200311-01)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01
- ---------------------------------------------------------------------------

GLSA:        200311-01
package:     kde-base/kdebase
summary:     KDM vulnerabilities
severity:    normal
Gentoo bug:  29406
date:        2003-11-15
CVE:         CAN-2003-0690 CAN-2003-0692
exploit:     local / remote
affected:    <=3.1.3
fixed:       >=3.1.4

DESCRIPTION:

Firstly, versions of KDM <= 3.1.3 are vulnerable to a privilege escalation
bug with a specific configuration of PAM modules. Users who do not use PAM
with KDM and users who use PAM with regular Unix crypt/MD5 based
authentication methods are not affected.

Secondly, KDM uses a weak cookie generation algorithm. It is advised that
users upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable
source of entropy to improve security.

Please look at http://www.kde.org/info/security/advisory-20030916-1.txt for
the KDE Security Advisory and source patch locations for older versions of
KDE.

SOLUTION:

Users are encouraged to perform an 'emerge --sync' and upgrade the package to
the latest available version. KDE 3.1.4 is recommended and should be marked
stable for most architectures. Specific steps to upgrade:

emerge --sync
emerge '>=kde-base/kde-3.1.4'
emerge clean

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/vG2Wnt0v0zAqOHYRAr5xAKCedNRDPeH8sbW3EyX6OOSHJOL6VQCgr0ul
fnlFstGhIw3hMdoQIp07/SI=
=QD6a
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ