Re: [debian-knoppix] KDE 3.1.1a WAS: OpenSSL 0.9.7b
On April 18, 2003 10:23 am, Shawn McMahon wrote:
> On Thu, Apr 17, 2003 at 09:49:57PM -0400, Gilles Pelletier said:
> > And what's a bug fix supposed to mean when OpenSSL workings are
> > hidden from the user: either it works or it doesn't. If it
> > doesn't it's a security hole.
>
> It is entirely possible (and, unfortunately, even likely) that
> everything appears to work from the user's standpoint, but that
> there are in fact holes in the security.
That's why I'm wondering if OpenSSL is really honest when they talk
about bug fixes instead of SECURITY fixes.
> It's also unlikely that all the
> problems in OpenSSL have been discovered by the white hats yet.
And not only in OpenSSL, of course. Here's the latest about KDE:
1. Systems affected:
All KDE 2 and KDE 3 versions up to and including KDE 3.1.1.
2. Overview:
KDE uses Ghostscript software for processing of PostScript (PS)
and PDF files in a way that allows for the execution of arbitrary
commands that can be contained in such files.
An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the
victim browses a directory containing such a malicious file and has
file previews enabled.
An attacker can provide malicious files remotely to a victim in an
e-mail, as part of a webpage, via an ftp server and possibly other
means.
3. Impact:
The vulnerabilities potentially enable local or remote attackers
to compromise the privacy of a victim's data and to execute arbitrary
shell commands with the victim's privileges, such as erasing files or
accessing or modifying data.
http://www.kde.org/info/security/advisory-20030409-1.txt
-------------
So it seems like a serious threat. Still, while this new release came
out on April 9th, the first advisory from a distro seems to be by
Slackware on the 18th.
http://linuxtoday.com/security/2003041801626SCKESL
Packages for Debian are available at:
ftp://download.uk.kde.org/pub/kde/stable/3.1.1a/Debian/dists/
but are only available for stable and... woody, which is six or a
half-dozen, I believe.
Knoppix was upgraded yesterday and apparently still uses KDE 3.1.1.
As a relative newbie, I've got a hard time understanding what's going
on. What good is it to use unstable if it's only to get the patches
weeks after stable?
GP
--
La Masse critique
http://pages.infinit.net/mcrit
_______________________________________________
debian-knoppix mailing list
debian-knoppix@linuxtag.org
http://mailman.linuxtag.org/mailman/listinfo/debian-knoppix