[SECURITY] [DLA 952-1] kde4libs security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 952-1] kde4libs security update
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Thu, 25 May 2017 18:25:15 +0200
Message-id: <[🔎] 3f2fb8f1-a882-8b28-257a-00570647bad5@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : kde4libs
Version        : 4:4.8.4-4+deb7u3
CVE ID         : CVE-2013-2074 CVE-2017-6410 CVE-2017-8422
Debian Bug     : 856890

Several vulnerabilities were discovered in kde4libs, the core libraries
for all KDE 4 applications. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2017-6410

    Itzik Kotler, Yonatan Fridburg and Amit Klein of Safebreach Labs
    reported that URLs are not sanitized before passing them to
    FindProxyForURL, potentially allowing a remote attacker to obtain
    sensitive information via a crafted PAC file.

CVE-2017-8422

    Sebastian Krahmer from SUSE discovered that the KAuth framework
    contains a logic flaw in which the service invoking dbus is not
    properly checked. This flaw allows spoofing the identity of the
    caller and gaining root privileges from an unprivileged account.

CVE-2013-2074

    It was discovered that KIO would show web authentication
    credentials in some error cases.

For Debian 7 "Wheezy", these problems have been fixed in version
4:4.8.4-4+deb7u3.

We recommend that you upgrade your kde4libs packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlknBWcACgkQnUbEiOQ2
gwKyIQ/+JPU478kM5PoPZwPsRf2zhsY8iWwzHWYB26vfHkQ3GGx74uqCT5To75Z3
rrgcOMEujdzopuQsv/fTbDk0Gp5CadjaQ3Nj0SqvyR+I/peVdVR5e5v12A4jpvD/
ri+D/Ze3EY809Nsglcg0S1WSZx/fbnXApaxDDU3hoYzvZHG2U3lTeRut7Sb2MKjf
as64wuO/4X3GxvPo9t0fiODLb/fIRbc0iD3ZUUzt9RweyG56Tj6tS9FFsMK4MhRx
J7UXskh8Ky4qjxyhb69LKR9v3e5L60wFvI4B4QYjVlEXfhBBAR8EYOVXJD3qt0cZ
KVn1Ew50DSjkAC/P6fKajSc0ZKfjZw+QyjgZIB2FgvxHEA+ZC1m1aNMiZ042VJuc
gVAaYxnZKysmdzRVZ3HAJ4WAbUnF88ZzjPus86JJ+IdHtVitahgpXG6CJkBmqQTB
7QMOYE9VvesFw8rGzqjLjm+bWlxQw8cDv0fdXw0CMbteuHz3mbTYsn9zdG4WSMmt
chalXy/s2XAnHXiKdVpJlA1G/vfNtIGzpdRPLUh55DSAen695973zR/KZKGLA/xl
qBhRGKYOye3aI0HtzwFa650UXzysx1oi+UWoZm5uXcHC42to5QX2z9nl/g/G94JB
NCAZdTt8b2zsbeRL6ftcHukf+TiA+RpZWmSTirhR+6H0uxGnaqs=
=tYwX
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 951-1] samba security update
Next by Date: [SECURITY] [DLA 953-1] graphicsmagick security update
Previous by thread: [SECURITY] [DLA 951-1] samba security update
Next by thread: [SECURITY] [DLA 953-1] graphicsmagick security update
Index(es):
- Date
- Thread