[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#157255: marked as done (Konqueror SSL vunerability)



Your message dated Tue, 17 Sep 2002 22:54:41 +1000
with message-id <200209172254.41704.msp@debian.org>
and subject line fixed in kdelibs (4:2.2.2-14) unstable
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Aug 2002 10:50:00 +0000
>From mark@purcell.homeip.net Mon Aug 19 05:50:00 2002
Return-path: <mark@purcell.homeip.net>
Received: from cpe-203-51-25-12.nsw.bigpond.net.au (purcell.homeip.net) [203.51.25.12] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17gk6i-0007PY-00; Mon, 19 Aug 2002 05:50:00 -0500
Received: from [192.168.3.15] (helo=dell.purcell.homeip.net ident=mail)
	by purcell.homeip.net with esmtp (Exim 3.35 #1 (Debian))
	id 17gk6f-000804-00; Mon, 19 Aug 2002 20:49:57 +1000
Received: from msp by dell.purcell.homeip.net with local (Exim 3.35 #1 (Debian))
	id 17gk6W-0000ny-00; Mon, 19 Aug 2002 20:49:48 +1000
X-Debbugs-CC: security@debian.org,debian-kde@lists.debian.org
Subject: Konqueror SSL vunerability
From: "Mark Purcell" <msp@debian.org>
To: "Debian Bug Tracking System" <submit@bugs.debian.org>
X-Mailer: reportbug 1.99.50
Date: Mon, 19 Aug 2002 20:49:48 +1000
Message-Id: <E17gk6W-0000ny-00@dell.purcell.homeip.net>
Sender: Mark Purcell <msp@dell.purcell.homeip.net>
Delivered-To: submit@bugs.debian.org

Package: kdelibs3-crypto
Version: 4:2.2.2-6
Severity: critical
Tags: security upstream

http://www.kde.org/info/security/advisory-20020818-1.txt

KDE Security Advisory: Konqueror SSL vulnerability
Original Release Date: 2002-08-18
URL: http://www.kde.org/info/security/advisory-20020818-1.txt

0. References
        http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/0
        http://online.securityfocus.com/archive/1/287050/2002-08-07/2002-08-13/2

1. Systems affected:

        All versions of KDE up to and including KDE 3.0.2

2. Overview:

        KDE's SSL implementation fails to check the basic constraints on
certificates and as a result may accept certificates as valid that were signed
by an issuer who was not authorized to do so.

3. Impact:

        Users of Konqueror and other SSL enabled KDE software may fall victim
to a malicious man-in-the-middle attack without noticing. In such case the
user will be under the impression that there is a secure connection with a
trusted site while in fact a different site has been connected to.

4. Solution:

        Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
well for users that are unable to upgrade to KDE 3.

5. Patch:
        A patch for KDE 2.2.2 is available from 
ftp://ftp.kde.org/pub/kde/security_patches :

        0e0da738b276567e9ee36aa824e86124  post-2.2.2-kdelibs-kssl.diff


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux dell 2.4.18-bf2.4 #1 Fri Jun 7 06:12:37 UTC 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages kdelibs3-crypto depends on:
pn  kdelibs3                                 Not found.
ii  libc6                        2.2.5-14    GNU C Library: Shared libraries an
ii  libssl0.9.6                  0.9.6g-2    SSL shared libraries
ii  libstdc++2.10-glibc2.2       1:2.95.4-11 The GNU stdc++ library
ii  zlib1g                       1:1.1.4-3   compression library - runtime

-- no debconf information


---------------------------------------
Received: (at 157255-done) by bugs.debian.org; 17 Sep 2002 12:55:41 +0000
>From msp@debian.org Tue Sep 17 07:55:41 2002
Return-path: <msp@debian.org>
Received: from cpe-203-51-26-119.nsw.bigpond.net.au (purcell.homeip.net) [203.51.26.119] (mail)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17rHtE-0002fe-00; Tue, 17 Sep 2002 07:55:41 -0500
Received: from [192.168.3.15] (helo=dell.purcell.homeip.net ident=msp)
	by purcell.homeip.net with esmtp (Exim 3.35 #1 (Debian))
	id 17rHsw-0000Lj-00
	for <157255-done@bugs.debian.org>; Tue, 17 Sep 2002 22:55:22 +1000
From: Mark Purcell <msp@debian.org>
To: 157255-done@bugs.debian.org
Subject: fixed in kdelibs (4:2.2.2-14) unstable
Date: Tue, 17 Sep 2002 22:54:41 +1000
User-Agent: KMail/1.4.6
Organization: Debian GNU/Linux
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Message-Id: <200209172254.41704.msp@debian.org>
Delivered-To: 157255-done@bugs.debian.org



kdelibs (4:2.2.2-14) unstable; urgency=low

  * And a quick update to send it to unstable; no changes from -13.woody.3.

 -- Daniel Stone <dstone@trinity.unimelb.edu.au>  Wed, 11 Sep 2002 22:29:31 
+1000

kdelibs (4:2.2.2-13.woody.3) stable-security; urgency=high

  * Sigh. Another DSA.
  * Fixes cross-site scripting vulnerability in KHTML.

 -- Daniel Stone <dstone@trinity.unimelb.edu.au>  Wed, 11 Sep 2002 22:24:35 
+1000

kdelibs (4:2.2.2-13.woody.2) stable-security; urgency=high

  * Non-maintainer upload by security team
  * Security upload to fix SSL problems with Konqueror.
  * Fix local denial of service attack with aRts. This is NOT a local root
    vulnerability, just a stupid, over-excited skript kiddie wanting propz
    off SecurityFocus. *sigh*. (closes: #152211)
  * Adjusted Build-Depends (i.e. added libstdc++2.10-dev/libstdc++3-dev and 
g++)
  * Removed setuid bits for artswrapper from lintian overrides
  * Added sanity checks to artswrapper so open(), fopen() etc. never
    return file descriptors 1 or 2 (reserved for stdout and stderr)
  * Applied upstream patch to avoid a local denial of service (hence not
    raising the nice level)
  * Don't install artswrap setuid root anymore because of the above

 -- Martin Schulze <joey@infodrom.org>  Fri, 16 Aug 2002 18:46:10 +0200




Reply to: