------------------------------------------------------------ Arch Linux Security Warning ALSW 2007-#24 ------------------------------------------------------------
Name: kdelibs Date: 2007-04-05 Severity: Medium Warning #: 2007-#24 ------------------------------------------------------------ Product Background =================== KDE Core Libraries Problem Background =================== The KDE FTP ioslave parses the host address in the PASV response of a FTP server response. mark from bindshell.net pointed out that this could be exploited via JavaScript for automated port scanning. Impact ========= Untrusted sites or sites that allow Javascript injection could cause Konqueror or other web browsers based on KHTML to perform port scanning. Problem Packages =================== Package: kdelibs Repo: extra Group: kde Unsafe: <= 3.5.6-6 Safe: Only patched This bug is related to #6595 (ALSW #13); the first part of the patch was applied to addres previous issue, but the second part of patch (in file kioslave/ftp/ftp.cc ) wasn't added. Package Fix =================== Apply the patch ftp://ftp.kde.org/pub/kde/security_patches/CVE-2007-1564-kdelibs-3.5.6.diff First part of this patch is applied on http://cvs.archlinux.org/cgi-bin/viewcvs.cgi/kde/kdelibs/post-3.5.6.diff?rev=1.3&cvsroot=Extra&only_with_tag=CURRENT&content-type=text/vnd.viewcvs-markup <http://cvs.archlinux.org/cgi-bin/viewcvs.cgi/kde/kdelibs/post-3.5.6.diff?rev=1.3&cvsroot=Extra&only_with_tag=CURRENT&content-type=text/vnd.viewcvs-markup> =================== Unofficial ArchLinux Security Bug Tracker: http://jjdanimoth.netsons.org/alsw.html Reference(s) =================== http://www.kde.org/info/security/advisory-20070326-1.txt
signature.asc
Description: OpenPGP digital signature
_______________________________________________ arch mailing list [email protected] http://archlinux.org/mailman/listinfo/arch
