Mandrakelinux Security Update Advisory
_______________________________________________________________________
Package name: kdelibs
Advisory ID: MDKSA-2004:022
Date: March 10th, 2004
Affected versions: 9.1
______________________________________________________________________
Problem Description:
Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory:
"The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks."
This issue was fixed in KDE 3.1.3; the updated packages are patched to protect against this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0592
______________________________________________________________________
Updated Packages:
Mandrakelinux 9.1:
14bd813799d4891d520d1f8e7a525476 9.1/RPMS/kdelibs-3.1-58.3.91mdk.i586.rpm
924fc0bec108f94236c97d640774f8c5 9.1/RPMS/kdelibs-common-3.1-58.3.91mdk.i586.rpm
28bfd2897fb91fadcba14864c5ab85fa 9.1/RPMS/kdelibs-devel-3.1-58.3.91mdk.i586.rpm
a02c4dc06c2122241fe2e4abc77e1c67 9.1/RPMS/kdelibs-static-devel-3.1-58.3.91mdk.i586.rpm
00230239edea7418aa01897d23f5dd07 9.1/SRPMS/kdelibs-3.1-58.3.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
7f42212e4e4198af1460865f585a15cf ppc/9.1/RPMS/kdelibs-3.1-58.3.91mdk.ppc.rpm
d3db934d1ad9b0e9e04e9fab43b7f0c9 ppc/9.1/RPMS/kdelibs-common-3.1-58.3.91mdk.ppc.rpm
71b0d44138e874d8089298594a7e30a8 ppc/9.1/RPMS/kdelibs-devel-3.1-58.3.91mdk.ppc.rpm
318a821a280404541a929b8d3d55339e ppc/9.1/RPMS/kdelibs-static-devel-3.1-58.3.91mdk.ppc.rpm
00230239edea7418aa01897d23f5dd07 ppc/9.1/SRPMS/kdelibs-3.1-58.3.91mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to update.
You can view other update advisories for Mandrakelinux at:
[ur]http://www.mandrakesecure.net/en/advisories/[/url]
_______________________________________________________________________
Package name: kdelibs
Advisory ID: MDKSA-2004:022
Date: March 10th, 2004
Affected versions: 9.1
______________________________________________________________________
Problem Description:
Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory:
"The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks."
This issue was fixed in KDE 3.1.3; the updated packages are patched to protect against this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0592
______________________________________________________________________
Updated Packages:
Mandrakelinux 9.1:
14bd813799d4891d520d1f8e7a525476 9.1/RPMS/kdelibs-3.1-58.3.91mdk.i586.rpm
924fc0bec108f94236c97d640774f8c5 9.1/RPMS/kdelibs-common-3.1-58.3.91mdk.i586.rpm
28bfd2897fb91fadcba14864c5ab85fa 9.1/RPMS/kdelibs-devel-3.1-58.3.91mdk.i586.rpm
a02c4dc06c2122241fe2e4abc77e1c67 9.1/RPMS/kdelibs-static-devel-3.1-58.3.91mdk.i586.rpm
00230239edea7418aa01897d23f5dd07 9.1/SRPMS/kdelibs-3.1-58.3.91mdk.src.rpm
Mandrakelinux 9.1/PPC:
7f42212e4e4198af1460865f585a15cf ppc/9.1/RPMS/kdelibs-3.1-58.3.91mdk.ppc.rpm
d3db934d1ad9b0e9e04e9fab43b7f0c9 ppc/9.1/RPMS/kdelibs-common-3.1-58.3.91mdk.ppc.rpm
71b0d44138e874d8089298594a7e30a8 ppc/9.1/RPMS/kdelibs-devel-3.1-58.3.91mdk.ppc.rpm
318a821a280404541a929b8d3d55339e ppc/9.1/RPMS/kdelibs-static-devel-3.1-58.3.91mdk.ppc.rpm
00230239edea7418aa01897d23f5dd07 ppc/9.1/SRPMS/kdelibs-3.1-58.3.91mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to update.
You can view other update advisories for Mandrakelinux at:
[ur]http://www.mandrakesecure.net/en/advisories/[/url]
