Bugtraq mailing list archives

Security Update: [CSSA-2002-047.0] Linux: KDE SSL and XSS vulnerabilities


From: security () caldera com
Date: Fri, 15 Nov 2002 16:37:45 -0800


To: bugtraq () securityfocus com, announce () lists caldera com, security-alerts () linuxsecurity com, full-disclosure () lists netsys com

______________________________________________________________________________

                        SCO Security Advisory

Subject:                Linux: KDE SSL and XSS vulnerabilities
Advisory number:        CSSA-2002-047.0
Issue date:             2002 November 15
Cross reference:
______________________________________________________________________________


1. Problem Description

        Konqueror's cross-site scripting (XSS) protection fails to
        initialize the domains of sub-(i)frames correctly. As a
        result, JavaScript can access any foreign subframe that is
        defined in the HTML source.

        KDE's SSL implementation fails to check the basic constraints
        on certificates and as a result may accept certificates as
        valid that were signed by an issuer who was not authorized to
        do so.
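        The second issue is the check a TLS client must perform on every issuer in a chain. The script below is an added example, not part of the SCO or KDE advisories: it uses the openssl CLI to build a throwaway chain in which an end-entity certificate (CA:FALSE) is used to sign another certificate, and confirms that a correct verifier rejects the result while still accepting the legitimately issued leaf. All names and paths are constructed; it assumes openssl is on PATH.

```shell
# Added example (not from the advisory): build a constructed chain and check that
# the verifier enforces basicConstraints, i.e. refuses a certificate whose issuer
# is an end-entity (CA:FALSE) certificate, which is the KDE SSL defect described.
# Assumes the openssl command line tool is available; all names are constructed.

make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' >"$dir/ee.ext"

    # Trust anchor: self-signed root explicitly marked CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/CN=Constructed Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Legitimate end-entity certificate (CA:FALSE) issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=leaf.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ee.ext" -out "$dir/leaf.pem" 2>/dev/null

    # A certificate signed with the end-entity key. The signature is valid, but the
    # issuer is not a CA, so a verifier that honours basicConstraints must reject it.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/bad.key" \
        -out "$dir/bad.csr" -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/bad.csr" -CA "$dir/leaf.pem" -CAkey "$dir/leaf.key" \
        -CAcreateserial -days 1 -extfile "$dir/ee.ext" -out "$dir/bad.pem" 2>/dev/null
}

# Returns 0 when the legitimate leaf chains to the root (positive control).
accepts_proper_leaf() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Returns 0 when the verifier refuses the certificate issued by the non-CA leaf
# (openssl reports "invalid CA certificate"); returns 1 if it wrongly accepts it.
rejects_non_ca_issuer() {
    if openssl verify -CAfile "$1/root.pem" -untrusted "$1/leaf.pem" "$1/bad.pem" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

work=$(mktemp -d)
make_chain "$work"
accepts_proper_leaf "$work" && echo "leaf.pem: chains to root as expected"
if rejects_non_ca_issuer "$work"; then
    echo "bad.pem: rejected, issuer lacks CA basicConstraints"
else
    echo "bad.pem: ACCEPTED, verifier ignores basicConstraints"
fi
rm -rf "$work"
```

A client with the defect described above behaves like the second branch: any holder of an ordinary server certificate could have issued certificates it would trust.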


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------

        OpenLinux 3.1.1 Server          prior to kdelibs2-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.1.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to kdelibs2-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.1.i386.rpm

        OpenLinux 3.1 Server            prior to kdelibs2-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.1.i386.rpm

        OpenLinux 3.1 Workstation       prior to kdelibs2-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.1.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.1.i386.rpm


3. Solution

        The proper solution is to install the latest packages. Many
        customers find it easier to use the Caldera System Updater, called
        cupdate (or kcupdate under the KDE environment), to update these
        packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-047.0/RPMS

        4.2 Packages

        a03fb8e34fde83b1a4f83124c2e4b041        kdelibs2-2.2.1-6.1.i386.rpm
        6c4fc3be168073d33b7f62603b03e1a0        kdelibs2-devel-2.2.1-6.1.i386.rpm
        0d16a2303715af4e5cee545a3f5fa5e4        kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        f8a1574f0b3d97c0272d935f0140ec3a        kdelibs2-doc-2.2.1-6.1.i386.rpm

        4.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-047.0/SRPMS

        4.5 Source Packages

        2632e383fd006e4307b8d46b2755bfe1        kdelibs2-2.2.1-6.1.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-047.0/RPMS

        5.2 Packages

        510eeadb0430c083de57d6901e3b7ff4        kdelibs2-2.2.1-6.1.i386.rpm
        37f6a6eafc2d62edac6e753effafaf69        kdelibs2-devel-2.2.1-6.1.i386.rpm
        c870729596c35e570a1a376879694051        kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        ab5617edf321f2c97a297b59eb2353d5        kdelibs2-doc-2.2.1-6.1.i386.rpm

        5.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-047.0/SRPMS

        5.5 Source Packages

        23ef26f4c6d6f5a8110ad14ab35d97f3        kdelibs2-2.2.1-6.1.src.rpm


6. OpenLinux 3.1 Server

        6.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-047.0/RPMS

        6.2 Packages

        f89476e89a490a817f9b9cb1d9f0d45e        kdelibs2-2.2.1-6.1.i386.rpm
        5e9b87afe1f433695900cf472b72b8ff        kdelibs2-devel-2.2.1-6.1.i386.rpm
        639d81f339d580246b47192dee39f323        kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        46bd0251cae1f20a1e9cf2968ec6b28b        kdelibs2-doc-2.2.1-6.1.i386.rpm

        6.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm

        6.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-047.0/SRPMS

        6.5 Source Packages

        b8db0bed5301c62f0c23a7299764daac        kdelibs2-2.2.1-6.1.src.rpm


7. OpenLinux 3.1 Workstation

        7.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-047.0/RPMS

        7.2 Packages

        c644ccee63d98f51c3c75153dac8f72b        kdelibs2-2.2.1-6.1.i386.rpm
        a9a6672a59132b7da2276fc84af4239e        kdelibs2-devel-2.2.1-6.1.i386.rpm
        ab1314c35f6a696f8ffc242f47c132a8        kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        97bda2eff3c2ed28d69c89f0f9e71e5d        kdelibs2-doc-2.2.1-6.1.i386.rpm

        7.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.1.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.1.i386.rpm

        7.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-047.0/SRPMS

        7.5 Source Packages

        81ffd01431cb6b64f110790a515f6cee        kdelibs2-2.2.1-6.1.src.rpm


8. References

        Specific references for this advisory:

                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0970
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1151
                http://www.kde.org/info/security/advisory-20020908-2.txt
                http://www.kde.org/info/security/advisory-20020818-1.txt

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr868329, fz525911,
        fz525926, erg712110, erg712107, erg712111, sr869190, fz526085,
        erg712129.


9. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.

______________________________________________________________________________
