__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                 ___  __ __    _     ___
                /       |     /_\   /
                \___  __|__  /   \  \___
__________________________________________________________

                      INFORMATION BULLETIN

                Red Hat Multiple Vulnerabilities in KDE
              [Red Hat Security Advisory RHSA-2002:220-40]

December 4, 2002 20:00 GMT                                        Number N-020
______________________________________________________________________________
PROBLEM:       A number of vulnerabilities have been found that affect
               various versions of KDE (K Desktop Environment).
               Vulnerabilities include a remote attacker spoofing
               certificates of trusted sites through a man-in-the-middle
               attack, and a local or remote attacker executing arbitrary
               code through a carefully crafted URL.
SOFTWARE:      * Red Hat Linux 7.2
               * Red Hat Linux 7.3
               * Red Hat Linux 8.0
DAMAGE:        By exploiting these vulnerabilities, a remote attacker may be
               able to run code of their choice and obtain root privileges.
SOLUTION:      Apply patches as stated in Red Hat's bulletin.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. KDE is a graphical desktop environment for
ASSESSMENT:    the X Window System and is commonly included in Linux systems.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-020.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2002-220.html
______________________________________________________________________________

[***** Start Red Hat Security Advisory RHSA-2002:220-40 *****]

Updated KDE packages fix security issues

Advisory: RHSA-2002:220-40
Last updated on: 2002-12-04

Affected Products:
  Red Hat Linux 7.2
  Red Hat Linux 7.3
  Red Hat Linux 8.0

CVEs (cve.mitre.org):
  CAN-2002-0838
  CAN-2002-0970
  CAN-2002-1151
  CAN-2002-1152
  CAN-2002-1223
  CAN-2002-1224
  CAN-2002-1247
  CAN-2002-1281
  CAN-2002-1282
  CAN-2002-1306

Security Advisory Details:

A number of vulnerabilities have been found that affect various versions of
KDE. This errata provides updates which resolve these issues.

KDE is a graphical desktop environment for the X Window System. A number of
vulnerabilities have been found in various versions of KDE.

The SSL capability for Konqueror in KDE 3.0.2 and earlier does not verify
the Basic Constraints for an intermediate CA-signed certificate. This allows
remote attackers to spoof the certificates of trusted sites via a
man-in-the-middle attack. The Common Vulnerabilities and Exposures project
has assigned the name CAN-2002-0970 to this issue.

Konqueror in KDE 3.0 through 3.0.2 does not properly detect the "secure"
flag in an HTTP cookie, which could cause Konqueror to send the cookie
across an unencrypted channel, potentially allowing remote attackers to
steal the cookie via sniffing. (CAN-2002-1152)

The cross-site scripting protection for Konqueror in KDE 2.2.2 and 3.0
through 3.0.3 does not properly initialize the domains on sub-frames and
sub-iframes, which can allow remote attackers to execute scripts and steal
cookies from subframes that are in other domains. (CAN-2002-1151)

kpf is a file sharing utility that can be docked into the KDE kicker bar.
It uses a subset of the HTTP protocol internally and acts in a manner very
similar to a Web server. A feature added in KDE 3.0.1 accidentally allowed
retrieving any file, not limited to the configured shared directory, if it
is readable by the user under which kpf runs. (CAN-2002-1224)

KGhostview includes a parser from GSview, which is vulnerable to a buffer
overflow while parsing a specially crafted .ps input file. (CAN-2002-1223)
It also contains code from gv 3.5.x which is vulnerable to another buffer
overflow triggered by malformed postscript or Adobe PDF files.
(CAN-2002-0838)

A vulnerability in the rlogin KIO subsystem (rlogin.protocol) of KDE 2.x
2.1 and later, and KDE 3.x 3.0.4 and earlier, allows local and remote
attackers to execute arbitrary code via a carefully crafted URL. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2002-1281
to this issue. A similar vulnerability affects KDE version 2.x through the
telnet KIO subsystem (telnet.protocol). (CAN-2002-1282)

Multiple buffer overflows exist in the KDE LAN browsing implementation; the
resLISa daemon contains a buffer overflow vulnerability which could be
exploited if the reslisa binary is SUID root. Additionally, the lisa daemon
contains a vulnerability which potentially enables any local user, as well
as any remote attacker on the LAN who is able to gain control of the LISa
port (7741 by default), to obtain root privileges. In Red Hat Linux,
reslisa is not SUID root and lisa services are not automatically started.
(CAN-2002-1247, CAN-2002-1306)

Red Hat Linux 8.0 shipped with KDE 3.0.3 and is therefore vulnerable to
CAN-2002-0838, CAN-2002-1151, CAN-2002-1223, CAN-2002-1224, CAN-2002-1247,
and CAN-2002-1281. This errata includes new kdelibs and kdenetwork packages
which contain patches to correct these issues.
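The kpf issue above (CAN-2002-1224) is a failure to confine requested paths to the configured shared directory. What follows is an added example, not kpf's code or anything from Red Hat's advisory, of the containment check a small HTTP-style file server needs: it percent-decodes the request path exactly once, refuses any ".." segment outright, and after symlink resolution verifies that the target still lies under the share. The directory layout, file names and request paths are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_shared_path(shared_root, request_path):
    """Map an HTTP request path onto a file under shared_root.

    Returns the absolute filesystem path to serve, or None when the request
    would reach outside the share: a '..' segment (also when percent-encoded),
    a NUL byte, or a symlink inside the share that points out of it.
    """
    root = os.path.realpath(shared_root)
    # Decode percent-encoding exactly once; decoding a second time would let
    # "%252e%252e" become ".." after the check below has already run.
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None
    # Split on "/" and drop empty and "." segments, so "//docs//x" and
    # "/docs/./x" both mean "/docs/x". Any ".." segment is rejected rather
    # than normalised away, so a path that is only inside the share after
    # cancellation is never served.
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    candidate = os.path.realpath(os.path.join(root, *segments))
    # realpath follows symlinks, so this containment check also catches a
    # link created inside the share whose target is outside it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def build_demo_tree():
    """Constructed layout (not real kpf data): a share holding docs/readme.txt,
    a private file beside the share, and a symlink inside the share that
    points at the private file."""
    base = tempfile.mkdtemp(prefix="kpf-demo-")
    shared = os.path.join(base, "public_html")
    os.makedirs(os.path.join(shared, "docs"))
    with open(os.path.join(shared, "docs", "readme.txt"), "w") as fh:
        fh.write("shared content\n")
    private = os.path.join(base, "private.txt")
    with open(private, "w") as fh:
        fh.write("must not be served\n")
    os.symlink(private, os.path.join(shared, "escape.txt"))
    return shared, private


def demo():
    """Resolve a set of constructed requests; returns request -> path relative
    to the share, or None when the request is refused."""
    shared, _private = build_demo_tree()
    root = os.path.realpath(shared)
    requests = [
        "/",                                # the share itself
        "/docs/readme.txt",                 # ordinary request inside the share
        "//docs//./readme.txt",             # redundant separators are harmless
        "/docs/../docs/readme.txt",         # ".." refused even though it cancels out
        "/../private.txt",                  # plain traversal out of the share
        "/docs/%2e%2e/%2e%2e/private.txt",  # the same traversal, percent-encoded
        "/escape.txt",                      # symlink whose target is outside
    ]
    result = {}
    for req in requests:
        resolved = resolve_shared_path(shared, req)
        result[req] = None if resolved is None else os.path.relpath(resolved, root)
    return result


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:36} -> {outcome if outcome is not None else 'refused'}")
```

The symlink case is the one a purely lexical check misses: the request path looks clean, and only resolving the link shows that the file is outside the share. A server that opens the file after this check should do so as the unprivileged user the share is configured for, which is also what limits the damage when a check like this is missing.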
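For the cookie issue above (CAN-2002-1152), here is an added example, not Konqueror's code, of a minimal host-only cookie jar that records the Secure attribute when a Set-Cookie header is stored and withholds such cookies from any request that is not made over https. The host name, cookie names and values are constructed; the Domain attribute is deliberately left out of scope.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Parse one Set-Cookie header value into a dict.

    Only the attributes this example needs are kept: Path (default "/") and
    the Secure flag, which is a bare token with no value. Attribute names are
    matched case-insensitively, as in the header syntax.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "path" and val.strip().startswith("/"):
            cookie["path"] = val.strip()
    return cookie


class CookieJar:
    """Host-only cookie store keyed by (host, cookie name)."""

    def __init__(self):
        self._cookies = {}

    def store(self, response_url, set_cookie_value):
        host = urlsplit(response_url).hostname
        cookie = parse_set_cookie(set_cookie_value)
        self._cookies[(host, cookie["name"])] = cookie

    def cookie_header_for(self, request_url):
        """Build the Cookie header value for a request, "" if nothing applies."""
        url = urlsplit(request_url)
        host = url.hostname
        path = url.path or "/"
        over_tls = url.scheme == "https"
        sent = []
        for (cookie_host, name), cookie in sorted(self._cookies.items()):
            if cookie_host != host:
                continue
            if not path.startswith(cookie["path"]):
                continue
            # The check the affected Konqueror versions got wrong: a cookie
            # marked Secure must never travel over a plain http connection.
            if cookie["secure"] and not over_tls:
                continue
            sent.append(f"{name}={cookie['value']}")
        return "; ".join(sent)


def demo():
    """Constructed exchange: a site sets a Secure session cookie and a
    non-sensitive preference cookie, then three requests are prepared."""
    jar = CookieJar()
    jar.store("https://bank.example/login",
              "session=s3cr3t-token; Secure; Path=/; HttpOnly")
    jar.store("https://bank.example/login", "lang=en; Path=/")
    return {
        "https://bank.example/account":
            jar.cookie_header_for("https://bank.example/account"),
        "http://bank.example/account":
            jar.cookie_header_for("http://bank.example/account"),
        "http://other.example/":
            jar.cookie_header_for("http://other.example/"),
    }


if __name__ == "__main__":
    for url, header in demo().items():
        print(f"{url:34} Cookie: {header or '(none)'}")
```

The http request to the same host receives only the `lang` cookie; the session token stays in the jar until the connection is again over TLS, which is exactly the property a passive sniffer on the path relies on being absent.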
Red Hat Linux 7.3 shipped with KDE 3.0.0 and is therefore vulnerable to
CAN-2002-0838, CAN-2002-0970, CAN-2002-1151, CAN-2002-1152, CAN-2002-1223,
CAN-2002-1247, CAN-2002-1281, and CAN-2002-1306. This errata upgrades Red
Hat Linux 7.3 to KDE 3.0.3 with patches to correct these issues.

Red Hat Linux 7.2 shipped with KDE version 2.2.2 and is therefore
vulnerable to CAN-2002-0838, CAN-2002-0970, CAN-2002-1151, CAN-2002-1223,
CAN-2002-1247, and CAN-2002-1306. This errata provides new kdelibs and
kdenetwork packages which contain patches to correct these issues.

Red Hat Linux 7.2 is also vulnerable to CAN-2002-1281 and CAN-2002-1282 but
these vulnerabilities are not fixed by these errata packages. At the
present time Red Hat recommends disabling both the rlogin and telnet KIO
protocols as a workaround. To disable both protocols, execute these
commands:

rm /usr/share/services/rlogin.protocol
rm /usr/share/services/telnet.protocol

Updated packages:

Red Hat Linux 7.2
--------------------------------------------------------------------------------
SRPMS:
kdegraphics-2.2.2-2.1.src.rpm ea399e31bcca1df0b7aef78c303ca0a7
kdelibs-2.2.2-3.src.rpm 034a08a13b62f72b6a9603f52f16da25
kdenetwork-2.2.2-2.src.rpm 81714c79f92d1e9b6de4b38543a9bc83

i386:
arts-2.2.2-3.i386.rpm c9be246b033cd8e17a0777183f060bdc
kdegraphics-2.2.2-2.1.i386.rpm 1668cdc5ff3cb4476626287cfff646ac
kdegraphics-devel-2.2.2-2.1.i386.rpm 1f7c2cc26b71d0bef278c29259b9e28d
kdelibs-2.2.2-3.i386.rpm 1753fcef6366b9c10dae05876855db5f
kdelibs-devel-2.2.2-3.i386.rpm 9c21f59d69acb690892fd13b02bd23aa
kdelibs-sound-2.2.2-3.i386.rpm 929bf62240d8e8129fb09a965dc4bc75
kdelibs-sound-devel-2.2.2-3.i386.rpm cd858cb38ea684aaf6c22f0093dbbfad
kdenetwork-2.2.2-2.i386.rpm 567f7d10e7f11200a1ede4fc48ee6ba8
kdenetwork-ppp-2.2.2-2.i386.rpm 0181fc55d957f081697dec9ab3c4eef4

ia64:
arts-2.2.2-3.ia64.rpm 4b7e057bd214027d4c492265b3a71d6a
kdegraphics-2.2.2-2.1.ia64.rpm bf45c07ac04d081839934549f9fba336
kdegraphics-devel-2.2.2-2.1.ia64.rpm 07bb5515069e7d63470921b18a338989
kdelibs-2.2.2-3.ia64.rpm 189201842b61ec0eda4cd790e0eb8f9e
kdelibs-devel-2.2.2-3.ia64.rpm e325b6fd962803c296320656e7a3579b
kdelibs-sound-2.2.2-3.ia64.rpm aa788c8abe086b78cf16ffd0d4d26466
kdelibs-sound-devel-2.2.2-3.ia64.rpm b58b22df69edd4b776ae1df8f641139d
kdenetwork-2.2.2-2.ia64.rpm 0f824cdab51bdbafc654081e2d8c9e56
kdenetwork-ppp-2.2.2-2.ia64.rpm 17ed308dac97dff15b511d55316523d9

Red Hat Linux 7.3
--------------------------------------------------------------------------------
SRPMS:
arts-1.0.3-0.7.1.src.rpm 47dcc91fe8726cc45f31014a29b35a1c
kde-i18n-3.0.3-0.7.3.src.rpm e2dbe16652886c5e938932e9db0b76ab
kdeaddons-3.0.3-0.7.src.rpm 1a1bf3945b93dca80460f9d0c496ded2
kdeadmin-3.0.3-0.7.src.rpm 88bd547a198b3b0ce44e4cfdc1b91bd2
kdeartwork-3.0.3-0.7.1.src.rpm 35508697a85ffaba96513085b18e77c7
kdebase-3.0.3-0.7.2.src.rpm 4252b1ec7cd6413b335702d15459f69a
kdebindings-3.0.3-0.7.1.src.rpm 2f77233d2019dcfdfaf5ba4e2294f47f
kdeedu-3.0.3-0.7.src.rpm 96b1c663ec0839e428b15f52e55a920b
kdegames-3.0.3-0.7.src.rpm 43fc3e29f684817f5f91242748e59181
kdegraphics-3.0.3-0.7.2.src.rpm a260fca5c6f4b52ea89c445a386690d0
kdelibs-3.0.3-0.7.2.src.rpm 0bb5c62332785c2daf1f15597d71a890
kdemultimedia-3.0.3-0.7.1.src.rpm 09b000c0e7ac6b2754a74bf3c3ac4fa3
kdenetwork-3.0.3-0.7.2.src.rpm 6d4354214bf9c201a15ee809a9857e13
kdepim-3.0.3-0.7.src.rpm f4f5657c7d14f05d01b00bb853c79c60
kdesdk-3.0.3-0.7.src.rpm 4b4527904b61e185d1805044a84953f1
kdetoys-3.0.3-0.7.src.rpm 430647cf44a607b6ac264060422f0f8d
kdeutils-3.0.3-0.7.src.rpm e712ea2315ea0800a3933e1695968a98
kdevelop-2.1.3-0.7.1.src.rpm fb0ca7e6c97ffb3957728689a743b296
qt-3.0.5-7.14.src.rpm 354d1a5d84ba9be926cd445d1f65cab3

i386:
ark-3.0.3-0.7.i386.rpm c31ac96ba6d0f3a9ebbb10d20985a5c8
arts-1.0.3-0.7.1.i386.rpm 68f6dcc3c862b8de79092d9aa7618d36
arts-devel-1.0.3-0.7.1.i386.rpm ff569116c2e9f9476b6c967207b7dc57
cervisia-3.0.3-0.7.i386.rpm d35f569dfbfe3c8f64930f4d0b84e63d
kaboodle-3.0.3-0.7.1.i386.rpm 6998bef27993940c4cfe628978fd3a22
kamera-3.0.3-0.7.2.i386.rpm e0e6b4869bef5c93628532d1957193fe
karm-3.0.3-0.7.i386.rpm 9434391849bf3ecaa98e729565634a21
kcalc-3.0.3-0.7.i386.rpm 59d8f61a6d57eb83fb29ea4ec9fb7e0d
kcharselect-3.0.3-0.7.i386.rpm b5b049e944cf27d481f40a05c64c124f
kcoloredit-3.0.3-0.7.2.i386.rpm 4f67d858333d89be5959a6fd70197b2c
kdeaddons-kate-3.0.3-0.7.i386.rpm 7fe44981d9f0da00fd85d6dcdcd1e464
kdeaddons-kicker-3.0.3-0.7.i386.rpm 154fd03b6325fc249b9d2db9f5c1bd3c
kdeaddons-knewsticker-3.0.3-0.7.i386.rpm 7b958fa5c3aa0a15e5a8f82c6acac846
kdeaddons-konqueror-3.0.3-0.7.i386.rpm 950f242a09d7bdf3ba77bd7ca6adcb23
kdeaddons-noatun-3.0.3-0.7.i386.rpm 7d3fef5e022b4480ae662c20c48ac965
kdeadmin-3.0.3-0.7.i386.rpm bfe34d25e617c3e25dc2faf77e716621
kdeartwork-3.0.3-0.7.1.i386.rpm 047c77f35776c564bca14cc4ffd146c4
kdeartwork-kworldclock-3.0.3-0.7.1.i386.rpm e59d14917ab3c03c897c3f92b53a758a
kdeartwork-locolor-3.0.3-0.7.1.i386.rpm 96bed63324f3c40ef57bc7aaf32caef9
kdeartwork-screensavers-3.0.3-0.7.1.i386.rpm 1a7c3633b753ca8effe5dfc046fd6ec5
kdebase-3.0.3-0.7.2.i386.rpm 2001ffaf4fcb9d56b25bff8f5b5d6c85
kdebase-devel-3.0.3-0.7.2.i386.rpm db9f97bd5b5721fdd2062d0aa2965547
kdebindings-3.0.3-0.7.1.i386.rpm e33ee4cd2e9301915787b2f4720af43c
kdebindings-devel-3.0.3-0.7.1.i386.rpm 344b64d1bca10210db411b32e01fb0f4
kdebindings-kmozilla-3.0.3-0.7.1.i386.rpm 8feb90886d6ac404a42207b20ff523c5
kdegames-3.0.3-0.7.i386.rpm 2c954338900c6894fbe1c45496bae318
kdegames-devel-3.0.3-0.7.i386.rpm e25d0a4def322accb91d3aa2aa1dafd0
kdelibs-3.0.3-0.7.2.i386.rpm 9a3d319eaadf9b0ff620c445eb6918e5
kdelibs-devel-3.0.3-0.7.2.i386.rpm 0f369a42384ace153710e585ce47e86e
kdemultimedia-arts-3.0.3-0.7.1.i386.rpm fe9794772b4c717fd7ac8ee94ab31b1b
kdemultimedia-devel-3.0.3-0.7.1.i386.rpm 94571620f5161cf37097534c63a9bf4b
kdemultimedia-kfile-3.0.3-0.7.1.i386.rpm d5b599eeeedcb46954024e231aaf66f1
kdemultimedia-libs-3.0.3-0.7.1.i386.rpm 135e008d033b7e78b45b8f4fe0250569
kdenetwork-devel-3.0.3-0.7.2.i386.rpm c53b4d182818205944fcf3612942c318
kdenetwork-libs-3.0.3-0.7.2.i386.rpm bb71a42d167e8539ecfd75156879f70c
kdepasswd-3.0.3-0.7.i386.rpm d65f4adea754e9ab38887c18f7cc4a8e
kdepim-3.0.3-0.7.i386.rpm 8d833c32134f1ed60ee1fbc08262008e
kdepim-cellphone-3.0.3-0.7.i386.rpm a12608b4aa87f056aa95fa7aca7a1273
kdepim-devel-3.0.3-0.7.i386.rpm 33b650a7088f065acc38f8b2558c7b67
kdepim-pilot-3.0.3-0.7.i386.rpm e137e8621fca2328d919b9735adbd719
kdesdk-gimp-3.0.3-0.7.i386.rpm 708568ca332d5cb4c545da99090c74db
kdesdk-kapptemplate-3.0.3-0.7.i386.rpm 915cb23acd612fb8879d8feb6d8e2cac
kdesdk-kbabel-3.0.3-0.7.i386.rpm 83c195e1f5e5932138d489bb3dc14663
kdesdk-kbugbuster-3.0.3-0.7.i386.rpm 228345769dd1cf1d3379906b215af9e2
kdesdk-kmtrace-3.0.3-0.7.i386.rpm 38f2efa7b18452a63bf0fde26bb78803
kdesdk-kompare-3.0.3-0.7.i386.rpm 9147d3be6cfb04f569c4f83e69c34d5e
kdesdk-kspy-3.0.3-0.7.i386.rpm 60f394c650b46645e1f9b1c5852727f8
kdessh-3.0.3-0.7.i386.rpm 8f1eda9703316c6638187b86e1c8c1e3
kdetoys-3.0.3-0.7.i386.rpm 938c1325cb89c9dc49932f4ee55d7f48
kdeutils-laptop-3.0.3-0.7.i386.rpm 4e0458b14e321cddb9820803516a3c4d
kdevelop-2.1.3-0.7.1.i386.rpm 828d671341da74f98207ccec83dd894d
kdf-3.0.3-0.7.i386.rpm a43492502f9724ef88e3757bd573c026
kdict-3.0.3-0.7.2.i386.rpm 7ce89dde28bc8ae992395c24f2136905
kdvi-3.0.3-0.7.2.i386.rpm 6a32f99fcf3f144a0ba79363dfe2c996
kedit-3.0.3-0.7.i386.rpm 93fe10821b08641e964f1e3957e32d37
keduca-3.0.3-0.7.i386.rpm 8a900a4900eb3c91bee96854c38f5896
kfax-3.0.3-0.7.2.i386.rpm 632d3c454dbde139231dff3154af7af1
kfile-pdf-3.0.3-0.7.2.i386.rpm 117c2803b365681a1bf91f682d725149
kfile-png-3.0.3-0.7.2.i386.rpm 2bec4e9cde3695289ba6a237e47a9407
kfloppy-3.0.3-0.7.i386.rpm 4c47d387dde4e63558d48bf84c72688c
kfract-3.0.3-0.7.2.i386.rpm 7b74f1789b2dcfbde592ee812c12b19a
kgeo-3.0.3-0.7.i386.rpm b699923f0c3df235f4bd68c370452081
kghostview-3.0.3-0.7.2.i386.rpm 3c2d55f5bdc429f89f110d10bb64b58d
khexedit-3.0.3-0.7.i386.rpm 91655d96af4ca3a1ca9f50e4e7e90bc4
kiconedit-3.0.3-0.7.2.i386.rpm 02c425ba7942358fd36be81db609088e
kit-3.0.3-0.7.2.i386.rpm 26db442ffbbaa1553c5c138a209207ae
kjots-3.0.3-0.7.i386.rpm 91fecfdefae0415b27339394d0f73be5
klettres-3.0.3-0.7.i386.rpm a0842ee9d0239070816f693ae4fdc2f6
kljettool-3.0.3-0.7.i386.rpm 7ad3798fce63da97f8f96f3bbba8a3d4
klpq-3.0.3-0.7.i386.rpm 4d747945f02676ffb75c978a57addb00
klprfax-3.0.3-0.7.i386.rpm 937ea72d67edb7cea2f8cf68fe1e6ec3
kmail-3.0.3-0.7.2.i386.rpm e9ee917df07ea4a6d5c53e3a0bfe5f16
kmessedwords-3.0.3-0.7.i386.rpm d175e65b4af6524d0672c0df3d3fffa2
kmid-3.0.3-0.7.1.i386.rpm 8cc3f07f5f2cc1c276af643b08233c22
kmidi-3.0.3-0.7.1.i386.rpm d5e79b13a53f09cc015e622911dc8fb4
kmix-3.0.3-0.7.1.i386.rpm dbec374bda1a631d3b886207204522fc
knewsticker-3.0.3-0.7.2.i386.rpm a020d8cd85bb2056789993eea951cecd
knode-3.0.3-0.7.2.i386.rpm 48c293f3b92b2115b20b967671530964
knotes-3.0.3-0.7.i386.rpm d87ffc5428a2bf0d05dba1be73e16cbd
koncd-3.0.3-0.7.1.i386.rpm e3f31e79286cd764cc7cf23f8c79129d
kooka-3.0.3-0.7.2.i386.rpm c1140b9165e173bc386367c887f3596c
korn-3.0.3-0.7.2.i386.rpm 88575c727577d629583b8db993e049ec
kpaint-3.0.3-0.7.2.i386.rpm efed4a1469974d3ef0eea80c83993050
kpf-3.0.3-0.7.2.i386.rpm b497fb2b80940ef02a1f56ed098fc326
kppp-3.0.3-0.7.2.i386.rpm 3b65942be18126d51756ec33bb0ebebc
kregexpeditor-3.0.3-0.7.i386.rpm 3c2c96eeb45e2882431c2ac8fa13b0ec
kregexpeditor-devel-3.0.3-0.7.i386.rpm c0973f7501ec7e0cccafcae0b16deae1
kruler-3.0.3-0.7.2.i386.rpm db88094cba76479eb3eb0c3c17f52398
kscd-3.0.3-0.7.1.i386.rpm 2a299ae6cf5ad38552c00fe661732c6e
ksirc-3.0.3-0.7.2.i386.rpm 929eb08ad90c06942db4f2ded6be06eb
ksnapshot-3.0.3-0.7.2.i386.rpm 11a8bb6c42df541d6b22ded6a9e3f060
kstars-3.0.3-0.7.i386.rpm 33085a4aba5134d5f16dad8b6f889837
ktalkd-3.0.3-0.7.2.i386.rpm b6f5bd8a53b07c8bd65fa009ba12afcf
ktimer-3.0.3-0.7.i386.rpm 2c8dae3e5fa5d4a7d18d6497fa01b353
ktouch-3.0.3-0.7.i386.rpm 91363efc95c0db868eb57ed89c4285fb
kuickshow-3.0.3-0.7.2.i386.rpm 8b1ad52acabfa8ed28ae12efc6a7b0f7
kview-3.0.3-0.7.2.i386.rpm 253c465d92fb923ec23dde728b3ef1e6
kviewshell-3.0.3-0.7.2.i386.rpm d41fb35ce2f805abffd42e2347029f13
kviewshell-devel-3.0.3-0.7.2.i386.rpm d3bc4f4b7c9c1516340a3b3f5c874439
kvoctrain-3.0.3-0.7.i386.rpm 4232a7548dad0e40f3b7e93d51951b5e
kxmlrpcd-3.0.3-0.7.2.i386.rpm 9e393ddfc49472320dbcaa394bfbfc52
libkscan-3.0.3-0.7.2.i386.rpm 71a0d83c0b8a1049d200743cac7be748
libkscan-devel-3.0.3-0.7.2.i386.rpm 40169395af0b83079f550087f88bf17b
lisa-3.0.3-0.7.2.i386.rpm 107b12e7ec4f43c41a83c44a8c1728f6
noatun-3.0.3-0.7.1.i386.rpm 402c7189e0e9fa0dd4e79a6d41e061bb
qt-3.0.5-7.14.i386.rpm 960b252e140edd4fde5df0c33c32f724
qt-designer-3.0.5-7.14.i386.rpm 89e26bf00fd8c606673144ddfe613d9b
qt-devel-3.0.5-7.14.i386.rpm 279ff020001cd6605346256a030f3e28
qt-MySQL-3.0.5-7.14.i386.rpm 042a38aabf9ff94bad8fd025035805c2
qt-ODBC-3.0.5-7.14.i386.rpm 84238622cf26b074764229a89cb507db
qt-PostgreSQL-3.0.5-7.14.i386.rpm 6ea56e8b818aa41913de389e36a8cc10
qt-static-3.0.5-7.14.i386.rpm aa7ad857e20ce146caf0f9cb53220ce7
qt-Xt-3.0.5-7.14.i386.rpm 8945494c65048dbb61dd413c44800945

Red Hat Linux 8.0
--------------------------------------------------------------------------------
SRPMS:
kde-i18n-3.0.3-2.src.rpm 382b75abdf9a6283816619bb6614f2a5
kdebase-3.0.3-14.src.rpm eb94d5dcf07bfc59bc25af2e4c8b365d
kdegraphics-3.0.3-5.src.rpm 461fd60d1643e1c31a278234aafdb871
kdelibs-3.0.3-8.3.src.rpm 89bacf26defe3ff0c3ce42c2cbd01ac3
kdenetwork-3.0.3-3.2.src.rpm 9a239e421bb3a3f9d9d3d10f834081b2

i386:
kamera-3.0.3-5.i386.rpm 1760f7c313bbaf68ba245e277dc0e311
kcoloredit-3.0.3-5.i386.rpm 446cf584b68467d9b963ac772fafcbbb
kdebase-3.0.3-14.i386.rpm dae6d36badd1d95e2c158f1b0fbc4a8b
kdebase-devel-3.0.3-14.i386.rpm 8c89468704d83340dcd2d4e8c3701241
kdelibs-3.0.3-8.3.i386.rpm 60301f8226f8a7446046153722483712
kdelibs-devel-3.0.3-8.3.i386.rpm b9e1c80782bfa0757e4464fb948d1dc2
kdenetwork-devel-3.0.3-3.2.i386.rpm 06ce97289ab90412d186e19fc615ea0f
kdenetwork-libs-3.0.3-3.2.i386.rpm d3c939799ab6930fcb2d1f21fa108bf7
kdict-3.0.3-3.2.i386.rpm 003adc9a793b09e7a628d5731970ddb3
kdvi-3.0.3-5.i386.rpm 32619c7f1cfa9923975554ca6398120b
kfax-3.0.3-5.i386.rpm 6cd4586916cd0d1188516d26060115c9
kfile-pdf-3.0.3-5.i386.rpm e5589af68b5a603e907b5f1bfb2490a2
kfile-png-3.0.3-5.i386.rpm e9a05f7b8d2568fc75c184c9426a58d2
kfract-3.0.3-5.i386.rpm 13bdd632276190ab9a33aff390d626ab
kghostview-3.0.3-5.i386.rpm 53b7219215d58dc474a134619c4ce27b
kiconedit-3.0.3-5.i386.rpm 3bddeec68060feab62c78556e7e921b0
kit-3.0.3-3.2.i386.rpm 90bb1850c6360a87a30a88028f08c265
kmail-3.0.3-3.2.i386.rpm d7fc1e03db312bccd31215b647b86e25
knewsticker-3.0.3-3.2.i386.rpm 461b07e357650696f18a8b4f765c7882
knode-3.0.3-3.2.i386.rpm 3a513107098e7352a7739468c46aa3aa
kooka-3.0.3-5.i386.rpm 8a5598ce40edd6659d7894126847c50d
korn-3.0.3-3.2.i386.rpm 9cc380ecfbd57870450474d3d24a6a68
kpaint-3.0.3-5.i386.rpm dacfc37a044a4a8f7ab641112d1e73d2
kpf-3.0.3-3.2.i386.rpm 77e766459f3f5fe35433591ef940a3fc
kppp-3.0.3-3.2.i386.rpm 7107a712a1fb3fbdc421905db2278c72
kruler-3.0.3-5.i386.rpm 0cdd8d4aca4ef9073d20cbf8aba1a0d4
ksirc-3.0.3-3.2.i386.rpm ea39efb6deee4db448ad0967cd0a35c2
ksnapshot-3.0.3-5.i386.rpm 0ded9db8efba14db92c46cc389fc35fe
ktalkd-3.0.3-3.2.i386.rpm 3d5914e0e082ed8f8a1308a1df9cd834
kuickshow-3.0.3-5.i386.rpm 4ebb9ccd7db8a147f09754972fe9c4f7
kview-3.0.3-5.i386.rpm 689c7ec6268931fdc2d578a9bc93b06a
kviewshell-3.0.3-5.i386.rpm 738ab6d68860a7c276e0557c137cc1e4
kviewshell-devel-3.0.3-5.i386.rpm 81aa7b525199ec9aee14d709193804fd
kxmlrpcd-3.0.3-3.2.i386.rpm 069eaeab2380daf632f605321ebe9938
libkscan-3.0.3-5.i386.rpm 3a362ce3349312972cbb16248df1df37
libkscan-devel-3.0.3-5.i386.rpm 1cb0fad25b6f82fec9cd95f285c10980
lisa-3.0.3-3.2.i386.rpm 526dccfd590c76ff657dcf981cf4a44c

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated.
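Before running rpm -Fvh, the downloaded files can be compared against the md5sums published in the package list above. The script below is an added example, not Red Hat's tooling: it parses lines in the "filename md5sum" form the advisory uses (the three entries embedded are copied from the Red Hat Linux 8.0 i386 list), streams each file in a download directory through MD5, and reports entries that match, mismatch, are missing, or were not listed. The stand-in files its demo writes to a temporary directory are constructed, so they show up as mismatches rather than matches.

```python
import hashlib
import os
import re
import tempfile

# Three entries copied from the Red Hat Linux 8.0 i386 package list above;
# a real run would paste the whole list for the architecture in use.
ADVISORY_LIST = """
kdelibs-3.0.3-8.3.i386.rpm 60301f8226f8a7446046153722483712
kdenetwork-libs-3.0.3-3.2.i386.rpm d3c939799ab6930fcb2d1f21fa108bf7
kpf-3.0.3-3.2.i386.rpm 77e766459f3f5fe35433591ef940a3fc
"""

# One "<filename> <32 hex md5>" pair per line, as printed in the advisory.
ENTRY_RE = re.compile(r"^(\S+\.rpm)\s+([0-9a-f]{32})$")


def parse_advisory_list(text):
    """Return {filename: expected_md5}; refuse lines that do not fit the form,
    so a pasted list with a damaged digest is noticed rather than skipped."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised advisory line: {line!r}")
        expected[match.group(1)] = match.group(2)
    return expected


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large packages are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_downloads(directory, expected):
    """Compare every listed package against the directory contents.

    Result values: "ok", "MISMATCH" (digest differs), "missing" (listed but
    not downloaded) and "unexpected" (an .rpm present that the list lacks).
    """
    report = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif md5_of_file(path) == digest:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    for name in sorted(os.listdir(directory)):
        if name.endswith(".rpm") and name not in expected:
            report[name] = "unexpected"
    return report


def demo():
    """Run the check over a constructed download directory (no real packages):
    one stand-in with the right name but wrong content, one .rpm the advisory
    does not list, and two listed packages left undownloaded."""
    download_dir = tempfile.mkdtemp(prefix="rhsa-2002-220-demo-")
    with open(os.path.join(download_dir, "kdelibs-3.0.3-8.3.i386.rpm"), "wb") as fh:
        fh.write(b"stand-in bytes, not the real package\n")
    with open(os.path.join(download_dir, "extra-1.0-1.i386.rpm"), "wb") as fh:
        fh.write(b"not part of this errata\n")
    # Known-answer file so md5_of_file itself can be checked: md5("abc").
    with open(os.path.join(download_dir, "abc.bin"), "wb") as fh:
        fh.write(b"abc")
    expected = parse_advisory_list(ADVISORY_LIST)
    return {
        "report": verify_downloads(download_dir, expected),
        "md5_abc": md5_of_file(os.path.join(download_dir, "abc.bin")),
    }


if __name__ == "__main__":
    for name, status in demo()["report"].items():
        print(f"{status:10} {name}")
```

This whole-file comparison is complementary to `rpm --checksig --nogpg`, which checks the digests carried inside the package header, and both are only as trustworthy as the channel the advisory arrived over; the GPG signature check with Red Hat's published key is the authoritative one. MD5 is used here because it is the algorithm the 2002 advisory publishes, not because it is a suitable choice for new integrity schemes.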
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Bugs fixed: (see bugzilla for more information)

73412 - KDE screensaver just blanks screen
74071 - Better way to handle desktop file renames
75085 - Banner of Taiwan

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0838
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1152
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1223
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1247
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1282
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1306
http://marc.theaimsgroup.com/?l=bugtraq&m=102977530005148
http://www.kde.org/info/security/advisory-20020908-1.txt
http://www.kde.org/info/security/advisory-20020908-2.txt
http://www.kde.org/info/security/advisory-20021008-1.txt
http://www.kde.org/info/security/advisory-20021008-2.txt
http://www.kde.org/info/security/advisory-20021111-1.txt
http://www.kde.org/info/security/advisory-20021111-2.txt

Keywords: flaw:buf, flaw:css, flaw:design, flaw:infoleak, flaw:spoof

--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security.
Our key is available at:
http://www.redhat.com/solutions/security/news/publickey.html#key

You can verify each package and see who signed it with the following
command:

rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg -v filename

Note that you need RPM >= 3.0 to check GnuPG keys.

[***** End Red Hat Security Advisory RHSA-2002:220-40 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-010: Web-Based Enterprise Management on Solaris 8 Installs Insecure Files
N-011: Cumulative Patch for Internet Information Service
N-012: Windows 2000 Default Permissions Could Allow Trojan Horse Program
N-013: ISC Remote Vulnerabilities in BIND4 and BIND8
N-014: Trojan Horse tcpdump and libpcap Distributions
N-015: SGI IRIX lpd Daemon Vulnerabilities via sendmail and dns
N-016: Buffer Overrun in Microsoft Data Access Components (MDAC)
N-017: Cisco PIX Multiple Vulnerabilities
N-018: Microsoft Cumulative Patch for Internet Explorer
N-019: Samba Encrypted Password Buffer Overrun Vulnerability