Your message dated Tue, 17 Sep 2002 22:54:41 +1000
with message-id <[EMAIL PROTECTED]>
and subject line fixed in kdelibs (4:2.2.2-14) unstable
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 19 Aug 2002 10:50:00 +0000
>From [EMAIL PROTECTED] Mon Aug 19 05:50:00 2002
Return-path: <[EMAIL PROTECTED]>
Received: from cpe-203-51-25-12.nsw.bigpond.net.au (purcell.homeip.net) [203.51.25.12] (mail)
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 17gk6i-0007PY-00; Mon, 19 Aug 2002 05:50:00 -0500
Received: from [192.168.3.15] (helo=dell.purcell.homeip.net ident=mail)
        by purcell.homeip.net with esmtp (Exim 3.35 #1 (Debian))
        id 17gk6f-000804-00; Mon, 19 Aug 2002 20:49:57 +1000
Received: from msp by dell.purcell.homeip.net with local (Exim 3.35 #1 (Debian))
        id 17gk6W-0000ny-00; Mon, 19 Aug 2002 20:49:48 +1000
X-Debbugs-CC: [EMAIL PROTECTED],debian-kde@lists.debian.org
Subject: Konqueror SSL vulnerability
From: "Mark Purcell" <[EMAIL PROTECTED]>
To: "Debian Bug Tracking System" <[EMAIL PROTECTED]>
X-Mailer: reportbug 1.99.50
Date: Mon, 19 Aug 2002 20:49:48 +1000
Message-Id: <[EMAIL PROTECTED]>
Sender: Mark Purcell <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]

Package: kdelibs3-crypto
Version: 4:2.2.2-6
Severity: critical
Tags: security upstream

http://www.kde.org/info/security/advisory-20020818-1.txt

KDE Security Advisory: Konqueror SSL vulnerability
Original Release Date: 2002-08-18
URL: http://www.kde.org/info/security/advisory-20020818-1.txt

0. References
        http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/0
        http://online.securityfocus.com/archive/1/287050/2002-08-07/2002-08-13/2

1. Systems affected:

        All versions of KDE up to and including KDE 3.0.2

2. Overview:

        KDE's SSL implementation fails to check the basic constraints on
certificates and as a result may accept certificates as valid that were signed
by an issuer who was not authorized to do so.

3. Impact:

        Users of Konqueror and other SSL enabled KDE software may fall victim
to a malicious man-in-the-middle attack without noticing. In such case the
user will be under the impression that there is a secure connection with a
trusted site while in fact a different site has been connected to.

4. Solution:

        Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
well for users that are unable to upgrade to KDE 3.

5. Patch:
        A patch for KDE 2.2.2 is available from 
ftp://ftp.kde.org/pub/kde/security_patches :

        0e0da738b276567e9ee36aa824e86124  post-2.2.2-kdelibs-kssl.diff


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux dell 2.4.18-bf2.4 #1 Fri Jun 7 06:12:37 UTC 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages kdelibs3-crypto depends on:
pn  kdelibs3                                 Not found.
ii  libc6                        2.2.5-14    GNU C Library: Shared libraries an
ii  libssl0.9.6                  0.9.6g-2    SSL shared libraries
ii  libstdc++2.10-glibc2.2       1:2.95.4-11 The GNU stdc++ library
ii  zlib1g                       1:1.1.4-3   compression library - runtime

-- no debconf information
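The basicConstraints check that the advisory above describes, as an added example (not from the bug report, the KDE advisory or the kdelibs package): a shell regression test that uses the openssl command-line tool to build a root CA, an ordinary end-entity certificate issued by it, and a third certificate signed with the end-entity key, then checks that `openssl verify` accepts the legitimate certificate and rejects the chain whose issuer lacks CA:TRUE. All subject names and file names are constructed; a validator with the advisory's defect would accept the second chain.

```shell
#!/bin/sh
# Added example, not part of the bug report or the advisory: regression check
# that a certificate validator enforces the X.509 basicConstraints extension.
# Subject names and file names below are constructed for this example.
set -e

# Build three certificates in a scratch directory and print its path:
#   root.crt  self-signed, basicConstraints CA:TRUE
#   ee.crt    end-entity certificate (CA:FALSE) issued by root
#   rogue.crt signed with ee's key, although ee is not authorised to issue
build_test_chain() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext
    # root CA
    openssl genrsa -out root.key 2048
    openssl req -new -key root.key -subj "/CN=Constructed Test Root" -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt
    # legitimate end-entity certificate
    openssl genrsa -out ee.key 2048
    openssl req -new -key ee.key -subj "/CN=legit.example" -out ee.csr
    openssl x509 -req -in ee.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 1 -extfile ee.ext -out ee.crt
    # certificate signed by a key whose own certificate says CA:FALSE
    openssl genrsa -out rogue.key 2048
    openssl req -new -key rogue.key -subj "/CN=victim.example" -out rogue.csr
    openssl x509 -req -in rogue.csr -CA ee.crt -CAkey ee.key -CAcreateserial \
      -days 1 -extfile ee.ext -out rogue.crt
  ) >/dev/null 2>&1
  echo "$dir"
}

# Returns 0 when the validator accepts ee.crt and rejects rogue.crt, i.e. when
# basicConstraints is enforced; returns 1 if the rogue chain is accepted,
# which is the behaviour the advisory describes.
check_basic_constraints_enforced() {
  dir=$(build_test_chain)
  if ! openssl verify -CAfile "$dir/root.crt" "$dir/ee.crt" >/dev/null 2>&1; then
    echo "unexpected: legitimate end-entity certificate rejected" >&2
    rm -rf "$dir"
    return 1
  fi
  if openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/ee.crt" \
       "$dir/rogue.crt" >/dev/null 2>&1; then
    echo "FAIL: chain through an issuer without CA:TRUE was accepted" >&2
    rm -rf "$dir"
    return 1
  fi
  rm -rf "$dir"
  echo "OK: issuer without CA:TRUE rejected"
  return 0
}

check_basic_constraints_enforced
```

The same pair of chains can be fed to any other TLS client or library under test; the property to assert is always the same: the end-entity certificate verifies, the certificate issued by a non-CA does not.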


---------------------------------------
Received: (at 157255-done) by bugs.debian.org; 17 Sep 2002 12:55:41 +0000
>From [EMAIL PROTECTED] Tue Sep 17 07:55:41 2002
Return-path: <[EMAIL PROTECTED]>
Received: from cpe-203-51-26-119.nsw.bigpond.net.au (purcell.homeip.net) [203.51.26.119] (mail)
        by master.debian.org with esmtp (Exim 3.12 1 (Debian))
        id 17rHtE-0002fe-00; Tue, 17 Sep 2002 07:55:41 -0500
Received: from [192.168.3.15] (helo=dell.purcell.homeip.net ident=msp)
        by purcell.homeip.net with esmtp (Exim 3.35 #1 (Debian))
        id 17rHsw-0000Lj-00
        for <[EMAIL PROTECTED]>; Tue, 17 Sep 2002 22:55:22 +1000
From: Mark Purcell <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: fixed in kdelibs (4:2.2.2-14) unstable
Date: Tue, 17 Sep 2002 22:54:41 +1000
User-Agent: KMail/1.4.6
Organization: Debian GNU/Linux
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]



kdelibs (4:2.2.2-14) unstable; urgency=low

  * And a quick update to send it to unstable; no changes from -13.woody.3.

 -- Daniel Stone <[EMAIL PROTECTED]>  Wed, 11 Sep 2002 22:29:31 +1000

kdelibs (4:2.2.2-13.woody.3) stable-security; urgency=high

  * Sigh. Another DSA.
  * Fixes cross-site scripting vulnerability in KHTML.

 -- Daniel Stone <[EMAIL PROTECTED]>  Wed, 11 Sep 2002 22:24:35 +1000

kdelibs (4:2.2.2-13.woody.2) stable-security; urgency=high

  * Non-maintainer upload by security team
  * Security upload to fix SSL problems with Konqueror.
  * Fix local denial of service attack with aRts. This is NOT a local root
    vulnerability, just a stupid, over-excited skript kiddie wanting propz
    off SecurityFocus. *sigh*. (closes: #152211)
  * Adjusted Build-Depends (i.e. added libstdc++2.10-dev/libstdc++3-dev and g++)
  * Removed setuid bits for artswrapper from lintian overrides
  * Added sanity checks to artswrapper so open(), fopen() etc. never
    return file descriptors 1 or 2 (reserved for stdout and stderr)
  * Applied upstream patch to avoid a local denial of service (hence not
    raising the nice level)
  * Don't install artswrap setuid root anymore because of the above

 -- Martin Schulze <[EMAIL PROTECTED]>  Fri, 16 Aug 2002 18:46:10 +0200

