Security Advisory kdelibs security update

Advisory: RHSA-2004:074-06
Type: Security Advisory
Severity: Important
Issued on: 2004-03-10
Last updated on: 2004-03-10
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
CVEs (cve.mitre.org): CVE-2003-0592

Details

Updated kdelibs packages that fix a flaw in cookie path handling are now
available.

Konqueror is a file manager and Web browser for the K Desktop Environment
(KDE).

Flaws have been found in the cookie path handling between a number of Web
browsers and servers. The HTTP cookie standard allows a Web server
supplying a cookie to a client to specify a subset of URLs on the origin
server to which the cookie applies. Web servers such as Apache do not
filter returned cookies and assume that the client will only send back
cookies for requests that fall within the server-supplied subset of URLs.
However, by supplying URLs that use path traversal (/../) and character
encoding, it is possible to fool many browsers into sending a cookie to a
path outside of the originally-specified subset.

KDE version 3.1.3 and later include a patch to Konqueror that disables the
sending of cookies to the server if the URL contains such encoded
traversals. Red Hat Enterprise Linux 2.1 shipped with KDE 2.2.2 and
is therefore vulnerable to this issue.
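As an added illustration (not part of the advisory, and not kdelibs code), the following Python puts the naive raw-path prefix match the advisory describes beside a hardened check that, like the KDE 3.1.3 patch, refuses to send a cookie when the request URL contains a traversal, including percent-encoded and double-encoded forms. The function names, the boundary rule borrowed from RFC 6265's path-match definition, and the three-round decoding bound are the example's own assumptions; the cookie path and request paths are constructed sample input.

```python
# Added example (not from the advisory or kdelibs): cookie path-scope check,
# naive form beside the hardened form.
from urllib.parse import unquote


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Path-match rule as in RFC 6265 section 5.1.4 (assumed here): the request
    path equals the cookie path, or has it as a prefix ending on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def naive_cookie_applies(cookie_path: str, request_path: str) -> bool:
    """Match on the raw, still percent-encoded request path. A request for
    /app1/..%2Fapp2/ passes because it textually starts with /app1/, even
    though the origin server resolves it to /app2/ (the flaw the advisory describes)."""
    return path_matches(cookie_path, request_path)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded traversal such as %252e%252e is exposed as well.
    The bound of three rounds is an arbitrary assumption."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def contains_traversal(request_path: str) -> bool:
    """True when any decoded path segment is '..' (a backslash is treated as a
    separator too, since some servers accept it)."""
    decoded = fully_decode(request_path)
    return ".." in decoded.replace("\\", "/").split("/")


def hardened_cookie_applies(cookie_path: str, request_path: str) -> bool:
    """Mirror of the KDE 3.1.3 behaviour: send no cookie at all when the URL
    carries traversal; otherwise apply the path rule to the decoded path."""
    if contains_traversal(request_path):
        return False
    return path_matches(cookie_path, fully_decode(request_path))


if __name__ == "__main__":
    # Constructed sample: cookie scoped to /app1/, four candidate request paths.
    cookie_path = "/app1/"
    for req in ("/app1/page", "/app1/..%2Fapp2/", "/app1/%2e%2e/app2/", "/app2/page"):
        print(f"{req:22} naive={naive_cookie_applies(cookie_path, req)!s:5} "
              f"hardened={hardened_cookie_applies(cookie_path, req)}")
```

Running the block prints one line per sample path; the encoded-traversal paths are accepted by the naive check and rejected by the hardened one, while an in-scope path and an out-of-scope path are handled identically by both.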

Users of Konqueror are advised to upgrade to these erratum packages, which
contain a backported patch for this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.
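As an added example (not from the advisory or from Red Hat's tooling), the Python below gates the rpm -Fvh step on the MD5 values listed for each package and on rpm's own signature check, so that a tampered or truncated download is never handed to rpm. The manifest format (md5sum -c layout, "<md5>  <filename>" per line), the function names and the directory argument are the example's assumptions; the one manifest line embedded is copied from the IA-32 kdelibs entry below, and any other packages must be added from the listing for your architecture.

```python
# Added example (not from the advisory): verify package checksums and
# signatures before freshening with "rpm -Fvh".
import hashlib
import os
import subprocess

# Manifest in md5sum -c layout. The line here is taken from the advisory's
# IA-32 listing; add the remaining packages for your architecture.
EXAMPLE_MANIFEST = """\
0ee66509b9a38c09391023ebd6ac30e8  kdelibs-2.2.2-10.i386.rpm
"""


def parse_manifest(text: str) -> dict:
    """Map filename -> expected MD5 hex digest; malformed or blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        entries[parts[1]] = parts[0].lower()
    return entries


def md5_of_file(path: str) -> str:
    """Hex MD5 of a file, read in chunks so large RPMs are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(text: str, directory: str) -> list:
    """Return the filenames that are missing from the directory or whose MD5
    does not match the manifest; an empty list means every package checked out."""
    failed = []
    for name, expected in parse_manifest(text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or md5_of_file(path) != expected:
            failed.append(name)
    return failed


def apply_update(text: str, directory: str) -> bool:
    """Freshen only the packages that pass both the MD5 and the GPG check."""
    failed = verify_manifest(text, directory)
    if failed:
        print("not updating; checksum verification failed for:", ", ".join(failed))
        return False
    paths = [os.path.join(directory, name) for name in parse_manifest(text)]
    # "rpm --checksig" verifies the vendor GPG signature; the Red Hat key must
    # already be imported (see the key link at the end of the advisory).
    if subprocess.run(["rpm", "--checksig", *paths]).returncode != 0:
        print("not updating; signature check failed")
        return False
    # -F (freshen) upgrades only packages that are already installed, as the
    # advisory describes.
    return subprocess.run(["rpm", "-Fvh", *paths]).returncode == 0


if __name__ == "__main__":
    # Assumed download location; adjust to wherever the RPMs were saved.
    apply_update(EXAMPLE_MANIFEST, ".")
```

verify_manifest is kept separate from apply_update so the checksum step can be run (and unit-tested) on a machine without rpm; only apply_update shells out.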

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
kdelibs-2.2.2-10.src.rpm
File outdated by:  RHSA-2006:0720
    MD5: 569378266546fb3aa833e3052f983917
 
IA-32:
arts-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 8781f1ac18fe2813d02d68c7400e473f
kdelibs-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 0ee66509b9a38c09391023ebd6ac30e8
kdelibs-devel-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: c78b1cfb2e706eb2f5e72a28b082a721
kdelibs-sound-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: fcef6a959c6e6160a4c7aad50de9febc
kdelibs-sound-devel-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 67c63b68c11a0e405119bba4abeba065
 
IA-64:
arts-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: 4df427579dfeece2d72c6b231b5ae2c8
kdelibs-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: a03eb69624de617a078f121cb21b43b4
kdelibs-devel-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: 5a6c7b7f60be4071cb4d384051484683
kdelibs-sound-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: 78ab2ac813c560892b5036a97afe8522
kdelibs-sound-devel-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: be6b0755d5f4d87b5cbdcb1aecf0c37d
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
kdelibs-2.2.2-10.src.rpm
File outdated by:  RHSA-2006:0720
    MD5: 569378266546fb3aa833e3052f983917
 
IA-32:
arts-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 8781f1ac18fe2813d02d68c7400e473f
kdelibs-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 0ee66509b9a38c09391023ebd6ac30e8
kdelibs-devel-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: c78b1cfb2e706eb2f5e72a28b082a721
kdelibs-sound-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: fcef6a959c6e6160a4c7aad50de9febc
kdelibs-sound-devel-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 67c63b68c11a0e405119bba4abeba065
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
kdelibs-2.2.2-10.src.rpm
File outdated by:  RHSA-2006:0720
    MD5: 569378266546fb3aa833e3052f983917
 
IA-32:
arts-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 8781f1ac18fe2813d02d68c7400e473f
kdelibs-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 0ee66509b9a38c09391023ebd6ac30e8
kdelibs-devel-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: c78b1cfb2e706eb2f5e72a28b082a721
kdelibs-sound-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: fcef6a959c6e6160a4c7aad50de9febc
kdelibs-sound-devel-2.2.2-10.i386.rpm
File outdated by:  RHSA-2006:0720
    MD5: 67c63b68c11a0e405119bba4abeba065
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
kdelibs-2.2.2-10.src.rpm
File outdated by:  RHSA-2006:0720
    MD5: 569378266546fb3aa833e3052f983917
 
IA-64:
arts-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: 4df427579dfeece2d72c6b231b5ae2c8
kdelibs-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: a03eb69624de617a078f121cb21b43b4
kdelibs-devel-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: 5a6c7b7f60be4071cb4d384051484683
kdelibs-sound-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: 78ab2ac813c560892b5036a97afe8522
kdelibs-sound-devel-2.2.2-10.ia64.rpm
File outdated by:  RHSA-2006:0720
    MD5: be6b0755d5f4d87b5cbdcb1aecf0c37d
 

Bugs fixed (see bugzilla for more information)

116805 - CAN-2003-0592 cookie path traversal in Konquerer


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/