Mandriva Linux Security Advisory 2010-028 - KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a \\'\\0\\' (NUL) character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. KDE Konqueror allows remote attackers to cause a denial of service (memory consumption) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692. The gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc in FreeBSD 6.4 and 7.2, NetBSD 5.0, and OpenBSD 4.5 allows context-dependent attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a large precision value in the format argument to a printf function, related to an array overrun. The updated packages have been patched to correct these issues.
bcbed668507255178c552af90eaf168b462be20aa49012dc6e3325cff54e5b26
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:028
http://www.mandriva.com/security/
_______________________________________________________________________
Package : kdelibs4
Date : January 27, 2010
Affected: 2010.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities was discovered and corrected in kdelibs4:
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
\'\0\' (NUL) character in a domain name in the Subject Alternative
Name field of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a crafted certificate
issued by a legitimate Certification Authority, a related issue to
CVE-2009-2408 (CVE-2009-2702).
KDE Konqueror allows remote attackers to cause a denial of service
(memory consumption) via a large integer value for the length property
of a Select object, a related issue to CVE-2009-1692 (CVE-2009-2537).
The gdtoa (aka new dtoa) implementation in gdtoa/misc.c in
libc in FreeBSD 6.4 and 7.2, NetBSD 5.0, and OpenBSD 4.5 allows
context-dependent attackers to cause a denial of service (application
crash) or possibly have unspecified other impact via a large precision
value in the format argument to a printf function, related to an
array overrun. (CVE-2009-0689).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.0:
33710e4c127e3f066d4ee4dbb48c489b 2010.0/i586/kdelibs4-core-4.3.2-11.14mdv2010.0.i586.rpm
729ae2fa1575e10820480d0bea2629a1 2010.0/i586/kdelibs4-devel-4.3.2-11.14mdv2010.0.i586.rpm
5c2e90329653954110f1385bc404ea1f 2010.0/i586/libkde3support4-4.3.2-11.14mdv2010.0.i586.rpm
5255f87e774bea4fa38d2fd0397a82bd 2010.0/i586/libkdecore5-4.3.2-11.14mdv2010.0.i586.rpm
e40f53bb3caee308f0ab81d5f091a5db 2010.0/i586/libkdefakes5-4.3.2-11.14mdv2010.0.i586.rpm
e027288fdb8d917f934641ea934432c7 2010.0/i586/libkdesu5-4.3.2-11.14mdv2010.0.i586.rpm
e9ca80075872c1e68ca1f5ddeb9ce2a4 2010.0/i586/libkdeui5-4.3.2-11.14mdv2010.0.i586.rpm
9d9b22a86b5b0684801cf652afb6791a 2010.0/i586/libkdnssd4-4.3.2-11.14mdv2010.0.i586.rpm
b70ed737e0f857d68d9fefb3fad2cfa1 2010.0/i586/libkfile4-4.3.2-11.14mdv2010.0.i586.rpm
27bfe29c5952d58c1eaf2bb130668d2c 2010.0/i586/libkhtml5-4.3.2-11.14mdv2010.0.i586.rpm
a2e2456a104d6085479229bc3edf3370 2010.0/i586/libkimproxy4-4.3.2-11.14mdv2010.0.i586.rpm
b152961f2b3c06134ae0ca2bdabe77b0 2010.0/i586/libkio5-4.3.2-11.14mdv2010.0.i586.rpm
1e8d3dc384c46afb23bb4dace40df5f6 2010.0/i586/libkjs4-4.3.2-11.14mdv2010.0.i586.rpm
64736a9db93696bf4e1658cc9cbed0f5 2010.0/i586/libkjsapi4-4.3.2-11.14mdv2010.0.i586.rpm
fd005b1db52fbe95b163428e9f1edd43 2010.0/i586/libkjsembed4-4.3.2-11.14mdv2010.0.i586.rpm
5eb298a371bb5fc31494856a2cddd3a6 2010.0/i586/libkmediaplayer4-4.3.2-11.14mdv2010.0.i586.rpm
3013d74cdf48c0e6e0c55f8af5bf83a0 2010.0/i586/libknewstuff2_4-4.3.2-11.14mdv2010.0.i586.rpm
2c31f4c0fa71ec35ec5a5f0e68ff4847 2010.0/i586/libknotifyconfig4-4.3.2-11.14mdv2010.0.i586.rpm
361a0aa31fb34f77d99a3b2bcc08d06b 2010.0/i586/libkntlm4-4.3.2-11.14mdv2010.0.i586.rpm
f383eeec52164d5122ea6125b2e9b02f 2010.0/i586/libkparts4-4.3.2-11.14mdv2010.0.i586.rpm
0d8db89b62359ac9fe6c61661987708f 2010.0/i586/libkpty4-4.3.2-11.14mdv2010.0.i586.rpm
9bfd72866126f8fbae7b15af580385d5 2010.0/i586/libkrosscore4-4.3.2-11.14mdv2010.0.i586.rpm
9c5d90d57dbacadd0472c167a3c7a6a5 2010.0/i586/libkrossui4-4.3.2-11.14mdv2010.0.i586.rpm
2fbe8d729b997df8105edf5595e5fc5f 2010.0/i586/libktexteditor4-4.3.2-11.14mdv2010.0.i586.rpm
8396960aaa8c205602b4d48bff64f1cb 2010.0/i586/libkunittest4-4.3.2-11.14mdv2010.0.i586.rpm
a50fa982912201b0785ee37b6e776fc3 2010.0/i586/libkutils4-4.3.2-11.14mdv2010.0.i586.rpm
6caf366e3455479e9d95fee1a1a36bcc 2010.0/i586/libnepomuk4-4.3.2-11.14mdv2010.0.i586.rpm
8250fed72d654f5c61cd9cb4d868e06d 2010.0/i586/libplasma3-4.3.2-11.14mdv2010.0.i586.rpm
a6201c4800f363cba18afdfd8a9fbc15 2010.0/i586/libsolid4-4.3.2-11.14mdv2010.0.i586.rpm
2a6d763d74f0d420429a1943fc8f288b 2010.0/i586/libthreadweaver4-4.3.2-11.14mdv2010.0.i586.rpm
efa77a322ba85ef9fe3382173a73d96f 2010.0/SRPMS/kdelibs4-4.3.2-11.14mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
628c96841b4fe1ae8f60d091fa14f4a8 2010.0/x86_64/kdelibs4-core-4.3.2-11.14mdv2010.0.x86_64.rpm
49b2d3b07b9972a4ce96c7165365877b 2010.0/x86_64/kdelibs4-devel-4.3.2-11.14mdv2010.0.x86_64.rpm
653348d413757079608374479aabf7af 2010.0/x86_64/lib64kde3support4-4.3.2-11.14mdv2010.0.x86_64.rpm
310b1c2d870c6b49b24359ef3f48c5b2 2010.0/x86_64/lib64kdecore5-4.3.2-11.14mdv2010.0.x86_64.rpm
2204c6207c7d9832f1c9b08e44bab933 2010.0/x86_64/lib64kdefakes5-4.3.2-11.14mdv2010.0.x86_64.rpm
ded542c4f600ec4ee9578a84eecba90d 2010.0/x86_64/lib64kdesu5-4.3.2-11.14mdv2010.0.x86_64.rpm
61e898c4a9986d30c9fb5df8cab0c6a2 2010.0/x86_64/lib64kdeui5-4.3.2-11.14mdv2010.0.x86_64.rpm
2c1372cf3ceb6ccc2b576fd2391f265e 2010.0/x86_64/lib64kdnssd4-4.3.2-11.14mdv2010.0.x86_64.rpm
5c9c1bc90773a78df10e0c31b7c415a2 2010.0/x86_64/lib64kfile4-4.3.2-11.14mdv2010.0.x86_64.rpm
154c30e99ce9c2d956fd9bab69a32eb8 2010.0/x86_64/lib64khtml5-4.3.2-11.14mdv2010.0.x86_64.rpm
6b4fd189b0068c859653f1c0a95d169a 2010.0/x86_64/lib64kimproxy4-4.3.2-11.14mdv2010.0.x86_64.rpm
599dbbf7689d9ea31991d6b9ce86e0fa 2010.0/x86_64/lib64kio5-4.3.2-11.14mdv2010.0.x86_64.rpm
2e31f04cb9871f6fa54033281c9fbcfd 2010.0/x86_64/lib64kjs4-4.3.2-11.14mdv2010.0.x86_64.rpm
ba8d5f97e0d2cc07ac379d12160dc710 2010.0/x86_64/lib64kjsapi4-4.3.2-11.14mdv2010.0.x86_64.rpm
dac95aac7d233a11f3b920819d120c96 2010.0/x86_64/lib64kjsembed4-4.3.2-11.14mdv2010.0.x86_64.rpm
3acd8d0df72a1206091397e3f30dc23e 2010.0/x86_64/lib64kmediaplayer4-4.3.2-11.14mdv2010.0.x86_64.rpm
8d45de302d9197e5956f4559523939ce 2010.0/x86_64/lib64knewstuff2_4-4.3.2-11.14mdv2010.0.x86_64.rpm
2218d8ca6ab9c49c5302377cbf3fb6d6 2010.0/x86_64/lib64knotifyconfig4-4.3.2-11.14mdv2010.0.x86_64.rpm
b0f7f7966ecacb227bdf8e5a6f7ec1f4 2010.0/x86_64/lib64kntlm4-4.3.2-11.14mdv2010.0.x86_64.rpm
df1c765779d67ef5ed75259888f1a399 2010.0/x86_64/lib64kparts4-4.3.2-11.14mdv2010.0.x86_64.rpm
13a37eefc1eaf718817ab9d4a61ad0d5 2010.0/x86_64/lib64kpty4-4.3.2-11.14mdv2010.0.x86_64.rpm
77db36915eac2265b955c9730fdc6611 2010.0/x86_64/lib64krosscore4-4.3.2-11.14mdv2010.0.x86_64.rpm
47f9b8a7070adc1028f3b8dcdf14ed26 2010.0/x86_64/lib64krossui4-4.3.2-11.14mdv2010.0.x86_64.rpm
8cd7275deff482953895f7d71f232160 2010.0/x86_64/lib64ktexteditor4-4.3.2-11.14mdv2010.0.x86_64.rpm
5c5b666d4ae0fb58c0d6e012c7522161 2010.0/x86_64/lib64kunittest4-4.3.2-11.14mdv2010.0.x86_64.rpm
d67c086990110f1fac519f7d3948b053 2010.0/x86_64/lib64kutils4-4.3.2-11.14mdv2010.0.x86_64.rpm
c9692f6851972ba9fbc9dd1773891db5 2010.0/x86_64/lib64nepomuk4-4.3.2-11.14mdv2010.0.x86_64.rpm
36674939e5e7ffb36427fbc504e097a8 2010.0/x86_64/lib64plasma3-4.3.2-11.14mdv2010.0.x86_64.rpm
29087c6119008e740c13e4ac48d6a4d0 2010.0/x86_64/lib64solid4-4.3.2-11.14mdv2010.0.x86_64.rpm
775291372adee37558c25d9b0f3e0348 2010.0/x86_64/lib64threadweaver4-4.3.2-11.14mdv2010.0.x86_64.rpm
efa77a322ba85ef9fe3382173a73d96f 2010.0/SRPMS/kdelibs4-4.3.2-11.14mdv2010.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLYAPjmqjQ0CJFipgRAlWCAJ45g7YqrzFHMj4n1CTe7bDmTtElDQCg9tEz
jCRztpSQwDQQjyfD+MvizBM=
=SRaf
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed