[dot] Security: Multiple KDE Security Advisories
Dot Stories
stories at kdenews.org
Mon Dec 13 18:31:26 CET 2004
URL: http://dot.kde.org/1102957275/
From: Waldo Bastian <bastian at kde.org>
Dept: secure-your-shoelaces
Date: Monday 13/Dec/2004, @18:01
Security: Multiple KDE Security Advisories
==========================================
Three security advisories have been issued by the KDE Security Team
[security at kde.org] over the last few days for three distinct
vulnerabilities that have been found in KDE: Plain Text Password
Exposure [http://www.kde.org/info/security/advisory-20041209-1.txt],
KFax libtiff Vulnerabilities
[http://www.kde.org/info/security/advisory-20041209-2.txt] and a
Konqueror Window Injection Vulnerability
[http://www.kde.org/info/security/advisory-20041213-1.txt].

The most serious one is the libtiff vulnerability in KFax. Until
recently KFax included a private copy of libtiff. As a result
KFax has not been able to take advantage of several recent security
fixes in libtiff [http://www.securityfocus.net/advisories/7364]. KFax in
KDE 3.3.2 has been fixed so that it no longer requires a private copy of
libtiff. Due to the complexity of this change there are no source
patches available for older versions; we do expect vendors to provide
fixed KFax packages for older KDE versions, though.

The password exposure vulnerability primarily concerns passwords
for SMB shares, as previously reported by SEC Consult
[http://www.sec-consult.com/index.php?id=118]. The Konqueror window
injection advisory addresses a problem raised by Secunia
[http://secunia.com/advisories/13254/] and reported last week by
Slashdot [http://it.slashdot.org/article.pl?sid=04/12/09/0053205].

An overview of all the KDE security advisories can be found at
http://www.kde.org/info/security/.