Executive Summary
Summary | |
---|---|
Title | New kdelibs packages fix several vulnerabilities |
Informations | |||
---|---|---|---|
Name | DSA-155 | First vendor Publication | 2002-08-17 |
Vendor | Debian | Last vendor Modification | 2002-08-17 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Due to a security engineering oversight, the SSL library from KDE, which Konqueror uses, doesn't check whether an intermediate certificate for a connection is signed by the certificate authority as safe for the purpose, but accepts it when it is signed. This makes it possible for anyone with a valid VeriSign SSL site certificate to forge any other VeriSign SSL site certificate, and abuse Konqueror users. A local root exploit using artsd has been discovered which exploited an insecure use of a format string. The exploit wasn't working on a Debian system since artsd wasn't running setuid root. Neither artsd nor artswrapper need to be setuid root anymore since current computer systems are fast enuogh to handle the audio data in time. Theese problems have been fixed in version 2.2.2-13.woody.2 for the current stable stable distribution (woody). The old stable distribution (potato) is not affected, since it doesn't contain KDE packages. The unstable distribution (sid) is not yet fixed, but new packages are expected in the future, the fixed version will be version 2.2.2-14 or higher. We recommend that you upgrade your kdelibs and libarts packages and restart Konquerer. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody |
Original Source
Url : http://www.debian.org/security/2002/dsa-155 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 4 | |
Os | 4 |
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 155-1 (kdelibs) File : nvt/deb_155_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
59566 | KDE Konqueror CA Certificate Basic Constraints Verification Weakness |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-01-04 | Name : The remote server is affected by a certificate validation vulnerability. File : openssl_0_9_7.nasl - Type : ACT_GATHER_INFO |
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-155.nasl - Type : ACT_GATHER_INFO |
2004-07-31 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2002-058.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2002-221.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2003-003.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:27:32 |
|