Executive Summary
Summary | |
---|---|
Title | kdelibs security update |
Informations | |||
---|---|---|---|
Name | RHSA-2011:0464 | First vendor Publication | 2011-04-21 |
Vendor | RedHat | Last vendor Modification | 2011-04-21 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated kdelibs packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, noarch, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, noarch, x86_64 3. Description: The kdelibs packages provide libraries for the K Desktop Environment (KDE). A cross-site scripting (XSS) flaw was found in the way KHTML, the HTML layout engine used by KDE applications such as the Konqueror web browser, displayed certain error pages. A remote attacker could use this flaw to perform a cross-site scripting attack against victims by tricking them into visiting a specially-crafted URL. (CVE-2011-1168) A flaw was found in the way kdelibs checked the user specified hostname against the name in the server's SSL certificate. A man-in-the-middle attacker could use this flaw to trick an application using kdelibs into mistakenly accepting a certificate as if it was valid for the host, if that certificate was issued for an IP address to which the user specified hostname was resolved to. (CVE-2011-1094) Note: As part of the fix for CVE-2011-1094, this update also introduces stricter handling for wildcards used in servers' SSL certificates. Users should upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 632114 - CVE-2011-1094 kdelibs: SSL certificate for IP address accepted as valid for hosts that resolve to the IP 695398 - CVE-2011-1168 kdelibs: partially universal XSS in Konqueror error pages |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2011-0464.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13867 | |||
Oval ID: | oval:org.mitre.oval:def:13867 | ||
Title: | USN-1110-1 -- kde4libs vulnerabilities | ||
Description: | kde4libs: KDE 4 core applications An attacker could send crafted input to Konqueror to view sensitive information. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1110-1 CVE-2011-1094 CVE-2011-1168 | Version: | 5 |
Platform(s): | Ubuntu 10.10 Ubuntu 9.10 Ubuntu 10.04 | Product(s): | kde4libs |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21872 | |||
Oval ID: | oval:org.mitre.oval:def:21872 | ||
Title: | RHSA-2011:0464: kdelibs security update (Moderate) | ||
Description: | Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0464-01 CVE-2011-1094 CVE-2011-1168 | Version: | 29 |
Platform(s): | Red Hat Enterprise Linux 6 | Product(s): | kdelibs |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23600 | |||
Oval ID: | oval:org.mitre.oval:def:23600 | ||
Title: | ELSA-2011:0464: kdelibs security update (Moderate) | ||
Description: | Cross-site scripting (XSS) vulnerability in the KHTMLPart::htmlError function in khtml/khtml_part.cpp in Konqueror in KDE SC 4.4.0 through 4.6.1 allows remote attackers to inject arbitrary web script or HTML via the URI in a URL corresponding to an unavailable web site. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0464-01 CVE-2011-1094 CVE-2011-1168 | Version: | 13 |
Platform(s): | Oracle Linux 6 | Product(s): | kdelibs |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27884 | |||
Oval ID: | oval:org.mitre.oval:def:27884 | ||
Title: | DEPRECATED: ELSA-2011-0464 -- kdelibs security update (moderate) | ||
Description: | [6:4.3.4-11.2] - rebase the fix for CVE-2011-1094 [6:4.3.4-11.1] - fixes CVE-2011-1094, CVE-2011-1168 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-0464 CVE-2011-1094 CVE-2011-1168 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | kdelibs |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-06-06 | Name : RedHat Update for kdelibs RHSA-2011:0464-01 File : nvt/gb_RHSA-2011_0464-01_kdelibs.nasl |
2011-05-10 | Name : Ubuntu Update for kde4libs USN-1110-1 File : nvt/gb_ubuntu_USN_1110_1.nasl |
2011-04-22 | Name : Fedora Update for libextractor FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_libextractor_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdemultimedia FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdemultimedia_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdenetwork FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdenetwork_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdepimlibs FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdepimlibs_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdeplasma-addons FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeplasma-addons_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdesdk FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdesdk_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdetoys FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdetoys_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdeutils FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeutils_fc14.nasl |
2011-04-22 | Name : Fedora Update for koffice FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_koffice_fc14.nasl |
2011-04-22 | Name : Fedora Update for kphotoalbum FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kphotoalbum_fc14.nasl |
2011-04-22 | Name : Fedora Update for krename FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_krename_fc14.nasl |
2011-04-22 | Name : Fedora Update for darktable FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_darktable_fc14.nasl |
2011-04-22 | Name : Fedora Update for libgexiv2 FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_libgexiv2_fc14.nasl |
2011-04-22 | Name : Fedora Update for merkaartor FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_merkaartor_fc14.nasl |
2011-04-22 | Name : Fedora Update for oxygen-icon-theme FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_oxygen-icon-theme_fc14.nasl |
2011-04-22 | Name : Fedora Update for pyexiv2 FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_pyexiv2_fc14.nasl |
2011-04-22 | Name : Fedora Update for qtpfsgui FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_qtpfsgui_fc14.nasl |
2011-04-22 | Name : Fedora Update for rawstudio FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_rawstudio_fc14.nasl |
2011-04-22 | Name : Fedora Update for shotwell FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_shotwell_fc14.nasl |
2011-04-22 | Name : Fedora Update for strigi FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_strigi_fc14.nasl |
2011-04-22 | Name : Fedora Update for ufraw FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_ufraw_fc14.nasl |
2011-04-22 | Name : Mandriva Update for kdelibs4 MDVSA-2011:075 (kdelibs4) File : nvt/gb_mandriva_MDVSA_2011_075.nasl |
2011-04-22 | Name : Fedora Update for kdegraphics FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdegraphics_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdelibs FEDORA-2011-5183 File : nvt/gb_fedora_2011_5183_kdelibs_fc13.nasl |
2011-04-22 | Name : Fedora Update for exiv2 FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_exiv2_fc14.nasl |
2011-04-22 | Name : Fedora Update for geeqie FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_geeqie_fc14.nasl |
2011-04-22 | Name : Fedora Update for gipfel FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gipfel_fc14.nasl |
2011-04-22 | Name : Fedora Update for gnome-commander FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gnome-commander_fc14.nasl |
2011-04-22 | Name : Fedora Update for gpscorrelate FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gpscorrelate_fc14.nasl |
2011-04-22 | Name : Fedora Update for gthumb FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_gthumb_fc14.nasl |
2011-04-22 | Name : Fedora Update for hugin FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_hugin_fc14.nasl |
2011-04-22 | Name : Fedora Update for immix FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_immix_fc14.nasl |
2011-04-22 | Name : Fedora Update for kde-l10n FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kde-l10n_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdeaccessibility FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeaccessibility_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdeadmin FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeadmin_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdeartwork FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeartwork_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdebase-runtime FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebase-runtime_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdebase-workspace FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebase-workspace_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdebase FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebase_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdebindings FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdebindings_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdeedu FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdeedu_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdegames FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdegames_fc14.nasl |
2011-04-22 | Name : Fedora Update for kdelibs FEDORA-2011-5200 File : nvt/gb_fedora_2011_5200_kdelibs_fc14.nasl |
2011-04-11 | Name : Mandriva Update for kdelibs4 MDVSA-2011:071 (kdelibs4) File : nvt/gb_mandriva_MDVSA_2011_071.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2011-101-02 kdelibs File : nvt/esoft_slk_ssa_2011_101_02.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
73060 | KDE kdelibs KDE KSSL kio/kio/tcpslavebase.cpp X.509 Certificate Authority (CA... |
71876 | KDE Konqueror khtml/khtml_part.cpp KHTMLPart::htmlError() Function Error Page... KDE Konqueror contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the URL when it is displayed via the error page upon submission to the 'HTMLPart::htmlError()' function in 'khtml/khtml_part.cpp'. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-34.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_kdelibs4-110325.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_kdelibs4-110325.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0464.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110421_kdelibs_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2011-06-13 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1110-1.nasl - Type : ACT_GATHER_INFO |
2011-05-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2011-101-02.nasl - Type : ACT_GATHER_INFO |
2011-05-27 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO |
2011-05-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_kdelibs4-110418.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_kdelibs4-110324.nasl - Type : ACT_GATHER_INFO |
2011-04-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0464.nasl - Type : ACT_GATHER_INFO |
2011-04-22 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2011-5221.nasl - Type : ACT_GATHER_INFO |
2011-04-22 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2011-5200.nasl - Type : ACT_GATHER_INFO |
2011-04-21 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-075.nasl - Type : ACT_GATHER_INFO |
2011-04-11 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-071.nasl - Type : ACT_GATHER_INFO |
2011-04-04 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_kdelibs4-110324.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:54:37 |
|