
Date: Thu, 24 Jun 1999 15:08:49 -0500
From: yocum@fnal.gov
To: wolff@BitWizard.nl
Subject: [linux-security] Forw: [RHSA-1999:015-01] KDE update for Red Hat Linux 6.0


Rogier,

Until we get the list problem solved I'll just forward on the security notices 
directly to you.

Cheers,
Dan

___________________________________________________________________________
Dan Yocum                       | Phone:  (630) 840-8525
Linux/Unix System Administrator | Fax:    (630) 840-6345
Computing Division  OSS/FSS     | email:  yocum@fnal.gov            .~.   L
Fermi National Accelerator Lab  | WWW:    www-oss.fnal.gov/~yocum/  /V\   I
P.O. Box 500                    |                                  // \\  N
Batavia, IL  60510              |      "TANSTAAFL"                /(   )\ U
________________________________|_________________________________ ^`~'^__X_


------- Forwarded Message

Return-Path: redhat-watch-list-request@redhat.com
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
	by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id OAA08361
	for <yocum@sapphire.fnal.gov>; Tue, 22 Jun 1999 14:32:45 -0500
Received: (qmail 20814 invoked by uid 501); 22 Jun 1999 20:26:38 -0000
Resent-Date: 22 Jun 1999 20:26:38 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From redhat-watch-list-request@redhat.com  Tue Jun 22 16:26:37 1999
X-Authentication-Warning: dionysus.devel.redhat.com: pbrown owned process 
doing -bs
Date: Tue, 22 Jun 1999 10:30:34 -0400 (EDT)
From: Preston Brown <pbrown@redhat.com>
X-Sender: pbrown@dionysus.devel.redhat.com
To: redhat-watch-list@redhat.com
Subject: [RHSA-1999:015-01] KDE update for Red Hat Linux 6.0
Message-ID: <Pine.LNX.4.10.9906221028060.24467-100000@dionysus.devel.redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved: djb@redhat.com
Resent-Message-ID: <"Yf46Z1.0.h35.z5_Rt"@lists.redhat.com>
Resent-From: redhat-watch-list@redhat.com
Reply-To: redhat-watch-list@redhat.com
X-Mailing-List: <redhat-watch-list@redhat.com> archive/latest/36
X-Loop: redhat-watch-list@redhat.com
Precedence: list
Resent-Sender: redhat-watch-list-request@redhat.com
X-URL: http://www.redhat.com

- -----BEGIN PGP SIGNED MESSAGE-----

- - ---------------------------------------------------------------------
		   Red Hat, Inc. Security Advisory

Synopsis:		KDE update for Red Hat Linux 6.0
Advisory ID:		RHSA-1999:015-01
Issue date:		1999-06-21
Keywords:		kde kdm kvt kmail 1.1.1 
- - ---------------------------------------------------------------------

1. Topic:

New KDE RPMs are available for Red Hat Linux 6.0.  These RPMs upgrade
the 1.1.1pre2 release to 1.1.1 final + fixes.  Several security holes
have been closed, and other bugs noted in the original RPMs have been
corrected.

2. BugIDs fixed:

2877 3433 

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Intel: ftp://updates.redhat.com/6.0/i386/

kdeadmin-1.1.1-1.i386.rpm
kdebase-1.1.1-1.i386.rpm
kdegames-1.1.1-1.i386.rpm
kdegraphics-1.1.1-1.i386.rpm
kdelibs-1.1.1-1.i386.rpm
kdemultimedia-1.1.1-1.i386.rpm
kdenetwork-1.1.1-1.i386.rpm
kdesupport-1.1.1-1.i386.rpm
kdetoys-1.1.1-1.i386.rpm
kdeutils-1.1.1-1.i386.rpm
korganizer-1.1.1.i386.rpm
kpilot-3.1b9-1.i386.rpm

Alpha: ftp://updates.redhat.com/6.0/alpha/

kdeadmin-1.1.1-1.alpha.rpm
kdebase-1.1.1-1.alpha.rpm
kdegames-1.1.1-1.alpha.rpm
kdegraphics-1.1.1-1.alpha.rpm
kdelibs-1.1.1-1.alpha.rpm
kdemultimedia-1.1.1-1.alpha.rpm
kdenetwork-1.1.1-1.alpha.rpm
kdesupport-1.1.1-1.alpha.rpm
kdetoys-1.1.1-1.alpha.rpm
kdeutils-1.1.1-1.alpha.rpm
korganizer-1.1.1.alpha.rpm
kpilot-3.1b9-1.alpha.rpm

Sparc: ftp://updates.redhat.com/6.0/sparc

kdeadmin-1.1.1-1.sparc.rpm
kdebase-1.1.1-1.sparc.rpm
kdegames-1.1.1-1.sparc.rpm
kdegraphics-1.1.1-1.sparc.rpm
kdelibs-1.1.1-1.sparc.rpm
kdemultimedia-1.1.1-1.sparc.rpm
kdenetwork-1.1.1-1.sparc.rpm
kdesupport-1.1.1-1.sparc.rpm
kdetoys-1.1.1-1.sparc.rpm
kdeutils-1.1.1-1.sparc.rpm
korganizer-1.1.1.sparc.rpm
kpilot-3.1b9-1.sparc.rpm

7. Problem description:

Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release
available at the time we went into production.  There were a number of
configuration and security bugs in the original packages.

kmail, the kde mail reader, had a bug related to decoding mime
attachments in an unsafe manner.  Attachments were written using an
easily predictable filename to a temporary directory.  This could
then be exploited to overwrite arbitrary files owned by the
person using kmail via a symlink attack.

8. Solution:

Upgrade to KDE 1.1.1 final, which fixes a number of bugs present in
the previous release and contains additional patches to correct
security holes in kmail and kvt.

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

These packages are PGP signed by Red Hat Inc. for security.  Our key
is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig  <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:

http://www.geek-girl.com/bugtraq/1999_2/0685.html

This URL describes the kmail security hole.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

- -----END PGP SIGNATURE-----

- ---
  Preston Brown
  Red Hat, Inc.
  pbrown@redhat.com
  PGP public key: http://www.redhat.com/~pbrown/pbrown-pgp-pubkey.txt



- -- 
         To unsubscribe: mail redhat-watch-list-request@redhat.com with 
                       "unsubscribe" as the Subject.


------- End of Forwarded Message

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
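
The predictable-filename problem described in section 7 of the advisory above, as an added example that is not part of the advisory or of KDE's code: the attachment temp file is created with O_CREAT|O_EXCL (or, better, under a random name from mkstemp), and a self-check confirms that a pre-planted symlink at the predictable name is refused and its target left untouched. The function names, the /tmp demo directory and the "attach-XXXXXX" template are assumptions of this example.

```c
/* Added example (not from the advisory or KDE): symlink-safe attachment temp files. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fixed-name variant: O_EXCL makes open() fail with EEXIST if anything
 * (a planted symlink included) already sits at dir/name, and O_NOFOLLOW
 * refuses symlinks outright. Returns an fd or -1 with errno set. */
int open_attachment_excl(const char *dir, const char *name)
{
    char path[4096];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred variant: unpredictable name from mkstemp(), which itself opens
 * with O_CREAT|O_EXCL and mode 0600. Fills out_path, returns an fd or -1. */
int open_attachment_random(const char *dir, char *out_path, size_t out_len)
{
    if (snprintf(out_path, out_len, "%s/attach-XXXXXX", dir) >= (int)out_len)
        return -1;
    return mkstemp(out_path);
}

/* Self-check in a private directory: plant a symlink at the predictable name
 * (constructed stand-in for the attack the advisory describes), confirm the
 * exclusive open refuses it and the target keeps its contents, then confirm
 * the random-name open succeeds. Returns 0 on pass, else the failing step. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/kmail-demo-XXXXXX", victim[4200], lnk[4200], rnd[4200];
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/attachment.txt", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep", 4) != 4 || close(v) != 0) return 2;
    if (symlink(victim, lnk) != 0) return 3;
    if (open_attachment_excl(dir, "attachment.txt") != -1 || errno != EEXIST)
        return 4;                                  /* planted link was refused */
    if (stat(victim, &st) != 0 || st.st_size != 4) return 5;   /* untouched */
    int rfd = open_attachment_random(dir, rnd, sizeof rnd);
    if (rfd < 0 || close(rfd) != 0) return 6;
    unlink(rnd); unlink(lnk); unlink(victim); rmdir(dir);
    return 0;
}
```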