From: Preston Brown <pbrownat_private>

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          KDE update for Red Hat Linux 6.0
Advisory ID:       RHSA-1999:015-01
Issue date:        1999-06-21
Keywords:          kde kdm kvt kmail 1.1.1
- ---------------------------------------------------------------------

1. Topic:

New KDE RPMs are available for Red Hat Linux 6.0. These RPMs upgrade
the 1.1.1pre2 release to 1.1.1 final plus fixes. Several security
holes have been closed, and other bugs noted in the original RPMs have
been corrected.

2. BugIDs fixed:

2877
3433

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Intel:
ftp://updates.redhat.com/6.0/i386/
kdeadmin-1.1.1-1.i386.rpm
kdebase-1.1.1-1.i386.rpm
kdegames-1.1.1-1.i386.rpm
kdegraphics-1.1.1-1.i386.rpm
kdelibs-1.1.1-1.i386.rpm
kdemultimedia-1.1.1-1.i386.rpm
kdenetwork-1.1.1-1.i386.rpm
kdesupport-1.1.1-1.i386.rpm
kdetoys-1.1.1-1.i386.rpm
kdeutils-1.1.1-1.i386.rpm
korganizer-1.1.1.i386.rpm
kpilot-3.1b9-1.i386.rpm

Alpha:
ftp://updates.redhat.com/6.0/alpha/
kdeadmin-1.1.1-1.alpha.rpm
kdebase-1.1.1-1.alpha.rpm
kdegames-1.1.1-1.alpha.rpm
kdegraphics-1.1.1-1.alpha.rpm
kdelibs-1.1.1-1.alpha.rpm
kdemultimedia-1.1.1-1.alpha.rpm
kdenetwork-1.1.1-1.alpha.rpm
kdesupport-1.1.1-1.alpha.rpm
kdetoys-1.1.1-1.alpha.rpm
kdeutils-1.1.1-1.alpha.rpm
korganizer-1.1.1.alpha.rpm
kpilot-3.1b9-1.alpha.rpm

Sparc:
ftp://updates.redhat.com/6.0/sparc
kdeadmin-1.1.1-1.sparc.rpm
kdebase-1.1.1-1.sparc.rpm
kdegames-1.1.1-1.sparc.rpm
kdegraphics-1.1.1-1.sparc.rpm
kdelibs-1.1.1-1.sparc.rpm
kdemultimedia-1.1.1-1.sparc.rpm
kdenetwork-1.1.1-1.sparc.rpm
kdesupport-1.1.1-1.sparc.rpm
kdetoys-1.1.1-1.sparc.rpm
kdeutils-1.1.1-1.sparc.rpm
korganizer-1.1.1.sparc.rpm
kpilot-3.1b9-1.sparc.rpm

7. Problem description:

Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release
available at the time we went into production. There were a number of
configuration and security bugs in the original packages.

kmail, the KDE mail reader, had a bug related to decoding MIME
attachments in an unsafe manner. Attachments were written to a
temporary directory under an easily predictable filename. This could
then be exploited, via a symlink attack, to overwrite arbitrary files
owned by the person using kmail.

8. Solution:

Upgrade to KDE 1.1.1 final, which fixes a number of bugs present in
the previous release and contains additional patches to correct
security holes in kmail and kvt.

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

These packages are PGP signed by Red Hat Inc. for security. Our key
is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:

http://www.geek-girl.com/bugtraq/1999_2/0685.html
This URL describes the kmail security hole.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN2+dVtLHqShaOYAxAQF6XAQAqNuA491aBD2rL9ubjMd1iKZCA9wSUzNm
BRZ5akb7ZZZQQStIkTAxyODnNlVlnfO0TYHJ+AwAVo76oM5Kdzq1R51BP+PTxev3
C+Unppug5NkUMB+DOt4Cr/jB+u5VvSIBK/s33/SjdUUWupHIesOf6mi7F27f/Lix
yApeMatgLcE=
=lU2O
-----END PGP SIGNATURE-----

---
Preston Brown
Red Hat, Inc.
pbrownat_private
PGP public key: http://www.redhat.com/~pbrown/pbrown-pgp-pubkey.txt
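The kmail bug described in section 7 is the classic predictable-temp-file pattern. The C program below is an added illustration written for this page, not kmail's or Red Hat's code: it places the unsafe pattern (a guessable path opened with O_TRUNC through an open() that follows symlinks) beside two hardened openers, one that keeps a fixed name but refuses any pre-existing entry with O_EXCL|O_NOFOLLOW, and one that uses mkstemp() so the name cannot be guessed at all. It assumes a POSIX system with a writable /tmp; the attachment name report.doc, the scratch directory and the "victim" file in the demo functions are constructed for the example.

```c
/* Added example (not kmail's or Red Hat's code): the predictable-name
   temp-file pattern from the advisory, next to two hardened forms.
   Assumes POSIX and a writable /tmp; names used in the demos are made up. */
#define _GNU_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PATH_MAX_LEN 4096

/* Unsafe pattern (shown for contrast only, never called here): a fixed,
   guessable path and an open() that follows symlinks and truncates. If a
   link already sits at this path, the write lands on the link's target. */
int open_attachment_unsafe(const char *dir, const char *name)
{
    char path[PATH_MAX_LEN];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, same fixed name: O_EXCL makes the create fail if anything is
   already at the path (a symlink included, wherever it points) and
   O_NOFOLLOW refuses a symlink at the final component outright.
   Returns -1 with errno set (EEXIST for a pre-planted entry). */
int open_attachment_excl(const char *dir, const char *name)
{
    char path[PATH_MAX_LEN];
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened and unpredictable: mkstemp() replaces XXXXXX with random
   characters and opens with O_CREAT|O_EXCL itself, so the name cannot be
   guessed ahead of time and an existing entry is never followed. */
int open_attachment_tmp(const char *dir, char *out_path, size_t out_len)
{
    int n = snprintf(out_path, out_len, "%s/kmail-attach.XXXXXX", dir);
    if (n < 0 || (size_t)n >= out_len) { errno = ENAMETOOLONG; return -1; }
    return mkstemp(out_path);
}

/* Demo: inside a private scratch directory, a symlink sits at the
   predictable name; the hardened opener must refuse it with EEXIST and the
   file the link points at must be left untouched. Returns 1 on success. */
int demo_planted_link_is_refused(void)
{
    char dir[] = "/tmp/advdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char victim[PATH_MAX_LEN], link[PATH_MAX_LEN];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/report.doc", dir);

    FILE *f = fopen(victim, "w");                 /* constructed victim file */
    if (!f) return 0;
    fputs("original contents\n", f);
    fclose(f);
    if (symlink(victim, link) != 0) return 0;     /* pre-existing link at the name */

    int fd = open_attachment_excl(dir, "report.doc");
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);

    char buf[64] = {0};                           /* victim must be unchanged */
    f = fopen(victim, "r");
    if (!f) return 0;
    fgets(buf, sizeof buf, f);
    fclose(f);
    int intact = (strcmp(buf, "original contents\n") == 0);

    unlink(link); unlink(victim); rmdir(dir);
    return refused && intact;
}

/* Demo: two mkstemp()-based attachments get distinct, non-guessable names. */
int demo_tmp_names_are_unique(void)
{
    char dir[] = "/tmp/advdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char p1[PATH_MAX_LEN], p2[PATH_MAX_LEN];
    int fd1 = open_attachment_tmp(dir, p1, sizeof p1);
    int fd2 = open_attachment_tmp(dir, p2, sizeof p2);
    int ok = fd1 >= 0 && fd2 >= 0 && strcmp(p1, p2) != 0;
    if (fd1 >= 0) { close(fd1); unlink(p1); }
    if (fd2 >= 0) { close(fd2); unlink(p2); }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("planted link refused: %s\n", demo_planted_link_is_refused() ? "yes" : "no");
    printf("tmp names unique:     %s\n", demo_tmp_names_are_unique() ? "yes" : "no");
    return 0;
}
```

The fixed-name variant is the smaller change to an existing code base, but it only turns the overwrite into a denial of service (the save fails while the planted entry exists); mkstemp() removes the race entirely because the name is not known in advance. Either way the directory should be one the user owns with mode 0700 rather than a world-writable /tmp.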