Bug 128462

Summary: CAN-2004-0721 Konqueror frame injection spoofing
Product: Red Hat Enterprise Linux 3 Reporter: Mark J. Cox <mjc>
Component: kdelibsAssignee: Than Ngo <than>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: bressers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-04 15:28:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
post-3.0.5b-kdebase-htmlframes.patch
none
post-3.0.5b-kdelibs-htmlframes.patch
none
post-3.1.5-kdebase-htmlframes.patch
none
post-3.1.5-kdelibs-htmlframes.patch
none
post-3.2.3-kdebase-htmlframes.patch
none
post-3.2.3-kdelibs-htmlframes.patch none

Description Mark J. Cox 2004-07-23 08:12:01 UTC 
Konqueror does not properly prevent a frame in one domain from
injecting content into a frame that belongs to another domain, which
facilitates web site spoofing and other attacks, aka the frame
injection vulnerability.

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

        CAN-2004-0721 Affects: 3AS 3ES 3WS 3Desktop
        CAN-2004-0721 Maybe Affects: 2.1AS 2.1AW 2.1ES 2.1WS

As found Jul01
Comment 1 Than Ngo 2004-08-02 13:45:03 UTC 
it's kdelibs. i assign it to correct component
Comment 2 Josh Bressers 2004-08-04 12:47:15 UTC 
This issue does affect RHEL2.1.
Comment 3 Josh Bressers 2004-08-09 20:41:58 UTC 
Created attachment 102541 [details]
post-3.0.5b-kdebase-htmlframes.patch

These are the lastest round of patches that fix some issues upstream discovered
with the old patches.
Comment 4 Josh Bressers 2004-08-09 20:42:25 UTC 
Created attachment 102542 [details]
post-3.0.5b-kdelibs-htmlframes.patch
Comment 5 Josh Bressers 2004-08-09 20:43:01 UTC 
Created attachment 102543 [details]
post-3.1.5-kdebase-htmlframes.patch
Comment 6 Josh Bressers 2004-08-09 20:43:40 UTC 
Created attachment 102544 [details]
post-3.1.5-kdelibs-htmlframes.patch
Comment 7 Josh Bressers 2004-08-09 20:44:27 UTC 
Created attachment 102545 [details]
post-3.2.3-kdebase-htmlframes.patch
Comment 8 Josh Bressers 2004-08-09 20:44:55 UTC 
Created attachment 102546 [details]
post-3.2.3-kdelibs-htmlframes.patch
Comment 9 Than Ngo 2004-08-13 16:28:35 UTC 
kdelibs/kdebase are already built for RHEL3/2.1AS
Comment 10 Josh Bressers 2004-10-04 15:28:46 UTC 
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-412.html
Comment 11 John Newbigin 2004-10-05 00:26:08 UTC 
Should there be an ERRATA for RHEL2.1AS?  For all other EL versions
there is kdebase & kdelibs.  2.1AS only has kdelibs.
Comment 12 Josh Bressers 2004-10-05 13:39:04 UTC 
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-412.html
Comment 13 Josh Bressers 2004-10-05 13:45:49 UTC 
The missing files should be available now.  Thanks for catching that.