Bug 74739 - Vulnerabilities in KDE
Summary: Vulnerabilities in KDE
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: kdelibs
Version: 2.1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: wdovlrrw
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2002-10-01 10:42 UTC by Mark J. Cox
Modified: 2008-05-01 15:38 UTC (History)
CC List: 0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-10-01 10:43:04 UTC
Target Upstream Version:
Embargoed:


Attachments: (none)


Links:
Red Hat Product Errata RHSA-2002:221 (status SHIPPED_LIVE, priority normal, public): Important: kdelibs security update, last updated 2002-10-01 04:00:00 UTC

Description Mark J. Cox 2002-10-01 10:42:58 UTC
The SSL capability for Konqueror in KDE 3.0.2 and earlier does not verify
the Basic Constraints for an intermediate CA-signed certificate, which
allows remote attackers to spoof the certificates of trusted sites via a
man-in-the-middle attack. (CAN-2002-0970)

The cross-site scripting protection for Konqueror in KDE 2.2.2 and 3.0
through 3.0.3 does not properly initialize the domains on sub-frames and
sub-iframes, which can allow remote attackers to execute script and steal
cookies from subframes that are in other domains. (CAN-2002-1151)

Red Hat Advanced Server 2.1 provides KDE version 2.2.2 and is therefore
vulnerable to both these issues.
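The Basic Constraints failure described in this report, as an added example that is not code from KDE, Red Hat or this bug: a stand-alone Python model of certificate chain validation. The names, keys and certificates are constructed for the example, and Lamport one-time signatures over SHA-256 stand in for RSA so that it runs with the standard library alone; the X.509/DER encoding changes nothing about the chain logic that matters here. `verify_chain(..., check_basic_constraints=False)` models the vulnerable behaviour (only the signature chain back to a trusted root is checked, so any certificate the root ever issued can act as a CA); `True` adds the cA check, plus a pathLenConstraint check that goes beyond what the report describes.

```python
"""Chain validation with and without the Basic Constraints (cA) check.
Everything below is constructed for this example: names, keys and certs are
made up, and Lamport one-time signatures over SHA-256 stand in for RSA so the
code needs only the standard library."""
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: every signing key below signs exactly one cert.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = tuple((H(a), H(b)) for a, b in sk)
    return sk, pk

def _bits(msg: bytes) -> List[int]:
    return [int(b) for byte in H(msg) for b in f"{byte:08b}"]

def sign(sk, msg: bytes) -> tuple:
    return tuple(sk[i][bit] for i, bit in enumerate(_bits(msg)))

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool             # basicConstraints cA
    pathlen: Optional[int]  # basicConstraints pathLenConstraint (None = unlimited)
    pubkey: tuple
    signature: tuple = ()

    def tbs(self) -> bytes:
        """Canonical to-be-signed bytes (stand-in for the DER tbsCertificate)."""
        head = f"{self.subject}|{self.issuer}|{self.is_ca}|{self.pathlen}|".encode()
        return head + b"".join(a + b for a, b in self.pubkey)

def issue(issuer: Cert, issuer_sk, subject: str, pubkey, is_ca=False, pathlen=None) -> Cert:
    unsigned = Cert(subject, issuer.subject, is_ca, pathlen, pubkey)
    return Cert(subject, issuer.subject, is_ca, pathlen, pubkey, sign(issuer_sk, unsigned.tbs()))

def make_root(name: str):
    sk, pk = keygen()
    unsigned = Cert(name, name, True, None, pk)
    return sk, Cert(name, name, True, None, pk, sign(sk, unsigned.tbs()))

def verify_chain(chain: List[Cert], roots: Dict[str, Cert],
                 check_basic_constraints: bool) -> Tuple[bool, str]:
    """chain[0] is the end-entity cert, chain[-1] is issued by a trust anchor.
    check_basic_constraints=False reproduces the vulnerable behaviour: any
    certificate whose signature chains to a root is allowed to act as a CA."""
    issuer = roots.get(chain[-1].issuer)
    if issuer is None:
        return False, f"no trust anchor for {chain[-1].issuer}"
    for depth, cert in enumerate(reversed(chain)):   # top-down: issuer signs cert
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name mismatch"
        if not verify(issuer.pubkey, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: bad signature"
        if check_basic_constraints:
            if not issuer.is_ca:
                return False, f"{issuer.subject} is not a CA (cA=false)"
            below = len(chain) - 1 - depth      # intermediates under this issuer
            if issuer.pathlen is not None and below > issuer.pathlen:
                return False, f"{issuer.subject}: pathLenConstraint {issuer.pathlen} exceeded"
        issuer = cert
    return True, f"{chain[0].subject} verified"

def run_demo() -> Dict[str, bool]:
    results = {}
    # 1. Legitimate chain: root -> issuing CA (cA=true, pathlen 0) -> www.bank.example
    root_sk, root = make_root("Example Root CA")
    int_sk, int_pk = keygen()
    inter = issue(root, root_sk, "Example Issuing CA", int_pk, is_ca=True, pathlen=0)
    bank = issue(inter, int_sk, "www.bank.example", keygen()[1])  # leaf keys never sign
    results["legit_hardened"] = verify_chain([bank, inter], {root.subject: root}, True)[0]

    # 2. CAN-2002-0970: attacker holds an ordinary end-entity cert from the same
    #    root and uses that key to "issue" a certificate for the bank.
    root_sk, root = make_root("Example Root CA")
    att_sk, att_pk = keygen()
    attacker = issue(root, root_sk, "attacker.example", att_pk)   # cA=false
    forged = issue(attacker, att_sk, "www.bank.example", keygen()[1])
    results["mitm_vulnerable"] = verify_chain([forged, attacker], {root.subject: root}, False)[0]
    results["mitm_hardened"] = verify_chain([forged, attacker], {root.subject: root}, True)[0]

    # 3. pathLenConstraint: a pathlen-0 issuing CA may not delegate to a sub-CA.
    root_sk, root = make_root("Example Root CA")
    int_sk, int_pk = keygen()
    inter = issue(root, root_sk, "Example Issuing CA", int_pk, is_ca=True, pathlen=0)
    sub_sk, sub_pk = keygen()
    subca = issue(inter, int_sk, "Rogue Sub CA", sub_pk, is_ca=True)
    leaf = issue(subca, sub_sk, "www.bank.example", keygen()[1])
    results["pathlen_hardened"] = verify_chain([leaf, subca, inter], {root.subject: root}, True)[0]
    return results
```

`run_demo()` returns `legit_hardened=True`, `mitm_vulnerable=True`, `mitm_hardened=False` and `pathlen_hardened=False`: the forged www.bank.example chain is accepted by the signature-only verifier and rejected as soon as the issuer's cA flag is consulted. The same structure applies to any verifier: the check belongs on every certificate that is used as an issuer, not only on the one directly beneath the root.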

Comment 1 Ngo Than 2002-10-10 10:48:28 UTC
It's fixed in kdelibs-2.2.2-3, which is still waiting for QA.

