Conectiva Linux
CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : kde
SUMMARY : Fixes for multiple KDE security vulnerabilities
DATE : 2005-05-17 09:56:00
ID : CLA-2005:953
RELEVANT RELEASES : 9, 10
DESCRIPTION
KDE[1] is a very popular graphical desktop environment available
for GNU/Linux and other operating systems.
This announcement fixes the following vulnerabilities:
1. Local denial of service vulnerability[2] in DCOP daemon
A local user can lock up the dcopserver of any other user on the
same host by stalling the DCOP authentication process. This can
cause a significant reduction in desktop functionality for the
affected users including, but not limited to, the inability to
browse the internet and the inability to start new
applications.
2. Homograph vulnerability[3] in Konqueror
IDN allows a website to use a wide range of international
characters in its domain name. Unfortunately, some of these
characters have a strong resemblance to other characters, so-called
homographs. This lack of visual difference can be abused by
attackers to trick users into visiting malicious websites that
resemble a well known and trusted website in order to obtain
personal information such as credit card details.
3. Symlink vulnerability[4] in dcopidlng script
The dcopidlng script is vulnerable to symlink attacks, potentially
allowing a local attacker to overwrite arbitrary files of a user
when that user compiles KDE or third party KDE applications that
use the dcopidlng script as part of their build process.
4. Weak input validation vulnerability[5] in kimgio
kimgio contains a PCX image file format reader that does not
properly perform input validation. A source code audit performed by
the KDE security team discovered several vulnerabilities in the PCX
and other image file format readers, some of them exploitable to
execute arbitrary code.
5. Arbitrary code execution vulnerability[6] in Kommander
Kommander executes data files from possibly untrusted locations
without asking the user for confirmation. Because those files
contain scripts, the user might accidentally run arbitrary code.
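The Konqueror item above describes the homograph problem but not how a client could spot a spoofed name. The script below is an added example, not code from KDE, Konqueror or Conectiva: it decodes xn-- labels into the string an address bar would render, flags labels that mix writing systems, and folds confusable letters onto their Latin look-alikes so a name can be compared with the hosts a user actually trusts. The CONFUSABLE_TO_LATIN table is a small hand-picked subset of the Unicode UTS #39 confusables data, and the trusted-host lists and test names are constructed for the demo.

```python
import unicodedata

# Hand-picked subset of the Unicode confusables table (UTS #39), constructed
# for this example: non-Latin letters that render like Latin ones.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04bb": "h",   # Cyrillic с у х һ
    "\u04cf": "l", "\u0456": "i", "\u0458": "j",                  # Cyrillic ӏ і ј
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                  # Greek ο α ν
}


def wire_form(shown_host):
    """Encode a hostname the way a browser puts it on the wire (RFC 3492
    punycode with the 'xn--' prefix), so the demo needs no hand-made labels."""
    labels = []
    for label in shown_host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_shown_form(wire_host):
    """Decode xn-- labels into the string the address bar renders."""
    labels = []
    for label in wire_host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Writing systems used by the letters of a label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue                      # digits and hyphen belong to no script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label):
    """Fold confusable letters onto their Latin look-alikes (UTS #39 style)."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)


def check_host(wire_host, trusted_hosts):
    """Return findings as (kind, detail) tuples.  A mixed-script label is one
    signal; the skeleton comparison also catches whole-script spoofs such as
    an all-Cyrillic 'apple', which no mixed-script rule can see."""
    shown = to_shown_form(wire_host)
    findings = []
    if shown == wire_host.lower():
        return findings                   # pure ASCII: nothing to confuse
    for label in shown.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(("mixed-script", f"{label}: {sorted(scripts)}"))
    folded = ".".join(skeleton(part) for part in shown.split("."))
    for host in trusted_hosts:
        if folded == host.lower() and shown != host.lower():
            findings.append(("confusable", host))
    return findings


if __name__ == "__main__":
    # Constructed spoof: Latin 'paypal' with the second letter replaced by
    # Cyrillic а (U+0430); wire_form() turns it into its xn-- label.
    for kind, detail in check_host(wire_form("www.p\u0430ypal.com"), ["www.paypal.com"]):
        print(kind, detail)
```

A mixed-script rule on its own is not enough: a label written entirely in Cyrillic letters that all resemble Latin ones passes it, which is why the skeleton comparison is the second test. Browsers later moved to display policies built on the full UTS #39 data, per-script and per-TLD rules, which this example only sketches.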
SOLUTION
It is recommended that all users of the KDE desktop, including
those who use another desktop and only use certain KDE components
such as Konqueror, upgrade their KDE packages.
IMPORTANT: in order to close the vulnerabilities, all KDE
applications have to be restarted.
REFERENCES
1.http://www.kde.org
2.http://www.kde.org/info/security/advisory-20050316-1.txt
3.http://www.kde.org/info/security/advisory-20050316-2.txt
4.http://www.kde.org/info/security/advisory-20050316-3.txt
5.http://www.kde.org/info/security/advisory-20050421-1.txt
6.http://www.kde.org/info/security/advisory-20050420-1.txt
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/kdelibs3-3.3.2-63233U10_6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/SRPMS/kdewebdev-3.3.2-72796U10_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdewebdev-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kfilereplace-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kimagemapeditor-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/klinkstatus-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/klinkstatus-help-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kommander-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kommander-help-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kxsldbg-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kxsldbg-help-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/quanta-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/quanta-devel-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/quanta-help-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/quanta-reference-css-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/quanta-reference-html-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/quanta-reference-javascript-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/quanta-reference-php-3.3.2-72796U10_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kde-base-icons-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdelibs-artsinterface-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdelibs-docbook-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdelibs3-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdelibs3-devel-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdelibs3-devel-static-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdetheme-b3-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdetheme-highcolor-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdetheme-light-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdetheme-marble-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdetheme-qt-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdetheme-riscos-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/kdetheme-system-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/libknewstuff1-3.3.2-63233U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/kdelibs3-3.1.5-28927U90_7cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/quanta-3.1-27553U90_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/quanta-3.1-27553U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/quanta-doc-3.1-27553U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/quanta-kommander-3.1-27553U90_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs-artsinterface-3.1.5-28927U90_7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs-docbook-3.1.5-28927U90_7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs3-3.1.5-28927U90_7cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/kdelibs3-devel-3.1.5-28927U90_7cl.i386.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
Fedora Core
Fedora Update Notification
FEDORA-2005-373
2005-05-17
Product : Fedora Core 3
Name : squid
Version : 2.5.STABLE9
Release : 1.FC3.6
Summary : The Squid proxy caching server.
Description :
Squid is a high-performance proxy caching server for Web clients,
supporting FTP, gopher, and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single,
non-blocking, I/O-driven process. Squid keeps meta data and
especially hot objects cached in RAM, caches DNS lookups, supports
non-blocking DNS lookups, and implements negative caching of failed
requests.
Squid consists of a main server program squid, a Domain Name
System lookup program (dnsserver), a program for retrieving FTP
data (ftpget), and some management and client tools.
- Mon May 16 2005 Jay Fenlason <fenlason@redhat.com> 7:2.5.STABLE9-1.FC3.6
  - More upstream patches, including ones for
    bz#157456 CAN-2005-1519 DNS lookups unreliable on untrusted networks
    bz#156162 CVE-1999-0710 cachemgr.cgi access control bypass
  - The following bugs had already been fixed, but the announcements
    were lost
    bz#156711 CAN-2005-1390 HTTP Request Smuggling Vulnerabilities
    bz#156703 CAN-2005-1389 HTTP Response Splitting Vulnerabilities
    (Both fixed by squid-7:2.5.STABLE8-1.FC3.1)
    bz#151419 Unexpected access control results on configuration errors
    (Fixed by 7:2.5.STABLE9-1.FC3.2)
    bz#152647 squid-2.5.STABLE9-1.FC3.4.x86_64.rpm is broken
    (Fixed by 7:2.5.STABLE9-1.FC3.5)
    bz#141938 squid ldap authentication broken
    (Fixed by 7:2.5.STABLE7-1.FC3)
- Fri Apr 1 2005 Jay Fenlason <fenlason@redhat.com> 7:2.5.STABLE9-1.FC3.5
  - More upstream patches, including a new version of the -2GB
    patch that doesn't break diskd.
This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
c94ce8b9fc2ae09b867fa73a4036901b SRPMS/squid-2.5.STABLE9-1.FC3.6.src.rpm
6862c9189f1686280b95a31501ce5283 x86_64/squid-2.5.STABLE9-1.FC3.6.x86_64.rpm
5e96af43a684836da7e88279a5643b1a x86_64/debug/squid-debuginfo-2.5.STABLE9-1.FC3.6.x86_64.rpm
81f8f55caf7f423054356ae57c2d02f9 i386/squid-2.5.STABLE9-1.FC3.6.i386.rpm
e912773d9f9889686a70debe1c1146c8 i386/debug/squid-debuginfo-2.5.STABLE9-1.FC3.6.i386.rpm
This update can also be installed with the Update Agent; you can
launch the Update Agent with the ‘up2date’ command.
Gentoo Linux
Gentoo Linux Security Advisory GLSA 200505-13
Severity: High
Title: FreeRADIUS: Buffer overflow and SQL injection
vulnerability
Date: May 17, 2005
Bugs: #91736
ID: 200505-13
Synopsis
The FreeRADIUS server is vulnerable to a buffer overflow and an
SQL injection attack, possibly allowing the compromise of the
system.
Background
FreeRADIUS is an open source RADIUS authentication server
implementation.
Affected packages
     Package                /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  net-dialup/freeradius      < 1.0.2-r3                  >= 1.0.2-r3
Description
Primoz Bratanic discovered that the sql_escape_func function of
FreeRADIUS may be vulnerable to a buffer overflow (BID 13541). He
also discovered that FreeRADIUS fails to sanitize user-input before
using it in a SQL query, possibly allowing SQL command injection
(BID 13540).
Impact
By supplying carefully crafted input, a malicious user could
cause a buffer overflow or an SQL injection, possibly leading to
the execution of arbitrary code or disclosure and the modification
of sensitive data.
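The advisory names the two bugs (BID 13540, the missing sanitisation, and BID 13541, the overflow in sql_escape_func) but reproduces neither the query nor the escaper. The example below is added here and is not FreeRADIUS code: it models the user lookup against a radcheck table in Python's sqlite3 (the table and column names follow the FreeRADIUS SQL schema, an assumption), shows the injection beside the parameterised fix, and includes a bounded escaper to make the second bug's mechanism visible, since hex escaping can triple the length of the string and a fixed-size output buffer has to be sized for that. The '=XX' escape style, the UNSAFE set and the sample rows are constructed for the demo.

```python
import sqlite3

# Characters this demo escaper treats as unsafe (an assumption for the demo;
# a real escaper must follow the target database's quoting rules).
UNSAFE = set("'\"\\;=")


def escape_bounded(value, outlen):
    """Escape `value` for a single-quoted SQL literal by replacing unsafe
    characters with '=XX' hex escapes, emitting at most `outlen` characters.
    Every escape turns one character into three, so an output buffer sized
    for the input alone is too small; in C that is an overflow.  Here the
    budget is explicit and truncation only happens between escapes, never
    inside one (a half-written escape would itself corrupt the query)."""
    out, used = [], 0
    for ch in value:
        piece = "=%02X" % ord(ch) if (ch in UNSAFE or ord(ch) < 0x20) else ch
        if used + len(piece) > outlen:
            break
        out.append(piece)
        used += len(piece)
    return "".join(out)


def make_db():
    """In-memory table modelled on FreeRADIUS's radcheck (assumed schema),
    loaded with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT,"
               " attribute TEXT, op TEXT, value TEXT)")
    db.executemany(
        "INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
        [("alice", "Cleartext-Password", ":=", "s3cret"),
         ("bob", "Cleartext-Password", ":=", "hunter2")])
    return db


def lookup_vulnerable(db, username):
    """User-Name pasted straight into the query text: the injectable form."""
    sql = ("SELECT username, value FROM radcheck"
           " WHERE username = '%s' AND attribute = 'Cleartext-Password'" % username)
    return db.execute(sql).fetchall()


def lookup_escaped(db, username):
    """Same query, input run through the escaper with a buffer sized for the
    worst case (three output characters per input character)."""
    safe = escape_bounded(username, 3 * len(username))
    sql = ("SELECT username, value FROM radcheck"
           " WHERE username = '%s' AND attribute = 'Cleartext-Password'" % safe)
    return db.execute(sql).fetchall()


def lookup_parameterized(db, username):
    """Bound parameter: the value is never parsed as SQL, so no escaping and
    no output-buffer arithmetic are needed at all."""
    sql = ("SELECT username, value FROM radcheck"
           " WHERE username = ? AND attribute = 'Cleartext-Password'")
    return db.execute(sql, (username,)).fetchall()


# Constructed attacker-supplied User-Name.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, INJECTION))   # every user's password
    print("escaped:      ", lookup_escaped(db, INJECTION))      # no rows
    print("parameterized:", lookup_parameterized(db, INJECTION))
    print("escaper growth:", len(INJECTION), "->", len(escape_bounded(INJECTION, 100)))
```

An escaper of this style also rewrites legitimate names that contain the escaped characters, so whether they still match depends on how the names were stored; bound parameters avoid both that problem and the buffer arithmetic, which is why they are the preferred fix where the driver supports them.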
Workaround
There are no known workarounds at this time.
Resolution
All FreeRADIUS users should upgrade to the latest available
version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-dialup/freeradius-1.0.2-r3"
References
[ 1 ] BugTraq ID 13540
http://www.securityfocus.com/bid/13540/
[ 2 ] BugTraq ID 13541
http://www.securityfocus.com/bid/13541/
Availability
This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200505-13.xml
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.
License
Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).
The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
Mandriva Linux
Mandriva Linux Security Update Advisory
Package name: mozilla
Advisory ID: MDKSA-2005:088-1
Date: May 17th, 2005
Original Advisory Date: May 13th, 2005
Affected versions: 10.2
Problem Description:
The previously-released firefox updates were no longer able to
download extensions for firefox due to strict version checking.
This update fixes the problem by changing the version firefox
reports from 1.0.2 to 1.0.4, allowing for extensions to be
downloaded again.
Updated Packages:
Mandrakelinux 10.2:
c17cfdac1f0e6d6e04f784109981099f
10.2/RPMS/libnspr4-1.0.2-6.1.102mdk.i586.rpm
ff9f5cf04cf3f639251ecb822080a148
10.2/RPMS/libnspr4-devel-1.0.2-6.1.102mdk.i586.rpm
3518a675a8085a5a5408828c6b8f9032
10.2/RPMS/libnss3-1.0.2-6.1.102mdk.i586.rpm
b130975adbbd0b4e65a723beab7e4a6d
10.2/RPMS/libnss3-devel-1.0.2-6.1.102mdk.i586.rpm
3ac683081b3980636177b4148c7ef6f1
10.2/RPMS/mozilla-firefox-1.0.2-6.1.102mdk.i586.rpm
39b1cff4c003f13deffc4e0e154e96ef
10.2/RPMS/mozilla-firefox-devel-1.0.2-6.1.102mdk.i586.rpm
bee109a3f8187d72515b258c3f363f9d
10.2/SRPMS/mozilla-firefox-1.0.2-6.1.102mdk.src.rpm
Mandrakelinux 10.2/X86_64:
cdf2b4920ec3bde200fa85f3549c85fe
x86_64/10.2/RPMS/lib64nspr4-1.0.2-6.1.102mdk.x86_64.rpm
3028ed182c82aef9b4fec35bcd4a8740
x86_64/10.2/RPMS/lib64nspr4-devel-1.0.2-6.1.102mdk.x86_64.rpm
2b613cb20ac8b05e236f6ab54fd04d9c
x86_64/10.2/RPMS/lib64nss3-1.0.2-6.1.102mdk.x86_64.rpm
7d7c19e234bb1eb6d1ea967cc200a5b2
x86_64/10.2/RPMS/lib64nss3-devel-1.0.2-6.1.102mdk.x86_64.rpm
4bde441472f480f76c6eebab741f877c
x86_64/10.2/RPMS/mozilla-firefox-1.0.2-6.1.102mdk.x86_64.rpm
9bda0e91ca36218f97ffa21b03cc6e00
x86_64/10.2/RPMS/mozilla-firefox-devel-1.0.2-6.1.102mdk.x86_64.rpm
bee109a3f8187d72515b258c3f363f9d
x86_64/10.2/SRPMS/mozilla-firefox-1.0.2-6.1.102mdk.src.rpm
To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.
All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
Red Hat Linux
Red Hat Security Advisory
Synopsis: Moderate: ncpfs security update
Advisory ID: RHSA-2005:371-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-371.html
Issue date: 2005-05-17
Updated on: 2005-05-17
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0013
1. Summary:
An updated ncpfs package is now available.
This update has been rated as having moderate security impact by
the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
3. Problem description:
Ncpfs is a file system that understands the Novell NetWare(TM)
NCP protocol.
A bug was found in the way ncpfs handled file permissions. ncpfs
did not sufficiently check if the file owner matched the user
attempting to access the file, potentially violating the file
permissions. The Common Vulnerabilities and Exposures project
(cve.mitre.org/) has assigned
the name CAN-2005-0013 to this issue.
All users of ncpfs are advised to upgrade to this updated
package, which contains backported fixes for this issue.
4. Solution:
Before applying this update, make sure all previously released
errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade.
Only those RPMs which are currently installed will be updated.
Those RPMs which are not installed but included in the list will
not be updated. Note that you can also use wildcards (*.rpm) if
your current directory only contains the
desired RPMs.
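Every advisory in this digest publishes an MD5 for each package (see the lists in section 5 below and in the other advisories), but line wrapping in the digest sometimes leaves the hash and the file name on separate lines. The script below is an added example, not Red Hat tooling: it pairs hashes with file names token by token, so wrapped entries still parse, and checks the files in a download directory against them before they are handed to rpm -Fvh. The file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Pair 'md5 filename' entries as printed in the advisories.  Tokens are
    paired rather than lines, so a hash wrapped onto its own line still
    finds its file name; URLs and section labels between entries are
    skipped.  Returns {basename: md5hex}."""
    pairs = {}
    pending = None
    for tok in text.split():
        if pending is None:
            if len(tok) == 32 and set(tok.lower()) <= HEX:
                pending = tok.lower()
        else:
            pairs[os.path.basename(tok)] = pending
            pending = None
    return pairs


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest, directory):
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every entry."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif md5_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed demo: two fake packages in a temp dir; one is altered after
    the manifest is written, a third is never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good-1.0-1.i386.rpm")
        tampered = os.path.join(d, "tampered-1.0-1.i386.rpm")
        with open(good, "wb") as f:
            f.write(b"good package bytes")
        with open(tampered, "wb") as f:
            f.write(b"original bytes")
        manifest_text = "\n".join([
            f"{md5_of_file(good)} good-1.0-1.i386.rpm",
            md5_of_file(tampered),                 # hash wrapped onto its own line
            "i386/tampered-1.0-1.i386.rpm",
            "d41d8cd98f00b204e9800998ecf8427e missing-1.0-1.i386.rpm",
        ])
        with open(tampered, "ab") as f:
            f.write(b"\x90")                       # simulate a modified download
        return verify_downloads(parse_manifest(manifest_text), d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

A matching checksum rules out a corrupted or mismatched download, not a deliberate substitution by whoever controls the mirror: the hash is published next to the file, and MD5 is no longer collision-resistant. The GPG signature on the package, checked with rpm --checksig against the vendor key the advisory points to, is the authoritative test; this script is only the pre-flight for it.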
Please note that this update is also available via Red Hat
Network. Many people find this an easier way to apply updates. To
use Red Hat Network, launch the Red Hat Update Agent with the
following command:
up2date
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.
5. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ncpfs-2.2.0.18-6.EL2.src.rpm
97fc82b06243d3344766a6c83d7ce2cc ncpfs-2.2.0.18-6.EL2.src.rpm
i386:
8000785605e0093e0a51689a63fa56c9
ipxutils-2.2.0.18-6.EL2.i386.rpm
d38e5b535f4fc5a14d456a13b22c0532 ncpfs-2.2.0.18-6.EL2.i386.rpm
ia64:
1a46f4110cccbcebfc679f1371774c88
ipxutils-2.2.0.18-6.EL2.ia64.rpm
4e5a20f0012d01b177762ed8c557105f ncpfs-2.2.0.18-6.EL2.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/ncpfs-2.2.0.18-6.EL2.src.rpm
97fc82b06243d3344766a6c83d7ce2cc ncpfs-2.2.0.18-6.EL2.src.rpm
ia64:
1a46f4110cccbcebfc679f1371774c88
ipxutils-2.2.0.18-6.EL2.ia64.rpm
4e5a20f0012d01b177762ed8c557105f ncpfs-2.2.0.18-6.EL2.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ncpfs-2.2.0.18-6.EL2.src.rpm
97fc82b06243d3344766a6c83d7ce2cc ncpfs-2.2.0.18-6.EL2.src.rpm
i386:
8000785605e0093e0a51689a63fa56c9
ipxutils-2.2.0.18-6.EL2.i386.rpm
d38e5b535f4fc5a14d456a13b22c0532 ncpfs-2.2.0.18-6.EL2.i386.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
6. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0013
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
Red Hat Security Advisory
Synopsis: Important: kdelibs security update
Advisory ID: RHSA-2005:393-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-393.html
Issue date: 2005-05-17
Updated on: 2005-05-17
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-1046
1. Summary:
Updated kdelibs packages that fix a flaw in kimgio input
validation are now available for Red Hat Enterprise Linux 4.
This update has been rated as having important security impact
by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
KDE is a graphical desktop environment for the X Window System.
Konqueror is the file manager for the K Desktop Environment.
A source code audit performed by the KDE security team
discovered several vulnerabilities in the PCX and other image file
format readers.
A buffer overflow was found in the kimgio library for KDE 3.4.0.
An attacker could create a carefully crafted PCX image in such a
way that it would cause kimgio to execute arbitrary code when
processing the image. The Common Vulnerabilities and Exposures
project (cve.mitre.org/) has
assigned the name CAN-2005-1046 to this issue.
All users of kdelibs should upgrade to these updated packages,
which contain a backported security patch to correct these
issues.
4. Solution:
Before applying this update, make sure that all
previously-released errata relevant to your system have been
applied. Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to
the following Web page for the System Administration or
Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/kdelibs-3.3.1-3.10.src.rpm
bce4c06fafe21d3efe6861baccdb336f kdelibs-3.3.1-3.10.src.rpm
i386:
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
663a4623ae7b79383c901ddd604f40c1
kdelibs-devel-3.3.1-3.10.i386.rpm
ia64:
d71ca353358cc55e8b095909b33a384a kdelibs-3.3.1-3.10.ia64.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
6a6aee95de4b0e2c648cb333230e956c
kdelibs-devel-3.3.1-3.10.ia64.rpm
ppc:
08f0b8a2dd54fcc21fd32bd713b10625 kdelibs-3.3.1-3.10.ppc.rpm
2a5859b0b379c8cd5019e312afb75d13 kdelibs-3.3.1-3.10.ppc64.rpm
933042fd45c59372b1ed3dab95cb8608
kdelibs-devel-3.3.1-3.10.ppc.rpm
s390:
7528c1d9e4bd655f1dbb29b0f784bd03 kdelibs-3.3.1-3.10.s390.rpm
6cbfdb4ed57dd476416a4626b234878a
kdelibs-devel-3.3.1-3.10.s390.rpm
s390x:
d6c32e2c18773a37c24c0764c26ff8da kdelibs-3.3.1-3.10.s390x.rpm
7528c1d9e4bd655f1dbb29b0f784bd03 kdelibs-3.3.1-3.10.s390.rpm
9f7ad40ee12f4fdf898320d61943108d
kdelibs-devel-3.3.1-3.10.s390x.rpm
x86_64:
d732485d3f1c19f0caa1e3c93acacd1d kdelibs-3.3.1-3.10.x86_64.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
84cba787f9f5c96b6ef205a269864d26
kdelibs-devel-3.3.1-3.10.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/kdelibs-3.3.1-3.10.src.rpm
bce4c06fafe21d3efe6861baccdb336f kdelibs-3.3.1-3.10.src.rpm
i386:
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
663a4623ae7b79383c901ddd604f40c1
kdelibs-devel-3.3.1-3.10.i386.rpm
x86_64:
d732485d3f1c19f0caa1e3c93acacd1d kdelibs-3.3.1-3.10.x86_64.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
84cba787f9f5c96b6ef205a269864d26
kdelibs-devel-3.3.1-3.10.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/kdelibs-3.3.1-3.10.src.rpm
bce4c06fafe21d3efe6861baccdb336f kdelibs-3.3.1-3.10.src.rpm
i386:
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
663a4623ae7b79383c901ddd604f40c1
kdelibs-devel-3.3.1-3.10.i386.rpm
ia64:
d71ca353358cc55e8b095909b33a384a kdelibs-3.3.1-3.10.ia64.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
6a6aee95de4b0e2c648cb333230e956c
kdelibs-devel-3.3.1-3.10.ia64.rpm
x86_64:
d732485d3f1c19f0caa1e3c93acacd1d kdelibs-3.3.1-3.10.x86_64.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
84cba787f9f5c96b6ef205a269864d26
kdelibs-devel-3.3.1-3.10.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/kdelibs-3.3.1-3.10.src.rpm
bce4c06fafe21d3efe6861baccdb336f kdelibs-3.3.1-3.10.src.rpm
i386:
663a4623ae7b79383c901ddd604f40c1
kdelibs-devel-3.3.1-3.10.i386.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
ia64:
d71ca353358cc55e8b095909b33a384a kdelibs-3.3.1-3.10.ia64.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
6a6aee95de4b0e2c648cb333230e956c
kdelibs-devel-3.3.1-3.10.ia64.rpm
x86_64:
d732485d3f1c19f0caa1e3c93acacd1d kdelibs-3.3.1-3.10.x86_64.rpm
f3fd454b5cc31b9b64160fef728f8e2b kdelibs-3.3.1-3.10.i386.rpm
84cba787f9f5c96b6ef205a269864d26
kdelibs-devel-3.3.1-3.10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
6. References:
http://bugs.kde.org/102328
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1046
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.
Red Hat Security Advisory
Synopsis: Moderate: cyrus-imapd security update
Advisory ID: RHSA-2005:408-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2005-408.html
Issue date: 2005-05-17
Updated on: 2005-05-17
Product: Red Hat Enterprise Linux
CVE Names: CAN-2005-0546
1. Summary:
Updated cyrus-imapd packages that fix several buffer overflow
security issues are now available.
This update has been rated as having moderate security impact by
the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Problem description:
The cyrus-imapd package contains the core of the Cyrus IMAP
server.
Several buffer overflow bugs were found in cyrus-imapd. It is
possible that an authenticated malicious user could cause the imap
server to crash. Additionally, a peer news admin could potentially
execute arbitrary code on the imap server when news is received
using the fetchnews command. The Common Vulnerabilities and
Exposures project (cve.mitre.org/) has assigned the name
CAN-2005-0546 to this issue.
Users of cyrus-imapd are advised to upgrade to these updated
packages, which contain cyrus-imapd version 2.2.12 to correct these
issues.
4. Solution:
Before applying this update, make sure that all
previously-released errata relevant to your system have been
applied. Use Red Hat Network to download and update your packages.
To launch the Red Hat Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to
the following Web page for the System Administration or
Customization guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
5. RPMs required:
Red Hat Enterprise Linux AS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
4b3fa71b394dbd0e8c87a29c5a56b286
cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
i386:
68c478ca17ecb402c8d6044a08fbbf97
cyrus-imapd-2.2.12-3.RHEL4.1.i386.rpm
b0e73a633a3f420cb7c1b3201bbb6ab4
cyrus-imapd-devel-2.2.12-3.RHEL4.1.i386.rpm
0b417a838fde38c48e118bbae7adb5de
cyrus-imapd-murder-2.2.12-3.RHEL4.1.i386.rpm
60d37f09e9b5db67a90b26d899eef10e
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.i386.rpm
125973b27ff9c214fdcade6adfbbab4c
cyrus-imapd-utils-2.2.12-3.RHEL4.1.i386.rpm
adf11c07b7572a803fba0694b10a9bf3
perl-Cyrus-2.2.12-3.RHEL4.1.i386.rpm
ia64:
47e38551bf642b9f3c950e4d73014963
cyrus-imapd-2.2.12-3.RHEL4.1.ia64.rpm
4c7ca20e0b41290767236bc7cebced40
cyrus-imapd-devel-2.2.12-3.RHEL4.1.ia64.rpm
892adc82d6b337d5b838de06b31f6005
cyrus-imapd-murder-2.2.12-3.RHEL4.1.ia64.rpm
2d15fe37eaa0e6e82294b2fb4448824c
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.ia64.rpm
e7d894fce5d9dfe8f17fcdbbd80280ee
cyrus-imapd-utils-2.2.12-3.RHEL4.1.ia64.rpm
0d5ce4154308b7ad7796c9517c1b6fcd
perl-Cyrus-2.2.12-3.RHEL4.1.ia64.rpm
ppc:
0cf0e912e3d10a013f875ca75f6ed117
cyrus-imapd-2.2.12-3.RHEL4.1.ppc.rpm
76e6a47a7b15caf6bdf770d8c8e9ceb2
cyrus-imapd-devel-2.2.12-3.RHEL4.1.ppc.rpm
c70639b4245a12ccc5d7d81cbe8a8262
cyrus-imapd-murder-2.2.12-3.RHEL4.1.ppc.rpm
9aa309aef2579944259cb7ffe8245488
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.ppc.rpm
f1c85a497a0e80e1ceaa146b2e78a742
cyrus-imapd-utils-2.2.12-3.RHEL4.1.ppc.rpm
cc16c62094b302d9411f3be1ee38ab09
perl-Cyrus-2.2.12-3.RHEL4.1.ppc.rpm
s390:
f7dc2f55144bb5f4fc608811f80323a0
cyrus-imapd-2.2.12-3.RHEL4.1.s390.rpm
f1b97671e20f3af01272f848b42f254e
cyrus-imapd-devel-2.2.12-3.RHEL4.1.s390.rpm
00103a5a070125fd21b8e474bf321ec1
cyrus-imapd-murder-2.2.12-3.RHEL4.1.s390.rpm
e49e2d04a077d8f7478eb0f0d43fe91e
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.s390.rpm
0918d048e49457ece8c2e772a0ff2a2b
cyrus-imapd-utils-2.2.12-3.RHEL4.1.s390.rpm
9dcb24d38c2bc3f5506a742e526f2ebc
perl-Cyrus-2.2.12-3.RHEL4.1.s390.rpm
s390x:
45b6b8d9c21885c76263dc59b3b8e612
cyrus-imapd-2.2.12-3.RHEL4.1.s390x.rpm
624f870b32646960b4b02b0b38395f0c
cyrus-imapd-devel-2.2.12-3.RHEL4.1.s390x.rpm
3785bb0f2410fbecdd19b0c4d006ad19
cyrus-imapd-murder-2.2.12-3.RHEL4.1.s390x.rpm
3b5acbdc0b46d079e033ecb1c7f5702c
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.s390x.rpm
27a4e0d1eb725896dad32f01bd29ed58
cyrus-imapd-utils-2.2.12-3.RHEL4.1.s390x.rpm
2f229a87ffcf945db5fece6ef5f1882b
perl-Cyrus-2.2.12-3.RHEL4.1.s390x.rpm
x86_64:
66c83d5825b3487300365d4d5d6f65f9
cyrus-imapd-2.2.12-3.RHEL4.1.x86_64.rpm
bae570996e911c09e130cfafbd006ae7
cyrus-imapd-devel-2.2.12-3.RHEL4.1.x86_64.rpm
a665893a93037f024419f31b0647d684
cyrus-imapd-murder-2.2.12-3.RHEL4.1.x86_64.rpm
723ffd10890a8c6ca91496a3d0f66511
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.x86_64.rpm
03b502fd34bc8a1c3bcfcc4d7b987dfb
cyrus-imapd-utils-2.2.12-3.RHEL4.1.x86_64.rpm
f785bfaab819a7fba7ecee0313c85dba
perl-Cyrus-2.2.12-3.RHEL4.1.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
4b3fa71b394dbd0e8c87a29c5a56b286
cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
i386:
68c478ca17ecb402c8d6044a08fbbf97
cyrus-imapd-2.2.12-3.RHEL4.1.i386.rpm
b0e73a633a3f420cb7c1b3201bbb6ab4
cyrus-imapd-devel-2.2.12-3.RHEL4.1.i386.rpm
0b417a838fde38c48e118bbae7adb5de
cyrus-imapd-murder-2.2.12-3.RHEL4.1.i386.rpm
60d37f09e9b5db67a90b26d899eef10e
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.i386.rpm
125973b27ff9c214fdcade6adfbbab4c
cyrus-imapd-utils-2.2.12-3.RHEL4.1.i386.rpm
adf11c07b7572a803fba0694b10a9bf3
perl-Cyrus-2.2.12-3.RHEL4.1.i386.rpm
x86_64:
66c83d5825b3487300365d4d5d6f65f9
cyrus-imapd-2.2.12-3.RHEL4.1.x86_64.rpm
bae570996e911c09e130cfafbd006ae7
cyrus-imapd-devel-2.2.12-3.RHEL4.1.x86_64.rpm
a665893a93037f024419f31b0647d684
cyrus-imapd-murder-2.2.12-3.RHEL4.1.x86_64.rpm
723ffd10890a8c6ca91496a3d0f66511
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.x86_64.rpm
03b502fd34bc8a1c3bcfcc4d7b987dfb
cyrus-imapd-utils-2.2.12-3.RHEL4.1.x86_64.rpm
f785bfaab819a7fba7ecee0313c85dba
perl-Cyrus-2.2.12-3.RHEL4.1.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
4b3fa71b394dbd0e8c87a29c5a56b286
cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
i386:
68c478ca17ecb402c8d6044a08fbbf97
cyrus-imapd-2.2.12-3.RHEL4.1.i386.rpm
b0e73a633a3f420cb7c1b3201bbb6ab4
cyrus-imapd-devel-2.2.12-3.RHEL4.1.i386.rpm
0b417a838fde38c48e118bbae7adb5de
cyrus-imapd-murder-2.2.12-3.RHEL4.1.i386.rpm
60d37f09e9b5db67a90b26d899eef10e
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.i386.rpm
125973b27ff9c214fdcade6adfbbab4c
cyrus-imapd-utils-2.2.12-3.RHEL4.1.i386.rpm
adf11c07b7572a803fba0694b10a9bf3
perl-Cyrus-2.2.12-3.RHEL4.1.i386.rpm
ia64:
47e38551bf642b9f3c950e4d73014963
cyrus-imapd-2.2.12-3.RHEL4.1.ia64.rpm
4c7ca20e0b41290767236bc7cebced40
cyrus-imapd-devel-2.2.12-3.RHEL4.1.ia64.rpm
892adc82d6b337d5b838de06b31f6005
cyrus-imapd-murder-2.2.12-3.RHEL4.1.ia64.rpm
2d15fe37eaa0e6e82294b2fb4448824c
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.ia64.rpm
e7d894fce5d9dfe8f17fcdbbd80280ee
cyrus-imapd-utils-2.2.12-3.RHEL4.1.ia64.rpm
0d5ce4154308b7ad7796c9517c1b6fcd
perl-Cyrus-2.2.12-3.RHEL4.1.ia64.rpm
x86_64:
66c83d5825b3487300365d4d5d6f65f9
cyrus-imapd-2.2.12-3.RHEL4.1.x86_64.rpm
bae570996e911c09e130cfafbd006ae7
cyrus-imapd-devel-2.2.12-3.RHEL4.1.x86_64.rpm
a665893a93037f024419f31b0647d684
cyrus-imapd-murder-2.2.12-3.RHEL4.1.x86_64.rpm
723ffd10890a8c6ca91496a3d0f66511
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.x86_64.rpm
03b502fd34bc8a1c3bcfcc4d7b987dfb
cyrus-imapd-utils-2.2.12-3.RHEL4.1.x86_64.rpm
f785bfaab819a7fba7ecee0313c85dba
perl-Cyrus-2.2.12-3.RHEL4.1.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
SRPMS:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
4b3fa71b394dbd0e8c87a29c5a56b286
cyrus-imapd-2.2.12-3.RHEL4.1.src.rpm
i386:
68c478ca17ecb402c8d6044a08fbbf97
cyrus-imapd-2.2.12-3.RHEL4.1.i386.rpm
b0e73a633a3f420cb7c1b3201bbb6ab4
cyrus-imapd-devel-2.2.12-3.RHEL4.1.i386.rpm
0b417a838fde38c48e118bbae7adb5de
cyrus-imapd-murder-2.2.12-3.RHEL4.1.i386.rpm
60d37f09e9b5db67a90b26d899eef10e
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.i386.rpm
125973b27ff9c214fdcade6adfbbab4c
cyrus-imapd-utils-2.2.12-3.RHEL4.1.i386.rpm
adf11c07b7572a803fba0694b10a9bf3
perl-Cyrus-2.2.12-3.RHEL4.1.i386.rpm
ia64:
47e38551bf642b9f3c950e4d73014963
cyrus-imapd-2.2.12-3.RHEL4.1.ia64.rpm
4c7ca20e0b41290767236bc7cebced40
cyrus-imapd-devel-2.2.12-3.RHEL4.1.ia64.rpm
892adc82d6b337d5b838de06b31f6005
cyrus-imapd-murder-2.2.12-3.RHEL4.1.ia64.rpm
2d15fe37eaa0e6e82294b2fb4448824c
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.ia64.rpm
e7d894fce5d9dfe8f17fcdbbd80280ee
cyrus-imapd-utils-2.2.12-3.RHEL4.1.ia64.rpm
0d5ce4154308b7ad7796c9517c1b6fcd
perl-Cyrus-2.2.12-3.RHEL4.1.ia64.rpm
x86_64:
66c83d5825b3487300365d4d5d6f65f9
cyrus-imapd-2.2.12-3.RHEL4.1.x86_64.rpm
bae570996e911c09e130cfafbd006ae7
cyrus-imapd-devel-2.2.12-3.RHEL4.1.x86_64.rpm
a665893a93037f024419f31b0647d684
cyrus-imapd-murder-2.2.12-3.RHEL4.1.x86_64.rpm
723ffd10890a8c6ca91496a3d0f66511
cyrus-imapd-nntp-2.2.12-3.RHEL4.1.x86_64.rpm
03b502fd34bc8a1c3bcfcc4d7b987dfb
cyrus-imapd-utils-2.2.12-3.RHEL4.1.x86_64.rpm
f785bfaab819a7fba7ecee0313c85dba
perl-Cyrus-2.2.12-3.RHEL4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key
and details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
6. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0546
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More
contact details at https://www.redhat.com/security/team/contact/
Copyright 2005 Red Hat, Inc.