LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-21-2004, 03:39 PM   #1
C0NIk
LQ Newbie
 
Registered: Oct 2003
Posts: 25

Rep: Reputation: 15
KDE Security Advisory: Konqueror Java Vulnerability


when i was searching for a new ver of KDE i found this @ KDE Security link


KDE Security Advisory: Konqueror Java Vulnerability
Original Release Date: 2004-12-20
URL: http://www.kde.org/info/security/adv...20041220-1.txt

0. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2004-1145
http://www.heise.de/security/dienste...sts/java.shtml

1. Systems affected:

All versions of KDE up to KDE 3.3.1 inclusive. KDE 3.3.2 is not
affected.


2. Overview:

Two flaws in the Konqueror webbrowser make it possible to by pass
the sandbox environment which is used to run Java-applets.
One flaw allows access to restricted Java classes via JavaScript,
making it possible to escalate the privileges of the Java-applet.
The other problem is that Konqueror fails to correctly restrict
access to certain Java classes from the Java-applet itself.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-1145 to this issue.


3. Impact:

When a user has Java enabled in Konqueror and visits a malicious
website, the website can run a Java-applet and obtain escalated
privileges allowing reading and writing of arbitrary files with
the privileges of the user.


4. Solution:

Upgrade to KDE 3.3.2

A backport has been made available for older versions which fixes
this vulnerability. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.


5. Patch:

For KDE 3.2.3 a backport of the new Java handling is available from
ftp://ftp.kde.org/pub/kde/security_patches :

7fc001d010c640738ed7d2fe347f002d post-3.2.3-kdelibs-khtml-java.tar.bz2


6. Time line and credits:

24/11/2004 security@kde.org contacted by heise Security
29/11/2004 Fixed in KDE CVS by Koos Vriezen
14/12/2004 Backport for KDE 3.2.3
20/12/2004 KDE Advisory released



 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Security: Java plugin vulnerability!! peacebwitchu Linux - Security 0 11-25-2004 06:48 PM
Konqueror and Java problem in KDE 3.2 stonehurstX11 Mandriva 6 04-27-2004 08:22 PM
Slackware Security Advisory php Linux - Security 0 11-04-2003 10:44 PM
OpenSSH - Major Security Vulnerability jeremy Linux - Security 9 06-27-2002 10:36 PM
Red Hat Security Advisory Aussie Linux - Security 0 02-28-2002 01:12 AM


All times are GMT -5. The time now is 06:13 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration