You are here
Home > Preporuke > Sigurnosni nedostaci programske biblioteke kdelibs3

Sigurnosni nedostaci programske biblioteke kdelibs3

——————————————————————————–
Fedora Update Notification
FEDORA-2017-01eed6fe8c
2017-03-12 16:20:17.332924
——————————————————————————–

Name : kdelibs3
Product : Fedora 24
Version : 3.5.10
Release : 84.fc24
URL : http://www.kde.org/
Summary : KDE 3 Libraries
Description :
Libraries for KDE 3:
KDE Libraries included: kdecore (KDE core library), kdeui (user interface),
kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking),
kspell (spelling checker), jscript (javascript), kab (addressbook),
kimgio (image manipulation).

——————————————————————————–
Update Information:

This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues:
* CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system
locations * CVE-2017-6410 (kio): Information Leak when accessing https when
using a malicious PAC file for the KDE 3 compatibility libraries. (Security
updates for KDE Frameworks 5 (kf5-karchive resp. kf5-kio) and for the KDE 4
compatibility libraries (kdelibs 4) have already been submitted.) In addition,
the KDE 3 compatibility version of KCrash was modified to use the DrKonqi from
Plasma 5 rather than from kde-runtime 4. (The original KDE 3 DrKonqi was already
dropped years ago.) The kde-runtime 4 DrKonqi is not installed by default and
will be removed entirely in future Fedora versions, the Plasma 5 version of
DrKonqi can also be used for legacy applications.
——————————————————————————–
References:

[ 1 ] Bug #1427808 – CVE-2017-6410 kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file
https://bugzilla.redhat.com/show_bug.cgi?id=1427808
[ 2 ] Bug #1357410 – CVE-2016-6232 kf5-karchive: Extraction of tar files possible to arbitrary system locations
https://bugzilla.redhat.com/show_bug.cgi?id=1357410
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade kdelibs3’ at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2017-4f4eef4791
2017-03-12 16:21:58.067358
——————————————————————————–

Name : kdelibs3
Product : Fedora 25
Version : 3.5.10
Release : 84.fc25
URL : http://www.kde.org/
Summary : KDE 3 Libraries
Description :
Libraries for KDE 3:
KDE Libraries included: kdecore (KDE core library), kdeui (user interface),
kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking),
kspell (spelling checker), jscript (javascript), kab (addressbook),
kimgio (image manipulation).

——————————————————————————–
Update Information:

This kdelibs3 (KDE 3 compatibility libraries) update fixes the security issues:
* CVE-2016-6232 (karchive): Extraction of tar files possible to arbitrary system
locations * CVE-2017-6410 (kio): Information Leak when accessing https when
using a malicious PAC file for the KDE 3 compatibility libraries. (Security
updates for KDE Frameworks 5 (kf5-karchive resp. kf5-kio) and for the KDE 4
compatibility libraries (kdelibs 4) have already been submitted.) In addition,
the KDE 3 compatibility version of KCrash was modified to use the DrKonqi from
Plasma 5 rather than from kde-runtime 4. (The original KDE 3 DrKonqi was already
dropped years ago.) The kde-runtime 4 DrKonqi is not installed by default and
will be removed entirely in future Fedora versions, the Plasma 5 version of
DrKonqi can also be used for legacy applications.
——————————————————————————–
References:

[ 1 ] Bug #1427808 – CVE-2017-6410 kf5-kio, kdelibs: Information Leak when accessing https when using a malicious PAC file
https://bugzilla.redhat.com/show_bug.cgi?id=1427808
[ 2 ] Bug #1357410 – CVE-2016-6232 kf5-karchive: Extraction of tar files possible to arbitrary system locations
https://bugzilla.redhat.com/show_bug.cgi?id=1357410
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade kdelibs3’ at the command line.
For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Top
More in Preporuke
Sigurnosni nedostaci programskog paketa ntpd

Otkriveni su sigurnosni nedostaci u programskom paketu ntpd za HP-UX. Otkriveni nedostaci potencijalnim udaljenim napadačima omogućuju izvođenje napada uskraćivanjem usluge,...

Close