yocum@fnal.gov
1999-Jun-24 20:08 UTC
Forw: [RHSA-1999:015-01] KDE update for Red Hat Linux 6.0
Rogier,

Until we get the list problem solved I'll just forward on the security notices directly to you.

Cheers,
Dan

___________________________________________________________________________
Dan Yocum                          | Phone: (630) 840-8525
Linux/Unix System Administrator    | Fax:   (630) 840-6345
Computing Division OSS/FSS         | email: yocum@fnal.gov           .~.   L
Fermi National Accelerator Lab     | WWW:   www-oss.fnal.gov/~yocum/ /V\   I
P.O. Box 500                       |                                // \\  N
Batavia, IL 60510                  | "TANSTAAFL"                   /( )\  U
________________________________|_________________________________ ^`~'^__X_

------- Forwarded Message

Return-Path: redhat-watch-list-request@redhat.com
Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
	by sapphire.fnal.gov (8.8.7/8.8.7) with SMTP id OAA08361
	for <yocum@sapphire.fnal.gov>; Tue, 22 Jun 1999 14:32:45 -0500
Received: (qmail 20814 invoked by uid 501); 22 Jun 1999 20:26:38 -0000
Resent-Date: 22 Jun 1999 20:26:38 -0000
Resent-Cc: recipient list not shown: ;
MBOX-Line: From redhat-watch-list-request@redhat.com  Tue Jun 22 16:26:37 1999
X-Authentication-Warning: dionysus.devel.redhat.com: pbrown owned process doing -bs
Date: Tue, 22 Jun 1999 10:30:34 -0400 (EDT)
From: Preston Brown <pbrown@redhat.com>
X-Sender: pbrown@dionysus.devel.redhat.com
To: redhat-watch-list@redhat.com
Subject: [RHSA-1999:015-01] KDE update for Red Hat Linux 6.0
Message-ID: <Pine.LNX.4.10.9906221028060.24467-100000@dionysus.devel.redhat.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved: djb@redhat.com
Resent-Message-ID: <"Yf46Z1.0.h35.z5_Rt"@lists.redhat.com>
Resent-From: redhat-watch-list@redhat.com
Reply-To: redhat-watch-list@redhat.com
X-Mailing-List: <redhat-watch-list@redhat.com> archive/latest/36
X-Loop: redhat-watch-list@redhat.com
Precedence: list
Resent-Sender: redhat-watch-list-request@redhat.com
X-URL: http://www.redhat.com

- -----BEGIN PGP SIGNED MESSAGE-----

- - ---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          KDE update for Red Hat Linux 6.0
Advisory ID:       RHSA-1999:015-01
Issue date:        1999-06-21
Keywords:          kde kdm kvt kmail 1.1.1
- - ---------------------------------------------------------------------

1. Topic:

New KDE RPMs are available for Red Hat Linux 6.0. These RPMs upgrade the
1.1.1pre2 release to 1.1.1 final + fixes. Several security holes have been
closed, and other bugs noted in the original RPMs have been corrected.

2. BugIDs fixed:

2877 3433

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Intel:
ftp://updates.redhat.com/6.0/i386/
kdeadmin-1.1.1-1.i386.rpm
kdebase-1.1.1-1.i386.rpm
kdegames-1.1.1-1.i386.rpm
kdegraphics-1.1.1-1.i386.rpm
kdelibs-1.1.1-1.i386.rpm
kdemultimedia-1.1.1-1.i386.rpm
kdenetwork-1.1.1-1.i386.rpm
kdesupport-1.1.1-1.i386.rpm
kdetoys-1.1.1-1.i386.rpm
kdeutils-1.1.1-1.i386.rpm
korganizer-1.1.1.i386.rpm
kpilot-3.1b9-1.i386.rpm

Alpha:
ftp://updates.redhat.com/6.0/alpha/
kdeadmin-1.1.1-1.alpha.rpm
kdebase-1.1.1-1.alpha.rpm
kdegames-1.1.1-1.alpha.rpm
kdegraphics-1.1.1-1.alpha.rpm
kdelibs-1.1.1-1.alpha.rpm
kdemultimedia-1.1.1-1.alpha.rpm
kdenetwork-1.1.1-1.alpha.rpm
kdesupport-1.1.1-1.alpha.rpm
kdetoys-1.1.1-1.alpha.rpm
kdeutils-1.1.1-1.alpha.rpm
korganizer-1.1.1.alpha.rpm
kpilot-3.1b9-1.alpha.rpm

Sparc:
ftp://updates.redhat.com/6.0/sparc
kdeadmin-1.1.1-1.sparc.rpm
kdebase-1.1.1-1.sparc.rpm
kdegames-1.1.1-1.sparc.rpm
kdegraphics-1.1.1-1.sparc.rpm
kdelibs-1.1.1-1.sparc.rpm
kdemultimedia-1.1.1-1.sparc.rpm
kdenetwork-1.1.1-1.sparc.rpm
kdesupport-1.1.1-1.sparc.rpm
kdetoys-1.1.1-1.sparc.rpm
kdeutils-1.1.1-1.sparc.rpm
korganizer-1.1.1.sparc.rpm
kpilot-3.1b9-1.sparc.rpm

7. Problem description:

Red Hat Linux 6.0 shipped with KDE 1.1.1pre2, the latest release available
at the time we went into production. There were a number of configuration
and security bugs in the original packages.

kmail, the kde mail reader, had a bug related to decoding mime attachments
in an unsafe manner. Attachments were written using an easily predictable
filename to a temporary directory. This could then be exploited to
overwrite arbitrary files owned by the person using kmail via a symlink
attack.

8. Solution:

Upgrade to KDE 1.1.1 final, which fixes a number of bugs present in the
previous release and contains additional patches to correct security holes
in kmail and kvt.

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

These packages are PGP signed by Red Hat Inc. for security. Our key is
available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:

http://www.geek-girl.com/bugtraq/1999_2/0685.html

This URL describes the kmail security hole.

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN2+dVtLHqShaOYAxAQF6XAQAqNuA491aBD2rL9ubjMd1iKZCA9wSUzNm
BRZ5akb7ZZZQQStIkTAxyODnNlVlnfO0TYHJ+AwAVo76oM5Kdzq1R51BP+PTxev3
C+Unppug5NkUMB+DOt4Cr/jB+u5VvSIBK/s33/SjdUUWupHIesOf6mi7F27f/Lix
yApeMatgLcE=
=lU2O
- -----END PGP SIGNATURE-----

- ---
Preston Brown
Red Hat, Inc.
pbrown@redhat.com
PGP public key: http://www.redhat.com/~pbrown/pbrown-pgp-pubkey.txt

- --
To unsubscribe: mail redhat-watch-list-request@redhat.com with
"unsubscribe" as the Subject.

------- End of Forwarded Message
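The kmail defect in section 7 of the advisory above (attachments written under a predictable name in a shared temporary directory, so a symlink planted at that name redirects the write into another file the user owns) is the classic temporary-file race. The C program below is an added example and is not code from kmail, KDE or Red Hat: it places the vulnerable open() pattern beside the hardened form (O_EXCL plus O_NOFOLLOW, inside a private mode-0700 directory from mkdtemp()), then, in a scratch directory it creates and removes itself, plants a symlink at the predictable name and shows that the hardened writer refuses the link while the original pattern follows it. The directory template, the attachment name and the file contents are all constructed for the demo.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed for the demo: stands in for the predictable attachment name
 * that kmail 1.1.1pre2 wrote into a shared temporary directory. */
#define ATTACH_NAME "attachment1.txt"

static int build_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Writes the whole string, closes fd, returns 0 on success. */
static int write_all(int fd, const char *data)
{
    size_t len = strlen(data);
    ssize_t w = write(fd, data, len);
    close(fd);
    return (w >= 0 && (size_t)w == len) ? 0 : -1;
}

/* The pattern the advisory describes: predictable name, O_TRUNC, no O_EXCL.
 * open() follows a symlink planted at that name, so the attachment bytes
 * land in whatever file the link points to. */
int write_attachment_unsafe(const char *dir, const char *name, const char *data)
{
    char path[4096];
    if (build_path(path, sizeof path, dir, name) != 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Hardened form: O_EXCL fails if anything already exists at the name
 * (a symlink included, EEXIST) and O_NOFOLLOW refuses a symlink at the
 * final component (ELOOP). A planted link is detected, never followed. */
int write_attachment_safe(const char *dir, const char *name, const char *data)
{
    char path[4096];
    if (build_path(path, sizeof path, dir, name) != 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* The other half of the fix: a private mode-0700 directory from mkdtemp(),
 * so other users cannot plant entries beside the attachment at all. */
int make_private_dir(char *out, size_t outlen)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0') base = "/tmp";
    int n = snprintf(out, outlen, "%s/attach-XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return mkdtemp(out) != NULL ? 0 : -1;
}

static int put_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    return fd < 0 ? -1 : write_all(fd, text);
}

static int file_equals(const char *path, const char *expect)
{
    char buf[256];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return 0;
    buf[n] = '\0';
    return strcmp(buf, expect) == 0;
}

/* Demo in a scratch directory created and removed here. "victim.txt" stands
 * in for a file the kmail user owns; a symlink at ATTACH_NAME points at it,
 * simulating what a local attacker would plant in a shared /tmp.
 * Returns a bitmask: bit 0 = unsafe writer followed the link and clobbered
 * the victim; bit 1 = safe writer refused the link, victim intact. Expected 3. */
int demo_symlink_defence(void)
{
    char dir[4096], victim[4096], link[4096];
    int result = 0;
    if (make_private_dir(dir, sizeof dir) != 0) return -1;
    if (build_path(victim, sizeof victim, dir, "victim.txt") != 0 ||
        build_path(link, sizeof link, dir, ATTACH_NAME) != 0) return -1;
    if (put_file(victim, "original\n") != 0 || symlink(victim, link) != 0) return -1;

    if (write_attachment_unsafe(dir, ATTACH_NAME, "attachment\n") == 0 &&
        file_equals(victim, "attachment\n"))
        result |= 1;

    if (put_file(victim, "original\n") != 0) return -1;   /* reset; link stays */
    if (write_attachment_safe(dir, ATTACH_NAME, "attachment\n") != 0 &&
        (errno == EEXIST || errno == ELOOP) && file_equals(victim, "original\n"))
        result |= 2;

    unlink(link); unlink(victim); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_defence();
    printf("unsafe writer followed planted link: %s; safe writer refused it: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

Using O_EXCL alone already defeats the planted link (open() fails with EEXIST), but a predictable name in a shared directory still lets a local user cause the write to fail at will; the private mkdtemp() directory removes that denial-of-service angle as well, which is why the two measures belong together.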