Aviso de seguridad de Debian

DSA-361-2 kdelibs, kdelibs-crypto -- varias vulnerabilidades

Fecha del informe:

1 de ago de 2003

Paquetes afectados:

Vulnerable:

Sí

Referencias a bases de datos de seguridad:

En la base de datos de Bugtraq (en SecurityFocus): Id. en BugTraq 7520, Id. en BugTraq 8297.
En el diccionario CVE de Mitre: CVE-2003-0459, CVE-2003-0370.

Información adicional:

Se descubrieron dos vulnerabilidades en kdelibs:

CAN-2003-0459: Konqueror para KDE 3.1.2 y anteriores no eliminaba las credenciales de autentificación de URLs de la forma «usuario:clave@máquna» de la cabecera HTTP-Referer, lo que podría permitir a los sitios web remotos robar las credenciales de las páginas que enlazaran con los sitios.
CAN-2003-0370: Konqueror empotrado y KDE 2.2.2 y anteriores no validaban el campo Nombre Común (CN) para los certificados X.509, lo que permitiría a los atacantes remotos aprehender certificados vía un ataque de «hombre en el medio».

Estas vulnerabilidades se describen en los siguientes avisos de seguridad de KDE:

Para la distribución estable actual (woody), estos problemas se han corregido en la versión 2.2.2-13.woody.8 de kdelibs y en la versión 2.2.2-6.woody.2 de kdelibs-crypto.

Para la distribución inestable (sid), estos problemas se han corregido en la versión 4:3.1.3-1. La versión inestable no tiene un paquete independiente para kdelibs-crypto.

Le recomendamos que actualice los paquetes kdelibs y kdelibs-crypto.

Arreglado en:

Debian GNU/Linux 3.0 (woody)

Fuentes:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.8.dsc; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2-13.woody.8.diff.gz; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_2.2.2.orig.tar.gz; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs-crypto_2.2.2-6woody2.dsc; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs-crypto_2.2.2-6woody2.diff.gz; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs-crypto_2.2.2.orig.tar.gz
Componentes independientes de la arquitectura:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-doc_2.2.2-13.woody.8_all.deb
Alpha:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_alpha.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_arm.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_i386.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_ia64.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_hppa.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_m68k.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_mips.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_mipsel.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_powerpc.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_s390.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dev_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-bin_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3-cups_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-alsa_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libarts-dev_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-alsa_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs/libkmid-dev_2.2.2-13.woody.8_sparc.deb; http://security.debian.org/pool/updates/main/k/kdelibs-crypto/kdelibs3-crypto_2.2.2-6woody2_sparc.deb

Las sumas MD5 de los ficheros que se listan están disponibles en el aviso original.

Las sumas MD5 de los ficheros que se listan están disponibles en el aviso revisado.