kde kjs vulnerability?

David Eisenstein deisenst at gtw.net
Fri Feb 3 02:27:11 UTC 2006


On Fri, 3 Feb 2006, David Houlder wrote:

> Hi...
> 
> Am I right in thinking that this...
> http://www.kde.org/info/security/advisory-20060119-1.txt
> ...currently affects FC3?
> Thanks
> 

You are correct.  Thanks for bringing it up.  A bug report has already
been entered into Bugzilla (ticket #178606) for this vulnerability.  This
is also known as "CVE-2006-0019 kjs encodeuri/ decodeuri heap overflow
vulnerability."  The Red Hat Security Team rated this as a critical
vulnerability in their postings.

See:

   <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178606>

This CVE-2006-0019 vulnerability appears to only affect FC2 and FC3, and 
not RHL 7.3, RHL 9, nor FC1.

There have evidently been a whole number of other KDE security bugs
appearing for all 5 distros that Fedora Legacy maintains since the last
time Fedora Legacy issued any KDE errata, in Feb. 2005.  See

   <https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123541>

for a list of potential vulnerabilities that we have for KDE at the 
moment.  These bugs will affect multiple KDE .src.rpm's for the 5 distros
we work with.  I have started a Tracker ticket (Bug #179804) to track
each .src.rpm package separately.

Marc Deslauriers indicated that it would probably be best to address all
of those vulnerabilities at once instead of just this CVE-2006-0010
vulnerability by itself (which affects the kdelibs .src.rpm).

Am planning to start working up some .src.rpm packages for our community
to look at in Bugzilla within a few days for RHL7.3, RHL9, FC1, FC2, and
FC3.  Am currently working up a spreadsheet to help with the process,
which I intend to post to the KDE Tracker bug when it is completed, so we
can have one Bug Ticket open per affected .src.rpm package.

If anyone would like to help in applying patches to .src.rpm's for some 
of the distros, I would welcome the help!

Thanks.

	Warm regards,
	David
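The message above asks for help applying patches to .src.rpm's for each distro.  The script below is an added example, not Fedora Legacy's own tooling: it wires a backported patch into an RPM spec file (next free PatchN tag, matching %patchN line in %prep, refusing duplicates), which is the repetitive step when one CVE fix has to go into the same package for several releases.  It assumes the spec uses numbered "PatchN:" tags and "%patchN -p1" lines after %setup; the sample kdelibs spec it writes is constructed for the demonstration and is not a real Fedora spec.  After editing, `rpmbuild -bs kdelibs.spec` (run in a prepared rpm tree with the patch copied to SOURCES) produces the new .src.rpm.

```shell
#!/bin/sh
# Added example: add a patch to an RPM spec file so that rpmbuild -bs
# yields a patched .src.rpm.  Assumes "PatchN:" tags and "%patchN -p1"
# apply lines after %setup in %prep (the usual Fedora/RHL convention).

# next_patch_number SPEC
# Prints one more than the highest existing PatchN tag (0 if none).
next_patch_number() {
  max=$(sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' "$1" | sort -n | tail -n 1)
  if [ -z "$max" ]; then echo 0; else echo $((max + 1)); fi
}

# has_patch SPEC PATCHFILE
# Exit status 0 if some PatchN tag already names PATCHFILE exactly.
has_patch() {
  awk -v pf="$2" '
    /^Patch[0-9]+:/ { sub(/^Patch[0-9]+:[ \t]*/, ""); if ($0 == pf) found = 1 }
    END { exit !found }' "$1"
}

# add_patch_to_spec SPEC PATCHFILE
# Inserts "PatchN: PATCHFILE" after the last PatchN tag (or after Source0 if
# the spec has no patches yet) and "%patchN -p1 -b .<name>" after the last
# %patch line (or after %setup).  Refuses to add the same patch twice.
add_patch_to_spec() {
  spec=$1; patchfile=$2
  if has_patch "$spec" "$patchfile"; then
    echo "already present: $patchfile" >&2
    return 1
  fi
  n=$(next_patch_number "$spec")
  suffix=${patchfile%.patch}   # backup suffix for -b, keeps pristine copies
  awk -v n="$n" -v pf="$patchfile" -v sfx="$suffix" '
    /^Patch[0-9]+:/ { last_tag = NR }
    /^Source0:/     { src0 = NR }
    /^%patch[0-9]+/ { last_app = NR }
    /^%setup/       { setup = NR }
    { line[NR] = $0 }
    END {
      tag_after = last_tag ? last_tag : src0
      app_after = last_app ? last_app : setup
      for (i = 1; i <= NR; i++) {
        print line[i]
        if (i == tag_after) printf "Patch%d: %s\n", n, pf
        if (i == app_after) printf "%%patch%d -p1 -b .%s\n", n, sfx
      }
    }' "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# write_sample_spec PATH
# Constructed, minimal kdelibs-style spec for trying the functions above;
# it is not a real Fedora spec file.
write_sample_spec() {
  cat > "$1" <<'EOF'
Name: kdelibs
Version: 3.3.1
Release: 3
Source0: kdelibs-%{version}.tar.bz2
Patch0: kdelibs-3.3.1-fixes.patch

%prep
%setup -q
%patch0 -p1 -b .fixes

%build
EOF
}

# Stand-alone demo: patch the sample spec and show the result.
if [ "${DEMO:-0}" = 1 ]; then
  write_sample_spec /tmp/kdelibs.spec
  add_patch_to_spec /tmp/kdelibs.spec kdelibs-3.3.1-CVE-2006-0019.patch
  cat /tmp/kdelibs.spec
fi
```

Run with `DEMO=1 sh addpatch.sh` to see the edited spec.  Bumping `Release:` and adding a `%changelog` entry are left to the packager, since each of the five distros uses its own release-tag convention; the script only handles the part that is identical across them.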
