[Mac_crypto] [Fink-announce] KDE Security Advisory

R. A. Hettinga mac_crypto@vmeng.com
Thu, 10 Apr 2003 10:46:20 -0400


--- begin forwarded text


From: Benjamin Reed <ranger@befunk.com>
To: fink-announce@lists.sourceforge.net
Subject: [Fink-announce] KDE Security Advisory
Sender: fink-announce-admin@lists.sourceforge.net
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/fink-announce>,
	<mailto:fink-announce-request@lists.sourceforge.net?subject=subscribe>
Date: Thu, 10 Apr 2003 09:57:35 -0400

Overview
--------

KDE uses Ghostscript software for processing of PostScript (PS) and PDF
files in a way that allows for the execution of arbitrary commands that
can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which will
provide the attacker with access to the victim's account and privileges
when the victim opens this malicious file for viewing or when the victim
browses a directory containing such a malicious file and has file previews
enabled.

An attacker can provide malicious files remotely to a victim in an
e-mail, as part of a webpage, via an ftp server and possibly other means.

More specifics can be found in the KDE security advisory at:

   http://www.kde.org/info/security/advisory-20030409-1.txt


Solution
--------

Updated packages for kdelibs, kdebase, and kdegraphics have been checked
into Fink unstable:

   kdelibs3-ssl   3.1.1-6
   kdebase3-ssl   3.1.1-6
   kdelibs3       3.1.1-6
   kdebase3       3.1.1-6
   kdegraphics3   3.1.1-5

All users of the unstable tree are encouraged to upgrade as soon as
possible.  After an initial smoke test, the KDE 3.1.1 packages will be
moved to stable tomorrow, the morning of the 11th (EST).  New binaries
will be built as soon as possible, most likely within the next two
weeks.  Users of the stable tree are encouraged to update as soon as
these packages are available to help find any remaining problems that
might come up so that we can get binaries built.

Users of the unstable tree can update immediately by running:

   fink selfupdate-cvs; fink update-all

Users of the stable tree will be able to update tomorrow morning after
10:00 EST.
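A way to verify that a system actually carries the fixed versions listed above, as an added example that is not part of this advisory or of Fink's own tooling: the comparison follows the Debian dpkg version-ordering rules (epoch, upstream version, revision; "~" sorts before everything) that Fink's .deb-based packages use, so "3.1.1-10" correctly ranks above "3.1.1-6" rather than being compared as text. The installed-version table at the bottom is constructed sample input, not output from any real machine.

```python
"""Audit installed package versions against the fixed versions in the advisory.
Added example; not part of the advisory or of Fink. Version ordering follows
the dpkg rules that Fink's .deb packaging uses. SAMPLE_INSTALLED is constructed."""

import re

# Fixed versions from the advisory (package name -> first fixed version).
FIXED_VERSIONS = {
    "kdelibs3-ssl": "3.1.1-6",
    "kdebase3-ssl": "3.1.1-6",
    "kdelibs3": "3.1.1-6",
    "kdebase3": "3.1.1-6",
    "kdegraphics3": "3.1.1-5",
}


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything, including the end of
    the string (''); letters sort before all other non-digit characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does:
    alternate between non-digit runs (character weights) and digit runs
    (numeric value, so leading zeros are irrelevant)."""
    while a or b:
        s_a = re.match(r"[^0-9]*", a).group(0)
        s_b = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(s_a):], b[len(s_b):]
        for i in range(max(len(s_a), len(s_b))):
            ca = s_a[i] if i < len(s_a) else ""
            cb = s_b[i] if i < len(s_b) else ""
            d = _order(ca) - _order(cb)
            if d:
                return -1 if d < 0 else 1
        n_a = re.match(r"[0-9]*", a).group(0)
        n_b = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(n_a):], b[len(n_b):]
        ia, ib = int(n_a or "0"), int(n_b or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts; epoch and
    revision default to 0 and '' when absent."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1: str, v2: str) -> int:
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _cmp_fragment(u1, u2)
    return c if c else _cmp_fragment(r1, r2)


def is_fixed(package: str, installed: str) -> bool:
    """True if the installed version is at or above the advisory's fixed version."""
    fixed = FIXED_VERSIONS[package]
    return compare_versions(installed, fixed) >= 0


def audit(installed: dict) -> list:
    """Return the advisory packages that are installed but still vulnerable."""
    return [pkg for pkg, ver in installed.items()
            if pkg in FIXED_VERSIONS and not is_fixed(pkg, ver)]


# Constructed sample of installed versions (not from a real system).
SAMPLE_INSTALLED = {
    "kdelibs3": "3.1.1-5",
    "kdebase3": "3.1.1-6",
    "kdegraphics3": "3.1.1-5",
    "kdelibs3-ssl": "3.1.1-10",
    "gimp": "1.2.3-1",  # not covered by the advisory, ignored
}

if __name__ == "__main__":
    for pkg in audit(SAMPLE_INSTALLED):
        print(f"{pkg} {SAMPLE_INSTALLED[pkg]} is below fixed {FIXED_VERSIONS[pkg]}")
```

On a real system the `SAMPLE_INSTALLED` table would be replaced by the package list reported by Fink; the comparison logic is the part worth reusing, since a plain string comparison would wrongly treat "3.1.1-10" as older than "3.1.1-6".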


Personal Note on the Timetable
------------------------------

I will be out of town Saturday April 12th to Sunday April 20th, with
limited, if any, internet access.  I will move KDE 3.1.1 to stable as
soon as possible on Friday morning, but will only have a limited ability
to fight fires during the week after release.  I'm fairly confident in
these latest KDE updates and don't anticipate problems, but in any
software release as big as KDE, problems are bound to come up.  Please
be patient; this security update is forcing my hand into releasing these a
week and a half before I was truly ready, but it's important to get
these changes out.

_______________________________________________
Fink-announce mailing list
Fink-announce@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fink-announce

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'