Test ID: 1.3.6.1.4.1.25623.1.0.831371
Category: Mandrake Local Security Checks
Title: Mandriva Update for kdelibs4 MDVSA-2011:071 (kdelibs4)
Summary: The remote host is missing an update for the 'kdelibs4' package(s) announced via the referenced advisory.
Description:
Summary:
The remote host is missing an update for the 'kdelibs4'
package(s) announced via the referenced advisory.

Vulnerability Insight:
A vulnerability has been found and corrected in kdelibs4:

kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not
properly verify that the server hostname matches the domain name of
the subject of an X.509 certificate, which allows man-in-the-middle
attackers to spoof arbitrary SSL servers via a certificate issued by
a legitimate Certification Authority for an IP address, a different
vulnerability than CVE-2009-2702 (CVE-2011-1094).

Additionally, it was discovered that kdelibs4 for 2009.0 was using an
old private copy of the ca-bundle.crt file containing the root CA
certs. This has now been resolved so that it uses the system-wide,
up-to-date /etc/pki/tls/certs/ca-bundle.crt file, last updated
with the MDVSA-2011:068 advisory.

Packages for 2009.0 are provided as of the Extended Maintenance
Program. The updated packages have been patched to correct this issue.

Affected Software/OS:
kdelibs4 on Mandriva Linux 2009.0,
Mandriva Linux 2009.0/X86_64,
Mandriva Linux 2010.0,
Mandriva Linux 2010.0/X86_64,
Mandriva Linux 2010.1,
Mandriva Linux 2010.1/X86_64

Solution:
Please install the updated packages.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2009-2702
http://www.mandriva.com/security/advisories?name=MDVSA-2009:330
http://www.mandriva.com/security/advisories?name=MDVSA-2011:162
http://secunia.com/advisories/36468
http://www.vupen.com/english/advisories/2009/2532
Common Vulnerability Exposure (CVE) ID: CVE-2011-1094
44108: http://secunia.com/advisories/44108
46789: http://www.securityfocus.com/bid/46789
ADV-2011-0913: http://www.vupen.com/english/advisories/2011/0913
ADV-2011-0990: http://www.vupen.com/english/advisories/2011/0990
MDVSA-2011:071: http://www.mandriva.com/security/advisories?name=MDVSA-2011:071
USN-1110-1: http://www.ubuntu.com/usn/USN-1110-1
[oss-security] 20110308 KDE SSL name check issue: http://openwall.com/lists/oss-security/2011/03/08/13
[oss-security] 20110308 Re: KDE SSL name check issue: http://openwall.com/lists/oss-security/2011/03/08/20
https://projects.kde.org/projects/kde/kdelibs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7
kdelibs-ssl-security-bypass(65986): https://exchange.xforce.ibmcloud.com/vulnerabilities/65986
Copyright: Copyright (C) 2011 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.