Summary: The remote host is missing an update for the 'kdebase' package(s) announced via the SSA:2007-264-01 advisory.
Vulnerability Insight: New kdebase packages are available for Slackware 12.0 to fix security issues.
A long URL padded with spaces could be used to display a false URL in Konqueror's addressbar, and KDM when used with no-password login could be tricked into logging a different user in without a password. This is not the way KDM is configured in Slackware by default, somewhat mitigating the impact of this issue.
More details about the issues may be found here:
[links moved to references]
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/kdebase-3.5.7-i486-3_slack12.0.tgz:
  Patched Konqueror to prevent 'spoofing' the URL (i.e. displaying a URL other than the one associated with the page displayed).
  For more information, see:
  [links moved to references]
  Patched KDM issue: 'KDM can be tricked into performing a password-less login even for accounts with a password set under certain circumstances, namely autologin to be configured and 'shutdown with password' enabled.'
  For more information, see:
  [links moved to references]
  (* Security fix *)
patches/packages/kdelibs-3.5.7-i486-3_slack12.0.tgz:
  Patched Konqueror's supporting libraries to prevent addressbar spoofing.
  For more information, see:
  [link moved to references]
  (* Security fix *)
+--------------------------+
Affected Software/OS: 'kdebase' package(s) on Slackware 12.0.
Solution: Please install the updated package(s).
CVSS Score: 6.8
CVSS Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C