Debian DSA-361-2 : kdelibs, kdelibs-crypto - several vulnerabilities

high Nessus Plugin ID 15198

Synopsis

The remote Debian host is missing a security-related update.

Description

Two vulnerabilities were discovered in kdelibs :

- CAN-2003-0459: KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the 'user:password@host' form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.
- CAN-2003-0370: Konqueror Embedded and KDE 2.2.2 and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack.

These vulnerabilities are described in the following security advisories from KDE :

-
-

Solution

For the current stable distribution (woody) these problems have been fixed in version 2.2.2-13.woody.8 of kdelibs and 2.2.2-6woody2 of kdelibs-crypto.


We recommend that you update your kdelibs and kdelibs-crypto packages.

See Also

http://www.debian.org/security/2003/dsa-361

Plugin Details

Severity: High

ID: 15198

File Name: debian_DSA-361.nasl

Version: 1.24

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:kdelibs, p-cpe:/a:debian:debian_linux:kdelibs-crypto, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: No exploit is required

Reference Information

CVE: CVE-2003-0370, CVE-2003-0459

BID: 7520, 8297

DSA: 361