kdelibs security update
Security Advisory: Important
Updated kdelibs packages that resolve security issues in Konqueror are now
available for Red Hat Enterprise Linux 4.
This update has been rated as having important security impact by the
Red Hat Security Response Team.
The kdelibs packages include libraries for the K Desktop Environment.
Two flaws were found in the sandbox environment used to run Java-applets in
the Konqueror web browser. If a user has Java enabled in Konqueror and
visits a malicious website, the website could run a carefully crafted
Java-applet and obtain escalated privileges allowing reading and writing of
arbitrary files with the privileges of the victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-1145 to this issue.
A flaw was discovered in the FTP kioslave. KDE applications such as
Konqueror could be forced to execute arbitrary FTP commands via a carefully
crafted ftp URL. The URL could also be crafted in such a way as to send an
arbitrary email via SMTP. An attacker could make use of this flaw if a
victim visits a malicious web site. The Common Vulnerabilities and
Exposures project has assigned the name CAN-2004-1165 to this issue.
Users should update to these erratum packages which contain backported
patches to correct these issues.
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
Vulmon