SEP 11, 2002

Konqueror Cross Site Scripting Vulnerability

The KDE Project released two security advisories today.
The first advisory is about a vulnerability in handling secure cookies, which has already been fixed in the KDE 3.0.3 release. Another vulnerability, related to the cross site scripting protection in Konqueror, was discovered last week on Bugtraq. A patch and an updated kdelibs package were released today to fix both problems. The KDE 3.0.3 Info page was updated as well. It is recommended to upgrade immediately.

Comments

Will there be a patch for the Cross Scripting Vulnerability for versions other than 2.2.2 or 3.0.3, i.e. 3.0?

Thanks


By Eli Wapniarski at Wed, 2002/09/11 - 5:00am

Oh... By the way... Thanks for providing the patch for the Secure Cookie Vulnerability. It made my life a whole lot easier.


By Eli Wapniarski at Wed, 2002/09/11 - 5:00am

Did you try that the 3.0.3 patch doesn't apply to 3.0?


By Anonymous at Wed, 2002/09/11 - 5:00am

It isn't needed; the bug was introduced between 3.0.2 and 3.0.3, IIRC.

Rich.


By Richard Moore at Wed, 2002/09/11 - 5:00am

Did anyone read the advisory? It reads "Systems affected: KDE 3.0 - 3.0.3".


By Anonymous at Wed, 2002/09/11 - 5:00am

Debian 3.0.3a packages have been uploaded to ktown and should hit mirrors shortly; a 2.2.2 DSA for stable (woody) has been sent to the security team, and a 2.2.2 upload for unstable (sid) will be made within a couple of hours.


By Daniel Stone at Wed, 2002/09/11 - 5:00am

3.0.3a has hit the mirrors, and the 2.2.2 unstable upload has hit sid; the 2.2.2 woody DSA is still building on all the architectures (including m68k, arm, etc). Have at it.


By Daniel Stone at Fri, 2002/09/13 - 5:00am

Must one recompile everything after installing a new kdelibs?


By David at Wed, 2002/09/11 - 5:00am

> Must one recompile everything after installing a new kdelibs?

I seriously doubt it (unless you've linked things statically...)

-- Rex


By Rex Dieter at Wed, 2002/09/11 - 5:00am

Definitively no.


By Me at Thu, 2002/09/12 - 5:00am

Does anybody know why, when a Security Bug appears in MS Internet Explorer, the same problem soon emerges in Konqueror?

I mean SSL Certificates, and now Cross Site Scripting.

Is it just casuality?

Seems as if both were based on the same code or something alike.


By Esteban Maringolo at Wed, 2002/09/18 - 5:00am