Konqueror Cross Site Scripting Vulnerability

The KDE Project released two security advisories today.
The first advisory is about a vulnerability in handling secure cookies, which has been fixed already in the KDE 3.0.3 release. Another vulnerability was discovered last week on Bugtraq, which is related to the cross site scripting protection in Konqueror. A patch and an updated kdelibs package was released today to fix both problems. The KDE 3.0.3 Info page was updated as well. It is recommended to upgrade immediately.

Dot Categories: 

Comments

by Eli Wapniarski (not verified)

Will there be a patch for the Cross Scripting Vulnerability for version other than 2.2.2 or 3.0.3, i.e. 3.0?

Thanks

Oh... By the way... Thanks for providing the patch Secure Cookie Vulnerability. It made my life a whole lot easier.

Did you try that the 3.0.3 patch doesn't apply to 3.0?

It isn't needed the bug was introduced between 3.0.2 and 3.0.3 IIRC.

Rich.

Did anyone read the advisory? It reads "Systems affected: KDE 3.0 - 3.0.3".

by Daniel Stone (not verified)

Debian 3.0.3a packages have been uploaded to ktown and should hit mirrors shortly; a 2.2.2 DSA for stable (woody) has been sent to the security team, and a 2.2.2 upload for unstable (sid) will be made within a couple of hours.

by Daniel Stone (not verified)

3.0.3a has hit the mirrors, and the 2.2.2 unstable upload has hit sid; the 2.2.2 woody DSA is still building on all the architectures (including m68k, arm, etc). Have at it.

by David (not verified)

Msut one recompile everything after installing a new kdelibs?

by Rex Dieter (not verified)

> Msut one recompile everything after installing a new kdelibs?

I seriously doubt it (unless you've linked things statically...)

-- Rex

by Me (not verified)

Definitively no.

by Esteban Maringolo (not verified)

Does anybody knows why when a Security Bug appears in MS Internet Explorer, soon the same problem emerges in Konqueror.

I mean SSL Certificates, and now Cross Site Scripting.

Is it just casuality?

Seems like if both were based on the same code or something alike.