1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA1 |
3 |
|
4 |
|
5 |
- --------------------------------------------------------------------------- |
6 |
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01 |
7 |
- --------------------------------------------------------------------------- |
8 |
|
9 |
GLSA: 200311-01 |
10 |
package: kde-base/kdebase |
11 |
summary: KDM vulnerabilities |
12 |
severity: normal |
13 |
Gentoo bug: 29406 |
14 |
date: 2003-11-15 |
15 |
CVE: CAN-2003-0690 CAN-2003-0692 |
16 |
exploit: local / remote |
17 |
affected: <=3.1.3 |
18 |
fixed: >=3.1.4 |
19 |
|
20 |
DESCRIPTION: |
21 |
|
22 |
Firstly, versions of KDM <= 3.1.3 are vulnerable to a privilege escalation |
23 |
bug with a specific configuration of PAM modules. Users who do not use PAM |
24 |
with KDM and users who use PAM with regular Unix crypt/MD5 based |
25 |
authentication methods are not affected. |
26 |
|
27 |
Secondly, KDM uses a weak cookie generation algorithm. It is advised that |
28 |
users upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable |
29 |
source of entropy to improve security. |
30 |
|
31 |
Please look at http://www.kde.org/info/security/advisory-20030916-1.txt for |
32 |
the KDE Security Advisory and source patch locations for older versions of |
33 |
KDE. |
34 |
|
35 |
SOLUTION: |
36 |
|
37 |
Users are encouraged to perform an 'emerge --sync' and upgrade the package to |
38 |
the latest available version. KDE 3.1.4 is recommended and should be marked |
39 |
stable for most architectures. Specific steps to upgrade: |
40 |
|
41 |
emerge --sync |
42 |
emerge '>=kde-base/kde-3.1.4' |
43 |
emerge clean |
44 |
|
45 |
-----BEGIN PGP SIGNATURE----- |
46 |
Version: GnuPG v1.2.3 (Darwin) |
47 |
|
48 |
iD8DBQE/vG2Wnt0v0zAqOHYRAr5xAKCedNRDPeH8sbW3EyX6OOSHJOL6VQCgr0ul |
49 |
fnlFstGhIw3hMdoQIp07/SI= |
50 |
=QD6a |
51 |
-----END PGP SIGNATURE----- |