| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
- --------------------------------------------------------------------------- |
| 6 |
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01 |
| 7 |
- --------------------------------------------------------------------------- |
| 8 |
|
| 9 |
GLSA: 200311-01 |
| 10 |
package: kde-base/kdebase |
| 11 |
summary: KDM vulnerabilities |
| 12 |
severity: normal |
| 13 |
Gentoo bug: 29406 |
| 14 |
date: 2003-11-15 |
| 15 |
CVE: CAN-2003-0690 CAN-2003-0692 |
| 16 |
exploit: local / remote |
| 17 |
affected: <=3.1.3 |
| 18 |
fixed: >=3.1.4 |
| 19 |
|
| 20 |
DESCRIPTION: |
| 21 |
|
| 22 |
Firstly, versions of KDM <= 3.1.3 are vulnerable to a privilege escalation |
| 23 |
bug with a specific configuration of PAM modules. Users who do not use PAM |
| 24 |
with KDM and users who use PAM with regular Unix crypt/MD5 based |
| 25 |
authentication methods are not affected. |
| 26 |
|
| 27 |
Secondly, KDM uses a weak cookie generation algorithm. It is advised that |
| 28 |
users upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable |
| 29 |
source of entropy to improve security. |
| 30 |
|
| 31 |
Please look at http://www.kde.org/info/security/advisory-20030916-1.txt for |
| 32 |
the KDE Security Advisory and source patch locations for older versions of |
| 33 |
KDE. |
| 34 |
|
| 35 |
SOLUTION: |
| 36 |
|
| 37 |
Users are encouraged to perform an 'emerge --sync' and upgrade the package to |
| 38 |
the latest available version. KDE 3.1.4 is recommended and should be marked |
| 39 |
stable for most architectures. Specific steps to upgrade: |
| 40 |
|
| 41 |
emerge --sync |
| 42 |
emerge '>=kde-base/kde-3.1.4' |
| 43 |
emerge clean |
| 44 |
|
| 45 |
-----BEGIN PGP SIGNATURE----- |
| 46 |
Version: GnuPG v1.2.3 (Darwin) |
| 47 |
|
| 48 |
iD8DBQE/vG2Wnt0v0zAqOHYRAr5xAKCedNRDPeH8sbW3EyX6OOSHJOL6VQCgr0ul |
| 49 |
fnlFstGhIw3hMdoQIp07/SI= |
| 50 |
=QD6a |
| 51 |
-----END PGP SIGNATURE----- |
Archives