[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Fedora] Schwachstelle in KTorrent vor Version 3.1.4 - FEDORA-2008-9167

To: win-sec-ssc@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Subject: [Fedora] Schwachstelle in KTorrent vor Version 3.1.4 - FEDORA-2008-9167
From: WiN Site Security Contacts <win-sec-ssc@xxxxxxxxxxxxxxxxx>
Date: Mon, 27 Oct 2008 16:56:54 +0100 (CET)

-----BEGIN PGP SIGNED MESSAGE-----

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgendes Fedora Security Advisory. Wir geben
diese Informationen unveraendert an Sie weiter.

  Schwachstellen im kTorrent Webinterface

  KTorrent beinhaltet mehrere Schwachstellen im Webinterface, die sich
  fuer Angriffe auf das Programm ausnutzen lassen. Ein entfernter
  Angreifer kann manipulierte HTTP-Post Requests an das System schicken 
  und so beliebige torrent-Dateien auf das betroffene System laden.

  Eine weitere Schwachstelle fuehrt dazu, dass Benutzereingaben nicht
  ausreichend gefiltert werden bevor sie an den PHP-Interpreter
  weitergeleitet werden. Dies kann entfernten Angreifer ermoeglichen
  beliebige PHP-Befehle mit den Rechten der Anwendung auszufuehren.

Betroffen sind die folgenden Software Pakete und Plattformen:

  Paket ktorrent

  Fedora 9

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
  https://www.redhat.com/archives/fedora-package-announce/2008-October/msg00781.html


(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
   Michael Groening, DFN-CERT
- -- 

Michael Groening (Incident Response Team), +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.:  DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany,  CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen                https://www.cert.dfn.de/autowarn


- --------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-9167
2008-10-24 22:46:35
- --------------------------------------------------------------------------------

Name        : ktorrent
Product     : Fedora 9
Version     : 3.1.4
Release     : 1.fc9
URL         : http://ktorrent.pwsp.net/
Summary     : A BitTorrent program for KDE
Description :
KTorrent is a BitTorrent program for KDE. Its main features are native KDE
integration, download of torrent files, upload speed capping, internet
searching using various search engines, UDP Trackers and UPnP support.

- --------------------------------------------------------------------------------
Update Information:

Another bugfix release for the 3.1 series is out. This fixes several bugs :  * A
crash caused by a SIGBUS, when diskspace preallocation is disabled  * High CPU
usage when DNS lookups fail in the UDP tracker code  * Several security issues
in the webinterface plugin
- --------------------------------------------------------------------------------
ChangeLog:

* Thu Oct 23 2008 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> - 3.1.4-1
- - ktorrent-3.1.4
* Tue Oct 14 2008 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> - 3.1.3-4
- - KDEDInit could not launch .../ktorrent (#451559, kde#157853)
* Mon Oct 13 2008 Roland Wolters <wolters.liste@xxxxxxx> - 3.1.3-3
- - Update to upstream version 3.1.3
* Fri Aug  8 2008 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> - 3.1.2-1
- - ktorrent-3.1.2
* Sun Jul 13 2008 Roland Wolters <wolters.liste@xxxxxxx> - 3.1-5
- - Update to version 3.1
* Wed May 14 2008 Roland Wolters <wolters.liste@xxxxxxx> - 3.0.2-3
- - bugfix update to version 3.0.2
- - some spec file fixes due to an update error
* Mon Apr 28 2008 Rex Dieter <rdieter@xxxxxxxxxxxxxxxxx> - 3.0.1-4
- - %postun: remove extraneous scriplets
- - -devel: own %{_kde4_includedir}/libbtcore/ (and subdirs)
- - -devel: Requires: kdelibs4-devel
- - drop: Requires: oxygen-icon-theme (kde4 runtime already does)
- - Requires(post,postun): xdg-utils
- --------------------------------------------------------------------------------
References:

  [ 1 ] Bug #451559 - KDEInit could not launch /usr/bin/ktorrent
        https://bugzilla.redhat.com/show_bug.cgi?id=451559
  [ 2 ] Bug #468233 - ktorrent not up to date
        https://bugzilla.redhat.com/show_bug.cgi?id=468233
- --------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update ktorrent' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
- --------------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQEVAwUBSQXkxkhXCWfrVVdXAQE+DAf8DxE0JL31wnL1mHM7xLhKwD0PvIwKGyfY
tbr2/vNAw7K0e+d2yY7nZEiEf9kxZtqRHeDhRFXiu2KM+nkfhGysP+elbj6yO2OA
RCIlT7bMfEqb96tGCFfqbsC1jFEfnOmqYGTekSzYanOiPVnmv07QdpLl+qg7Wrin
cUFKdJcQJFU13wtv8shgUT3Fq0RfUfF64SuHaDB9nfxRDZRM1K2sxWB5Cw1/VWUp
BH2E18zNuYnm3VAmBgVlN9igEaZncxxAavcSUVKbrs24KBgm/cv88l3aTZnZpn5w
0wVHxfJZhs8DodzMg/y4rCSz+3/qngs9v/nvbn65mch5Im8C3/bW9g==
=XodX
-----END PGP SIGNATURE-----

Prev by Date: [Sun] Schwachstelle im Sun Java System LDAP Java Development Kit - 242246
Next by Date: [HP-UX] UPDATE: Schwachstelle in HP Insight Diagnostics - HPSBMA02373 - SSRT071467
Previous by thread: [Sun] Schwachstelle im Sun Java System LDAP Java Development Kit - 242246
Next by thread: [HP-UX] UPDATE: Schwachstelle in HP Insight Diagnostics - HPSBMA02373 - SSRT071467
Index(es):
- Date
- Thread