[gentoo-announce] GLSA: kdebase (200311-01)

[Rajiv Aaron Manglani <rajiv@gentoo.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ---------------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200311-01
- ---------------------------------------------------------------------------

GLSA:        200311-01
package:     kde-base/kdebase
summary:     KDM vulnerabilities
severity:    normal
Gentoo bug:  29406
date:        2003-11-15
CVE:         CAN-2003-0690 CAN-2003-0692
exploit:     local / remote
affected:    <=3.1.3
fixed:       >=3.1.4

DESCRIPTION:

Firstly, versions of KDM <= 3.1.3 are vulnerable to a privilege escalation
bug with a specific configuration of PAM modules. Users who do not use PAM
with KDM and users who use PAM with regular Unix crypt/MD5 based
authentication methods are not affected.

Secondly, KDM uses a weak cookie generation algorithm. It is advised that
users upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable
source of entropy to improve security.

Please look at http://www.kde.org/info/security/advisory-20030916-1.txt for
the KDE Security Advisory and source patch locations for older versions of
KDE.

SOLUTION:

Users are encouraged to perform an 'emerge --sync' and upgrade the package to
the latest available version. KDE 3.1.4 is recommended and should be marked
stable for most architectures. Specific steps to upgrade:

emerge --sync
emerge '>=kde-base/kde-3.1.4'
emerge clean

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/vG2Wnt0v0zAqOHYRAr5xAKCedNRDPeH8sbW3EyX6OOSHJOL6VQCgr0ul
fnlFstGhIw3hMdoQIp07/SI=
=QD6a
-----END PGP SIGNATURE-----