Posted on 01/23/2006 8:21:55 AM PST by ShadowAce
Red Hat and Suse have released patches for a critical security hole in their Linux distributions that stem from a vulnerability in the KDE desktop environment.
KDE is a user interface package used with several versions of Unix and Linux. The KDE hole was discovered Thursday and rated critical by both Red Hat and the French Security Incident Response Team (FrSIRT).
It affects the JavaScript engine used in various parts of KDE, including its Konqueror Web browser. The flaw could allow a remote attacker to launch an overflow attack and run arbitrary code on the user's machine, FrSIRT said.
Users could disable JavaScript in Konqueror as a workaround, but some Web sites might not display properly and installing the patches is better, said Suse, which is part of Novell.
The problem affects version 4 of Red Hat Enterprise Linux AS, ES, and WS, and also version 4 of Red Hat Desktop. Red Hat released patches for those products late last week on the Red Hat Network, it said.
The versions of Suse Linux affected are 10.0, 9.3, 9.2 and 9.1, according to a Suse advisory at http://www.novell.com/linux/security/advisories/2006_03_kdelibs3.html/
KDE also released patches for the hole, and an advisory at http://kde.org/info/security/advisory-20060119-1.txt. The flaw affects KDE 3.2.0 up to and including KDE 3.5.0, it said.
The newest version of KDE released in November, KDE 3.5, is apparently not affected. Also not affected are Red Hat Enterprise Linux 3 or 2.1, Red Hat said.
The FrSIRT advisory is at http://www.frsirt.com/english/advisories/2006/0279
Does this make any sense?
Say it ain't so Linus.
I thought only IE had these kind of issues..... ;)
LOL! On a more serious note, though, Linus has nothing to do with KDE. KDE is strictly a user app, and not related to the kernel.
Understand that this is not a "train" that Linus controls.
Nah. But the difference is that the patch was released with the flaw information. MS would wait until the screams from customers would force them to patch.
It Works!
Very low resource overhead too . . . And it looks neat!
"I thought only IE had these kind of issues..... ;"
Nothings perfect. While this is considered "critical" since it can allow another to execute arbitrary code on an affected machine; it is a rather narrow vulnerability. For it to be exploited one would have to visit a web site and use Konquerer as the browser. Now I'm sure a few folks browse with Konquerer, but the vast majority use Firefox, Mozilla, or Opera; non of which are vulnerable to this flaw.
Just the same, I've already downloaded and applied the patch!
Only if the current version of KDE 3.5 is at revision level 1 or higher (3.5.1 or higher). It would have been smarter writing to have been more specific, rather than just referring to the major/minor release numbers.
I think I'm in a very small minority - I know I'm "supposed" to like KDE (more powerful, more configurable) but try as I might, I find GNOME to be more my cup of tea.
On a related topic, now I've found a place where you probably are reading this topic I've a question for all you 'nix users out there: I am considering converting this box to Linux for dedicated Web browsing, but I can not seem to locate a Firewall that works like My two favourite 'Doze apps do (BlackIce Defender and Agnitum Outpost)-namely, they work by not allowing ANY connection to be made unless specifically allowed on each individual basis. I.e., if I click on the FR site, a little box pops up stating "(Application)(Opera Browser) is requesting a connection with such-and-such a site (www.freerepublic.com). |Allow|Deny|Create Rule for| ?"
Then I click on the Create button and the window switches to a box where I can allow the connection to be allowed once, denied once, or allowed/denied automatically every following time. Using this method, NO spyware/adware/malware has been able to infect this machine, and on other sites I can bypass all the ad-muck popups as well which cleans up the browsing effect markedly. Any recommendations?
I am also looking for a newer version of Linux that can run on an older machine, such as an older one with about 64M of memory or so. Hopefully, one that can be configured to run in extreme power-saving mode so I can leave it on continuously without sending My electricity bill through the roof. Damn Small Linux (DSL) works quite well, but it is rather sparse and I would like something with a little more apps to it. Any ideas from all you experts out there?
Hope that helps.
As far as firewall, I have made a conscious effort to NOT comment of existing firewalls, as I created my own. I took an old P120, installed a minimal distro on it (Can't remember it offhand), and manually edited the ipchains file to drop all connections coming in that I did not specifically request.
Nobody ever gets in, and I can get out. It took me about 4-5 lines of code.
As far as a lightweight distro, try Puppy Linux. It contains a fairly decent set of software, and it's a popular distro.
I just remembered--I've heard pretty good things about Devil Linux--a distro made for firewalls and routers. I have had no experience with it, so I don't know how it works, I would doubt that it will work exactly like you are used to, though.
After being in place since at least February 2004, when KDE 3.2 was released. Someone want to explain that "many eyeballs" business to me again?
Again, thanks and feel free to send more info that might be relevant anytime you come across it.
Cheers!
What are you suggesting? "Many eyeballs" translates into instantaneous discovery? How long did the WMF vulnerabilty exist before discovery? Hint: It was much longer than two years.
Actually, my point is quite simple - KDE, like most OSS projects, has a dedicated core of developers who do the vast, vast majority of coding for the project. The chances of someone outside this inner core of developers actually sitting down with the code and looking for bugs are basically non-existent. The projects are too large and too complicated for dillettantes to have much of an impact - the amount of work needed to familiarize yourself with the codebase in order to make meaningful contributions pretty much bars folks from simply dipping in and shotgunning some bug fixes into place. So, effectively, the "many eyeballs" paradigm is simply an illusion in most cases. It sounds nice in theory, but it doesn't really exist in reality.
With FLOSS, any developer can join the project. The project cansupport as many interested developers as want to join. This, plus the motivation of the involved developers being more project-oriented than closed-source developers, and yes--all bugs are shallow in comparison with closed-source projects.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.