Ubuntu 9.10 / 10.04 LTS / 10.10 : kde4libs vulnerabilities (USN-1110-1)

Ubuntu Security Notice (C) 2011-2014 Canonical, Inc. / NASL script (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

It was discovered that KDE KSSL did not properly verify X.509
certificates when the certificate was issued for an IP address. An
attacker could exploit this to perform a man in the middle attack to
view sensitive information or alter encrypted communications.
(CVE-2011-1094)

Tim Brown discovered that KDE KHTML did not properly escape URLs from
externally generated error pages. An attacker could exploit this to
conduct cross-site scripting attacks. With cross-site scripting
vulnerabilities, if a user were tricked into viewing server output
during a crafted server request, a remote attacker could exploit this
to modify the contents, or steal confidential data (such as
passwords), within the same domain. (CVE-2011-1168).

Solution :

Update the affected kdelibs5, libkhtml5 and / or libkio5 packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 55068 ()

Bugtraq ID: 46789
47304

CVE ID: CVE-2011-1094
CVE-2011-1168