CAN-2004-1165: FTP command injection bug
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kdelibs (Debian) | Fix Released | Unknown | |
kdelibs (Ubuntu) | Fix Released | High | Andreas Mueller |
Bug Description
Automatically imported from Debian bug report #285128 http://
In Debian Bug tracker #285128, Dato Simó (dato) wrote : Re: missing bits for the transition | #2 |
# -|
# -|--> to be merged (sure?) ====> yes
### These two bugs are the same vulnerability, and that the bug
### really belongs to kdelibs, not konqueror/kdebase.
#285128: CAN-2004-1165: FTP command injection bug
reassign 285128 kdelibs
severity 285128 grave
#287201: KIOSlave FTP client can be made to send email
merge 285128 287201
stop here, and happy new year for you too
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Beauty, brains, availability, personality: pick any two.
Debian Bug Importer (debzilla) wrote : | #3 |
Automatically imported from Debian bug report #285128 http://
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Fri, 10 Dec 2004 14:51:51 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2004-1165: FTP command injection bug
Package: konqueror
Version: 3.3.1
Tags: security
Severity: serious
CAN-2004-1165 is about a security hole in konqueror that allows
arbitrary ftp commands to be inserted in a URL via URL-encoded newlines.
Details about this hole are here:
http://
The advisory says that it affects version >= 3.3.1, so perhaps our
3.2.3-1/2.3.3-1 in t-p-u/testing are not vulnerable. I've not checked.
--
see shy jo
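The bug report above describes the defect class (a URL-encoded newline in an ftp:// URL being decoded straight into the FTP control channel, where the server reads one command per line). The following is an added example, not KDE's or Debian's code, of the check a client should apply: percent-decode each URL component first, then refuse anything that still contains CR, LF or NUL before it is placed into a command line. The hostname, paths and the `ftp_commands_for_url` / `is_safe_ftp_url` helpers are constructed for this illustration.

```python
"""Reject ftp:// URLs whose decoded components would inject control-channel commands.

Added example (not the project's code). FTP commands are CRLF-terminated lines,
so any CR or LF that survives percent-decoding inside USER, PASS or RETR
arguments would be read by the server as the start of a second command.
"""
from urllib.parse import urlsplit, unquote

# Characters that must never appear inside an FTP command argument.
FORBIDDEN = {"\r", "\n", "\x00"}

# Constructed defaults for anonymous logins; not from the original page.
DEFAULT_USER = "anonymous"
DEFAULT_PASS = "user@example.invalid"


def check_ftp_component(value: str) -> str:
    """Percent-decode one URL component and reject embedded control characters.

    Decoding happens before the check, so an encoded %0d%0a is caught the same
    way a literal newline would be.
    """
    decoded = unquote(value)
    bad = FORBIDDEN.intersection(decoded)
    if bad:
        raise ValueError(f"control character {sorted(bad)!r} in FTP URL component")
    return decoded


def ftp_commands_for_url(url: str) -> list[str]:
    """Build the command lines a client would send for an ftp:// URL.

    Every argument passes through check_ftp_component, so a CR/LF in the
    user, password or path aborts instead of becoming a command on the wire.
    Note: modern urllib strips literal tab/CR/LF before splitting, so the
    percent-encoded form is the one that actually reaches this check.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an ftp URL")
    user = check_ftp_component(parts.username or DEFAULT_USER)
    password = check_ftp_component(parts.password or DEFAULT_PASS)
    path = check_ftp_component(parts.path or "/")
    return [f"USER {user}", f"PASS {password}", f"RETR {path}"]


def is_safe_ftp_url(url: str) -> bool:
    """True if the URL can be turned into FTP commands without injection."""
    try:
        ftp_commands_for_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs: one clean, two carrying an encoded newline.
    samples = [
        "ftp://ftp.example.invalid/pub/file.txt",
        "ftp://ftp.example.invalid/pub/file.txt%0d%0aNOOP",
        "ftp://user%0aNOOP:pw@ftp.example.invalid/",
    ]
    for sample in samples:
        verdict = "ok" if is_safe_ftp_url(sample) else "REJECTED"
        print(f"{verdict:9} {sample}")
```

The check is deliberately applied to the decoded value rather than to the raw URL text: a filter that only looks for a literal newline in the URL string would pass `%0d%0a` through untouched, which is exactly the shape of the original report.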
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Thu, 30 Dec 2004 15:16:26 +0100
From: Adeodato =?iso-8859-
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: CAN-2004-1165: FTP command injection bug
tag 285128 sarge sid
stop here
* Joey Hess [Fri, 10 Dec 2004 14:51:51 -0500]:
> The advisory says that it affects version >= 3.3.1, so perhaps our
> 3.2.3-1/2.3.3-1 in t-p-u/testing are not vulnerable. I've not checked.
just for the record: yes, 3.2 is vulnerable. upstream released patches
for both the 3.3.x and 3.2.x series.
--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Old men are fond of giving good advice to console themselves for their
inability to set a bad example.
-- La Rochefoucauld, "Maxims"
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Sat, 1 Jan 2005 11:57:55 +0100
From: Adeodato =?iso-8859-
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: missing bits for the transition
# -|
# -|--> to be merged (sure?) ====> yes
### These two bugs are the same vulnerability, and that the bug
### really belongs to kdelibs, not konqueror/kdebase.
#285128: CAN-2004-1165: FTP command injection bug
reassign 285128 kdelibs
severity 285128 grave
#287201: KIOSlave FTP client can be made to send email
merge 285128 287201
stop here, and happy new year for you too
--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Beauty, brains, availability, personality: pick any two.
Debian Bug Importer (debzilla) wrote : | #7 |
*** Bug 11467 has been marked as a duplicate of this bug. ***
Andreas Mueller (amu) wrote : | #8 |
already fixed in warty & hoary
In Debian Bug tracker #285128, Dato Simó (dato) wrote : Re: Final polishing of the KDE 3.3 transition | #9 |
#> we'll go with lowering to 'important', with an attached explanation.
#285128: kdelibs: CAN-2004-1165: FTP command injection bug
severity 285128 important
#286516: kdebase: CAN-2004-1158: Konqueror Window Injection Vuln.
severity 286516 important
#286521: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability
severity 286521 important
thanks mate, see you again after the transition
In agreement with the Release Team, I'm downgrading the severity of
the above three security bugs in KDE to important, so that KDE 3.3 can
enter sarge. See this thread [1] for more info.
[1] http://
The severity will be restored right after the transition, and uploads
to sid will shortly follow. Just to say what is going to happen:
kdebase 3.3.1-4 will be uploaded first (along with an arts 1.3.2-2, not
security related). While buildds churn these two, a kdelibs 3.3.2-1
upload to sid will be prepared, and uploaded as soon as kdebase+arts
is built in all arches.
We need to upload kdelibs 3.3.2 since the fix for CAN-2004-1145 (the
Java Vulnerability) is not easily backportable to 3.3.1. Having
kdelibs 3.3.2 with the rest of packages being at 3.3.1 is a safe mix;
in any case, we will test prior to uploading and the urgency won't be
set to high.
Cheers,
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Listening to: 10,000 Maniacs - don't talk
Don't worry about what anybody else is going to do. The best way to
predict the future is to invent it.
-- Alan Kay
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Mon, 3 Jan 2005 12:12:10 +0100
From: Adeodato =?iso-8859-
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>, <email address hidden>, <email address hidden>, <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition
#> we'll go with lowering to 'important', with an attached explanation.
#285128: kdelibs: CAN-2004-1165: FTP command injection bug
severity 285128 important
#286516: kdebase: CAN-2004-1158: Konqueror Window Injection Vuln.
severity 286516 important
#286521: kdelibs: CAN-2004-1145: Konqueror Java Vulnerability
severity 286521 important
thanks mate, see you again after the transition
In agreement with the Release Team, I'm downgrading the severity of
the above three security bugs in KDE to important, so that KDE 3.3 can
enter sarge. See this thread [1] for more info.
[1] http://
The severity will be restored right after the transition, and uploads
to sid will shortly follow. Just to say what is going to happen:
kdebase 3.3.1-4 will be uploaded first (along with an arts 1.3.2-2, not
security related). While buildds churn these two, a kdelibs 3.3.2-1
upload to sid will be prepared, and uploaded as soon as kdebase+arts
is built in all arches.
We need to upload kdelibs 3.3.2 since the fix for CAN-2004-1145 (the
Java Vulnerability) is not easily backportable to 3.3.1. Having
kdelibs 3.3.2 with the rest of packages being at 3.3.1 is a safe mix;
in any case, we will test prior to uploading and the urgency won't be
set to high.
Cheers,
--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Listening to: 10,000 Maniacs - don't talk
Don't worry about what anybody else is going to do. The best way to
predict the future is to invent it.
-- Alan Kay
In Debian Bug tracker #285128, Dato Simó (dato) wrote : | #11 |
# severity 285128 important
# severity 286516 important
# severity 286521 important
# thanks mate, see you again after the transition
# <vorlon> dato: would you care to bump those security bugs back up to RC severity?
severity 285128 grave
severity 286516 grave
severity 286521 grave
thanks. vorlon: done
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Don't be irreplaceable, if you can't be replaced, you can't be promoted.
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Tue, 4 Jan 2005 09:48:48 +0100
From: Adeodato =?iso-8859-
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Final polishing of the KDE 3.3 transition
# severity 285128 important
# severity 286516 important
# severity 286521 important
# thanks mate, see you again after the transition
# <vorlon> dato: would you care to bump those security bugs back up to RC severity?
severity 285128 grave
severity 286516 grave
severity 286521 grave
thanks. vorlon: done
--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
Don't be irreplaceable, if you can't be replaced, you can't be promoted.
In Debian Bug tracker #285128, Dato Simó (dato) wrote : setting package to kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev kdelibs4-doc ... ... ... ... ... ... ... ... | #13 |
# Automatically generated email from bts, devscripts version 2.8.6
package kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev kdelibs4-doc
tags 263430 + pending
tags 285128 + pending
tags 286521 + pending
tags 287097 + pending
tags 287201 + pending
tags 287566 + pending
tags 288653 + pending
tags 289164 + pending
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Sun, 9 Jan 2005 01:22:56 +0100
From: Adeodato Simó <email address hidden>
To: <email address hidden>
Subject: setting package to kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev
kdelibs4-doc ... ... ... ... ... ... ... ...
# Automatically generated email from bts, devscripts version 2.8.6
package kdelibs kdelibs kdelibs-bin kdelibs-data kdelibs4 kdelibs4-dev kdelibs4-doc
tags 263430 + pending
tags 285128 + pending
tags 286521 + pending
tags 287097 + pending
tags 287201 + pending
tags 287566 + pending
tags 288653 + pending
tags 289164 + pending
In Debian Bug tracker #285128, Dato Simó (dato) wrote : meaning of 'pending' | #15 |
Since I've been asked by a RM how 'pending' these security fixes were
(#285128: CAN-2004-1165: FTP command injection bug, #286521: kdelibs:
CAN-2004-1145: Konqueror Java Vulnerability), here is an update: the
packages are mostly ready, and shall be uploaded as soon as kdebase
3.3.1-4 is successfully built in all arches:
http://
Currently, only a mipsel build is missing.
--
Adeodato Simó
EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
You cannot achieve the impossible without attempting the absurd.
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Tue, 11 Jan 2005 17:54:11 +0100
From: Adeodato =?iso-8859-
To: <email address hidden>, <email address hidden>
Subject: meaning of 'pending'
Since I've been asked by a RM how 'pending' these security fixes were
(#285128: CAN-2004-1165: FTP command injection bug, #286521: kdelibs:
CAN-2004-1145: Konqueror Java Vulnerability), here is an update: the
packages are mostly ready, and shall be uploaded as soon as kdebase
3.3.1-4 is successfully built in all arches:
http://
Currently, only a mipsel build is missing.
--
Adeodato Simó EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
You cannot achieve the impossible without attempting the absurd.
In Debian Bug tracker #285128, Debian Qt/KDE Maintainers (debian-qt-kde) wrote : Bug#285128: fixed in kdelibs 4:3.3.2-1 | #17 |
Source: kdelibs
Source-Version: 4:3.3.2-1
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-
to pool/main/
kdelibs-
to pool/main/
kdelibs4-
to pool/main/
kdelibs4-
to pool/main/
kdelibs4_
to pool/main/
kdelibs_
to pool/main/
kdelibs_3.3.2-1.dsc
to pool/main/
kdelibs_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 16 Jan 2005 20:48:01 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
kdelibs - KDE core libraries metapackage
kdelibs-bin - KDE core binaries
kdelibs-data - KDE core shared data
kdelibs4 - KDE core libraries
kdelibs4-dev - KDE core libraries (development files)
kdelibs4-doc - KDE core library documentation
Closes: 263430 285128 286521 287097 287201 287566 288653 289164 290190 290191
Changes:
kdelibs (4:3.3.2-1) unstable; urgency=medium
.
+++ Changes by Adeodato Simó:
.
* Uploading to unstable. This new upstream version fixes CAN-2004-1145,
"Konqueror Java Vulnerability", and thus closes: #286521. Urgency set
to medium for this reason (the package has been in experimental for some
time, and has been checked to work properly with the rest of 3.3.1
packages).
.
* debian/control:
- make kdelibs-data replace kjscmd (<< 4:3.3.0), which was missed in the
3.3.1-1 upload and completely forgotten since then. (Closes: #288653)
.
* debian/
checked not to exist in oo.o-mimelnk in sid, but sadly they exist in the
version in sarge. Reverted them for now, will be re-added when OpenOffice
1.1.3 enters sarge (with the proper Conflicts: entry). (Closes: #287097)
.
List of files:
- usr/share/
- usr/share/mimel...
Debian Bug Importer (debzilla) wrote : | #18 |
Message-Id: <email address hidden>
Date: Sun, 16 Jan 2005 17:02:24 -0500
From: Debian Qt/KDE Maintainers <email address hidden>
To: <email address hidden>
Subject: Bug#285128: fixed in kdelibs 4:3.3.2-1
Source: kdelibs
Source-Version: 4:3.3.2-1
We believe that the bug you reported is fixed in the latest version of
kdelibs, which is due to be installed in the Debian FTP archive:
kdelibs-
to pool/main/
kdelibs-
to pool/main/
kdelibs4-
to pool/main/
kdelibs4-
to pool/main/
kdelibs4_
to pool/main/
kdelibs_
to pool/main/
kdelibs_3.3.2-1.dsc
to pool/main/
kdelibs_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Debian Qt/KDE Maintainers <email address hidden> (supplier of updated kdelibs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 16 Jan 2005 20:48:01 +0100
Source: kdelibs
Binary: kdelibs4 kdelibs-bin kdelibs kdelibs4-doc kdelibs-data kdelibs4-dev
Architecture: source i386 all
Version: 4:3.3.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <email address hidden>
Changed-By: Debian Qt/KDE Maintainers <email address hidden>
Description:
kdelibs - KDE core libraries metapackage
kdelibs-bin - KDE core binaries
kdelibs-data - KDE core shared data
kdelibs4 - KDE core libraries
kdelibs4-dev - KDE core libraries (development files)
kdelibs4-doc - KDE core library documentation
Closes: 263430 285128 286521 287097 287201 287566 288653 289164 290190 290191
Changes:
kdelibs (4:3.3.2-1) unstable; urgency=medium
.
+++ Changes by Adeodato Simó:
.
* Uploading to unstable. This new upstream version fixes CAN-2004-1145,
"Konqueror Java Vulnerability", and thus closes: #286521. Urgency set
to medium for this reason (the package has been in experimental for some
time, and has been checked to work properly with the rest of 3.3.1
packages).
.
* debian/control:
- make kdelibs-data replace kjscmd (<< 4:3.3.0), which was missed in the
3.3.1-1 upload and completely forgotten since then. (Closes: #288653)
.
* debian/
checked not to exist in oo.o-mimelnk in sid, but sadly they exist in the
version in sarge. Reverted them for n...
Changed in kdelibs: status: Unknown → Fix Released