Bug#: 165606
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Raphael Marichez <falco@gentoo.org>


Description:   Opened: 2007-02-06 13:00 0000
Hi,

Konq 3.5.5 contains an XSS vulnerability.

------- Comment #1 From Raphael Marichez 2007-02-06 13:01:35 0000 -------
Although this is minor, arches please mark stable 3.5.6 if possible, thanks.

------- Comment #2 From Gustavo Zacarias (RETIRED) 2007-02-06 13:05:12 0000 -------
konqueror is part of kdebase I think, so this means kdebase should go stable as
well.
Question is, will kdebase-3.5.6 work without kdelibs-3.5.6?
Is it wise to just stable that part of kde-3.5.6?

------- Comment #3 From Diego E. 'Flameeyes' Pettenò 2007-02-06 13:09:57 0000 -------
Either we stable KDE 3.5.6 altogether or we need to patch konqueror/kdelibs,
because Konqueror is just a frontend to khtml/kjs.

------- Comment #4 From Raphael Marichez 2007-02-06 14:32:41 0000 -------
You're right, stabilizing konq is not as easy as this, I'm sorry I missed that.

So feel free to decide yourself on this issue. Since it's only an XSS, I won't
be worried if you decide to wait several weeks before stabilizing it.

------- Comment #5 From Gustavo Zacarias (RETIRED) 2007-02-06 14:33:56 0000 -------
I'll wait on Diego's word on it, he knows if 3.5.6 is kind of ready to go or
better patch the current one.

------- Comment #6 From Diego E. 'Flameeyes' Pettenò 2007-02-06 14:46:28 0000 -------
I haven't received anything on kde-packagers yet.
Does security consider this a high priority vulnerability? If that's the case,
we might as well give a try, 3.5.6 didn't have regressions as far as I can see,
it's just a big burden for arch teams to do this now, especially with the
imminent portage snapshot for 2007.0.

------- Comment #7 From Diego E. 'Flameeyes' Pettenò 2007-02-06 15:17:58 0000 -------
The problem is limited to kdelibs, got a patch out of the SVN, I'm going to
commit it as kdelibs-3.5.5-r8.

------- Comment #8 From Raúl Porcel 2007-02-06 16:43:15 0000 -------
(In reply to comment #7)
> The problem is limited to kdelibs, got a patch out of the SVN, I'm going to
> commit it as kdelibs-3.5.5-r8.
> 

So mark stable 3.5.5-r8, I guess?

------- Comment #9 From Diego E. 'Flameeyes' Pettenò 2007-02-06 16:50:47 0000 -------
yah

------- Comment #10 From Markus Rothe 2007-02-06 19:20:38 0000 -------
ppc64 stable

------- Comment #11 From Raúl Porcel 2007-02-06 21:02:22 0000 -------
x86 stable!

------- Comment #12 From Diego E. 'Flameeyes' Pettenò 2007-02-07 09:03:28 0000 -------
*** Bug 165719 has been marked as a duplicate of this bug. ***

------- Comment #13 From Gustavo Zacarias (RETIRED) 2007-02-07 13:24:07 0000 -------
sparc stable.

------- Comment #14 From Bo Ørsted Andresen (RETIRED) 2007-02-07 22:30:22 0000 -------
[ebuild  N    ] kde-base/kdelibs-3.5.5-r8  USE="alsa cups fam spell ssl -acl
-arts -avahi -debug -doc -jpeg2k -kdeenablefinal -kdehiddenvisibility -kerberos
-legacyssl -lua -openexr -tiff -utempter -xinerama -zeroconf"

1) emerges
2) passes collision test
3) works
(tested with kde-base/konqueror-3.5.5  USE="kdehiddenvisibility -arts -debug
-java -kdeenablefinal -xinerama")

QA Notice: the following files are setXid, dyn linked, and using lazy bindings
 This combination is generally discouraged.  Try re-emerging the package:
 LDFLAGS='-Wl,-z,now' emerge kdelibs
LAZY usr/kde/3.5/bin/start_kdeinit

Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.18-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.18-gentoo-r6 x86_64 AMD Sempron(tm) Processor 2800+
Gentoo Base System release 1.12.6
Last Sync: Wed, 07 Feb 2007 00:30:08 +0000
ccache version 2.4 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -pipe -O2 -ggdb"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo
/etc/texmf/web2c"
CXXFLAGS="-march=k8 -pipe -O2 -ggdb"
DISTDIR="/opt/distfiles"
FEATURES="autoconfig buildpkg ccache collision-protect distlocks fixpackages
metadata-transfer multilib-strict parallel-fetch sandbox sfperms splitdebug
strict test userfetch"
GENTOO_MIRRORS="ftp://10.0.0.3 http://mirror.uni-c.dk/pub/gentoo
http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo"
LC_ALL="en_GB.UTF-8"
LINGUAS="da en en_GB"
MAKEOPTS="-j2"
PKGDIR="/var/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/var/repositories/gentoo"
PORTDIR_OVERLAY="/var/repositories/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X acpi alsa alsa_cards_ali5451 alsa_cards_als4000 alsa_cards_atiixp
alsa_cards_atiixp-modem alsa_cards_bt87x alsa_cards_ca0106 alsa_cards_cmipci
alsa_cards_emu10k1x alsa_cards_ens1370 alsa_cards_ens1371 alsa_cards_es1938
alsa_cards_es1968 alsa_cards_fm801 alsa_cards_hda-intel alsa_cards_intel8x0
alsa_cards_intel8x0m alsa_cards_maestro3 alsa_cards_trident
alsa_cards_usb-audio alsa_cards_via82xx alsa_cards_via82xx-modem
alsa_cards_ymfpci alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw
alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix
alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty
alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks
alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa
alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter
alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null
alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route
alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2
authdaemond bash-completion berkdb bitmap-fonts bzip2 cairo cdr cli cracklib
crypt cups dbus dlloader dri dvb dvd dvdr eds elibc_glibc emboss encode esd fam
firefox fortran gdbm gif gnome gnutls gpm gstreamer gtk gtk2 hal iconv imap
input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kde
kdehiddenvisibility kernel_linux lcd_devices_bayrad lcd_devices_cfontz
lcd_devices_cfontz633 lcd_devices_glk lcd_devices_hd44780 lcd_devices_lb216
lcd_devices_lcdm001 lcd_devices_mtxorb lcd_devices_ncurses lcd_devices_text
ldap libg++ libwww linguas_da linguas_en linguas_en_GB lirc
lirc_devices_hauppauge lm_sensors mad maildir midi mikmod mp3 mpeg mysql mythtv
ncurses nls nptl nptlonly ntfs ogg oss pam pcre pdf perl pic png ppds pppd
python qt3 qt4 quicktime readline reflection reiser4 reiserfs samba sasl sdl
session spell spl ssl sysfs syslog tcpd test truetype truetype-fonts
type1-fonts udev unichrome unicode usb userland_GNU vhosts video_cards_dummy
video_cards_fbdev video_cards_v4l video_cards_vesa video_cards_vga
video_cards_via vorbis xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #15 From Tobias Scherbaum 2007-02-08 05:59:50 0000 -------
ppc stable

------- Comment #16 From Chris Gianelloni (RETIRED) 2007-02-09 03:03:03 0000 -------
alpha/amd64 done

------- Comment #17 From Raphael Marichez 2007-02-10 22:11:30 0000 -------
(In reply to comment #7)
> The problem is limited to kdelibs, got a patch out of the SVN, I'm going to
> commit it as kdelibs-3.5.5-r8.
> 

Perfect, thanks. I won't have obliged a stabilization on all KDE-3.5.6 for an
XSS only :)))

------- Comment #18 From Raphael Marichez 2007-02-10 22:13:00 0000 -------
hppa is missing.

please could you test and mark stable kdelibs-3.5.5-r8, thanks

------- Comment #19 From Jeroen Roovers 2007-02-10 23:46:51 0000 -------
(In reply to comment #18)
> hppa is missing.
> 
> please could you test and mark stable kdelibs-3.5.5-r8, thanks

Why does this happen so often? Give me some time, OK? :-\

------- Comment #20 From Raphael Marichez 2007-02-11 00:05:11 0000 -------
(In reply to comment #19)
> Why does this happen so often? Give me some time, OK? :-\
> 

We just forgot to CC you initially

------- Comment #21 From Jeroen Roovers 2007-02-11 01:25:42 0000 -------
(In reply to comment #20)
> (In reply to comment #19)
> > Why does this happen so often? Give me some time, OK? :-\
> > 
> 
> We just forgot to CC you initially

Is that an apology or just the answer to an entirely different question? Being
four days late to the party is no light matter, I can tell you.

Seeing as I will need to partly rebuild kde-3.5.5, I can start testing tomorrow
afternoon and hopefully mark kdelibs early in the evening (CET).

------- Comment #22 From Raphael Marichez 2007-02-11 10:52:05 0000 -------
(In reply to comment #21)
>
> Is that an apology or just the answer to an entirely different question? 

Both

> Being
> four days late to the party is no light matter, I can tell you.

you are not late at all, since you were CCed a few hours ago... stay calm...


> 
> Seeing as I will need to partly rebuild kde-3.5.5, I can start testing tomorrow
> afternoon and hopefully mark kdelibs early in the evening (CET).
> 

np

------- Comment #23 From Jeroen Roovers 2007-02-12 13:03:47 0000 -------
> (In reply to comment #21)
> >
> > Is that an apology or just the answer to an entirely different question? 
> 
> Both

Thank you,  Raphael.


...Stable for HPPA.

------- Comment #24 From Raphael Marichez 2007-02-12 13:11:31 0000 -------
Thanks a lot and again, sorry for us having missed you.

Do we send a GLSA? I vote a half-yes. It's an XSS "only", but it affects all
KDE-based apps on all websites.

------- Comment #25 From Raphael Marichez 2007-02-12 22:33:15 0000 -------
I'm actually the only active member of the security team, so I can't apply the
policy telling that 2 positive votes include a GLSA.

Let's have one half-GLSA btw :)

------- Comment #26 From Bryan Østergaard (RETIRED) 2007-02-14 22:12:04 0000 -------
IA64 done.

------- Comment #27 From Raphael Marichez 2007-03-11 00:52:28 0000 -------
finally GLSA 200703-10, sorry for the delay (but low severity)
