Please stabilize kde-base/kdelibs-4.10.2-r1 on amd64, ppc, ppc64, x86. No arches cc'ed, sec team please take care of that.

From the closed kde-packagers ml (which is why this is initially restricted dev-only, can imho be removed in a few days):

----
Packagers,

You might consider hot-patching your kdelibs with this. The code that conceivably might display a user password has been in kdelibs since 2009-07-08. Probably means whatever kdelibs 4.x you are shipping needs this fix.

---------- Forwarded Message ----------
Subject: [kdelibs/KDE/4.10] kioslave/http: Don't show passwords contained in HTTP URLs in error messages
Date: Wednesday, May 08, 2013, 11:38:51 PM
From: Grégory Oestreicher <greg@kamago.net>
To: kde-commits@kde.org

Git commit 65d736dab592bced4410ccfa4699de89f78c96ca by Grégory Oestreicher.
Committed on 08/05/2013 at 23:16.
Pushed by goestreicher into branch 'KDE/4.10'.

Don't show passwords contained in HTTP URLs in error messages

BUG: 319428
amd64/x86/ppc/ppc64 stable. Old removed. @security please vote
This is public.
@security: please make the bug public.
GLSA vote: yes
should this bug be closed? <kde-base/kdelibs-4.10.2-r1 is not in tree anymore.
(In reply to Till Schäfer from comment #5)
> should this bug be closed? <kde-base/kdelibs-4.10.2-r1 is not in tree
> anymore.

It'll eventually be closed when the GLSA is sent out.
CVE-2013-2074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2074): kioslave/http/http.cpp in KIO in kdelibs 4.10.3 and earlier allows attackers to discover credentials via a crafted request that triggers an "internal server error," which includes the username and password in an error message.
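The CVE text above describes the general bug class: a request URL, userinfo included, is copied verbatim into a user-visible error message, so whoever can read the message (or the log it lands in) learns the credentials. As an added illustration that is not the KDE patch and not KIO code, the standalone C++ helper below masks the password part of a URL's userinfo before the URL is embedded in an error string. The function name, the "***" marker and the sample URLs are choices made for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Return a copy of `url` with any password in the userinfo part replaced by
// "***", so the result can be embedded in an error message or log line.
// The username is kept so the message stays useful for diagnosis.
// Illustrative helper written for this example, not the KIO implementation.
std::string redactUrlPassword(const std::string& url) {
    const std::string sep = "://";
    std::size_t schemeEnd = url.find(sep);
    if (schemeEnd == std::string::npos) {
        return url;  // not an absolute URL with an authority component
    }
    std::size_t authStart = schemeEnd + sep.size();

    // The authority ends at the first '/', '?' or '#' after "://".
    std::size_t authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == std::string::npos) {
        authEnd = url.size();
    }

    // Userinfo, if present, is terminated by the last '@' inside the
    // authority; an '@' in the path or query must not be mistaken for it.
    std::size_t at = url.rfind('@', authEnd);
    if (at == std::string::npos || at < authStart) {
        return url;  // no userinfo at all
    }

    // Inside userinfo the first ':' separates user from password.
    std::size_t colon = url.find(':', authStart);
    if (colon == std::string::npos || colon > at) {
        return url;  // username only, nothing to hide
    }
    return url.substr(0, colon + 1) + "***" + url.substr(at);
}

// Build the kind of message an HTTP client might show on a 5xx response,
// passing the URL through the redaction step first. Message wording is an
// assumption for this example.
std::string internalServerErrorMessage(const std::string& url) {
    return "Internal server error while requesting " + redactUrlPassword(url);
}

int main() {
    // Constructed sample URLs, including edge cases the helper must handle.
    const char* samples[] = {
        "http://alice:s3cret@example.com/index.html",   // password masked
        "http://alice@example.com/",                    // username only
        "http://example.com/path?q=a@b",                // '@' outside authority
        "http://alice:p%40ss@example.com:8080/",        // port after host
        "not a url",                                    // left untouched
    };
    for (const char* s : samples) {
        std::cout << internalServerErrorMessage(s) << '\n';
    }
    return 0;
}
```

The important design choice is that the redaction happens at the point where the URL is turned into a string destined for a person, not at the point where the URL is parsed: the client still needs the password to authenticate, it just must never echo it.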
GLSA Vote: Yes. Created a new GLSA request.
This issue was resolved and addressed in GLSA 201406-34 at http://security.gentoo.org/glsa/glsa-201406-34.xml by GLSA coordinator Mikle Kolyada (Zlogene).