| Summary: | kde-base/kdelibs-{4.12.5-r1,4.13.2-r1}: KMail/KIO POP3 SSL MITM Flaw (CVE-2014-3494) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/oss-sec/2014/q2/577 | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2014-06-18 20:23:14 UTC
@kde team: I figure we might as well wait for 4.13.3 and then just stabilize the lot of that, in place. Unless other KDE team members object, of course.

I bumped 4.12.5-r1 (current stable) and 4.13.2-r1 (likely next stable candidate) with the fix.

(In reply to Maciej Mrozowski from comment #2)
> I bumped 4.12.5-r1 (current stable) and 4.13.2-r1 (likely next stable
> candidate) with the fix.

I don't see anything in tree.

@Agostino Sarubbo

*kdelibs-4.12.5-r1 (18 Jun 2014)
*kdelibs-4.13.2-r1 (18 Jun 2014)

  18 Jun 2014; Maciej Mrozowski (reavertm)
  +files/kdelibs-4.13.2-CVE-2014-3494.patch, +kdelibs-4.12.5-r1.ebuild,
  +kdelibs-4.13.2-r1.ebuild, -kdelibs-4.13.2.ebuild:
  Bug 513726, CVE-2014-3494

(In reply to Frank Krömmelbein from comment #4)
> @Agostino Sarubbo
>
> *kdelibs-4.12.5-r1 (18 Jun 2014)
> *kdelibs-4.13.2-r1 (18 Jun 2014)
>
>   18 Jun 2014; Maciej Mrozowski (reavertm)
>   +files/kdelibs-4.13.2-CVE-2014-3494.patch, +kdelibs-4.12.5-r1.ebuild,
>   +kdelibs-4.13.2-r1.ebuild, -kdelibs-4.13.2.ebuild:
>   Bug 513726, CVE-2014-3494

The bug was filed against the wrong package.

@kde: Is it fine to stabilize 4.12.5-r1?

Arch teams, please test and stabilise kde-base/kdelibs-4.12.5-r1
Target KEYWORDS="amd64 ppc ppc64 x86". Thanks!

MitM which only discloses information is B4. Will remove 4.13.{0,1} from tree shortly.

(In reply to Chris Reffett from comment #7)
> MitM which only discloses information is B4. Will remove 4.13.{0,1} from
> tree shortly.

Quoting the advisory:

> could result in the leakage of sensitive data such as the
> authentication details and the contents of emails.

Apart from the consideration of what the MITM is, I interpret "authentication details" as username/password, which is 3 as per https://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3.

amd64 stable

x86 stable

ppc/ppc64 stable

Added to existing glsa draft.

Cleanup, please!

All vulnerable versions removed. Thanks everyone.

This issue was resolved and addressed in GLSA 201406-34 at http://security.gentoo.org/glsa/glsa-201406-34.xml by GLSA coordinator Mikle Kolyada (Zlogene).