Please note that this bug is restricted to the security team. kde-base/kdelibs-4.6.1-r2 (current ~arch) contains the patch already. kde-base/kdelibs-4.4.5-r4 contains the patch, but has no keywords yet (awaiting some build testing). From: Jeff Mitchell <mitchell@kde.org> To: kde-packager@kde.org, KDE Security Team <security@kde.org>, Tim Brown <timb@nth-dimension.org.uk>, Maks Orlovich <maksim@kde.org> Date: Today 15:17:13 Hello packagers, Tim Brown of Nth Dimension reported a vulnerability on Konqueror's error pages that could allow a XSS attack. It has been assigned CVE-2011-1168. Maksim Orlovich has provided the patch from the KDE side. After discussion we have decided to make the patches public from today, but to keep the details embargoed until KDE and Nth Security issue their respective security advisories, which will take place on April 11th -- two weeks from today. The commits fixing the issue are the following: 4.4: afaaf24 4.5: da03cc0 4.6: 8b06e2c trunk: aaa8c42 You can get patches here: 4.4: http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=52a3a464960be6c9b05f593e3d424a5b80560d03&hp=77dc792cb2e2c79e3872060d23c1913304ff8427&f=khtml/khtml_part.cpp 4.5: http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=5d4b9b5a197f191b641712782479ff45b95c8b49&hp=6af7d4a0f525cfb7c70c0c613794afff86b81ba9&f=khtml/khtml_part.cpp 4.6: http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=fda41ceaa6e5ce7cbb50312cbe12be7a6f056c79&hp=d4098c3eadb0e3238643be749073dd54c22a5bbc&f=khtml/khtml_part.cpp trunk: http://quickgit.kde.org/?p=kdelibs.git&a=blobdiff_plain&h=ec89b0c8083989afb52ebde714e1fe757ab2e387&hp=35c1d30a781646138b5d74a00508390e1df707e7&f=khtml/khtml_part.cpp Thanks, Jeff _______________________________________________ Kde-packager mailing list Kde-packager@kde.org https://mail.kde.org/mailman/listinfo/kde-packager
(In reply to comment #0) > Please note that this bug is restricted to the security team. > > kde-base/kdelibs-4.6.1-r2 (current ~arch) contains the patch already. > kde-base/kdelibs-4.4.5-r4 contains the patch, but has no keywords yet (awaiting > some build testing). > Thank you, Andreas. Let us know when you are ready and we can pull in the arch testers.
I just re-added the keywords to kde-base/kdelibs-4.4.5-r4 as build tests passed fine (thanks guys!) and filed a stablereq (bug 361015, blocking this one).
Stabilization of kde-base/kdelibs-4.4.5-r4 is complete and bug 361015 is only still open because it is assigned to security. Advisories have been published: http://www.kde.org/info/security/advisory-20110411-1.txt http://www.nth-dimension.org.uk/downloads.php?id=82 IMHO no need to keep this classified anymore.
(In reply to comment #3) > Stabilization of kde-base/kdelibs-4.4.5-r4 is complete and bug 361015 is only > still open because it is assigned to security. > > IMHO no need to keep this classified anymore. Great, thanks and agreed. Closing NO GLSA since it is a XSS vulnerability.