Note: This is an archival copy of Security Sun Alert 200361 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000254.1.
Article ID : 1000254.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Sun Linux 5.0 Security Vulnerability With SSL Enabled Software May Allow "Man-in-the-Middle" Attack on KDE Software



Category
Security

Release Phase
Resolved

Bug Id
4877203

Date of Resolved Release
21-JUL-2003

Impact

A vulnerability in the K Desktop Environment (KDE) Secure Sockets Layer (SSL) implementation may expose unprivileged local and remote users of Konqueror and other SSL-enabled KDE software to a "man-in-the-middle" attack.

This issue is described in Red Hat Advisory RHSA-2003-192, available at: https://rhn.redhat.com/errata/RHSA-2003-192.html and CAN-2003-0370, available at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0370


Contributing Factors

This issue can occur in the following releases:

Sun Linux

  • Sun Linux 5.0 (LX50) with KDE versions 2.2.2 or earlier

Sun Linux 5.0 is currently shipped with the Sun LX50 Server. To determine the versions of Sun Linux and KDE, use the following commands:

    # cat /etc/release
    Sun Linux release 5.0 (White Rabbit)
    # rpm -q kdelibs
    kdelibs-2.2.2-8

A "man-in-the-middle" attack occurs when an unauthorized user intercepts ("sniffs") packets exchanged between two communicating network elements, modifies them, and then inserts them back into the network.

Note: KDE is a graphical desktop environment for the X Window System. Konqueror is an application that works as a file manager and web browser in KDE. For more information, see http://www.kde.org


Symptoms

There are no predictable symptoms that would indicate the above described issue has been exploited.


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

Sun Linux

Sun Linux 5.0 (LX50) with all of the following packages:

  • arts-2.2.2-8.i386.rpm or later
  • kdelibs-2.2.2-8.i386.rpm or later
  • kdelibs-devel-2.2.2-8.i386.rpm or later
  • kdelibs-sound-2.2.2-8.i386.rpm or later
  • kdelibs-sound-devel-2.2.2-8.i386.rpm or later

For SRPM:

  • xpdf-0.92-9.src.rpm

The above packages are available at: ftp://ftp.cobalt.sun.com/pub/products/sunlinux/5.0/en/updates/i386/RPMS

The above SRPM package is available at: ftp://ftp.cobalt.sun.com/pub/products/sunlinux/5.0/en/updates/i386/SRPMS
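
The version check from "Contributing Factors", applied to every binary package in the list above, as an added example that is not part of the original Sun Alert. The function names, the use of GNU sort -V in place of rpm's own version comparison, and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): compare installed package versions
# against the fixed baseline listed in the Resolution section.
FIXED_VR="2.2.2-8"   # "version-release" from the Resolution section
PKGS="arts kdelibs kdelibs-devel kdelibs-sound kdelibs-sound-devel"

# ver_lt A B: true if A sorts strictly before B.
# Assumption: GNU `sort -V` ordering stands in for rpm's own comparison,
# which is adequate for plain numeric strings such as 2.2.2-8.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_packages: reads "name-version-release" lines on stdin (the format
# `rpm -q` prints in the advisory), reports each listed package, and
# returns 1 if any installed package is older than the fixed baseline.
check_packages() {
    input=$(cat)
    rc=0
    for pkg in $PKGS; do
        # "-[0-9]" keeps kdelibs from matching kdelibs-devel and so on.
        line=$(printf '%s\n' "$input" | sed -n "/^${pkg}-[0-9]/{p;q;}")
        if [ -z "$line" ]; then
            echo "$pkg: not installed"
            continue
        fi
        vr=${line#"$pkg"-}
        if ver_lt "$vr" "$FIXED_VR"; then
            echo "$pkg: $vr UPDATE REQUIRED (fixed in $FIXED_VR)"
            rc=1
        else
            echo "$pkg: $vr ok"
        fi
    done
    return $rc
}

# Constructed sample input (not real host data): one package below baseline.
sample_rpm_output() {
    printf '%s\n' "arts-2.2.2-8" "kdelibs-2.2.2-7" "kdelibs-sound-2.2.2-8"
}

sample_rpm_output | check_packages || echo "result: update required"
# On a real host: rpm -q $PKGS | check_packages
```

Packages that `rpm -q` reports as not installed are listed as such and do not cause a non-zero return.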



Modification History

Product
Sun Linux 5.0