Mandrake Local Security Checks : Mandriva Security Advisory MDVSA-2010:098 (kdenetwork4)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.67426

Categoría: Mandrake Local Security Checks

Título: Mandriva Security Advisory MDVSA-2010:098 (kdenetwork4)

Resumen: NOSUMMARY

Descripción: Description:
The remote host is missing an update to kdenetwork4
announced via advisory MDVSA-2010:098.

A vulnerability has been discovered and fixed in kget (kdenetwork4):

The name attribute of the file element of metalink files is not
properly sanitized before being used to download files. If a user
is tricked into downloading from a specially crafted metalink file,
this can be exploited to download files to directories outside of
the intended download directory via directory traversal attacks
(CVE-2010-1000).

Packages for 2009.0 are provided due to the Extended Maintenance
Program.

The corrected packages solves these problems.

Affected: 2009.0, 2009.1, 2010.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2010:098
http://www.kde.org/info/security/advisory-20100513-1.txt

Risk factor : High

CVSS Score:
5.8

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2010-1000
BugTraq ID: 40141
http://www.securityfocus.com/bid/40141
Bugtraq: 20100513 Secunia Research: KDE KGet metalink "name" Directory Traversal Vulnerability (Google Search)
http://www.securityfocus.com/archive/1/511281/100/0/threaded
Bugtraq: 20100514 Re: Secunia Research: KDE KGet Insecure File Operation Vulnerability (Google Search)
http://www.securityfocus.com/archive/1/511294/100/0/threaded
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051692.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058580.html
http://www.mandriva.com/security/advisories?name=MDVSA-2010:098
http://secunia.com/secunia_research/2010-69/
http://marc.info/?l=oss-security&m=127378789518426&w=2
http://osvdb.org/64690
http://securitytracker.com/id?1023984
http://secunia.com/advisories/39528
http://secunia.com/advisories/39787
http://secunia.com/advisories/42423
SuSE Security Announcement: SUSE-SR:2010:024 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html
http://www.ubuntu.com/usn/USN-938-1
http://www.vupen.com/english/advisories/2010/1142
http://www.vupen.com/english/advisories/2010/1144
http://www.vupen.com/english/advisories/2010/3096
http://www.vupen.com/english/advisories/2011/1101
XForce ISS Database: kde-name-directory-traversal(58628)
https://exchange.xforce.ibmcloud.com/vulnerabilities/58628

Copyright Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.67426
Categoría:	Mandrake Local Security Checks
Título:	Mandriva Security Advisory MDVSA-2010:098 (kdenetwork4)
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing an update to kdenetwork4 announced via advisory MDVSA-2010:098. A vulnerability has been discovered and fixed in kget (kdenetwork4): The name attribute of the file element of metalink files is not properly sanitized before being used to download files. If a user is tricked into downloading from a specially crafted metalink file, this can be exploited to download files to directories outside of the intended download directory via directory traversal attacks (CVE-2010-1000). Packages for 2009.0 are provided due to the Extended Maintenance Program. The corrected packages solves these problems. Affected: 2009.0, 2009.1, 2010.0 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2010:098 http://www.kde.org/info/security/advisory-20100513-1.txt Risk factor : High CVSS Score: 5.8
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2010-1000 BugTraq ID: 40141 http://www.securityfocus.com/bid/40141 Bugtraq: 20100513 Secunia Research: KDE KGet metalink "name" Directory Traversal Vulnerability (Google Search) http://www.securityfocus.com/archive/1/511281/100/0/threaded Bugtraq: 20100514 Re: Secunia Research: KDE KGet Insecure File Operation Vulnerability (Google Search) http://www.securityfocus.com/archive/1/511294/100/0/threaded http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051692.html http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058580.html http://www.mandriva.com/security/advisories?name=MDVSA-2010:098 http://secunia.com/secunia_research/2010-69/ http://marc.info/?l=oss-security&m=127378789518426&w=2 http://osvdb.org/64690 http://securitytracker.com/id?1023984 http://secunia.com/advisories/39528 http://secunia.com/advisories/39787 http://secunia.com/advisories/42423 SuSE Security Announcement: SUSE-SR:2010:024 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html http://www.ubuntu.com/usn/USN-938-1 http://www.vupen.com/english/advisories/2010/1142 http://www.vupen.com/english/advisories/2010/1144 http://www.vupen.com/english/advisories/2010/3096 http://www.vupen.com/english/advisories/2011/1101 XForce ISS Database: kde-name-directory-traversal(58628) https://exchange.xforce.ibmcloud.com/vulnerabilities/58628
Copyright	Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com