[Bug 661416] Re: Uncontrolled XMLHTTPRequest vulnerability

Launchpad Bug Tracker 661416 at bugs.launchpad.net
Mon Oct 25 18:22:21 UTC 2010

This bug was fixed in the package kdelibs -

kdelibs (4:3.5.10.dfsg.1-3ubuntu2.10.10.1) maverick-security; urgency=low

  * SECURITY UPDATE: uncontrolled XMLHTTPRequest vulnerability. (LP: #661416)
    - Ark and KMail performs insufficient validation which leads to
      specially crafted archive files, using unknown MIME types, to be
      rendered using a KHTML instance, this can trigger uncontrolled
      XMLHTTPRequests to remote sites.
    - Add debian/patches/security_05_XMLHttpRequest_vulnerability.diff,
      restricts xmlhttprequest to http protocols only.
      This patch has been accidentally dropped in 4:3.5.10.dfsg.1-3ubuntu1.
    - http://www.kde.org/info/security/advisory-20091027-1.txt
    - oCert: #2009-015 http://www.ocert.org/advisories/ocert-2009-015.html
    - CVE n/a
  * Fix FTBFS: disable parallel building.
 -- Felix Geyer <debfx-pkg at fobos.de>   Fri, 15 Oct 2010 21:19:11 +0200

Uncontrolled XMLHTTPRequest vulnerability
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to kdelibs in ubuntu.

More information about the kubuntu-bugs mailing list