Mandrake security alert: Updated kdelibs packages fix cookie theft vulnerability
Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator.
-----BEGIN PGP SIGNED MESSAGE-----
Mandrakelinux Security Update Advisory
Package name: kdelibs
Advisory ID: MDKSA-2004:022
Date: March 10th, 2004
Affected versions: 9.1
Corsaire discovered that a number of HTTP user agents contained a flaw
in how they handle cookies. This flaw could allow an attacker to
avoid the path restrictions specified by a cookie's originator.
According to their advisory:
"The cookie specifications detail a path argument that can be used to
restrict the areas of a host that will be exposed to a cookie. By
using standard traversal techniques this functionality can be
subverted, potentially exposing the cookie to scrutiny and use in
This issue was fixed in KDE 3.1.3; the updated packages are patched to
protect against this vulnerability.
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
A list of FTP mirrors can be obtained from:
All packages are signed by Mandrakesoft for security. You can obtain
the GPG public key of the Mandrakelinux Security Team by executing:
gpg --recv-keys --keyserver http://www.mandrakesecure.net 0x22458A98
Please be aware that sometimes it takes the mirrors a few hours to
You can view other update advisories for Mandrakelinux at:
Mandrakesoft has several security-related mailing list services that
anyone can subscribe to. Information on these lists can be obtained by
If you want to report vulnerabilities, please contact
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----
This topic does not have any threads posted yet!
You cannot post until you login.