[SECURITY] Fedora 10 Update: kdelibs-4.2.4-6.fc10

updates at fedoraproject.org
Tue Jul 28 18:26:55 UTC 2009


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2009-8049
2009-07-27 21:07:34
--------------------------------------------------------------------------------

Name        : kdelibs
Product     : Fedora 10
Version     : 4.2.4
Release     : 6.fc10
URL         : http://www.kde.org/
Summary     : K Desktop Environment 4 - Libraries
Description :
Libraries for the K Desktop Environment 4.

--------------------------------------------------------------------------------
Update Information:

This update fixes several security issues in KHTML (CVE-2009-1725,
CVE-2009-1690, CVE-2009-1687, CVE-2009-1698, CVE-2009-0945, CVE-2009-2537) which
may lead to a denial of service or potentially even arbitrary code execution.
In addition, libplasma was fixed to make Plasmaboard (a virtual keyboard applet)
work, and a bug in a Fedora patch which made builds of the SRPM on single-CPU
machines fail was fixed.
--------------------------------------------------------------------------------
ChangeLog:

* Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
* Thu Jul 23 2009 Jaroslav Reznik <jreznik at redhat.com> - 4.2.4-5
- CVE-2009-2537 - select length DoS
- correct fixPopupForPlasmaboard.patch
* Wed Jul  8 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-4
- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)
* Mon Jun 15 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.4-3
- fixPopupForPlasmaboard.patch
* Mon Jun  1 2009 Lukáš Tinkl <ltinkl at redhat.com> - 4.2.4-2
- respun tarball
* Sat May 30 2009 Lukáš Tinkl <ltinkl at redhat.com> - 4.2.4-1
- KDE 4.2.4
* Tue May 12 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.2.3-3
- kde4.(sh|csh): drop QT_PLUGINS_PATH munging, kde4-config call (#498809)
* Mon May  4 2009 Than Ngo <than at redhat.com> - 4.2.3-2
- better fix for strcasestr detection
* Sun May  3 2009 Than Ngo <than at redhat.com> - 4.2.3-1
- 4.2.3
* Tue Apr 28 2009 Lukáš Tinkl <ltinkl at redhat.com> - 4.2.2-13
- upstream patch to fix GCC4.4 crashes in kjs
  (kdebug:189809)
* Fri Apr 24 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.2-12
- drop the PopupApplet configuration backports (#495998) for now, kconf_update
  does not work as expected for Plasma
* Thu Apr 23 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.2-11
- fix the kconf_update scriptlet for #495998 again (missing DELETEGROUP)
* Thu Apr 23 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.2-10
- fix the kconf_update scriptlet for #495998 (broken .upd syntax)
* Tue Apr 21 2009 Than Ngo <than at redhat.com> - 4.2.2-9
- don't let plasma appear over screensaver
* Mon Apr 20 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> 4.2.2-8
- fix Plasma PopupApplet configuration interfering with weather applet (#495998)
* Sun Apr 19 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.2-7
- fix and simplify the child struct disposal (kde#180785)
* Sat Apr 18 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.2-6
- squash leaky file descriptors in kdeinit (kde#180785,rhbz#484370)
* Fri Apr 10 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.2-5
- fix bidi-related hangs in khtml (kde#189161)
* Wed Apr  8 2009 Than Ngo <than at redhat.com> - 4.2.2-4
- upstream patch fix ReadOnlyPart crash for non-local file
* Tue Apr  7 2009 Than Ngo <than at redhat.com> - 4.2.2-3
- fix kickoff focus issue
* Tue Apr  7 2009 Than Ngo <than at redhat.com> - 4.2.2-2
- upstream patch to fix kio_http issue
* Wed Apr  1 2009 Lukáš Tinkl <ltinkl at redhat.com> - 4.2.2-1
- KDE 4.2.2
* Mon Mar 23 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.2.1-9
- scriptlet optimization
* Thu Mar 19 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.2.1-8
- Provides: kdelibs4%{?_isa} ... (#491082)
* Wed Mar 18 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.1-7
- Provides: kross(javascript) kross(qtscript)  (#490586)
* Thu Mar 12 2009 Than Ngo <than at redhat.com> - 4.2.1-6
- apply patch to fix encoding for Qt-4.5.0
* Mon Mar  9 2009 Than Ngo <than at redhat.com> - 4.2.1-5
- apply patch to fix issue in CSS style that causes konqueror to show a blank page
* Thu Mar  5 2009 Rex Dieter <rdieter at fedorproject.org> - 4.2.1-4 
- move designer plugins to main/runtime (#487622)
* Sun Mar  1 2009 Than Ngo <than at redhat.com> - 4.2.1-2
- respin
* Fri Feb 27 2009 Than Ngo <than at redhat.com> - 4.2.1-1
- 4.2.1
* Thu Feb 26 2009 Than Ngo <than at redhat.com> 4.2.0-17
- fix build issue against gcc44
* Wed Feb 25 2009 Than Ngo <than at redhat.com> - 4.2.0-16
- fix files conflicts with 3.5.x
* Tue Feb 24 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.0-15
- fix crash in ~KMainWindow triggered by sending messages in KNode (kde#182322)
* Mon Feb 23 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.2.0-14
- (Build)Req: soprano(-devel) >= 2.2
- devel: drop Req: zlib-devel libutempter-devel
* Wed Feb 18 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.0-13
- disable strict aliasing in kjs/dtoa.cpp (GCC 4.4 x86_64 crash) (#485968)
* Thu Feb 12 2009 Than Ngo <than at redhat.com> - 4.2.0-11
- make plasma work better with Qt 4.5 (when built against Qt 4.5)
- add gcc44-workaround
* Fri Feb  6 2009 Than Ngo <than at redhat.com> - 4.2.0-10
- Fix duplicated applications in the K menu and in keditfiletype
* Thu Feb  5 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.0-9
- ssl/proxy patch (kde#179934)
* Sat Jan 31 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.0-8
- unowned dirs (#483315,#483318)
* Fri Jan 30 2009 Rex Dieter <rdieter at fedoraproject.org> 4.2.0-7
- kded/kdirwatch patch (kde#182472)
* Fri Jan 30 2009 Lukáš Tinkl <ltinkl at redhat.com> 4.2.0-6
- Emit the correct FilesRemoved signal if the job was aborted in the middle of its operation, 
  otherwise it can result in confusion and data loss (overwriting files with files
  that don't exist). kdebug:118593
- Fix "klauncher hangs when kdeinit4 dies" -- this happened because
  klauncher was doing a blocking read forever.
- Repair klauncher support for unique-applications like konsole.
  kdebug:162729, kdebug:75492
* Fri Jan 30 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.0-5
- reenable PolicyKit and NTFS workarounds
* Mon Jan 26 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.2.0-4
- revert Requires: qt4%{_isa}
* Mon Jan 26 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.2.0-3
- respun tarball
* Mon Jan 26 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.2.0-2
- plasma-on-screensaver-security patch
- (Build)Req: automoc4 >= 0.9.88, phonon(-devel) >= 4.3.0
- Requires: strigi-libs >= 0.6.3
- use %{?_isa} to avoid potential multilib heartbreak
* Thu Jan 22 2009 Than Ngo <than at redhat.com> - 4.2.0-1
- 4.2.0
* Fri Jan 16 2009 Than Ngo <than at redhat.com> - 4.1.96-9
- drop kdelibs-4.1.85-plasma-default-wallpaper.patch, it's not needed
  since new plasma allows to define default wallpaper, new kde-setting
  is required
- backport fix from trunk to allow symlinks in wallpaper theme
* Fri Jan 16 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.1.96-8
- rebuild for new OpenSSL
* Mon Jan 12 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.1.96-7
- Slight speedup to profile.d/kde.sh (#465370)
- (Build)Req: strigi(-devel) >= 0.6.3
* Mon Jan 12 2009 Than Ngo <than at redhat.com> - 4.1.96-6
- fix a crash (appearing in KSMServer)
* Sat Jan 10 2009 Than Ngo <than at redhat.com> - 4.1.96-5
- kdeworkspace cmake files in correct place
* Fri Jan  9 2009 Rex Dieter <rdieter at fedoraproject.org> - 4.1.96-4
- bump min deps (cmake, kde-filesystem, phonon)
- kde.(sh|csh): cleanup QT_PLUGIN_PATH handling (#477095)
- Requires: coreutils grep
* Fri Jan  9 2009 Than Ngo <than at redhat.com> - 4.1.96-3
- BR soprano >= 2.1.64
* Thu Jan  8 2009 Than Ngo <than at redhat.com> - 4.1.96-2
- kdepim cmake files in correct place
* Wed Jan  7 2009 Than Ngo <than at redhat.com> - 4.1.96-1
- 4.2rc1
* Fri Dec 19 2008 Kevin Kofler <Kevin at tigcc.ticalc.org> 4.1.85-6
- add plasma-default-wallpaper libplasma patch from kdebase-workspace-4.1
* Tue Dec 16 2008 Rex Dieter <rdieter at fedoraproject.org> 4.1.85-5
- respun tarball, integrates kde-l10n-systemsettings patch
* Tue Dec 16 2008 Than Ngo <than at redhat.com> - 4.1.85-4
- add missing ENTITY systemsettings in pt, that fixes kde-l10
  build breakage
* Mon Dec 15 2008 Than Ngo <than at redhat.com> - 4.1.85-3
- add missing ENTITY systemsettings in ru/gl/es/pt, that fixes kde-l10
  build breakage
- rename suffix .xxcmake to avoid install .cmake
* Sun Dec 14 2008 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.1.85-2
- tweak parallel_devel patch to get a -L flag for the symlink directory
* Thu Dec 11 2008 Than Ngo <than at redhat.com> -  4.1.85-1
- 4.2beta2
* Tue Dec  9 2008 Lorenzo Villani <lvillani at binaryhelix.net> - 6:4.1.82-2
- rebase parallel devel patch and kde149705 patch
* Mon Dec  8 2008 Lorenzo Villani <lvillani at binaryhelix.net> - 6:4.1.82-1
- 4.1.82
* Tue Nov 25 2008 Kevin Kofler <Kevin at tigcc.ticalc.org> 4.1.80-5
- remove workaround BR on phonon-backend-gstreamer, it's ineffective since
  phonon now explicitly Requires: phonon-backend-xine and the dependency is no
  longer circular anyway
- update parallel_devel patch
- fix minimum strigi version (only 0.5.9 needed)
* Tue Nov 25 2008 Than Ngo <than at redhat.com> 4.1.80-4
- respin
* Thu Nov 20 2008 Rex Dieter <rdieter at fedoraproject.org> 4.1.80-3
- -devel: Provides: plasma-devel
* Thu Nov 20 2008 Than Ngo <than at redhat.com> 4.1.80-2
- merged
* Thu Nov 20 2008 Lorenzo Villani <lvillani at binaryhelix.net> - 6:4.1.80-1
- 4.1.80
- BR strigi 0.60
- BR cmake 2.6
- make install/fast
- rebase policykit patch
- rebase cmake patch
- rebase a couple of patches and drop _default_patch_fuzz 2
* Wed Nov 12 2008 Than Ngo <than at redhat.com> 4.1.3-1
- 4.1.3
* Fri Nov  7 2008 Rex Dieter <rdieter at fedoraproject.org> 4.1.2-6
- backport http_cache_cleaner fix (kdebug:172182)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #513813 - CVE-2009-1725: KHTML: improper handling of numeric character references (ACE, DoS)
        https://bugzilla.redhat.com/show_bug.cgi?id=513813
  [ 2 ] Bug #505571 - CVE-2009-1690 kdelibs: KHTML Incorrect handling <head> element content once the <head> element was removed (DoS, ACE)
        https://bugzilla.redhat.com/show_bug.cgi?id=505571
  [ 3 ] Bug #506453 - CVE-2009-1687 kdelibs: Integer overflow in KJS JavaScript garbage collector
        https://bugzilla.redhat.com/show_bug.cgi?id=506453
  [ 4 ] Bug #506469 - CVE-2009-1698 kdelibs: KHTML CSS parser - incorrect handling CSS "style" attribute content (DoS, ACE)
        https://bugzilla.redhat.com/show_bug.cgi?id=506469
  [ 5 ] Bug #506703 - CVE-2009-0945 kdegraphics: KSVG NULL-pointer dereference in the SVGList interface implementation (ACE)
        https://bugzilla.redhat.com/show_bug.cgi?id=506703
  [ 6 ] Bug #512911 - CVE-2009-2537 Konqueror: DoS via large length property of a Select object
        https://bugzilla.redhat.com/show_bug.cgi?id=512911
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update kdelibs' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
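Added example (not part of the Fedora notification): after updating, one way to confirm that the installed kdelibs carries the fixes is to check that its RPM changelog mentions every CVE listed in this advisory. The function name `missing_cves` and the two sample variables are constructed for illustration; the sample text is copied from the ChangeLog section above.

```shell
#!/bin/sh
# CVE identifiers listed in this advisory (FEDORA-2009-8049).
ADVISORY_CVES="CVE-2009-1725 CVE-2009-1690 CVE-2009-1687 CVE-2009-1698 CVE-2009-0945 CVE-2009-2537"

# missing_cves (hypothetical helper): reads an RPM changelog on stdin and
# prints, one per line, each advisory CVE that no changelog line mentions.
# Prints nothing when every CVE is accounted for.
missing_cves() {
    changelog=$(cat)
    for cve in $ADVISORY_CVES; do
        printf '%s\n' "$changelog" | grep -qwF -- "$cve" || printf '%s\n' "$cve"
    done
}

# Constructed sample: the 4.2.4-6 and 4.2.4-5 entries as they appear above.
SAMPLE_FIXED='* Sun Jul 26 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-6
- fix CVE-2009-1725 - crash, possible ACE in numeric character references
- fix CVE-2009-1690 - crash, possible ACE in KHTML (<head> use-after-free)
- fix CVE-2009-1687 - possible ACE in KJS (FIXME: still crashes?)
- fix CVE-2009-1698 - crash, possible ACE in CSS style attribute handling
- fix CVE-2009-0945 - NULL-pointer dereference in the SVGList interface impl
* Thu Jul 23 2009 Jaroslav Reznik <jreznik at redhat.com> - 4.2.4-5
- CVE-2009-2537 - select length DoS
- correct fixPopupForPlasmaboard.patch'

# Constructed sample: a package that stopped at release 4.2.4-5, so it has
# only the CVE-2009-2537 fix.
SAMPLE_PARTIAL='* Thu Jul 23 2009 Jaroslav Reznik <jreznik at redhat.com> - 4.2.4-5
- CVE-2009-2537 - select length DoS
- correct fixPopupForPlasmaboard.patch
* Wed Jul  8 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.2.4-4
- fix CMake dependency in parallel_devel patch (#510259, CHIKAMA Masaki)'

# Demonstration on the constructed samples.
echo "Fixed build, missing CVEs:   $(printf '%s\n' "$SAMPLE_FIXED" | missing_cves | tr '\n' ' ')"
echo "Partial build, missing CVEs: $(printf '%s\n' "$SAMPLE_PARTIAL" | missing_cves | tr '\n' ' ')"

# On a live system, feed the installed package's changelog instead:
#   rpm -q --changelog kdelibs | missing_cves
```

An empty result means every CVE from the advisory appears in the changelog; any identifier printed points to a package that predates the corresponding fix.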



