MGASA-2017-0079

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2017-0079.html

Import Source

https://advisories.mageia.org/MGASA-2017-0079.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2017-0079

Related

CVE-2017-6410

Published

2017-03-23T07:19:23Z

Modified

2017-03-23T07:08:29Z

Summary

Updated kdelibs4 packages fix security vulnerability

Details

Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings allow âDetect Proxy Configuration Automaticallyâ. This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victimâs LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / kdelibs4

Package

Name: kdelibs4
Purl: pkg:rpm/mageia/kdelibs4?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.14.30-1.mga5

Ecosystem specific

{
    "section": "core"
}