-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SCO Security Advisory

Subject:                OpenLinux: KDE 2.2 / Konqueror Embedded SSL vulnerability
Advisory number:        CSSA-2003-022.0
Issue date:             2003 September 26
Cross reference:        sr879150 fz527919 erg712317
______________________________________________________________________________


1. Problem Description

        KDE's SSL implementation in the affected versions matches
        certificates based on IP number instead of hostname, so the
        names in the server certificate are never compared with the
        hostname the user actually requested. As a result it can fail
        to detect a man-in-the-middle attack.

        Users of Konqueror and other SSL-enabled KDE software may fall
        victim to a man-in-the-middle attack without noticing. In that
        case the user is under the impression that there is a secure
        connection to a trusted site while in fact a different site has
        been connected to.

        The Common Vulnerabilities and Exposures (CVE) project has
        assigned the name CAN-2003-0370 to this issue. This is a
        candidate for inclusion in the CVE list (http://cve.mitre.org),
        which standardizes names for security problems.


2. Vulnerable Supported Versions

        System                          Package
        ----------------------------------------------------------------------
        OpenLinux 3.1.1 Server          prior to kdelibs2-2.2.1-6.4.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.4.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.4.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.4.i386.rpm

        OpenLinux 3.1.1 Workstation     prior to kdelibs2-2.2.1-6.4.i386.rpm
                                        prior to kdelibs2-devel-2.2.1-6.4.i386.rpm
                                        prior to kdelibs2-devel-static-2.2.1-6.4.i386.rpm
                                        prior to kdelibs2-doc-2.2.1-6.4.i386.rpm


3. Solution

        The proper solution is to install the latest packages. To
        confirm whether a system is affected, compare the output of
        "rpm -q kdelibs2" with the versions listed in section 2.

        Many customers find it easier to use the Caldera System Updater,
        called cupdate (or kcupdate under the KDE environment), to update
        these packages rather than downloading and installing them by
        hand.


4. OpenLinux 3.1.1 Server

        4.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-022.0/RPMS

        4.2 Packages

        3368ccf24367363256b9956a82d76137        kdelibs2-2.2.1-6.4.i386.rpm
        c1db1d8193b6da2d05eb211f0767afe6        kdelibs2-devel-2.2.1-6.4.i386.rpm
        b1ce39420b3ec635886cf771b430b280        kdelibs2-devel-static-2.2.1-6.4.i386.rpm
        0feb85fc3cd32d2f2ff0f15958edfe25        kdelibs2-doc-2.2.1-6.4.i386.rpm

        4.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.4.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.4.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.4.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.4.i386.rpm

        4.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-022.0/SRPMS

        4.5 Source Packages

        90d9d8421bfee9cb1ae493653d54cd1a        kdelibs2-2.2.1-6.4.src.rpm


5. OpenLinux 3.1.1 Workstation

        5.1 Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-022.0/RPMS

        5.2 Packages

        027834cb3f0b0d68609ee06bd6c70893        kdelibs2-2.2.1-6.4.i386.rpm
        90bad18be98aa431b74ed1bd8d02340b        kdelibs2-devel-2.2.1-6.4.i386.rpm
        9e77ca6cc3a5710e2aadc9aa1abf9347        kdelibs2-devel-static-2.2.1-6.4.i386.rpm
        e3ced8f89c2c142487f147183b129914        kdelibs2-doc-2.2.1-6.4.i386.rpm

        5.3 Installation

        rpm -Fvh kdelibs2-2.2.1-6.4.i386.rpm
        rpm -Fvh kdelibs2-devel-2.2.1-6.4.i386.rpm
        rpm -Fvh kdelibs2-devel-static-2.2.1-6.4.i386.rpm
        rpm -Fvh kdelibs2-doc-2.2.1-6.4.i386.rpm

        5.4 Source Package Location

        ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-022.0/SRPMS

        5.5 Source Packages

        29f24e717973dbd2d2ed4030bde1edfa        kdelibs2-2.2.1-6.4.src.rpm


6. References

        Specific references for this advisory:
                none

        SCO security resources:
                http://www.sco.com/support/security/index.html

        This security fix closes SCO incidents sr879150 fz527919 erg712317.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.


8. Acknowledgements

        SCO would like to thank Jesse Burns for his notification to
        kde.org.

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj90ryEACgkQbluZssSXDTGLVQCcCzNCQOZuJW+mUBXq7P/0ys74
HyAAn2FAt8daLK4va8/UpfENddU8baaw
=cKmw
-----END PGP SIGNATURE-----
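The flaw in section 1 is a certificate name-matching error: the client decides whether the peer is the right one using the IP number it reached rather than checking that the hostname the user typed appears in the certificate. The following Python is an added example for this editing pass; it is not KDE, SCO or advisory code, and `vulnerable_peer_check` is an illustrative model of that class of mistake, not a reconstruction of the kdelibs source. Certificates are represented as dicts shaped like `ssl.SSLSocket.getpeercert()` output, and the names `bank.example.com` / `evil.example.net`, the address `203.0.113.66` and the poisoned resolver are all constructed. CA validation is assumed to have already passed, which is exactly the situation the advisory describes: the attacker holds a CA-issued certificate for a name of its own.

```python
"""Certificate name matching: an IP-number check versus a hostname check.

Added example, not KDE or SCO code. 'vulnerable_peer_check' models the class
of flaw in CSSA-2003-022.0 (matching on IP number instead of hostname); it is
not the kdelibs implementation. Cert dicts mimic ssl.getpeercert() output.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

Cert = Dict[str, tuple]


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate against the requested hostname.

    Case-insensitive. A wildcard is honoured only as a bare '*' in the
    leftmost label and only when it replaces exactly one label, so
    '*.example.com' matches 'www.example.com' but not 'example.com' or
    'a.b.example.com', and '*.com' is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in lbl for lbl in plabels[1:]):
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_names(cert: Cert) -> Tuple[List[str], List[str]]:
    """Return (dns_names, ip_addresses) from subjectAltName. The subject
    commonName is consulted only when the certificate has no SAN at all."""
    dns: List[str] = []
    ips: List[str] = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def _ip_match(values: Iterable[str], wanted: ipaddress._BaseAddress) -> bool:
    for value in values:
        try:
            if ipaddress.ip_address(value) == wanted:
                return True
        except ValueError:  # malformed IP SAN: ignore rather than match
            continue
    return False


def hostname_check(cert: Cert, requested: str) -> bool:
    """Correct check: the identifier the user asked for must be in the cert.
    A literal IP is matched only against IP SANs, a hostname only against
    DNS names (or the CN fallback)."""
    dns, ips = cert_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(requested)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return _ip_match(ips, wanted_ip)
    return any(_dnsname_match(name, requested) for name in dns)


def vulnerable_peer_check(cert: Cert, requested: str, connected_ip: str,
                          resolve: Callable[[str], Iterable[str]]) -> bool:
    """Flawed model: the certificate's names are never compared with the
    requested hostname; the only question asked is whether the address we
    reached is one the hostname resolves to. Whoever controls DNS or routing
    (the usual man-in-the-middle position) satisfies that trivially."""
    del cert  # deliberately unused: that is the bug being modelled
    return connected_ip in set(resolve(requested))


def demo() -> Tuple[bool, bool]:
    """Constructed MITM scenario: the user asks for bank.example.com, the
    attacker at 203.0.113.66 has poisoned name resolution and presents a
    CA-valid certificate for its own name. Returns (vulnerable, correct)."""
    attacker_cert: Cert = {
        "subject": ((("commonName", "evil.example.net"),),),
        "subjectAltName": (("DNS", "evil.example.net"),),
    }

    def poisoned_resolver(name: str) -> List[str]:  # constructed
        return ["203.0.113.66"]

    vulnerable = vulnerable_peer_check(attacker_cert, "bank.example.com",
                                       "203.0.113.66", poisoned_resolver)
    correct = hostname_check(attacker_cert, "bank.example.com")
    return vulnerable, correct


if __name__ == "__main__":
    print(demo())  # (True, False): IP check accepts the MITM, hostname check rejects it
```

The point to take from `demo()` is that the IP-based check is satisfied by any certificate the CA will issue to the attacker, because the requested name never enters the decision; `hostname_check` fails closed as soon as the name does not appear.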
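Sections 4.2 and 5.2 publish an MD5 sum beside each package and sections 4.3 and 5.3 give the `rpm -Fvh` commands; the step a practitioner wants in between is to refuse the install when a downloaded file does not match its sum. The following Python is an added example for this editing pass, not SCO tooling or code from the advisory. It parses manifest lines in the advisory's `<md5> <filename>` layout and checks them against package contents; the manifest and file contents embedded below are constructed (hypothetical package names, sums computed over the short byte strings shown), and `verify_directory` is the wrapper you would point at a real download directory. Two caveats: MD5 is no longer collision-resistant, so this is a transfer-integrity check rather than proof of origin, and what authenticates the sums is the PGP signature on the advisory text itself, which should be checked first (`gpg --verify` on the saved advisory).

```python
"""Verify an advisory's MD5 manifest against downloaded RPMs before rpm -Fvh.

Added example, not SCO tooling. Manifest lines follow the advisory layout
'<32 hex chars> <filename>'; anything else (headings, URLs, blanks) is skipped.
"""
import hashlib
import os
from typing import Dict, List, Tuple

HEX = set("0123456789abcdef")
Result = Tuple[List[str], List[str], List[str]]  # (ok, mismatched, missing)


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected md5 (lowercase hex) from manifest lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 32 and set(parts[0].lower()) <= HEX:
            entries[parts[1]] = parts[0].lower()
    return entries


def verify_contents(manifest: Dict[str, str], contents: Dict[str, bytes]) -> Result:
    """Compare every manifest entry with the bytes supplied for that filename."""
    ok: List[str] = []
    bad: List[str] = []
    missing: List[str] = []
    for name, expected in sorted(manifest.items()):
        if name not in contents:
            missing.append(name)
            continue
        actual = hashlib.md5(contents[name]).hexdigest()
        (ok if actual == expected else bad).append(name)
    return ok, bad, missing


def verify_directory(manifest: Dict[str, str], directory: str) -> Result:
    """Same check against files on disk, e.g. the RPMS download directory."""
    contents: Dict[str, bytes] = {}
    for name in manifest:
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                contents[name] = fh.read()
    return verify_contents(manifest, contents)


def freshen_argv(ok: List[str], bad: List[str], missing: List[str]) -> List[str]:
    """Build the 'rpm -Fvh ...' argv only when every listed package verified.
    An empty list means: do not install anything."""
    if bad or missing or not ok:
        return []
    return ["rpm", "-Fvh", *ok]


# Constructed manifest and download contents (hypothetical package names; the
# sums are MD5 of the byte strings noted below, not the advisory's packages).
CONSTRUCTED_MANIFEST = """\
4.2 Packages

b1946ac92492d2347c6235b4d2611184 example-1.0-1.i386.rpm
900150983cd24fb0d6963f7d28e17f72 example-devel-1.0-1.i386.rpm
d41d8cd98f00b204e9800998ecf8427e example-doc-1.0-1.i386.rpm
"""
CONSTRUCTED_FILES: Dict[str, bytes] = {
    "example-1.0-1.i386.rpm": b"hello\n",         # md5 matches its manifest line
    "example-devel-1.0-1.i386.rpm": b"tampered",  # manifest sum is md5(b"abc")
    # example-doc-1.0-1.i386.rpm was never downloaded
}


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    manifest = parse_manifest(CONSTRUCTED_MANIFEST)
    ok, bad, missing = verify_contents(manifest, CONSTRUCTED_FILES)
    return ok, bad, missing, freshen_argv(ok, bad, missing)


if __name__ == "__main__":
    ok, bad, missing, argv = demo()
    print("verified:", ok)
    print("MISMATCH:", bad)
    print("missing: ", missing)
    print("install: ", " ".join(argv) if argv else "refused (fix the above first)")
```

Against a real download, paste the relevant "Packages" section of the advisory into a file, call `verify_directory(parse_manifest(open(path).read()), "/path/to/RPMS")`, and run the returned `rpm -Fvh` argv only when both the mismatched and missing lists are empty.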