Latest KDE update fixes security vulnerabilities on Ubuntu and Debian; the update applies to Ubuntu 19.04, 18.04 and 16.04 LTS

The Debian Project and Canonical have released security updates for their supported operating systems to address recently disclosed vulnerabilities in the KDE libraries.

A few weeks ago, the KDE community fixed a security hole that Dominik Penner found in the KConfig component. KConfig is the configuration settings framework of the KDE Plasma desktop environment, and the flaw could allow an attacker to execute malicious code via a specially crafted .desktop file contained in an archive that is opened in the file manager.

"Dominik Penner found that KConfig supported a feature for defining shell commands that are executed in .desktop files. If a user is provided with a malformed .desktop file (for example, if it is embedded in a downloaded archive and opened in a file browser), arbitrary commands can be executed. This update removes this feature," reads the Debian security bulletin.

The problem affects versions of the KDE Frameworks open-source software suite earlier than 5.61.0, which was released on August 10, 2019. A patch became available two days after the original bug report, and it has since been making its way into the stable software repositories of the most popular GNU/Linux distributions.

We recommend that users install the update immediately

The Debian Project released a security patch that fixes the vulnerability (CVE-2019-14744) in the Debian GNU/Linux 9 "Stretch" and Debian GNU/Linux 10 "Buster" operating system series, and urged users to update the kconfig package. The fixed versions are 5.28.0-2+deb9u1 and 5.54.0-1+deb10u1, respectively.

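Canonical, on the other hand, today released updated versions of the kconfig and kde4libs packages to fix the vulnerability discovered by Dominik Penner, as well as a 3-year-old security issue (CVE-2016-6232) that could allow a remote attacker to write arbitrary files via a ../ in a file name inside an archive file.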

Origin www.linuxidc.com/Linux/2019-08/160225.htm