KDE 3.0.1 Info Page
KDE 3.0.1 was released on May 22nd, 2002. Read the official announcement.
FAQ
See the KDE FAQ for any specific questions you may have. Questions about Konqueror should be directed to the Konqueror FAQ and sound related questions are answered in the FAQ of the aRts Project
Download and Installation
See the links listed in the announcement. The KDE FAQ provides generic instruction about installation issues.
Binary packages can be found under http://download.kde.org/stable/3.0.1/ or in the equivalent directory at one of the KDE FTP mirrors. Additional binary packages might become available in the coming weeks, as well as updates to the current packages.
Updates
A compile failure has been found in the release kde-i18n tarball. The tarball has been fixed and replaced on ftp (24 May 2002).The same problem was in kde-i18n-fr language-specific tarball.
Please redownload the tarball in case you hit this problem.
Security Issues
Konqueror fails to correctly initialize the site domains for sub-(i)frames and may as a result allow access to forein cookies.
It is strongly recommended to upgrade at least kdelibs to KDE 3.0.3a in which this bug is fixed.
A patch is also available for download to address this particular problem.
KDE's SSL implementation fails to check the basic constraints on certificates and as a result may accept certificates as valid that were signed by an issuer who was not authorized to do so.
Konqueror fails to detect the "secure" flag in HTTP cookies and as a result may send secure cookies back to the originating site over an unencrypted network connection.
It is strongly recommended to upgrade at least kdelibs to KDE 3.0.3a in which this bug is fixed.
A patch is also available for download to address this particular problem.
KDE's SSL implementation fails to check the basic constraints on certificates and as a result may accept certificates as valid that were signed by an issuer who was not authorized to do so.
Due to this, users of Konqueror and other SSL enabled KDE software may fall victim to a malicious man-in-the-middle attack without noticing. In such case the user will be under the impression that there is a secure connection with a trusted site while in fact a different site has been connected to.
It is strongly recommended to upgrade at least kdelibs to KDE 3.0.3 in which this bug is fixed.
A format string vulnerability was found in the commonly used talkd implementation, which ktalk(d) uses.
A patch is available for download to address this particular problem.
The use of ktalk(d) is strongly discouraged in any security relevant area. Use it with care, and never make it accessible outside your local, trusted network.
KHTML, the html rendering component of Konqueror, allowed webpages to initialize the file upload box with a filename. This could cause unwanted submit of the file to the remote host.
A patch is available for download to address this problem.
- A Denial of Service vulnerability has been found in the
aRts soundserver. All versions of
KDE 2.2.x and KDE 3.0.x are affected. If you allow untrusted users to login, it is recommended to remove the sUID bit of the artswrapper application. To achieve this, please
run the following command in the directory artswrapper is installed in:
chmod u-s artswrapper
Several buffer overflows have been found in code KGhostview shared from other postscript viewers. Read the detailed advisory. Update to KDE 3.0.4 is recommended.
A patch is also available for download to address this particular problem.
A path traversal exploit has been found in kpf. Read the detailed advisory. Update to KDE 3.0.4 is recommended.
A patch is also available for download to address this particular problem.
- Several vulnerabilites have been found in LISa/resLISa and the rlan:// protocol, including the possibility to escalate the privileges to root via a remote attack. See the detailed advisory for an explanation and instructions for immediate workaround. A patch is available for download. The use of LISa/resLISa is strongly discouraged in any security relevant area. Never make it available outside your local, trusted network.
- the rlogin protocol implementation in KIO allows remote command execution. See the detailed advisory for an explanation and instructions for immediate workaround. A patch is available for download.
Several shell escaping vulnerabilities have been found throughout KDE which allow a remote attacker to execute commands as the local user. Read the detailed advisory. It is strongly recommended to update to KDE 3.0.5a.
- Several problems with KDE's use of Ghostscript where discovered that allow the execution of arbitrary commands contained in PostScript (PS) or PDF files with the privileges of the victim. Read the detailed advisory. It is strongly recommended to update to KDE 3.0.5b
- A HTTP authentication credentials leak via the a "Referrer" was discovered by George Staikos in Konqueror. If the HTTP authentication credentials were part of the URL they would be possibly sent in the referer header to a 3rd party web site. Read the detailed advisory. KDE 3.1.3 and newer are not vulnerable.
Bugs
This is a list of grave bugs and common pitfalls surfacing after the release date:
- Support for <OBJECT> tags in webpages has been accidently broken. The KHTML patch above, which is strongly recommended, corrects this problem as well.
Please check the bug database before filing any bug reports. Also check for possible updates on this pag that might describe or fix your problem.
Developer Info
If you need help porting your application to KDE 3.x see the porting guide or subscribe to the KDE Devel Mailinglist to ask specific questions about porting your applications.
There is also info on the architecture and the programming interface of KDE 3.0.