Subject: [ASA-202010-7] kdeconnect: arbitrary code execution Arch Linux Security Advisory ASA-202010-7 ========================================= Severity: High Date : 2020-10-18 CVE-ID : CVE-2020-26164 Package : kdeconnect Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1241 Summary ======= The package kdeconnect before version 20.08.2-1 is vulnerable to arbitrary code execution. Resolution ========== Upgrade to 20.08.2-1. # pacman -Syu "kdeconnect>=20.08.2-1" The problem has been fixed upstream in version 20.08.2. Workaround ========== None. Description =========== Several issues have been found in kdeconnect <= 20.08.1 where a remote, unauthenticated attacker on the local network can access sensitive information, crash the daemon or possibly execute arbitrary code via a use-after-free. Impact ====== A remote unauthenticated attacker on the local network can access sensitive information, crash the daemon or possible execute arbitrary code. References ========== https://kde.org/info/security/advisory-20201002-1.txt https://www.openwall.com/lists/oss-security/2020/10/13/4 https://security.archlinux.org/CVE-2020-26164