[qt4] [CVE-2007-5965] error in handling certificate verification in SSL connections
Bug #191218 reported by disabled.user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
qt4-x11 (Ubuntu) | Invalid | Undecided | Unassigned |
Gutsy | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: libqt4-core
References:
MDVSA-2008:042 (http://
SUSE-SR:2008:002 (http://
Quoting CVE-2007-5965:
"QSslSocket in Trolltech Qt 4.3.0 through 4.3.2 does not properly verify SSL certificates, which might make it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service, or trick a service into accepting an invalid client certificate for a user."
Changed in qt4-x11:
status: New → Invalid
This bug was fixed in the package qt4-x11 - 4.3.2-0ubuntu3.2
---------------
qt4-x11 (4.3.2-0ubuntu3.2) gutsy-security; urgency=low
* SECURITY UPDATE: a potential vulnerability in QSslSocket, which
might cause a certificate verification in SSL connections not to
be performed. As a consequence, code using QSslSocket might be
misled into thinking the certificate was verified correctly when
it actually failed in one or more criteria.
* Added kubuntu_02_qsslsocket_verification.dpatch from
http://www.trolltech.com/developer/download/190133.patch: ensure
certificates are verified. (Fixes LP: #191218)
* References
http://trolltech.com/company/newsroom/announcements/press.2007-12-21.2182567220
CVE-2007-5965
-- Jonathan Riddell <email address hidden> Wed, 20 Feb 2008 00:26:45 +0000