Bug#157255: Konqueror SSL vulnerability
Tags: security upstream
KDE Security Advisory: Konqueror SSL vulnerability
Original Release Date: 2002-08-18
1. Systems affected:
All versions of KDE up to and including KDE 3.0.2
KDE's SSL implementation fails to check the basic constraints on
certificates and as a result may accept as valid certificates that were signed
by an issuer who was not authorized to do so.

Users of Konqueror and other SSL-enabled KDE software may fall victim
to a malicious man-in-the-middle attack without noticing. In such a case the
user will be under the impression that there is a secure connection with a
trusted site while in fact a different site has been connected to.

Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
well for users who are unable to upgrade to KDE 3.

A patch for KDE 2.2.2 is available from
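The basic-constraints check that the advisory says KDE's SSL code omitted, exercised against OpenSSL's own validator as an added example (this is not code from the bug report, the advisory or KDE): it builds a chain in which a CA:FALSE server certificate has signed a second certificate and confirms that a conforming validator rejects that chain while still accepting the legitimate server certificate. The host names and file names are constructed for the example; it needs the openssl command line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not from the bug report or the KDE advisory: a chain whose
# middle certificate is an ordinary end-entity cert (CA:FALSE) that signed
# another certificate, checked against a validator that honours basicConstraints.
set -e
WORK=$(mktemp -d)

# Minimal request config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Test Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'basicConstraints = critical,CA:FALSE\n' > "$WORK/leaf.ext"

# Self-signed root that really is a CA (constructed test names throughout).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/req.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
# Ordinary server certificate issued by the root, explicitly marked CA:FALSE.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=server.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
# A certificate signed with the leaf's key: an issuer that was never authorised to issue.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=bank.example.test" -keyout "$WORK/rogue.key" -out "$WORK/rogue.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/rogue.csr" -CA "$WORK/leaf.crt" -CAkey "$WORK/leaf.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/rogue.crt" 2>/dev/null

# Returns 0 when the rogue chain is rejected (the correct outcome), 1 if it is accepted.
chain_is_rejected() {
  ! openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/leaf.crt" \
      "$WORK/rogue.crt" >/dev/null 2>&1
}
# The direct root -> leaf chain must still verify, so the rejection above is
# caused by the basic-constraints check and not by a broken setup.
leaf_is_accepted() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

chain_is_rejected && echo "rogue chain rejected: basicConstraints honoured"
leaf_is_accepted && echo "legitimate server certificate accepted"
```

A validator with the flaw described in the advisory would pass the first check's chain, because it never inspects whether the issuing certificate is marked as a CA.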
-- System Information:
Debian Release: testing/unstable
Kernel: Linux dell 2.4.18-bf2.4 #1 Fri Jun 7 06:12:37 UTC 2002 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages kdelibs3-crypto depends on:
pn kdelibs3 Not found.
ii libc6 2.2.5-14 GNU C Library: Shared libraries an
ii libssl0.9.6 0.9.6g-2 SSL shared libraries
ii libstdc++2.10-glibc2.2 1:2.95.4-11 The GNU stdc++ library
ii zlib1g 1:1.1.4-3 compression library - runtime
-- no debconf information