[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#157255: Konqueror SSL vunerability

Package: kdelibs3-crypto
Version: 4:2.2.2-6
Severity: critical
Tags: security upstream


KDE Security Advisory: Konqueror SSL vulnerability
Original Release Date: 2002-08-18
URL: http://www.kde.org/info/security/advisory-20020818-1.txt

0. References

1. Systems affected:

        All versions of KDE up to and including KDE 3.0.2

2. Overview:

        KDE's SSL implementation fails to check the basic constraints on
certificates and as a result may accept certificates as valid that were signed
by an issuer who was not authorized to do so.

3. Impact:

        Users of Konqueror and other SSL enabled KDE software may fall victim
to a malicious man-in-the-middle attack without noticing. In such case the
user will be under the impression that there is a secure connection with a
trusted site while in fact a different site has been connected to.

4. Solution:

        Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
well for users that are unable to upgrade to KDE 3.

5. Patch:
        A patch for KDE 2.2.2 is available from 
ftp://ftp.kde.org/pub/kde/security_patches :

        0e0da738b276567e9ee36aa824e86124  post-2.2.2-kdelibs-kssl.diff

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux dell 2.4.18-bf2.4 #1 Fri Jun 7 06:12:37 UTC 2002 i686

Versions of packages kdelibs3-crypto depends on:
pn  kdelibs3                                 Not found.
ii  libc6                        2.2.5-14    GNU C Library: Shared libraries an
ii  libssl0.9.6                  0.9.6g-2    SSL shared libraries
ii  libstdc++2.10-glibc2.2       1:2.95.4-11 The GNU stdc++ library
ii  zlib1g                       1:1.1.4-3   compression library - runtime

-- no debconf information

Reply to: