Bug#458968: CVE-2007-6591: Accepts SSL certificates for sites in subjectAltName, even though these are not displayed
Package: konqueror
Version: 4:3.5.8.dfsg.1-2
Severity: important
Tags: security
From CVE-2007-6591:
"KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate
on the basis of the CN domain name in the DN field, regards the certificate as
also accepted for all domain names in subjectAltName:dNSName fields, even though
these fields cannot be examined in the product, which makes it easier for remote
attackers to trick a user into accepting an invalid certificate for a spoofed
web site."
There is more info at
http://nils.toedtmann.net/pub/subjectAltName.txt
and
http://www.securityfocus.com/archive/1/483942/100/100/threaded
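The flaw the CVE text describes, and the fix it implies, as an added illustration in Python. This is not Konqueror's code: certificates are a constructed stand-in holding only the subject CN and the subjectAltName dNSName entries, the hostname matcher is a simplified RFC 6125 comparison, and the exception stores model the two policies (remember "this certificate" versus remember "this certificate for this host, after showing every name it carries").

```python
"""Model of the logic flaw in CVE-2007-6591 and of the fix.

Added illustration, not Konqueror code: certificates are a small constructed
stand-in (CN plus subjectAltName dNSName list), so no X.509 parsing happens.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 leaf: only the fields used for name matching."""
    subject_cn: str
    san_dns: tuple = ()  # subjectAltName dNSName entries, possibly empty

    def fingerprint(self):
        # Stand-in for a hash over the DER encoding (constructed input).
        raw = (self.subject_cn + "|" + "|".join(self.san_dns)).encode()
        return hashlib.sha256(raw).hexdigest()


def host_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, a wildcard only as the
    whole left-most label, never matching across label boundaries."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    pl, hl = p.split("."), h.split(".")
    return pl[0] == "*" and len(pl) >= 3 and len(pl) == len(hl) and pl[1:] == hl[1:]


def names_in(cert):
    """Every name the certificate asserts (CN plus all dNSName SANs, in
    order, without duplicates). This is what an 'accept this certificate?'
    dialog has to show the user."""
    return tuple(dict.fromkeys((cert.subject_cn,) + tuple(cert.san_dns)))


def cert_covers(cert, host):
    """Does the certificate name this host at all? (Simplified: a strict
    implementation ignores the CN once dNSName SANs are present.)"""
    return any(host_matches(n, host) for n in names_in(cert))


class VulnerableExceptionStore:
    """Behaviour as described in the CVE: the user is shown only the CN,
    and the exception is remembered per certificate, so it silently extends
    to every SAN name the certificate also carries."""

    def __init__(self):
        self.accepted = set()

    def dialog_text(self, cert):
        return cert.subject_cn  # SAN entries are not displayed

    def accept(self, cert, host):
        self.accepted.add(cert.fingerprint())  # host is ignored

    def is_trusted(self, cert, host):
        return cert.fingerprint() in self.accepted and cert_covers(cert, host)


class FixedExceptionStore:
    """Show every name, and scope the exception to (host, fingerprint)."""

    def __init__(self):
        self.accepted = set()

    def dialog_text(self, cert):
        return ", ".join(names_in(cert))

    def accept(self, cert, host):
        self.accepted.add((host.lower(), cert.fingerprint()))

    def is_trusted(self, cert, host):
        return ((host.lower(), cert.fingerprint()) in self.accepted
                and cert_covers(cert, host))


def scenario(store_cls):
    """Constructed scenario: an untrusted certificate whose CN is the
    attacker's own host but whose SAN also lists a victim host. The user
    accepts it while visiting the attacker's host. Returns (text the user
    saw, trusted for the attacker host, trusted for the victim host)."""
    cert = Cert(subject_cn="www.attacker.example",
                san_dns=("www.attacker.example", "www.bank.example"))
    store = store_cls()
    shown = store.dialog_text(cert)
    store.accept(cert, "www.attacker.example")  # user accepts what was shown
    return (shown,
            store.is_trusted(cert, "www.attacker.example"),
            store.is_trusted(cert, "www.bank.example"))


if __name__ == "__main__":
    for cls in (VulnerableExceptionStore, FixedExceptionStore):
        print(cls.__name__, scenario(cls))
```

With the vulnerable store the user saw only www.attacker.example yet the same certificate is afterwards trusted for www.bank.example without any prompt; with the fixed store both names are displayed before acceptance and the exception never applies to a host the user did not accept it for.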