CVE-2009-2702
Published: 8 September 2009
KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Notes
| Author | Note |
|---|---|
| jdstrand | kde4libs not as serious since KDE4 has moved to Qt4. However, it should be fixed due to other applications may use it. Also, by nad checin verification (ie non-netowork) will use kssl. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
kde4libs Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Released
(4:4.1.4-0ubuntu1~intrepid1.3)
|
|
| jaunty |
Released
(4:4.2.2-0ubuntu5.2)
|
|
| karmic |
Released
(4:4.3.1-0ubuntu3)
|
|
| lucid |
Released
(4:4.3.1-0ubuntu3)
|
|
| upstream |
Needed
|
|
|
kdelibs Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Released
(4:3.5.10-0ubuntu1~hardy1.3)
|
|
| intrepid |
Released
(4:3.5.10-0ubuntu6.2)
|
|
| jaunty |
Released
(4:3.5.10.dfsg.1-1ubuntu8.2)
|
|
| karmic |
Released
(4:3.5.10.dfsg.1-2ubuntu5)
|
|
| lucid |
Released
(4:3.5.10.dfsg.1-2ubuntu5)
|
|
| upstream |
Needed
|
|
|
Patches: other: https://bugzilla.redhat.com/show_bug.cgi?id=520661 |
||