Date: Tue, 8 Mar 2011 16:17:59 -0500 (EST) From: Josh Bressers <bressers@...hat.com> To: oss-security@...ts.openwall.com Cc: coley <coley@...re.org> Subject: Re: KDE SSL name check issue Please use CVE-2011-1094. Thanks. -- JB ----- Original Message ----- > Hi! > > KDE recently fixed an issue in the code checking host names of the > server SSL certificates. Previously, it accepted certificate as valid > for the site if it was issued for the user-specified host name, or if > it was issued for an IP address to which user-specified host name > resolved. > > An attacker able to get an SSL certificate form a trusted CA issued > for > an attacker-controlled IP address could perform a MITM attack, if they > were also able to hijack victim's DNS to resolve host names to the > attacker's IP. > > Fixed upstream in: > https://projects.kde.org/projects/kde/kdelibs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7 > > Patch is included in kdelibs 4.6.1. > > -- > Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ