Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 8 Mar 2011 16:17:59 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: coley <coley@...re.org>
Subject: Re: KDE SSL name check issue

Please use CVE-2011-1094.

Thanks.

-- 
    JB


----- Original Message -----
> Hi!
> 
> KDE recently fixed an issue in the code checking host names of the
> server SSL certificates. Previously, it accepted certificate as valid
> for the site if it was issued for the user-specified host name, or if
> it was issued for an IP address to which user-specified host name
> resolved.
> 
> An attacker able to get an SSL certificate form a trusted CA issued
> for
> an attacker-controlled IP address could perform a MITM attack, if they
> were also able to hijack victim's DNS to resolve host names to the
> attacker's IP.
> 
> Fixed upstream in:
> https://projects.kde.org/projects/kde/kdelibs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7
> 
> Patch is included in kdelibs 4.6.1.
> 
> --
> Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ