Date: Tue, 8 Mar 2011 16:17:59 -0500 (EST)
From: Josh Bressers <>
Cc: coley <>
Subject: Re: KDE SSL name check issue

Please use CVE-2011-1094.



----- Original Message -----
> Hi!
> KDE recently fixed an issue in the code checking host names of the
> server SSL certificates. Previously, it accepted a certificate as valid
> for the site if it was issued for the user-specified host name, or if
> it was issued for an IP address to which the user-specified host name
> resolved.
> An attacker able to get an SSL certificate from a trusted CA issued for
> an attacker-controlled IP address could perform a MITM attack, if they
> were also able to hijack the victim's DNS to resolve host names to the
> attacker's IP.
> Fixed upstream in:
> Patch is included in kdelibs 4.6.1.
> --
> Tomas Hoger / Red Hat Security Response Team
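The check described in the quoted report, as an added illustration (this is not KDE's code nor the actual patch; the `Cert` structure, the `HIJACKED_DNS` table and the 198.51.100.7 address are constructed for the example). `flawed_match` reproduces the pre-fix logic: a certificate is accepted if it names the requested host, or if it names any IP address the host currently resolves to. `fixed_match` implements the correct rule: the reference identity is only what the user typed; a DNS name is matched against dNSName SANs (with CN as a fallback when no dNSName SAN is present), an IP literal is matched against iPAddress SANs, and name resolution is never consulted, so a DNS hijack can no longer turn an attacker's IP certificate into a valid certificate for the victim's host name.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate (constructed)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress SAN entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; allows only a single leftmost '*' label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        # Wildcard must cover exactly one label and never the public suffix.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return False


def _dns_names(cert: Cert) -> List[str]:
    # CN is only consulted when the certificate carries no dNSName SAN.
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def flawed_match(cert: Cert, user_host: str,
                 resolve: Callable[[str], List[str]]) -> bool:
    """Pre-fix behaviour from the report: also accept a cert issued for any IP
    the host name resolves to. The resolver result is attacker-influenced."""
    if any(_dns_name_matches(n, user_host) for n in _dns_names(cert)):
        return True
    return any(ip in cert.san_ip for ip in resolve(user_host))


def fixed_match(cert: Cert, user_host: str) -> bool:
    """Correct rule: match only the identity the user asked for; never resolve."""
    try:
        wanted_ip = ipaddress.ip_address(user_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # User typed an IP literal: only an iPAddress SAN may satisfy it.
        return any(ipaddress.ip_address(s) == wanted_ip for s in cert.san_ip)
    # User typed a DNS name: only dNSName SANs (or CN fallback) may satisfy it.
    return any(_dns_name_matches(n, user_host) for n in _dns_names(cert))


# Constructed scenario: the victim's resolver has been hijacked so that the
# bank's host name resolves to an attacker-controlled address (TEST-NET-2).
HIJACKED_DNS = {"bank.example": ["198.51.100.7"]}


def hijacked_resolve(host: str) -> List[str]:
    return HIJACKED_DNS.get(host, [])


# Attacker legitimately obtained a CA-issued certificate for their own IP.
ATTACKER_CERT = Cert(subject_cn="198.51.100.7", san_ip=["198.51.100.7"])
# The bank's real certificate, for comparison.
BANK_CERT = Cert(subject_cn="bank.example",
                 san_dns=["bank.example", "*.bank.example"])


def demo() -> dict:
    """Returns the outcome of both checks for the hijack scenario."""
    return {
        "flawed_accepts_attacker": flawed_match(ATTACKER_CERT, "bank.example",
                                                hijacked_resolve),
        "fixed_accepts_attacker": fixed_match(ATTACKER_CERT, "bank.example"),
        "fixed_accepts_bank": fixed_match(BANK_CERT, "bank.example"),
        "fixed_accepts_wildcard": fixed_match(BANK_CERT, "www.bank.example"),
        "fixed_accepts_ip_literal": fixed_match(ATTACKER_CERT, "198.51.100.7"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The only difference between the two functions is whether the resolver output participates in the decision; everything that the attacker can influence (DNS answers) must stay out of the identity comparison, which is the whole content of the fix.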
