OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Waldo Bastian (bastian_at_kde.org)
Date: Sun Aug 18 2002 - 23:17:14 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    KDE Security Advisory: Konqueror SSL vulnerability
    Original Release Date: 2002-08-18
    URL: http://www.kde.org/info/security/advisory-20020818-1.txt

    0. References

          http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/0
          http://online.securityfocus.com/archive/1/287050/2002-08-07/2002-08-13/2

    1. Systems affected:

          All versions of KDE up to and including KDE 3.0.2

    2. Overview:

          KDE's SSL implementation fails to check the basic constraints on
    certificates and as a result may accept certificates as valid that were signed
    by an issuer who was not authorized to do so.
          
    3. Impact:

          Users of Konqueror and other SSL enabled KDE software may fall victim
    to a malicious man-in-the-middle attack without noticing. In such case the
    user will be under the impression that there is a secure connection with a
    trusted site while in fact a different site has been connected to.

    4. Solution:

          Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
    well for users that are unable to upgrade to KDE 3.

    5. Patch:
          A patch for KDE 2.2.2 is available from
    ftp://ftp.kde.org/pub/kde/security_patches :

          0e0da738b276567e9ee36aa824e86124 post-2.2.2-kdelibs-kssl.diff

    - --
    bastiankde.org | SuSE Labs KDE Developer | bastiansuse.com
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9YHFKN4pvrENfboIRAiqXAJ9AR1cwt8YcJPIwPVqp4zJjppRSvQCfTiBG
    kclIqM6hSG9WzXmK1o5ntT8=
    =2mtr
    -----END PGP SIGNATURE-----