KDE Security Advisory: Konqueror SSL vulnerability

Waldo Bastian bastian at kde.org
Mon Aug 19 05:18:57 BST 2002

KDE Security Advisory: Konqueror SSL vulnerability
Original Release Date: 2002-08-18
URL: http://www.kde.org/info/security/advisory-20020818-1.txt

0. References


1. Systems affected:

      All versions of KDE up to and including KDE 3.0.2

2. Overview:

      KDE's SSL implementation fails to check the basic constraints on
certificates and as a result may accept certificates as valid that were signed
by an issuer who was not authorized to do so.

3. Impact:

      Users of Konqueror and other SSL-enabled KDE software may fall victim
to a malicious man-in-the-middle attack without noticing. In such a case the
user will be under the impression that there is a secure connection with a
trusted site while in fact a different site has been connected to.

4. Solution:

      Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
well for users that are unable to upgrade to KDE 3.

5. Patch:

      A patch for KDE 2.2.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

      0e0da738b276567e9ee36aa824e86124  post-2.2.2-kdelibs-kssl.diff

-- 
bastian at kde.org  |   SuSE Labs KDE Developer  |  bastian at suse.com
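
The check described in the Overview, as an added example that is not part of
the advisory and is not kdelibs code. It uses a simplified certificate model
(the Cert struct, function names and sample chains are assumptions made for
illustration) and assumes signature and validity-period checks already passed.

```cpp
// Simplified model: chains are ordered leaf first, self-signed root last.
#include <cstddef>
#include <string>
#include <vector>

struct Cert {
    std::string subject, issuer;
    bool has_basic_constraints; // basicConstraints extension present
    bool is_ca;                 // its cA flag
    int path_len;               // pathLenConstraint, -1 = absent
};

// Name chaining only: accepts any certificate as an issuer, which is the
// behaviour the advisory describes as vulnerable.
bool names_chain(const std::vector<Cert>& chain) {
    if (chain.empty()) return false;
    for (std::size_t i = 0; i + 1 < chain.size(); ++i)
        if (chain[i].issuer != chain[i + 1].subject) return false;
    return true;
}

// Hardened: every certificate that issued another one must carry
// basicConstraints with cA=true and must respect its pathLenConstraint.
bool chain_ok(const std::vector<Cert>& chain) {
    if (!names_chain(chain)) return false;
    for (std::size_t i = 1; i < chain.size(); ++i) {
        const Cert& issuer = chain[i];
        if (!issuer.has_basic_constraints || !issuer.is_ca) return false;
        int below = static_cast<int>(i) - 1; // intermediates under this issuer
        if (issuer.path_len >= 0 && below > issuer.path_len) return false;
    }
    return true;
}

// Constructed sample: leaf <- intermediate CA <- root.
std::vector<Cert> good_chain() {
    return {{"www.example.test", "Example Intermediate", true, false, -1},
            {"Example Intermediate", "Example Root", true, true, 0},
            {"Example Root", "Example Root", true, true, -1}};
}

// Constructed sample: an end-entity certificate (cA=false) used as an issuer.
std::vector<Cert> bad_chain() {
    return {{"www.example.test", "site.example.test", true, false, -1},
            {"site.example.test", "Example Root", true, false, -1},
            {"Example Root", "Example Root", true, true, -1}};
}
```

names_chain() accepts both sample chains; chain_ok() accepts only good_chain().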


This message is from the kde mailing list.