Bug 427232 - CVE-2007-5965 qt4: QSslSocket may skip SSL certificate verification
Summary: CVE-2007-5965 qt4: QSslSocket may skip SSL certificate verification
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: qt4
Version: 7
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: source=vendorsec,reported=20071204,pu...
Depends On:
Blocks: CVE-2007-5965
TreeView+ depends on / blocked
 
Reported: 2008-01-02 13:06 UTC by Rex Dieter
Modified: 2008-01-03 01:45 UTC (History)
3 users (show)

Fixed In Version: 4.3.3-1.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-03 01:45:35 UTC


Attachments (Terms of Use)

Description Rex Dieter 2008-01-02 13:06:58 UTC
+++ This bug was initially created as a clone of Bug #411751 +++

Thiago José Macieira of Trolltech informed us of following problem affecting QT4
library:

Qt 4 has a potential vulnerability in QSslSocket, which might cause a
certificate verification in SSL connections not to be performed. As a 
consequence, code using QSslSocket might be mislead into thinking the 
certificate was verified correctly when it actually failed in one or more 
criteria.

Versions affected: 4.3.0, 4.3.1 and 4.3.2

-- Additional comment from thoger@redhat.com on 2007-12-05 05:03 EST --
Created an attachment (id=277991)
Upstream patch


-- Additional comment from thoger@redhat.com on 2007-12-05 05:09 EST --
This issue did not affect versions of qt and qt4 packages as shipped with Red
Hat Enterprise Linux 2.1, 3, 4, or 5.

Packages shipped are in version < 4.3 and do not contain vulnerable code.


-- Additional comment from thoger@redhat.com on 2008-01-02 03:06 EST --
Public now:

http://trolltech.com/company/newsroom/announcements/press.2007-12-21.2182567220

-- Additional comment from thoger@redhat.com on 2008-01-02 03:07 EST --
Fedora updates already built and available via testing repository:

https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4354
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4285

Comment 1 Fedora Update System 2008-01-03 01:45:32 UTC
qt4-4.3.3-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.