Bug 427233 - CVE-2007-5965 qt4: QSslSocket may skip SSL certificate verification
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: qt4
Version: 8
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Whiteboard: source=vendorsec,reported=20071204,pu...
Keywords: Security
Blocks: CVE-2007-5965
Reported: 2008-01-02 08:07 EST by Rex Dieter
Modified: 2008-01-02 20:28 EST
Fixed In Version: 4.3.3-1.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-02 20:28:15 EST

Description Rex Dieter 2008-01-02 08:07:37 EST
+++ This bug was initially created as a clone of Bug #411751 +++

Thiago José Macieira of Trolltech informed us of the following problem affecting the Qt4
library:

Qt 4 has a potential vulnerability in QSslSocket, which might cause a
certificate verification in SSL connections not to be performed. As a
consequence, code using QSslSocket might be misled into thinking the
certificate was verified correctly when it actually failed in one or more
criteria.

Versions affected: 4.3.0, 4.3.1 and 4.3.2

-- Additional comment from thoger@redhat.com on 2007-12-05 05:03 EST --
Created an attachment (id=277991)
Upstream patch


-- Additional comment from thoger@redhat.com on 2007-12-05 05:09 EST --
This issue did not affect versions of qt and qt4 packages as shipped with Red
Hat Enterprise Linux 2.1, 3, 4, or 5.

Packages shipped are in version < 4.3 and do not contain vulnerable code.


-- Additional comment from thoger@redhat.com on 2008-01-02 03:06 EST --
Public now:

http://trolltech.com/company/newsroom/announcements/press.2007-12-21.2182567220

-- Additional comment from thoger@redhat.com on 2008-01-02 03:07 EST --
Fedora updates already built and available via testing repository:

https://admin.fedoraproject.org/updates/F7/FEDORA-2007-4354
https://admin.fedoraproject.org/updates/F8/FEDORA-2007-4285

Comment 1 Fedora Update System 2008-01-02 20:28:12 EST
qt4-4.3.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.