Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6591 to the following vulnerability: KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regards the certificate as also accepted for all domain names in subjectAltName:dNSName fields, even though these fields cannot be examined in the product, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site. References: http://www.securityfocus.com/archive/1/archive/1/483929/100/100/threaded http://www.securityfocus.com/archive/1/archive/1/483960/100/100/threaded http://www.securityfocus.com/archive/1/archive/1/483937/100/100/threaded http://nils.toedtmann.net/pub/subjectAltName.txt
Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-6591 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/#low
Reporter changed to security-response-team by request of Jay Turner.
The upstream bug report is here: http://bugs.kde.org/show_bug.cgi?id=154921 By the sounds of things, this was fixed in 4.0.x; at least in 4.0.3 it seems to prevent this behaviour (either on purpose or by accident). There doesn't seem to be any further details available.
Statement: Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.