CVE-2007-6591
Published: 28 December 2007
KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regards the certificate as also accepted for all domain names in subjectAltName:dNSName fields, even though these fields cannot be examined in the product, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.
Notes
Author | Note |
---|---|
jdstrand | notified Riddell (no patches yet) |
mdeslaur | upstream bug says it no longer occurs on 4.0.3 |
Priority
Status
Package | Release | Status |
---|---|---|
kdebase | dapper | Ignored (end of life) |
kdebase | edgy | Ignored (end of life, was needed) |
kdebase | feisty | Ignored (end of life, was needed) |
kdebase | gutsy | Ignored (end of life, was needed) |
kdebase | hardy | Ignored (end of life) |
kdebase | intrepid | Not vulnerable (4:4.1.4-0ubuntu1~intrepid2) |
kdebase | jaunty | Not vulnerable (4:4.2.2-0ubuntu4) |
kdebase | karmic | Not vulnerable (4:4.3.0-0ubuntu3) |
kdebase | upstream | Needs triage |