CVE-2009-2702

Published: 08 September 2009

KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Priority

Medium

Status

Package Release Status
kde4libs
Launchpad, Ubuntu, Debian
Upstream Needed

kdelibs
Launchpad, Ubuntu, Debian
Upstream Needed

Patches:
Other: https://bugzilla.redhat.com/show_bug.cgi?id=520661

Notes

AuthorNote
jdstrand
kde4libs not as serious since KDE4 has moved to Qt4. However,
it should be fixed due to other applications may use it. Also, by
nad checin verification (ie non-netowork) will use kssl.

References