CVE-2009-2702

Published: 08 September 2009

KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Priority

Medium

Status

Package Release Status
kde4libs
Launchpad, Ubuntu, Debian 		Upstream Needed

kdelibs
Launchpad, Ubuntu, Debian 		Upstream Needed

Patches:
Other: https://bugzilla.redhat.com/show_bug.cgi?id=520661

Notes

AuthorNote
jdstrand 
kde4libs not as serious since KDE4 has moved to Qt4. However,
it should be fixed due to other applications may use it. Also, by
nad checin verification (ie non-netowork) will use kssl.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading