Your submission was sent successfully! Close

CVE-2009-2702

Published: 08 September 2009

KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Priority

Medium

Status

Package Release Status
kde4libs
Launchpad, Ubuntu, Debian 		Upstream Needed

kdelibs
Launchpad, Ubuntu, Debian 		Upstream Needed

Patches:
Other: https://bugzilla.redhat.com/show_bug.cgi?id=520661

Notes

AuthorNote
jdstrand 
kde4libs not as serious since KDE4 has moved to Qt4. However,
it should be fixed due to other applications may use it. Also, by
nad checin verification (ie non-netowork) will use kssl.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading