
CVE-2011-1094

Published: 16 March 2011

kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702.
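The failure mode the description names is a client that accepts a certificate legitimately issued for an IP address when the user actually asked for a DNS hostname, so a man-in-the-middle who holds a CA-issued certificate for his own address can impersonate any site. The example below is added here to illustrate that class of check; it is not code from kdelibs or from the linked upstream commit, and the `Cert` model, the `weak_match` / `strict_match` functions and the certificate contents are constructed for illustration (the real kdelibs logic lives in tcpslavebase.cpp and is not reproduced). `weak_match` shows one plausible way such a check goes wrong: it compares the certificate's IP entries against the address the socket is connected to instead of against the name the user requested. `strict_match` matches only the identifier type that was requested, following the RFC 6125 rules (IP literal against iPAddress entries only, DNS name against dNSName entries with a single left-most wildcard label, subject CN only when the certificate carries no subjectAltName).

```python
"""Hostname-vs-certificate matching, added example (not kdelibs code).

All names, addresses and certificates below are constructed for the
illustration; 203.0.113.0/24 is a documentation range.
"""

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 certificate."""
    subject_cn: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_ip: list = field(default_factory=list)    # iPAddress SAN entries


def _dns_match(pattern, host):
    """RFC 6125-style name comparison: case-insensitive, trailing dot
    ignored, at most one wildcard and only as the whole left-most label,
    and the wildcard never spans more than one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # "*.example.org" must not match "example.org" or "a.b.example.org",
    # and a wildcard needs at least two fixed labels behind it.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(text):
    """Parse an IP literal (IPv6 may be bracketed); None if not an IP."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def weak_match(cert, requested_host, peer_ip):
    """Flawed check (illustrative, do not use): any iPAddress entry that
    covers the address we happen to be connected to is accepted, even when
    the user asked for a DNS name. A MITM that redirects traffic to his own
    host and presents a CA-issued certificate for that host's IP passes."""
    for name in cert.san_dns + [cert.subject_cn]:
        if _dns_match(name, requested_host):
            return True
    peer = ipaddress.ip_address(peer_ip)
    return any(ipaddress.ip_address(s) == peer for s in cert.san_ip)


def strict_match(cert, requested_host):
    """Hardened check: the certificate must name the identifier the user
    asked for, and an IP literal and a DNS name never match each other."""
    wanted_ip = _as_ip(requested_host)
    if wanted_ip is not None:
        # Connected by IP literal: only iPAddress SAN entries count.
        return any(ipaddress.ip_address(s) == wanted_ip for s in cert.san_ip)
    # Connected by DNS name: dNSName entries; CN only if no SAN at all.
    names = cert.san_dns if (cert.san_dns or cert.san_ip) else [cert.subject_cn]
    return any(_dns_match(n, requested_host) for n in names)


# Constructed scenario: the attacker owns 203.0.113.5 and obtained a
# certificate for that address from a public CA, then redirects the
# victim's connection to mail.example.org to his own host.
ATTACKER_IP = "203.0.113.5"
attacker_cert = Cert(subject_cn=ATTACKER_IP, san_ip=[ATTACKER_IP])


def mitm_scenario(requested="mail.example.org"):
    """Returns (weak result, strict result) for the spoofing attempt."""
    return (weak_match(attacker_cert, requested, ATTACKER_IP),
            strict_match(attacker_cert, requested))


if __name__ == "__main__":
    weak, strict = mitm_scenario()
    print("weak check accepts spoofed server:", weak)      # True
    print("strict check accepts spoofed server:", strict)  # False
```

The same `attacker_cert` is still accepted by `strict_match` when the user deliberately connects to `203.0.113.5`, which is the only situation in which a certificate for that IP should pass.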

Notes

Author: jdstrand
kdelibs has a very different ssl implementation and konqueror does not use it
Priority

Medium

Status

Package Release Status

kde4libs (Launchpad, Ubuntu, Debian)
  dapper    Does not exist
  hardy     Ignored (reached end-of-life)
  karmic    Released (4:4.3.2-0ubuntu7.3)
  lucid     Released (4:4.4.5-0ubuntu1.1)
  maverick  Released (4:4.5.1-0ubuntu8.1)
  upstream  Needs triage

  Patches:
    upstream: https://projects.kde.org/projects/kde/kde4libs/repository/revisions/76f935197599a335a5fe09b78751ddb455248cf7

kdelibs (Launchpad, Ubuntu, Debian)
  dapper    Ignored (reached end-of-life)
  hardy     Ignored (reached end-of-life)
  karmic    Ignored
  lucid     Ignored
  maverick  Ignored
  upstream  Needs triage