From $url: QSslSocket applies the * in the wildcard verification to the entire hostname, meaning it can match more than one domain label. At the limit, in case of a bad configuration or malicious system, a certificate with CN=* would serve as a universal certificate. Qt should apply the wildcard to a single DNS domain label only. Originally disclosed at: http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
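An added example, not part of the bug report and not Qt's code: the whole-hostname wildcard matching described above, next to a matcher that confines `*` to a single DNS label. The function names and the example.com hostnames are constructed for illustration. It assumes both inputs are already lowercased, and the one-`*`, leftmost-label-only restriction is an assumption beyond what the report asks for.

```cpp
#include <iostream>
#include <string>

// Split "pre*suf" around the first '*'; returns false when there is no '*'.
static bool splitAtStar(const std::string& p, std::string& pre, std::string& suf) {
    const std::size_t star = p.find('*');
    if (star == std::string::npos) return false;
    pre = p.substr(0, star);
    suf = p.substr(star + 1);
    return true;
}

// Behaviour described in the report: '*' may stand for any run of characters,
// dots included, so it can span several labels and CN=* matches every host.
bool matchWholeHostname(const std::string& pattern, const std::string& host) {
    std::string pre, suf;
    if (!splitAtStar(pattern, pre, suf)) return pattern == host;
    if (host.size() < pre.size() + suf.size()) return false;
    return host.compare(0, pre.size(), pre) == 0 &&
           host.compare(host.size() - suf.size(), suf.size(), suf) == 0;
}

// Single-label rule: the text consumed by '*' must be non-empty and contain
// no '.'. Assumption: one '*' only, and only inside the leftmost label.
bool matchSingleLabel(const std::string& pattern, const std::string& host) {
    std::string pre, suf;
    if (!splitAtStar(pattern, pre, suf)) return pattern == host;
    if (suf.find('*') != std::string::npos) return false;   // second '*'
    if (pre.find('.') != std::string::npos) return false;   // '*' not leftmost
    if (host.size() <= pre.size() + suf.size()) return false;
    if (host.compare(0, pre.size(), pre) != 0) return false;
    if (host.compare(host.size() - suf.size(), suf.size(), suf) != 0) return false;
    const std::string matched =
        host.substr(pre.size(), host.size() - pre.size() - suf.size());
    return matched.find('.') == std::string::npos;
}

int main() {
    // Constructed sample pattern/hostname pairs.
    const char* tests[][2] = {{"*", "login.example.com"},
                              {"*.example.com", "a.b.example.com"},
                              {"*.example.com", "www.example.com"}};
    for (const auto& t : tests)
        std::cout << t[0] << " vs " << t[1] << ": whole-hostname="
                  << matchWholeHostname(t[0], t[1])
                  << " single-label=" << matchSingleLabel(t[0], t[1]) << "\n";
    return 0;
}
```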
The upstream bug report says it is fixed in version 4.7.0.
Thanks muchly. Is there a fix option for sparc?
We are removing the vulnerable version (I'm planning to mask it tomorrow). So unless sparc and alpha will keyword newer Qt versions, they will lose keywords on Qt and revdeps. I have informed them of this, but so far no response.
Last remaining affected version now masked pending removal.
Thank you all. Affected version removed from tree. Removing qt from CC, nothing to do here for us anymore.
It looks like we're past this now. GLSA Vote: no.
GLSA vote: no. Closing noglsa.