Bug 285018 (CVE-2009-2702) - <=kde-base/kdelibs-{3.5.10-r6,4.2.4-r4,4.3.1} SSL certificate spoofing (CVE-2009-2702)
Status: RESOLVED FIXED
Alias: CVE-2009-2702
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 292791
Blocks:
Reported: 2009-09-14 22:39 UTC by Stefan Behte (RETIRED)
Modified: 2014-05-31 22:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:39:29 UTC
CVE-2009-2702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2702):
  KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
  '\0' character in a domain name in the Subject Alternative Name field
  of an X.509 certificate, which allows man-in-the-middle attackers to
  spoof arbitrary SSL servers via a crafted certificate issued by a
  legitimate Certification Authority, a related issue to CVE-2009-2408.
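The defect described above is a mismatch between DER's length-prefixed strings and C-string handling: a dNSName may legally contain a 0x00 byte, and code that passes it to a NUL-terminated API compares only the prefix. The following audit routine (added example, not code from KDE or from this bug; the sample extension bytes and the hostnames in it are constructed) decodes a SubjectAltName extension value and flags any dNSName whose C-string view differs from its full DER value:

```python
# Audit the dNSName entries of an X.509 SubjectAltName extension (DER bytes)
# for embedded NUL bytes, the condition behind CVE-2009-2702.

def der_len(n: int) -> bytes:
    """DER length encoding, short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_san(dns_names) -> bytes:
    """Build a SubjectAltName value: SEQUENCE of [2] IMPLICIT IA5String dNSNames."""
    items = b"".join(b"\x82" + der_len(len(n)) + n for n in dns_names)
    return b"\x30" + der_len(len(items)) + items

def der_read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after the TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def audit_san(ext_value: bytes):
    """One record per dNSName: full DER name, the view a C string would give, and a flag."""
    tag, seq, _ = der_read(ext_value, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    findings, pos = [], 0
    while pos < len(seq):
        tag, value, pos = der_read(seq, pos)
        if tag != 0x82:                     # only dNSName ([2] IMPLICIT) matters here
            continue
        full = value.decode("ascii", "replace")
        c_view = value.split(b"\x00", 1)[0].decode("ascii", "replace")
        findings.append({"name": full, "c_string_view": c_view,
                         "embedded_nul": full != c_view})
    return findings

# Constructed sample (hypothetical names): one clean entry, one with an embedded NUL.
SAMPLE_SAN = encode_san([b"www.good.example", b"www.good.example\x00.evil.example"])

if __name__ == "__main__":
    for f in audit_san(SAMPLE_SAN):
        verdict = "FLAG: embedded NUL" if f["embedded_nul"] else "ok"
        print(f"{f['name']!r} -> C-string view {f['c_string_view']!r}: {verdict}")
```

A fixed verifier must compare the full length-prefixed value, as the audit does, rather than the truncated C-string view.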
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-01-23 15:51:37 UTC
All these versions are out of tree, removing kde@, reuss if we are still required
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 23:04:27 UTC
Added to existing GLSA request.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 22:13:06 UTC
This issue has been fixed since Oct 18, 2009. No GLSA will be issued.