Bug 204339 (CVE-2007-6591) - kde-base/konqueror SSL subjectAltName:dNSName certificate spoofing (CVE-2007-6591)
Status: RESOLVED FIXED
Alias: CVE-2007-6591
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://bugs.kde.org/show_bug.cgi?id=1...
Whiteboard: A4 [noglsa]
Reported: 2008-01-04 22:29 UTC by Robert Buchholz (RETIRED)
Modified: 2008-09-08 14:41 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-04 22:29:27 UTC
CVE-2007-6591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6591):
  KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server
  certificate on the basis of the CN domain name in the DN field, regards the
  certificate as also accepted for all domain names in subjectAltName:dNSName
  fields, even though these fields cannot be examined in the product, which
  makes it easier for remote attackers to trick a user into accepting an
  invalid certificate for a spoofed web site.
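
The acceptance logic described in the CVE text above, modelled as an added example (not part of this bug report and not KDE's code): `FlawedStore` reproduces the described behaviour, and `ScopedStore` shows one possible mitigation that binds the user's acceptance to the hostname that was displayed. All class names, hostnames and the fingerprint are constructed for illustration; how KDE actually fixed the issue is not stated on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    fingerprint: str        # constructed placeholder, not a real hash
    common_name: str        # CN in the subject DN (what the user is shown)
    dns_names: tuple = ()   # subjectAltName:dNSName entries (not shown)

    def names(self):
        return {n.lower() for n in (self.common_name, *self.dns_names)}

class FlawedStore:
    """Described behaviour: one acceptance covers every name in the cert."""
    def __init__(self):
        self._accepted = set()

    def accept(self, cert, shown_host):
        self._accepted.add(cert.fingerprint)   # shown_host is discarded

    def is_trusted(self, cert, host):
        return cert.fingerprint in self._accepted and host.lower() in cert.names()

class ScopedStore:
    """Assumed mitigation: acceptance is bound to (certificate, shown host)."""
    def __init__(self):
        self._accepted = set()

    def accept(self, cert, shown_host):
        self._accepted.add((cert.fingerprint, shown_host.lower()))

    def is_trusted(self, cert, host):
        return (cert.fingerprint, host.lower()) in self._accepted

def demo():
    # Constructed, untrusted certificate: CN the user sees, plus an extra SAN.
    cert = Cert("FP-PLACEHOLDER", "intranet.example",
                ("intranet.example", "bank.example"))
    results = {}
    for store in (FlawedStore(), ScopedStore()):
        store.accept(cert, "intranet.example")   # user accepts based on the CN
        results[type(store).__name__] = {
            host: store.is_trusted(cert, host)
            for host in ("intranet.example", "bank.example", "other.example")
        }
    return results

if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

With the flawed store, the single acceptance made for `intranet.example` also makes the certificate trusted for `bank.example`, a name the user never saw; the scoped store prompts again for that host.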
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-07 18:04:27 UTC
Quoting http://bugs.kde.org/show_bug.cgi?id=154921:
"completely corrected for KDE 3.5.7" 

We have 3.5.9 stable, so moving to GLSA decision. I vote NO.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-09-08 14:41:32 UTC
NO too, closing.