Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285018 (CVE-2009-2702) - <=kde-base/kdelibs-{3.5.10-r6,4.2.4-r4,4.3.1} SSL certificate spoofing (CVE-2009-2702)
Summary: <=kde-base/kdelibs-{3.5.10-r6,4.2.4-r4,4.3.1} SSL certificate spoofing (CVE-2...
Alias: CVE-2009-2702
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa]
Depends on: 292791
  Show dependency tree
Reported: 2009-09-14 22:39 UTC by Stefan Behte (RETIRED)
Modified: 2014-05-31 22:13 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-09-14 22:39:29 UTC
CVE-2009-2702 (
  KDE KSSL in kdelibs 3.5.4, 4.2.4, and 4.3 does not properly handle a
  '\0' character in a domain name in the Subject Alternative Name field
  of an X.509 certificate, which allows man-in-the-middle attackers to
  spoof arbitrary SSL servers via a crafted certificate issued by a
  legitimate Certification Authority, a related issue to CVE-2009-2408.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-01-23 15:51:37 UTC
All these versions are out of tree, removing kde@, reuss if we are still required
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 23:04:27 UTC
Added to existing GLSA request.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2014-05-31 22:13:06 UTC
This issue has been fixed since Oct 18, 2009. No GLSA will be issued.