[Secure-testing-team] Bug#545793: CVE-2009-2700: QSslCertificate incorrect verification of SSL certificate with NUL in subjectAltName
Giuseppe Iuculano
giuseppe at iuculano.it
Wed Sep 9 07:51:00 UTC 2009
Package: qt4-x11
Severity: grave
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for qt4-x11.
CVE-2009-2700[0]:
| src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not
| properly handle a '\0' character in a domain name in the Subject
| Alternative Name field of an X.509 certificate, which allows
| man-in-the-middle attackers to spoof arbitrary SSL servers via a
| crafted certificate issued by a legitimate Certification Authority, a
| related issue to CVE-2009-2408.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
qt4-x11 in etch is not affected because QSsl* classes were introduced in Qt 4.3.
Please coordinate with the security team (team at security.debian.org) to
prepare packages for the stable releases.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2700
http://security-tracker.debian.net/tracker/CVE-2009-2700
http://qt.gitorious.org/qt/qt/commit/41d27eac40cecbc0067be9622c9bc1c579582a47
http://qt.gitorious.org/qt/qt/commit/802d8c02eaa0aa9cd8d0c6cbd18cd814e6337bc6
http://qt.nokia.com/about/news/qt-patches-released-addressing-potential-security-flaw
http://qt.nokia.com/developer/task-tracker/?method=entry&id=260103
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqnXmEACgkQNxpp46476ap8WgCdElAAbxPdqIf95X1ajDxKao6o
4DQAnRK4V8qSADZecdlaIyVh7tq2AHnQ
=rgYk
-----END PGP SIGNATURE-----
More information about the Secure-testing-team
mailing list