Debian 3.0: DSA 155-1 Critical: kdelibs SSL Flaw And Threats
debian
August 21, 2002
Due to a security engineering oversight, the SSL library from KDE,which Konqueror uses, doesn't check whether an intermediatecertificate for a connection is signed by the certifica...
Topics Covered
Summary
Due to a security engineering oversight, the SSL library from KDE,
which Konqueror uses, doesn't check whether an intermediate
certificate for a connection is signed by the certificate authority as
safe for the purpose, but accepts it when it is signed. This makes it
possible for anyone with a valid VeriSign SSL site certificate to
forge any other VeriSign SSL site certificate, and abuse Konqueror
users.
A local root exploit using artsd has been discovered which exploited
an insecure use of a format string. The exploit wasn't working on a
Debian system since artsd wasn't running setuid root. Neither artsd
nor artswrapper need to be setuid root anymore since current computer
systems are fast enuogh to handle the audio data in time.
Theese problems have been fixed in version 2.2.2-13.woody.2 for the
current stable stable distribution (woody). The old stable
distribution (potato) is not affected, since it doesn't contain KDE
packages. The unstable distribution (sid) is not yet fixed, but new
pack...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: kdelibs
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!