Bug 42226 (suse27226)

Summary: Bug in SSL implementation allows man-in-the-middle attack
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: adrian.schroeter, kde-maintainers
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2003-06-04 15:33:19 UTC
part of KDE security advisory: 
KDE Security Advisory: KDE 2.2 / Konqueror Embedded SSL vulnerability 
Original Release Date: 2003-06-02 
URL: http://www.kde.org/info/security/advisory-20030602-1.txt 
 
0. References 
        http://lists.insecure.org/lists/fulldisclosure/2003/May/0161.html 
 
1. Systems affected: 
 
        Konqueror Embedded and KDE 2.2.2 and earlier versions. 
        KDE 3.0 and later versions are not affected. 
 
2. Overview: 
 
        KDE's SSL implementation in the affected versions matches certificates 
based on IP number instead of hostname. Due to this it may fail to notice 
a man-in-the-middle attack. 
 
3. Impact: 
 
        Users of Konqueror and other SSL enabled KDE software may fall victim 
to a malicious man-in-the-middle attack without noticing. In such case the 
user will be under the impression that there is a secure connection with a 
trusted site while in fact a different site has been connected to. 
 
4. Solution: 
 
        Users of KDE 2.2.2 are advised to upgrade to either KDE 3.0.5a or 
KDE 3.1.2. A patch for KDE 2.2.2 is available as well for users that are 
unable to upgrade to KDE 3. 
 
        Users of Konqueror/Embedded are advised to upgrade to a snapshot of 
Konqueror/Embedded of May 16, 2003 or later, available from 
http://devel-home.kde.org/~hausmann/snapshots/ : 
 
        a58888ab9b7910c5d5f498da15f2d425  konqueror-embedded-snapshot-20030516.tar.gz 
 
 
5. Patch: 
        Patches for KDE 2.2.2 are available from 
ftp://ftp.kde.org/pub/kde/security_patches : 
 
        4c252809dec8be73bbe55367350c27ca  post-2.2.2-kdelibs-kssl-2.diff 
        441afec72fab406f8c1cd7d6b839b3e0  post-2.2.2-kdelibs-kio-2.diff 
 
[...]
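
As an added illustration (not KDE's code and not part of the advisory), the sketch below contrasts an IP-based certificate check with a hostname-based one. It assumes the IP-based check accepts a certificate whenever a name in it resolves to the peer's address; the function names, hosts and addresses are constructed for the example.

```python
# Added illustration, not KDE code. Certificates use the dict shape of
# Python's ssl.SSLSocket.getpeercert(); all names/addresses are constructed.

def cert_dns_names(cert):
    """DNS names a certificate is valid for: subjectAltName, else commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip(".").split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        p, h = p[1:], h[1:]
    return p == h

def check_by_ip(cert, peer_ip, resolve):
    """Flawed (assumed model): accepts if any name in the cert resolves to the
    peer's address. The hostname the user asked for never enters the decision."""
    return any(peer_ip in resolve(n) for n in cert_dns_names(cert))

def check_by_hostname(cert, requested_host):
    """Correct: the certificate must name the host the user asked for."""
    return any(name_matches(n, requested_host) for n in cert_dns_names(cert))

# Constructed scenario: the user requests bank.example, but the connection is
# answered by 203.0.113.7, which holds a CA-valid certificate for other.example.
DNS = {"bank.example": {"198.51.100.10"}, "other.example": {"203.0.113.7"}}
resolve = lambda name: DNS.get(name.lower(), set())
GOOD = {"subject": ((("commonName", "bank.example"),),),
        "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example"))}
MITM = {"subject": ((("commonName", "other.example"),),)}

def demo():
    return {
        "ip_check_accepts_mitm": check_by_ip(MITM, "203.0.113.7", resolve),
        "host_check_accepts_mitm": check_by_hostname(MITM, "bank.example"),
        "host_check_accepts_good": check_by_hostname(GOOD, "bank.example"),
        "wildcard_www": check_by_hostname(GOOD, "www.bank.example"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The IP-based check passes for the substituted certificate because it is internally consistent with the peer's address, while the hostname-based check rejects it because it never names the requested site.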
Comment 1 Thomas Biege 2003-06-04 15:33:19 UTC
s.a.
Comment 2 Stephan Kulow 2003-06-04 19:31:26 UTC
I backported kssl from 2.2.2+ and put the package into /work/src/done/7.3/kdelibs. 
Comment 3 Thomas Biege 2003-08-11 17:43:58 UTC
Some news here. 
Comment 4 Sebastian Krahmer 2003-08-11 21:25:07 UTC
some news here?
Comment 5 Adrian Schröter 2003-10-07 19:52:19 UTC
*** Bug 42976 has been marked as a duplicate of this bug. ***
Comment 6 Adrian Schröter 2003-10-13 17:34:19 UTC
Update RPMs have been provided; they need to get approved.
Comment 7 Thomas Biege 2003-11-03 18:14:54 UTC
packages approved