part of KDE security advisory: 
KDE Security Advisory: KDE 2.2 / Konqueror Embedded SSL vulnerability 
Original Release Date: 2003-06-02 
URL: http://www.kde.org/info/security/advisory-20030602-1.txt 
 
0. References 
        http://lists.insecure.org/lists/fulldisclosure/2003/May/0161.html 
 
1. Systems affected: 
 
        Konqueror Embedded and KDE 2.2.2 and earlier versions. 
        KDE 3.0 and later versions are not affected. 
 
2. Overview: 
 
        KDE's SSL implementation in the affected versions matches certificates 
based on IP number instead of hostname. Due to this it may fail to notice 
a man-in-the-middle attack. 
 
3. Impact: 
 
        Users of Konqueror and other SSL enabled KDE software may fall victim 
to a malicious man-in-the-middle attack without noticing. In such case the 
user will be under the impression that there is a secure connection with a 
trusted site while in fact a different site has been connected to. 
 
4. Solution: 
 
        Users of KDE 2.2.2 are advised to upgrade to either KDE 3.0.5a or 
KDE 3.1.2. A patch for KDE 2.2.2 is available as well for users that are 
unable to upgrade to KDE 3. 
 
        Users of Konqueror/Embedded are advised to upgrade to a snapshot of 
Konqueror/Embedded of May 16, 2003 or later, available from 
http://devel-home.kde.org/~hausmann/snapshots/ : 
 
        a58888ab9b7910c5d5f498da15f2d425 
konqueror-embedded-snapshot-20030516.tar.gz 
 
 
5. Patch: 
        Patches for KDE 2.2.2 are available from 
ftp://ftp.kde.org/pub/kde/security_patches : 
 
        4c252809dec8be73bbe55367350c27ca  post-2.2.2-kdelibs-kssl-2.diff 
        441afec72fab406f8c1cd7d6b839b3e0  post-2.2.2-kdelibs-kio-2.diff 
 
[...]