what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 6 of 6 RSS Feed

CVE-2011-3365

Status Candidate

Overview

The KDE SSL Wrapper (KSSL) API in KDE SC 4.6.0 through 4.7.1, and possibly earlier versions, does not use a certain font when rendering certificate fields in a security dialog, which allows remote attackers to spoof the common name (CN) of a certificate via rich text.

Related Files

Gentoo Linux Security Advisory 201406-34
Posted Jun 30, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201406-34 - Multiple vulnerabilities have been discovered in KDE Libraries, the worst of which could lead to man-in-the-middle attacks. Versions less than 4.12.5-r1 are affected.

tags | advisory, vulnerability
systems | linux, gentoo
advisories | CVE-2011-1094, CVE-2011-3365, CVE-2013-2074, CVE-2014-3494
SHA-256 | c63b9a944ba7c2935d68a4a420c83a2435da78ca96c29e73e8fb03e625d03496
Mandriva Linux Security Advisory 2011-162
Posted Nov 1, 2011
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2011-162 - KDE KSSL in kdelibs does not properly handle a NUL character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. An input sanitization flaw was found in the KSSL API. An attacker could supply a specially-crafted SSL certificate to an application using KSSL, such as the Konqueror web browser, causing misleading information to be presented to the user, possibly tricking them into accepting the certificate as valid. The updated packages have been patched to correct these issues.

tags | advisory, web, arbitrary, spoof
systems | linux, mandriva
advisories | CVE-2009-2408, CVE-2009-2702, CVE-2011-3365
SHA-256 | 0b381d0e6a6306be9feffb69a83c5e196277a065e827c68c9a869e6303be4f3d
Ubuntu Security Notice USN-1248-1
Posted Oct 25, 2011
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1248-1 - Tim Brown discovered that KSSL in KDE-Libs did not properly perform input validation when displaying the common name (CN) for an SSL certificate. An attacker could exploit this to spoof the common name which could be used in an attack to trick the user into accepting a fraudulent certificate. This issue only affected Ubuntu 10.04 LTS and Ubuntu 10.10. It was discovered that KIO in KDE-Libs did not properly perform input validation during proxy authentication. An attacker could exploit this to modify displaying of the realm and proxy URL. Various other issues were also addressed.

tags | advisory, spoof
systems | linux, ubuntu
advisories | CVE-2011-3365
SHA-256 | b72f099c8d8ac3650765e3fd99be619d5711842026d8fc594ef9d2cacd4f30d8
Red Hat Security Advisory 2011-1385-01
Posted Oct 19, 2011
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2011-1385-01 - The kdelibs and kdelibs3 packages provide libraries for the K Desktop Environment. An input sanitization flaw was found in the KSSL API. An attacker could supply a specially-crafted SSL certificate to an application using KSSL, such as the Konqueror web browser, causing misleading information to be presented to the user, possibly tricking them into accepting the certificate as valid. Users should upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted for this update to take effect.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2011-3365
SHA-256 | 93d3a041d26b448ebf9aa48719ed1b488137fda9ab4c9f89b9db8e97b49be46d
Red Hat Security Advisory 2011-1364-01
Posted Oct 12, 2011
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2011-1364-01 - The kdelibs packages provide libraries for the K Desktop Environment. An input sanitization flaw was found in the KSSL API. An attacker could supply a specially-crafted SSL certificate to an application using KSSL, such as the Konqueror web browser, causing misleading information to be presented to the user, possibly tricking them into accepting the certificate as valid.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2011-3365
SHA-256 | 42d57e16e44097171470596df1e3290bdb422e02da5b6b0fb5d50caa9a857888
Qt KSSL URL Spoofing
Posted Oct 7, 2011
Authored by Tim Brown | Site nth-dimension.org.uk

Various Qt applications including KSSL (the KDE class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled security critical information. The primary area of concern at this time relates to the named applications SSL certificate dialogue UI however other similar dialogue boxes may also be vulnerable.

tags | advisory, spoof
advisories | CVE-2011-3365, CVE-2011-3366, CVE-2011-3367
SHA-256 | f1104d7ba2003aa2ac18e3d2d43aeb4860aa6ccd918b4b4b79f4e418e6abe44f
Page 1 of 1
Back1Next

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close