Aug 19, 2002

KDE Security Advisory: Konqueror SSL vulnerability

A problem has been discovered in the way the KDE web browser Konqueror handles SSL certificates. Websites use SSL certificates to prove that they are indeed the website the user thinks they are. The following advisory has been released to bring this issue to the attention of all KDE users.

KDE Security Advisory: Konqueror SSL vulnerability
Original Release Date: 2002-08-18
URL: http://www.kde.org/info/security/advisory-20020818-1.txt

0. References:
http://online.securityfocus.com/archive/1/286290/2002-07-31/2002-08-06/
http://online.securityfocus.com/archive/1/287050/2002-08-07/2002-08-13/

1. Systems affected:

All versions of KDE up to and including KDE 3.0.2

2. Overview:

KDE's SSL implementation fails to check the basic constraints on
certificates and as a result may accept certificates as valid that were signed
by an issuer who was not authorized to do so.

3. Impact:

Users of Konqueror and other SSL enabled KDE software may fall victim
to a malicious man-in-the-middle attack without noticing. In such case the
user will be under the impression that there is a secure connection with a
trusted site while in fact a different site has been connected to.

4. Solution:

Upgrade kdelibs to KDE 3.0.3. A patch for KDE 2.2.2 is available as
well for users that are unable to upgrade to KDE 3.

5. Patch:
A patch for KDE 2.2.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :

0e0da738b276567e9ee36aa824e86124 post-2.2.2-kdelibs-kssl.diff
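
The check described in the Overview, as an added example that is not part of the KDE advisory or the KDE patch: a simplified Python model in which signatures are assumed to verify and all certificate names are constructed. It contrasts a validator that only links issuer and subject names with one that also enforces basicConstraints (the CA flag and pathLenConstraint) on every issuing certificate.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Simplified model of an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # basicConstraints pathLenConstraint


def names_chain(chain: List[Cert], trusted: Set[str]) -> bool:
    """Flawed check: names link up and the root is trusted.
    Signatures are assumed valid; basicConstraints is never consulted."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].subject in trusted


def validate(chain: List[Cert], trusted: Set[str]) -> bool:
    """Same linkage check plus basicConstraints on every issuing certificate."""
    if not names_chain(chain, trusted):
        return False
    # chain[0] is the leaf; each later entry issued the certificate before it.
    for depth, issuer in enumerate(chain[1:]):
        if not issuer.is_ca:
            return False  # end-entity certificate used to sign another one
        # depth counts the intermediates sitting below this issuer
        if issuer.path_len is not None and depth > issuer.path_len:
            return False
    return True


# Constructed sample data (hypothetical names, not from the advisory).
TRUSTED = {"Example Root CA"}
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)
INTER = Cert("Example Issuing CA", "Example Root CA", is_ca=True, path_len=0)
SITE_A = Cert("site-a.example", "Example Issuing CA")   # ordinary site cert
FORGED = Cert("shop.example", "site-a.example")         # signed by SITE_A

GOOD_CHAIN = [SITE_A, INTER, ROOT]
BAD_CHAIN = [FORGED, SITE_A, INTER, ROOT]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, "names-only:", names_chain(chain, TRUSTED),
              "with basicConstraints:", validate(chain, TRUSTED))
```
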

Comments

I just picked up that Waldo had it fixed only 95 minutes after it had been reported! HE!.. Why is it that I shake my head overbearingly when 'em commercial companies say that "the KDE/Linux community isn't as professional" as they are? When was the last time HugeHard (or what was the name again?) fixed *anything* in less than a month?

Keep Up the Excellent Work... we love ya for it!

/kidcat


By kidcat at Mon, 2002/08/19 - 5:00am

Don't believe everything which originates from Slashdot.


By Anonymous at Mon, 2002/08/19 - 5:00am

This 95 minutes came from OSNews.com


By arjuna at Mon, 2002/08/19 - 5:00am

No, the OSNews author read the Slashdot headline. Compare the articles' dates and times.


By Anonymous at Mon, 2002/08/19 - 5:00am

Who cares? If it took 24hrs to fix it, it's
still a much better performance compared to
a well known proprietary company.


By Leo at Mon, 2002/08/19 - 5:00am

The critics who complain that 95min are not sufficient to implement and test a patch. AFAIR the first posted patch had to be a little bit corrected later.


By Anonymous at Mon, 2002/08/19 - 5:00am

That's how open source works. You write a patch and then post it, so that others can have a look at it. Important is not, when the first patch was posted, but how many looked into it and tested it before it was released.


By michael at Tue, 2002/08/20 - 5:00am

If you say it was fixed in 95 minutes, in this case, it is important because it is not true.

Waldo had started to write the fix before the original advisory was posted, because he knew about it in advance.

I think it was something like 48 hours or so.

So, if 48 hours is impressive, cool.

But everyone, stop saying 90 minutes, because you are spreading misinformation.


By Roberto Alsina at Tue, 2002/08/20 - 5:00am

So....95 minutes....impressive.


By Kevin at Fri, 2002/08/23 - 5:00am

Yep, and check this out: IE has the same bug, but not in the browser; it is in the OS, and it is still unpatched http://www.linuxquestions.org/questions/showthread.php?postid=131116#pos...


By Boris at Fri, 2002/08/23 - 5:00am

This is all fine and good that this patch was made available while Microsoft is still doing the yaba-dabas, but for those of us who have come over here to the wonderful world of Linux from the Redmond Beast, how the HELL do we install it?

Mandrake (my distro) offers me nothing, and KDE offers me less when it comes to instructions.


By Bob at Wed, 2002/08/21 - 5:00am

I cannot comment on Mandrake, though I've heard it's pretty good. With SuSE (if you buy the distro) you get some good manuals. As a user, I just installed it and I've been playing with it ever since. You just get going. It also handles dual install very well, if you are feeling a bit insecure about only using Linux.

There are loads of books available but use the sites - from which I've always received loads of help.

Modems will be a problem - you'll need a full hardware spec'd card - PCI are a bit dodgy but getting better apparently, external are safest, but watch for USB as some of them are not full hardware.

ADSL, been there, done that, got the t-shirt, I used the Alcatel frog, but I think that's a mistake as ADSL doesn't seem to like being switched on and off. If I were to do it again I'd get a powered router with an ethernet interface and NIC card.

- err, that's it

Go for it, I'm not a techie, if I can't break it, no one can.


By gerry gavigan at Thu, 2002/08/22 - 5:00am