oss-sec mailing list archives

Re: Qt SSL endless loop


From: Vincent Danen <vdanen () redhat com>
Date: Fri, 16 Jul 2010 16:29:26 -0600

* [2010-07-16 11:19:09 -0400] Josh Bressers wrote:

Please use CVE-2010-2533

Wasn't this already assigned CVE-2010-2621?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2621

It links to the same advisory (qtsslame-adv.txt) and that only seems to
be reporting one single problem.

----- "Ludwig Nussel" <ludwig.nussel () suse de> wrote:

Raphael Geissert wrote:
> [...]
> He also reported another vulnerability in Qt4's SSL support:
> http://aluigi.altervista.org/adv/qtsslame-adv.txt
>
> (reported to the Debian maintainers in http://bugs.debian.org/587711)
>
> Could a CVE be assigned for this other issue too?

Looks like the request got lost.

The fix seems to be
http://qt.gitorious.org/qt/qt/commit/f7fe575bc5f628533aeeca3eb564af89a1a1426b

According to the Mumble author this fix causes a regression with peer
certificate validation when used with openssl >= 0.9.8n though:
http://sourceforge.net/mailarchive/forum.php?thread_name=4C3F8BC6.9030303%40natvig.com&forum_name=mumble-packaging
http://bugreports.qt.nokia.com/browse/QTBUG-7200

--
Vincent Danen / Red Hat Security Response Team
