oss-sec mailing list archives

Re: KMail/KIO POP3 SSL MITM Flaw

From: David Faure <faure () kde org>
Date: Sun, 22 Jun 2014 23:58:45 +0200

On Sunday 22 June 2014 21:47:50 Richard Moore wrote:

I'm not sure whether to interpret the 'Versions' line in the advisory
as "bug was introduced at kdelibs 4.10.95"


Yes, this is what
"Versions:       kdelibs 4.10.95 to 4.13.2"
means.

The file usernotificationhandler.cpp was introduced in 4.10.95
(for the fix for bug 154100 and 265228)

Before that, SlaveInterface handled the messagebox request itself, with no 
need for a job pointer.

There is an IBM ISS report [3] which implies the bug affects at least
kdelibs 4.6.x ....


No idea where they got that from.... I cannot confirm this.

-- 
David Faure, faure () kde org, http://www.davidfaure.fr
Working on KDE Frameworks 5

Current thread:

KMail/KIO POP3 SSL MITM Flaw Richard Moore (Jun 18)
- Re: KMail/KIO POP3 SSL MITM Flaw Nick Boyce (Jun 22)
  - Re: KMail/KIO POP3 SSL MITM Flaw Richard Moore (Jun 22)
    - Re: KMail/KIO POP3 SSL MITM Flaw David Faure (Jun 22)
    - Re: KMail/KIO POP3 SSL MITM Flaw Nick Boyce (Jun 22)