Mandriva Linux Security Advisory : kdelibs4 (MDVSA-2011:162)
High Nessus Plugin ID 56687
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionMultiple vulnerabilities was discovered and corrected in kdelibs4 :
KDE KSSL in kdelibs does not properly handle a \'\0\' (NUL) character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2009-2702).
An input sanitization flaw was found in the KSSL (KDE SSL Wrapper) API. An attacker could supply a specially crafted SSL certificate (for example, via a web page) to an application using KSSL, such as the Konqueror web browser, causing misleading information to be presented to the user, possibly tricking them into accepting the certificate as valid (CVE-2011-3365).
The updated packages have been patched to correct these issues.
SolutionUpdate the affected packages.