REDHAT-BUG-891955
First published: Fri Jan 04 2013(Updated: )
A security flaw was found in the way QSslSocket implementation of the Qt, a software toolkit for applications development, performed certificate verification callbacks, when Qt libraries were used with different OpenSSL version than the one, they were compiled against. In such scenario, this would result in a connection error, but with the SSL error list to contain QSslError:NoError instead of proper reason of the error. This might result in a confusing error being presented to the end users, possibly encouraging them to ignore the SSL errors for the site the connection was initiated against. References: [1] <a href="http://lists.qt-project.org/pipermail/announce/2013-January/000020.html">http://lists.qt-project.org/pipermail/announce/2013-January/000020.html</a> Relevant upstream patch: [2] <a href="https://codereview.qt-project.org/#change,42461">https://codereview.qt-project.org/#change,42461</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Trolltech Qt | ||
| OpenSSL |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
- https://codereview.qt-project.org/#change,42461
- http://www.openwall.com/lists/oss-security/2013/01/04/3
- https://admin.fedoraproject.org/updates/qt-4.8.4-4.fc18
- https://admin.fedoraproject.org/updates/qt-4.8.4-4.fc17
- https://admin.fedoraproject.org/updates/qt-4.8.4-4.fc16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=891964
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=891955#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=891955#c6
- http://www.openwall.com/lists/oss-security/2013/01/04/6
- https://bugzilla.redhat.com/show_bug.cgi?id=891955
Frequently Asked Questions
What is the severity of REDHAT-BUG-891955?
The severity of REDHAT-BUG-891955 is considered high due to the potential for certificate verification issues leading to security risks.
How do I fix REDHAT-BUG-891955?
To fix REDHAT-BUG-891955, ensure that the Qt libraries are compiled with the same OpenSSL version being used at runtime.
What systems are affected by REDHAT-BUG-891955?
REDHAT-BUG-891955 affects systems utilizing Qt in conjunction with incompatible versions of OpenSSL.
What risks are associated with REDHAT-BUG-891955?
Risks associated with REDHAT-BUG-891955 include potential man-in-the-middle attacks due to improper certificate validation.
Is there a patch available for REDHAT-BUG-891955?
Yes, patches have been released to address REDHAT-BUG-891955 and should be applied as soon as possible.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-6093
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/qt
- canonical/trolltech qt
- vendor/openssl
- canonical/openssl