Re: [Development] [Announce] Security advisory: Qt Network
Kevin Kofler via Development wrote:
> Qt 4.8 (backported by Than Ngo):
> https://src.fedoraproject.org/rpms/qt/raw/rawhide/f/qt-CVE-2023-34410.patch

PS: Qt 4.8 does NOT include the Windows-specific qsslsocket_schannel.cpp, which was introduced in Qt 5.13. (Qt 4.8 supported only OpenSSL.) Hence, the qsslsocket_schannel.cpp part of the patch is neither needed for nor applicable to Qt 4.8, and not included in the above backport. Only the qsslsocket.cpp part is needed and backported above.

Kevin Kofler

--
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
Re: [Development] [Announce] Security advisory: Qt Network
List for announcements regarding Qt releases and development via Announce via Development wrote:
> Patches:
> dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and
> https://codereview.qt-project.org/c/qt/qtbase/+/480002
> Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and
> https://codereview.qt-project.org/c/qt/qtbase/+/480474 or
> https://download.qt.io/official_releases/qt/6.5/CVE-2023-34410-qtbase-6.5.diff
> Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-34410-qtbase-6.2.diff
> Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff

Qt 4.8 (backported by Than Ngo):
https://src.fedoraproject.org/rpms/qt/raw/rawhide/f/qt-CVE-2023-34410.patch

Qt 3.3: not vulnerable (code introduced in Qt 4.3)

Kevin Kofler
Re: [Development] [Announce] Security advisory: Qt Network
2023-06-09
List for announcements regarding Qt releases and development via Announce via Development
A mistake was made with the CVE id for this one, as it is CVE-2023-34410. Therefore the links are:

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and https://codereview.qt-project.org/c/qt/qtbase/+/480002
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and https://codereview.qt-project.org/c/qt/qtbase/+/480474 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-34410-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-34410-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff

I apologise for any confusion caused.

Kind regards,
Andy

-----Original Message-----
From: Development On Behalf Of List for announcements regarding Qt releases and development via Announce via Development
Sent: Friday, June 9, 2023 1:00 PM
To: annou...@qt-project.org
Cc: List for announcements regarding Qt releases and development via Announce
Subject: [Development] [Announce] Security advisory: Qt Network

Hi,

A recent SSL issue affecting both OpenSSL and Schannel in Qt Network has been reported and has been assigned the CVE id CVE-2023-33410. In some circumstances, the system CA certificate list remains unexpectedly active for the authentication of SSL peers. In a case where clients are supposed to be authenticated by the server side using a custom restricted CA certificate list, and if the server is vulnerable, this allows malicious clients to successfully pass the SSL authentication against the server, by being able to use a very wide range of unexpectedly valid SSL private keys and certificates to do so.

Solution: Apply the following patches or update to Qt 5.15.15, Qt 6.2.9 or Qt 6.5.2

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and https://codereview.qt-project.org/c/qt/qtbase/+/480002
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and https://codereview.qt-project.org/c/qt/qtbase/+/480474 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-33410-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-33410-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-33410-qtbase-5.15.diff

Kind regards,
Andy

--
Andy Shaw
Director, Technical Customer Success
The Qt Company
[Development] [Announce] Security advisory: Qt Network
2023-06-09
List for announcements regarding Qt releases and development via Announce via Development
Hi,

A recent SSL issue affecting both OpenSSL and Schannel in Qt Network has been reported and has been assigned the CVE id CVE-2023-33410. In some circumstances, the system CA certificate list remains unexpectedly active for the authentication of SSL peers. In a case where clients are supposed to be authenticated by the server side using a custom restricted CA certificate list, and if the server is vulnerable, this allows malicious clients to successfully pass the SSL authentication against the server, by being able to use a very wide range of unexpectedly valid SSL private keys and certificates to do so.

Solution: Apply the following patches or update to Qt 5.15.15, Qt 6.2.9 or Qt 6.5.2

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and https://codereview.qt-project.org/c/qt/qtbase/+/480002
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and https://codereview.qt-project.org/c/qt/qtbase/+/480474 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-33410-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-33410-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-33410-qtbase-5.15.diff

Kind regards,
Andy

--
Andy Shaw
Director, Technical Customer Success
The Qt Company
[Development] [Announce] Security advisory: Qt Network
2023-06-01
List for announcements regarding Qt releases and development via Announce via Development
Hi,

A recent buffer overflow issue in Qt Network has been reported and has been assigned the CVE id CVE-2023-33285. QDnsLookup may read outside the bounds of the buffer it allocated to receive the DNS reply with certain specially crafted replies that violate the DNS protocol.

QDnsLookup only parses DNS replies as a result of a DNS query initiated by the user application, explicitly with this class. This class is usually used by applications that specifically need support for DNS records, such as obtaining an MX for email delivery, and is not used in normal domain name resolution. It is currently not used by any other class in Qt.

To exploit this, the attacker must obtain a valid DNS query and must reply from the correct IP address of the server queried (usually, by controlling the DNS server used by the victim system, such as in a public WiFi scenario). Attacks from further remote locations may be possible, but intermediary DNS servers may reject this malformed answer and not propagate it.

This only affects Unix-based platforms; Windows is not affected at all.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477644
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/477704 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-33285-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-33285-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-33285-qtbase-5.15.diff

Kind regards,
Andy

--
Andy Shaw
Director, Technical Customer Success
The Qt Company
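The out-of-bounds read described in the advisory is the classic failure of a DNS reply parser that trusts the length fields in the datagram (label lengths, compression pointers, RDLENGTH) instead of checking them against the bytes actually received. The following is an added example, not Qt's QDnsLookup code, of how a reply parser bounds every read; the class and function names (Reader, parseDnsReply, parseMx, sampleMxReply) are my own, and the sample datagram is constructed, not captured traffic.

```cpp
// Added example, not Qt's QDnsLookup code: a bounds-checked DNS reply parser.
// Every read is guarded by Reader::have(), so a crafted reply that claims more
// data than the datagram carries (oversized RDLENGTH, label past the end,
// compression-pointer loop) is rejected instead of being read out of bounds.
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

struct DnsRecord {
    std::string name;
    std::uint16_t type = 0, cls = 0, rdLength = 0;
    std::uint32_t ttl = 0;
    std::size_t rdOffset = 0;   // start of RDATA in the datagram (names inside may point back)
};
struct DnsReply { std::uint16_t id = 0, flags = 0; std::vector<DnsRecord> answers; };

class Reader {
public:
    explicit Reader(const std::vector<std::uint8_t> &b) : buf(b) {}
    bool have(std::size_t pos, std::size_t n) const { return pos <= buf.size() && n <= buf.size() - pos; }
    bool u16(std::size_t &pos, std::uint16_t &v) const {
        if (!have(pos, 2)) return false;
        v = static_cast<std::uint16_t>((buf[pos] << 8) | buf[pos + 1]);
        pos += 2;
        return true;
    }
    // Reads a possibly compressed name at pos and advances pos past it.
    bool readName(std::size_t &pos, std::string &name) const {
        std::size_t cur = pos, after = 0, total = 0, ceiling = buf.size();
        bool jumped = false;
        while (true) {
            if (!have(cur, 1)) return false;
            std::size_t labelStart = cur;
            std::uint8_t len = buf[cur++];
            if ((len & 0xC0) == 0xC0) {                          // compression pointer
                if (!have(cur, 1)) return false;
                std::size_t target = ((len & 0x3F) << 8) | buf[cur++];
                // Must land strictly before itself and before any earlier landing
                // point, so a pointer chain can never cycle and always terminates.
                if (target >= labelStart || target >= ceiling) return false;
                ceiling = target;
                if (!jumped) { after = cur; jumped = true; }
                cur = target;
                continue;
            }
            if (len & 0xC0) return false;                        // 0x40/0x80: reserved label types
            if (len == 0) { pos = jumped ? after : cur; return true; }
            if (!have(cur, len)) return false;                   // label would run past the datagram
            if ((total += len + 1) > 255) return false;          // RFC 1035 name length limit
            if (!name.empty()) name += '.';
            name.append(reinterpret_cast<const char *>(&buf[cur]), len);
            cur += len;
        }
    }
private:
    const std::vector<std::uint8_t> &buf;
};

std::optional<DnsReply> parseDnsReply(const std::vector<std::uint8_t> &pkt) {
    Reader r(pkt);
    std::size_t pos = 0;
    DnsReply reply;
    std::uint16_t qd, an, ns, ar, ttlHi, ttlLo;
    if (!r.u16(pos, reply.id) || !r.u16(pos, reply.flags) || !r.u16(pos, qd) ||
        !r.u16(pos, an) || !r.u16(pos, ns) || !r.u16(pos, ar))
        return std::nullopt;
    if (!(reply.flags & 0x8000)) return std::nullopt;            // QR bit clear: not a response
    for (unsigned i = 0; i < qd; ++i) {                           // skip the echoed question(s)
        std::string qname; std::uint16_t qtype, qclass;
        if (!r.readName(pos, qname) || !r.u16(pos, qtype) || !r.u16(pos, qclass)) return std::nullopt;
    }
    for (unsigned i = 0; i < an; ++i) {
        DnsRecord rec;
        if (!r.readName(pos, rec.name) || !r.u16(pos, rec.type) || !r.u16(pos, rec.cls) ||
            !r.u16(pos, ttlHi) || !r.u16(pos, ttlLo) || !r.u16(pos, rec.rdLength))
            return std::nullopt;
        rec.ttl = (static_cast<std::uint32_t>(ttlHi) << 16) | ttlLo;
        if (!r.have(pos, rec.rdLength)) return std::nullopt;     // RDLENGTH beyond the datagram
        rec.rdOffset = pos;
        pos += rec.rdLength;
        reply.answers.push_back(rec);
    }
    return reply;   // authority and additional sections would be walked the same way
}

// MX RDATA: 16-bit preference, then an exchange name that may use compression.
std::optional<std::pair<std::uint16_t, std::string>>
parseMx(const std::vector<std::uint8_t> &pkt, const DnsRecord &rec) {
    if (rec.type != 15) return std::nullopt;
    Reader r(pkt);
    std::size_t pos = rec.rdOffset;
    std::uint16_t pref; std::string exchange;
    if (!r.u16(pos, pref) || !r.readName(pos, exchange)) return std::nullopt;
    if (pos > rec.rdOffset + rec.rdLength) return std::nullopt; // name spilled past RDATA
    return std::make_pair(pref, exchange);
}

// Constructed sample (not captured traffic): reply to "example.com MX" with one
// answer "10 mail.example.com"; both names use pointers back to offset 12.
std::vector<std::uint8_t> sampleMxReply() {
    return {0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
            7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0x00, 0x0F, 0x00, 0x01,
            0xC0, 0x0C, 0x00, 0x0F, 0x00, 0x01, 0x00, 0x00, 0x01, 0x2C, 0x00, 0x09,
            0x00, 0x0A, 4, 'm', 'a', 'i', 'l', 0xC0, 0x0C};
}
```

The three checks that matter for a crafted reply are the `have()` guard before copying a label, the strictly-backwards rule for compression pointers (a self-pointer at offset 12 is refused, as is any chain that does not keep moving towards the start of the datagram), and the `have(pos, rdLength)` check before RDATA is consumed. Rewriting bytes 39 and 40 of the sample to 0xFF, or truncating the datagram to 45 bytes, makes `parseDnsReply` return nothing rather than read past the buffer.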
[Development] [Announce] Security advisory: Qt Network
2023-05-23
List for announcements regarding Qt releases and development via Announce via Development
Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established even when explicitly prohibited by the server. This happens if the case used for this header does not match directly. Unencrypted connections are susceptible to man-in-the-middle attacks. Those connections could be established by using URLs with the http instead of the https scheme. With HSTS, the https scheme must be used regardless.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/476494 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-32762-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-32762-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff

Kind regards,
Andy

--
Andy Shaw
Director, Technical Customer Success
The Qt Company
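HTTP header field names are case-insensitive, so a client that only recognises `Strict-Transport-Security` in one spelling silently drops the policy for servers that send it as `strict-transport-security` or `STRICT-TRANSPORT-SECURITY`, and then happily follows an `http://` link to that host. The following is an added example, not Qt's HSTS implementation, of a parser that matches the header name and its directives case-insensitively (as RFC 6797 requires) together with a small cache that upgrades plain `http://` URLs for hosts under a policy; the names (HstsPolicy, parseHsts, HstsCache) and the sample hosts are my own and assumed for illustration.

```cpp
// Added example, not Qt's HSTS code: a case-insensitive Strict-Transport-Security
// parser plus a small HSTS cache that decides whether an http:// URL must be
// upgraded to https://. Header and directive names are matched without regard to
// letter case, as RFC 6797 (and HTTP generally) require.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <map>
#include <optional>
#include <string>

struct HstsPolicy {
    std::uint64_t maxAge = 0;        // seconds; 0 tells the client to forget the host
    bool includeSubDomains = false;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string &s) {
    std::size_t b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Returns a policy if `name` is the STS header in any letter case and `value`
// is well-formed: exactly one max-age, at most one includeSubDomains.
std::optional<HstsPolicy> parseHsts(const std::string &name, const std::string &value) {
    if (lower(name) != "strict-transport-security") return std::nullopt;
    HstsPolicy p;
    bool haveMaxAge = false;
    for (std::size_t start = 0; start <= value.size();) {
        std::size_t end = value.find(';', start);
        if (end == std::string::npos) end = value.size();
        std::string directive = trim(value.substr(start, end - start));
        start = end + 1;
        if (directive.empty()) continue;
        std::size_t eq = directive.find('=');
        std::string key = lower(trim(directive.substr(0, eq)));
        std::string val = eq == std::string::npos ? "" : trim(directive.substr(eq + 1));
        if (val.size() >= 2 && val.front() == '"' && val.back() == '"')
            val = val.substr(1, val.size() - 2);             // quoted-string form is allowed
        if (key == "max-age") {
            bool digits = !val.empty() && val.size() <= 18 && std::all_of(val.begin(), val.end(),
                [](unsigned char c) { return std::isdigit(c) != 0; });
            if (haveMaxAge || !digits) return std::nullopt;  // duplicate or malformed: ignore header
            p.maxAge = std::stoull(val);
            haveMaxAge = true;
        } else if (key == "includesubdomains") {
            if (p.includeSubDomains) return std::nullopt;
            p.includeSubDomains = true;
        }                                                    // unknown directives are ignored
    }
    if (!haveMaxAge) return std::nullopt;                    // max-age is mandatory
    return p;
}

class HstsCache {
public:
    // Record the policy carried by a response received over HTTPS from `host`.
    void observe(const std::string &host, const std::string &headerName,
                 const std::string &headerValue, std::uint64_t now) {
        auto p = parseHsts(headerName, headerValue);
        if (!p) return;
        std::string h = lower(host);
        if (p->maxAge == 0) { hosts_.erase(h); return; }
        hosts_[h] = Entry{now + p->maxAge, p->includeSubDomains};
    }
    // True if an unexpired policy covers `host`, exactly or as a subdomain of a
    // host whose policy set includeSubDomains.
    bool mustUseHttps(const std::string &host, std::uint64_t now) const {
        std::string h = lower(host);
        for (const auto &kv : hosts_) {
            const std::string &k = kv.first;
            if (now >= kv.second.expires) continue;
            if (h == k) return true;
            if (kv.second.subdomains && h.size() > k.size() && h[h.size() - k.size() - 1] == '.' &&
                h.compare(h.size() - k.size(), k.size(), k) == 0)
                return true;
        }
        return false;
    }
    // Rewrite a plain http:// URL to https:// when the policy demands it
    // (explicit ports are not handled here; RFC 6797 maps :80 to :443).
    std::string upgrade(const std::string &url, std::uint64_t now) const {
        if (url.size() < 7 || lower(url.substr(0, 7)) != "http://") return url;
        std::size_t hostEnd = url.find_first_of("/?#", 7);
        std::string host = url.substr(7, hostEnd == std::string::npos ? std::string::npos : hostEnd - 7);
        return mustUseHttps(host, now) ? "https://" + url.substr(7) : url;
    }
private:
    struct Entry { std::uint64_t expires; bool subdomains; };
    std::map<std::string, Entry> hosts_;
};
```

The comparison that the advisory is about is the single `lower(name) != "strict-transport-security"` line: with it, `STRICT-TRANSPORT-SECURITY: Max-Age=31536000; IncludeSubDomains` from `example.com` is recorded exactly like the lowercase spelling, and a later request for `http://login.example.com/` is rewritten to `https://` for the lifetime of the policy. Directive names go through the same normalisation, and hosts are compared case-insensitively too, so `Login.Example.COM` is covered while `example.com.evil.test` is not.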