Security advisory: Qt Network
June 09, 2023 by Andy Shaw | Comments
A recent SSL issue affecting both OpenSSL and Schannel in Qt Network has been reported and has been assigned the CVE id CVE-2023-34410.
In some circumstances, system CA certificates list remains unexpectedly active for the authentication of SSL peers. In a case where clients are supposed to be authenticated by server side using a custom restricted CA certificate list, and if the server is vulnerable, this allows malicious clients to successfully pass the SSL authentication against the server, by being able to use a very wide range of unexpectedly valid SSL private keys and certificates to do so.
Solution: Apply the following patches or update to Qt 5.15.15, Qt 6.2.9 or Qt 6.5.2
Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and https://codereview.qt-project.org/c/qt/qtbase/+/480002
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and https://codereview.qt-project.org/c/qt/qtbase/+/480474 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-34410-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-34410-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff
Update 13:53 CEST: The original CVE id was incorrect, so this was edited to use the correct one.
Blog Topics:
Comments
Subscribe to our newsletter
Subscribe Newsletter
Try Qt 6.5 Now!
Download the latest release here: www.qt.io/download.
Qt 6.5 is the latest Long-Term-Support release with all you need for C++ cross-platform app development.
Explore Qt World
Check our Qt demos and case studies in the virtual Qt World
We're Hiring
Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.
Näytä tämä julkaisu Instagramissa.Henkilön Qt (@theqtcompany) jakama julkaisu