Security Advisory: Qt Network
May 23, 2023 by Andy Shaw | Comments
Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not matching directly. Unencrypted connections are susceptible to man-in-the-middle attacks. Those connections could be established by using URLs with the http instead of the https scheme. With HSTS, the https scheme must be used regardless.
Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1
Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/476494 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-32762-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-32762-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff
Blog Topics:
Comments
Subscribe to our newsletter
Subscribe Newsletter
Try Qt 6.5 Now!
Download the latest release here: www.qt.io/download.
Qt 6.5 is the latest Long-Term-Support release with all you need for C++ cross-platform app development.
Explore Qt World
Check our Qt demos and case studies in the virtual Qt World
We're Hiring
Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.
Näytä tämä julkaisu Instagramissa.Henkilön Qt (@theqtcompany) jakama julkaisu