
What the DigiNotar security breach means for Qt users (continued)

This blog post continues from the previous blog post, What the DigiNotar security breach means for Qt users.

What needs to be done

Contrary to an earlier DigiNotar statement, possibly all DigiNotar intermediate certificates are affected by the attack, so blacklisting only the DigiNotar root certificate is not enough. Some of those intermediates are cross-signed, i.e. their trust does not ultimately rely on the DigiNotar root certificate, so they need to be blacklisted as well.
The patches below blacklist all DigiNotar intermediate and root certificates.

For Qt versions 4.7.3 and 4.7.4 (or earlier versions to which the patch for blacklisting the fraudulent Comodo certificates has been applied; see the blog post on the Comodo attack):

blacklist-diginotar-certs.diff

For Qt versions 4.7.0, 4.7.1 and 4.7.2:

blacklist-diginotar-and-comodo-certs.diff

All upcoming Qt versions, including 4.8 and 5, will already contain a fix for the problem (see e.g. the Qt 5 commit; the commits in the 4.7 and 4.8 repositories are not public yet).
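
Why a root-only blacklist misses cross-signed intermediates, shown as an added example that is not taken from the Qt patches. It is plain C++ without Qt; the certificate names are constructed labels and the chains are simplified to subject/issuer pairs.

```cpp
#include <algorithm>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Simplified certificate: a name and the name of its issuer. All names here
// are constructed labels; a real blacklist matches on more than a name.
struct Cert { std::string subject, issuer; };
using Chain = std::vector<Cert>;            // leaf first, trust anchor last
using Blacklist = std::set<std::string>;

// Reject the chain if any certificate in it is blacklisted.
bool chainBlocked(const Chain &chain, const Blacklist &bl) {
    return std::any_of(chain.begin(), chain.end(),
                       [&](const Cert &c) { return bl.count(c.subject) > 0; });
}

Blacklist rootOnly() { return {"DIGINOTAR-ROOT"}; }
Blacklist rootAndIntermediates() { return {"DIGINOTAR-ROOT", "DIGINOTAR-INTERMEDIATE"}; }

// Path that ends at the DigiNotar root.
Chain directChain() {
    return {{"leaf.example", "DIGINOTAR-INTERMEDIATE"},
            {"DIGINOTAR-INTERMEDIATE", "DIGINOTAR-ROOT"},
            {"DIGINOTAR-ROOT", "DIGINOTAR-ROOT"}};
}
// Same intermediate, cross-signed by an unrelated root (hypothetical).
Chain crossSignedChain() {
    return {{"leaf.example", "DIGINOTAR-INTERMEDIATE"},
            {"DIGINOTAR-INTERMEDIATE", "OTHER-ROOT"},
            {"OTHER-ROOT", "OTHER-ROOT"}};
}
// Chain with no DigiNotar certificate at all; must stay accepted.
Chain unrelatedChain() {
    return {{"site.example", "OTHER-ROOT"}, {"OTHER-ROOT", "OTHER-ROOT"}};
}

int main() {
    std::cout << std::boolalpha
              << "direct, root-only list:       " << chainBlocked(directChain(), rootOnly()) << '\n'
              << "cross-signed, root-only list: " << chainBlocked(crossSignedChain(), rootOnly()) << '\n'
              << "cross-signed, full list:      " << chainBlocked(crossSignedChain(), rootAndIntermediates()) << '\n'
              << "unrelated, full list:         " << chainBlocked(unrelatedChain(), rootAndIntermediates()) << '\n';
}
```

The cross-signed path never touches the blacklisted root, so it is rejected only once the intermediate itself is on the list.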

Acknowledgements

Thanks to Rich Moore from KDE for cross-reading this post.

