[Development] [Announce] Security advisory: Qt Network

List for announcements regarding Qt releases and development via Announce announce at qt-project.org
Fri Jun 9 13:55:27 CEST 2023 

A mistake was made with the CVE id for this one as it is CVE-2023-34410.

Therefore the links are:

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and https://codereview.qt-project.org/c/qt/qtbase/+/480002
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and https://codereview.qt-project.org/c/qt/qtbase/+/480474 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-34410-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-34410-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff

I apologise for any confusion caused.

Kind regards,
Andy

-----Original Message-----
From: Development <development-bounces at qt-project.org> On Behalf Of List for announcements regarding Qt releases and development via Announce via Development
Sent: Friday, June 9, 2023 1:00 PM
To: announce at qt-project.org
Cc: List for announcements regarding Qt releases and development via Announce <announce at qt-project.org>
Subject: [Development] [Announce] Security advisory: Qt Network

Hi,

A recent SSL issue affecting both OpenSSL and Schannel in Qt Network has been reported and has been assigned the CVE id CVE-2023-33410.

In some circumstances, system CA certificates list remains unexpectedly active for the authentication of SSL peers. In a case where clients are supposed to be authenticated by server side using a custom restricted CA certificate list, and if the server is vulnerable, this allows malicious clients to successfully pass the SSL authentication against the server, by being able to use a very wide range of unexpectedly valid SSL private keys and certificates to do so.

Solution: Apply the following patches or update to Qt 5.15.15, Qt 6.2.9 or Qt 6.5.2

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and https://codereview.qt-project.org/c/qt/qtbase/+/480002
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and https://codereview.qt-project.org/c/qt/qtbase/+/480474 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-33410-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-33410-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-33410-qtbase-5.15.diff

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

_______________________________________________
Announce mailing list
Announce at qt-project.org
https://lists.qt-project.org/listinfo/announce
-- 
Development mailing list
Development at qt-project.org
https://lists.qt-project.org/listinfo/development
_______________________________________________
Announce mailing list
Announce at qt-project.org
https://lists.qt-project.org/listinfo/announce

More information about the Development mailing list