Security Advisory: Qt Network

May 23, 2023

Comments

Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not matching directly. Unencrypted connections are susceptible to man-in-the-middle attacks. Those connections could be established by using URLs with the http instead of the https scheme. With HSTS, the https scheme must be used regardless.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/476494 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-32762-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-32762-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff

Security Advisory: Qt Network

Share with your friends

Blog Topics

Comments

Subscribe to our blog

Try Qt 6.11 Now!

We're Hiring

Related Articles

Security advisory: Type confusion and heap-buffer-overflow vulnerability in Qt SVG marker handling impacts Qt

Security advisory: QML Code Injection in VectorImage Component in Qt declarative module impacts Qt

Security advisory: Recently reported dr_wav issue impacts Qt