June 09, 2023 by Andy Shaw
A recent SSL issue affecting both the OpenSSL and Schannel backends of Qt Network has been reported and has been assigned the CVE id CVE-2023-34410.
In some circumstances, the system CA certificate list remains unexpectedly active for the authentication of SSL peers. Where a server is supposed to authenticate clients against a custom, restricted CA certificate list, a vulnerable server still accepts clients that the system CA list would accept, so malicious clients can pass the server's SSL authentication using a very wide range of unexpectedly valid SSL private keys and certificates.
Solution: Apply the following patches or update to Qt 5.15.15, Qt 6.2.9 or Qt 6.5.2.
Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560 and https://codereview.qt-project.org/c/qt/qtbase/+/480002
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/479276 and https://codereview.qt-project.org/c/qt/qtbase/+/480474 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-34410-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-34410-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff
Update 13:53 CEST: The original CVE id was incorrect, so this was edited to use the correct one.
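As an added example (not code from the Qt project or from this post), here is the server-side setup for the scenario the advisory describes in Qt C++: a runtime check that the loaded Qt library is one of the fixed releases listed above, followed by the restricted-CA client-authentication configuration that the bug undermined. The PEM file names are hypothetical, and treating 6.x minors after 6.5 as fixed is an assumption based on the dev-branch patches; call the last function from QTcpServer::incomingConnection() with the accepted socket.

```cpp
// Added example (not Qt project code). Hypothetical files: allowed-clients-ca.pem,
// server.pem, server.key. Gate on the runtime Qt version, then configure client auth.
#include <QDebug>
#include <QFile>
#include <QSslCertificate>
#include <QSslConfiguration>
#include <QSslKey>
#include <QSslSocket>
#include <QVersionNumber>

// Checks the loaded library, not QT_VERSION: a binary built against fixed headers can
// still run on an older libQtNetwork. Fixed releases per the advisory: 5.15.15, 6.2.9, 6.5.2.
static bool qtLibraryHasCve202334410Fix()
{
    const QVersionNumber v = QVersionNumber::fromString(QString::fromLatin1(qVersion()));
    if (v.majorVersion() == 5) return v >= QVersionNumber(5, 15, 15);
    if (v.majorVersion() != 6) return false;
    if (v.minorVersion() == 2) return v >= QVersionNumber(6, 2, 9);
    if (v.minorVersion() == 5) return v >= QVersionNumber(6, 5, 2);
    return v.minorVersion() > 5;  // assumption: 6.6+ carry the dev-branch patch; 6.0-6.4 are unlisted
}

// The configuration the advisory describes: a custom CA list plus VerifyPeer,
// so the server demands a client certificate that chains to one of those CAs.
static QSslConfiguration restrictedClientAuthConfig()
{
    QSslConfiguration cfg = QSslConfiguration::defaultConfiguration();
    cfg.setCaCertificates(QSslCertificate::fromPath(QStringLiteral("allowed-clients-ca.pem"), QSsl::Pem));
    cfg.setPeerVerifyMode(QSslSocket::VerifyPeer);
    const QList<QSslCertificate> mine = QSslCertificate::fromPath(QStringLiteral("server.pem"), QSsl::Pem);
    if (!mine.isEmpty()) cfg.setLocalCertificate(mine.first());
    QFile keyFile(QStringLiteral("server.key"));
    if (keyFile.open(QIODevice::ReadOnly)) cfg.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa, QSsl::Pem));
    return cfg;
}

static void startRestrictedServerHandshake(QSslSocket *sock)
{
    if (!qtLibraryHasCve202334410Fix()) {
        qWarning() << "Qt" << qVersion() << "is not a fixed release for CVE-2023-34410; refusing client auth";
        sock->abort();
        return;
    }
    sock->setSslConfiguration(restrictedClientAuthConfig());
    // Log verification failures; never call ignoreSslErrors() on this path.
    QObject::connect(sock, &QSslSocket::peerVerifyError, sock,
                     [](const QSslError &e) { qWarning() << "client rejected:" << e.errorString(); });
    sock->startServerEncryption();
}
```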