Oracle Linux: CVE-2024-39936: ELSA-2024-4623: qt5-qtbase security update (IMPORTANT) (Multiple Advisories)

Oracle Linux: CVE-2024-39936: ELSA-2024-4623:qt5-qtbase security update (IMPORTANT) (Multiple Advisories)

Severity

8

CVSS

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Published

07/04/2024

Created

07/20/2024

Added

08/16/2024

Modified

01/08/2025

Description

An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.. A vulnerability was found in Qt where, during a TLS connection for servers supporting HTTP2, Qt may send data to a server even if the TLS certificate doesn't match the redirected address. This occurs because Qt fails to validate the certificate against the redirected address, potentially sending data to an incorrect or malicious server.

Solution(s)

• oracle-linux-upgrade-qt5-qtbase
• oracle-linux-upgrade-qt5-qtbase-common
• oracle-linux-upgrade-qt5-qtbase-devel
• oracle-linux-upgrade-qt5-qtbase-doc
• oracle-linux-upgrade-qt5-qtbase-examples
• oracle-linux-upgrade-qt5-qtbase-gui
• oracle-linux-upgrade-qt5-qtbase-mysql
• oracle-linux-upgrade-qt5-qtbase-odbc
• oracle-linux-upgrade-qt5-qtbase-postgresql
• oracle-linux-upgrade-qt5-qtbase-private-devel
• oracle-linux-upgrade-qt5-qtbase-static
• oracle-linux-upgrade-qt5-rpm-macros

References

• https://attackerkb.com/topics/cve-2024-39936
• CVE - 2024-39936
• ELSA-2024-4623
• ELSA-2024-4617
• ELSA-2024-4647