Bug 15487

Summary: Qupzilla is vulnerable in Mageia 4 for Freak
Product: Mageia
Reporter: psyca <linux>
Component: RPM Packages
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact:
Severity: normal    
Priority: Normal    
Version: 4   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Source RPM: qupzilla-1.4.4-2.mga4.x86_64
CVE:
Status comment:

Description psyca 2015-03-13 20:46:39 CET
Description of problem:
Start Qupzilla in Mageia 4
Go to https://freakattack.com/ to check against freak.
It says it's vulnerable.

In Mageia 5 (Beta 3) it's not affected.

Reference:
https://github.com/QupZilla/qupzilla/issues/1621

Reproducible: 

Steps to Reproduce:
psyca 2015-03-13 20:47:13 CET

Summary: Qupzilla is vulnerable in Mageia 4 => Qupzilla is vulnerable in Mageia 4 for Freak

Comment 1 David Walser 2015-03-14 17:27:48 CET
The test seems unlikely to be accurate.  I don't know whether it's really testing the vulnerability or testing versions of things or what.  The upstream bug report you linked reported varying results with QupZilla 1.8.6, which at the least suggests that QupZilla doesn't have its own SSL implementation.  You wouldn't think it would, and a quick look at the source code suggests that it doesn't.  So, it would have to be using one from a library it's linked to.  I see that QupZilla is linked to libQtNetwork.so.4 (from qt4) which is linked to libssl.so.1 (from OpenSSL), so as I suspect, it's most likely using OpenSSL.  We fixed FREAK, also known as CVE-2014-0204, in our last OpenSSL update in Bug 14987.  Make sure you have the updated packages installed.

Status: NEW => UNCONFIRMED
Ever confirmed: 1 => 0

Comment 2 psyca 2015-03-19 21:02:17 CET
Fixed with the update released today: openssl-1.0.1m-1.mga4

Status: UNCONFIRMED => RESOLVED
Resolution: (none) => FIXED
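Comment 1 locates the TLS implementation by following the shared-library chain (qupzilla links libQtNetwork.so.4, which links libssl.so.1), and comment 2 names the OpenSSL package that carried the fix. The script below is an added example, not part of this bug report or of QupZilla, that turns both observations into a repeatable check on an RPM-based system: it pulls the TLS libraries out of ldd output and compares an installed openssl version-release against the update named in comment 2. The ldd output is constructed for the example; the binary path /usr/bin/qupzilla and the presence of ldd, rpm and a sort that supports -V are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the QupZilla project): confirm that a
# browser binary gets its TLS from the system OpenSSL, and that the installed
# OpenSSL package is at least the update named in comment 2 of the bug.

# Print the resolved paths of the TLS libraries in `ldd` output read from stdin.
# ldd lists indirect dependencies too, so libssl appears for qupzilla even though
# only libQtNetwork links it directly.
tls_libs() {
    awk '/lib(ssl|crypto|gnutls|nss3)\.so/ && $3 ~ /^\// { print $3 }'
}

# Same check against a real binary on the running system (assumes ldd is present).
tls_libs_of() {
    ldd "$1" | tls_libs
}

# Owning package of a library path (assumes an RPM-based system such as Mageia).
pkg_of() {
    rpm -qf "$1"
}

# Is version-release "$1" at least "$2"?  Relies on sort -V (GNU coreutils or
# busybox), which orders 1.0.1k-1.mga4 before 1.0.1m-1.mga4 as rpm would.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# The version-release that comment 2 reports as carrying the fix.
FIXED_OPENSSL='1.0.1m-1.mga4'

# Decide from an installed openssl version-release whether the fix is present.
openssl_fixed() {
    version_ge "$1" "$FIXED_OPENSSL"
}

# Constructed sample of `ldd /usr/bin/qupzilla` output, modelled on the chain in
# comment 1 (assumption: not captured from a real Mageia 4 host).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5b1fe000)
    libQtWebKit.so.4 => /usr/lib64/libQtWebKit.so.4 (0x00007f2c1e000000)
    libQtNetwork.so.4 => /usr/lib64/libQtNetwork.so.4 (0x00007f2c1dc00000)
    libssl.so.1 => /usr/lib64/libssl.so.1 (0x00007f2c1d900000)
    libcrypto.so.1 => /usr/lib64/libcrypto.so.1 (0x00007f2c1d500000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f2c1d100000)'

# On a live Mageia 4 host the two checks would be (kept as comments so the script
# runs without ldd or rpm):
#   for lib in $(tls_libs_of /usr/bin/qupzilla); do pkg_of "$lib"; done
#   openssl_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)" && echo fixed
printf '%s\n' "$SAMPLE_LDD" | tls_libs
```

Run stand-alone, the script prints the two OpenSSL library paths from the sample. The version comparison is deliberately done on the openssl package rather than on qupzilla, because the browser carries no TLS code of its own and rebuilding it would not change the result.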