CVE-2023-32762: [Announce] Security advisory: Qt Network

An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.


List for announcements regarding Qt releases and development announce at qt-project.org
Tue May 23 16:00:02 CEST 2023


Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not match directly. Unencrypted connections are susceptible to man-in-the-middle attacks. Those connections could be established by using URLs with the http instead of the https scheme. With HSTS, the https scheme must be used regardless.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:

  • dev: https://codereview.qt-project.org/c/qt/qtbase/+/477560
  • Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/476494 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-32762-qtbase-6.5.diff
  • Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-32762-qtbase-6.2.diff
  • Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff

Kind regards,
Andy

–
Andy Shaw
Director, Technical Customer Success
The Qt Company
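The defect class the advisory describes is an HTTP client that only recognises one spelling of the Strict-Transport-Security field name, although RFC 7230 makes header field names case-insensitive (and RFC 6797 makes the HSTS directive names case-insensitive too). The following C++ is an added illustration written for this page, not Qt's code and not the patch linked above: it places an exact-case lookup beside the case-insensitive one, parses the max-age and includeSubDomains directives, and shows the client-side store that turns an http:// URL for a known host into https://. The Header and HstsPolicy types, the function names and the sample header values are all assumptions constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// One HTTP response header field; the sample values used below are constructed.
struct Header { std::string name; std::string value; };

// HSTS policy per RFC 6797: max-age in seconds plus the includeSubDomains flag.
// (Expiry bookkeeping relative to the time of receipt is omitted for brevity.)
struct HstsPolicy { long maxAge = -1; bool includeSubDomains = false; };

// ASCII case-insensitive compare: HTTP field names (RFC 7230 s3.2) and
// HSTS directive names (RFC 6797 s6.1) are both case-insensitive.
static bool iequals(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    return true;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t"), e = s.find_last_not_of(" \t");
    return b == std::string::npos ? "" : s.substr(b, e - b + 1);
}

// Parse a header value such as "max-age=31536000; includeSubDomains".
// Returns false (leaving `out` untouched) if max-age is missing, duplicated
// or non-numeric; directives this parser does not know are ignored (RFC 6797).
static bool parseHstsValue(const std::string& value, HstsPolicy& out) {
    HstsPolicy p;
    bool sawMaxAge = false;
    size_t start = 0;
    for (;;) {
        size_t semi = value.find(';', start);
        std::string d = trim(value.substr(start, semi == std::string::npos ? std::string::npos : semi - start));
        if (!d.empty()) {
            size_t eq = d.find('=');
            std::string name = trim(d.substr(0, eq));
            std::string arg = (eq == std::string::npos) ? "" : trim(d.substr(eq + 1));
            if (iequals(name, "max-age")) {
                bool numeric = !arg.empty() && std::all_of(arg.begin(), arg.end(),
                    [](char c) { return std::isdigit(static_cast<unsigned char>(c)) != 0; });
                if (sawMaxAge || !numeric) return false;
                p.maxAge = std::stol(arg);
                sawMaxAge = true;
            } else if (iequals(name, "includeSubDomains")) {
                p.includeSubDomains = true;
            }
        }
        if (semi == std::string::npos) break;
        start = semi + 1;
    }
    if (!sawMaxAge) return false;
    out = p;
    return true;
}

// Defect pattern: only one spelling of the field name is recognised, so a
// server that sends "strict-transport-security" (valid HTTP) yields no policy
// and the client keeps accepting plain http:// for that host.
static bool findHstsCaseSensitive(const std::vector<Header>& headers, HstsPolicy& out) {
    for (const Header& h : headers)
        if (h.name == "Strict-Transport-Security") return parseHstsValue(h.value, out);
    return false;
}

// Corrected lookup: the field name is matched case-insensitively.
static bool findHstsCaseInsensitive(const std::vector<Header>& headers, HstsPolicy& out) {
    for (const Header& h : headers)
        if (iequals(h.name, "Strict-Transport-Security")) return parseHstsValue(h.value, out);
    return false;
}

// Client-side HSTS store: remembers hosts and upgrades http:// URLs to https://.
class HstsCache {
public:
    // max-age=0 tells the client to forget the host (RFC 6797 s6.1.1).
    void remember(const std::string& host, const HstsPolicy& p) {
        if (p.maxAge == 0) hosts_.erase(host); else hosts_[host] = p;
    }
    bool isKnown(const std::string& host) const {
        for (const auto& kv : hosts_) {
            const std::string& known = kv.first;
            if (iequals(host, known)) return true;
            // Subdomain match: host ends in "." + known and the policy allows it.
            if (kv.second.includeSubDomains && host.size() > known.size() &&
                host[host.size() - known.size() - 1] == '.' &&
                iequals(host.substr(host.size() - known.size()), known)) return true;
        }
        return false;
    }
    // The URL the client must actually connect to: https:// for any known host.
    std::string applyTo(const std::string& url) const {
        const std::string prefix = "http://";
        if (url.compare(0, prefix.size(), prefix) != 0) return url;
        size_t hostEnd = url.find_first_of("/:?#", prefix.size());
        std::string host = url.substr(prefix.size(), hostEnd == std::string::npos ? std::string::npos : hostEnd - prefix.size());
        return isKnown(host) ? "https://" + url.substr(prefix.size()) : url;
    }
private:
    std::map<std::string, HstsPolicy> hosts_;
};
```

Feeding a response whose field name is spelled `strict-transport-security` through both lookups shows the difference: the exact-case version returns no policy, so nothing is remembered and `applyTo` leaves an `http://` URL untouched, while the case-insensitive version records the host and every later `http://` URL for it (and, with includeSubDomains, for its subdomains) is rewritten to `https://` before a connection is made. A max-age of 0 removes the entry, as the RFC requires.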

