An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Qt | Qt | * | 5.15.14 (excluding) |
Qt | Qt | 6.0.0 (including) | 6.2.9 (excluding) |
Qt | Qt | 6.3.0 (including) | 6.5.1 (excluding) |
Qt6-base | Ubuntu | kinetic | * |
Qt6-base | Ubuntu | lunar | * |
Qt6-base | Ubuntu | mantic | * |
Qt6-base | Ubuntu | trusty | * |
Qt6-base | Ubuntu | xenial | * |
Qtbase-opensource-src | Ubuntu | bionic | * |
Qtbase-opensource-src | Ubuntu | kinetic | * |
Qtbase-opensource-src | Ubuntu | lunar | * |
Qtbase-opensource-src | Ubuntu | mantic | * |
Qtbase-opensource-src | Ubuntu | trusty | * |
Qtbase-opensource-src | Ubuntu | xenial | * |
Qtbase-opensource-src-gles | Ubuntu | kinetic | * |
Qtbase-opensource-src-gles | Ubuntu | lunar | * |
Qtbase-opensource-src-gles | Ubuntu | mantic | * |
Qtbase-opensource-src-gles | Ubuntu | trusty | * |
Qtbase-opensource-src-gles | Ubuntu | xenial | * |