[java-sig-commits] [Bug 1093273] New: CVE-2014-0363 smack: incorrect X.509 validation

https://bugzilla.redhat.com/show_bug.cgi?id=1093273 Bug ID: 1093273 Summary: CVE-2014-0363 smack: incorrect X.509 validation Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team(a)redhat.com Reporter: mmcallis(a)redhat.com CC: java-sig-commits(a)lists.fedoraproject.org, puntogil(a)libero.it, weli(a)redhat.com Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0363 to the following vulnerability: Name: CVE-2014-0363 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363 Assigned: 20131205 Reference: http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc... Reference: http://issues.igniterealtime.org/browse/SMACK-410 Reference: CERT-VN:VU#489228 Reference: http://www.kb.cert.org/vuls/id/489228 The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. The man-in-the-middle attacker requires a certificate that is valid for any domain name. Upstream patch: http://fisheye.igniterealtime.org/changelog/smackgit?cs=93030c218c62cf0a0... advisory mentions version 3.4.1 and possibly earlier versions). -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=1wrKeWsHiZ&a=cc_unsubscribe