https://bugzilla.redhat.com/show_bug.cgi?id=1093273
Bug ID: 1093273
Summary: CVE-2014-0363 smack: incorrect X.509 validation
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mmcallis(a)redhat.com
CC: java-sig-commits(a)lists.fedoraproject.org,
puntogil(a)libero.it, weli(a)redhat.com
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0363 to
the following vulnerability:
Name: CVE-2014-0363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363
Assigned: 20131205
Reference: http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc...
Reference: http://issues.igniterealtime.org/browse/SMACK-410
Reference: CERT-VN:VU#489228
Reference: http://www.kb.cert.org/vuls/id/489228
The ServerTrustManager component in the Ignite Realtime Smack XMPP API
before 4.0.0-rc1 does not verify basicConstraints and nameConstraints
in X.509 certificate chains from SSL servers, which allows
man-in-the-middle attackers to spoof servers and obtain sensitive
information via a crafted certificate chain.
The man-in-the-middle attacker only needs a certificate that is valid for some
domain name; because basicConstraints is not checked, it need not be a CA
certificate.
Upstream patch:
http://fisheye.igniterealtime.org/changelog/smackgit?cs=93030c218c62cf0a0...
From code inspection, this issue affects the 3.2.2 version in Fedora (the CERT
advisory mentions version 3.4.1 and possibly earlier versions).
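As an added illustration (not code from Smack or from this report), the Python below models the two checks the advisory says ServerTrustManager omitted, basicConstraints and nameConstraints, and contrasts them with a chain-linking check that only walks issuer/subject names back to a trust anchor. It assumes signature and validity-period verification happen elsewhere; the certificate names are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    """Constructed model of the X.509 fields this check needs (not a parser)."""
    subject: str                    # subject name, used to link issuer -> subject
    issuer: str                     # subject name of the signing certificate
    dns_names: tuple = ()           # subjectAltName dNSName entries
    is_ca: bool = False             # basicConstraints cA
    path_len: Optional[int] = None  # basicConstraints pathLenConstraint
    permitted: tuple = ()           # nameConstraints permittedSubtrees (dNSName)
    excluded: tuple = ()            # nameConstraints excludedSubtrees (dNSName)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName subtree covers the name and all its subdomains."""
    name, subtree = name.lower().rstrip("."), subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)


def links_to_anchor(chain: Sequence[Cert], anchors: set) -> bool:
    """The incomplete policy: each issuer matches the next subject and the last
    certificate is signed by a trust anchor. Nothing asks whether the signers
    are allowed to act as CAs or which names they may certify."""
    return (chain[-1].issuer in anchors
            and all(c.issuer == n.subject for c, n in zip(chain, chain[1:])))


def validate_chain(chain: Sequence[Cert], anchors: set, host: str) -> bool:
    """chain[0] is the server certificate; chain[-1] is issued by a trust anchor."""
    if not links_to_anchor(chain, anchors) or host not in chain[0].dns_names:
        return False  # exact hostname match; wildcards are not modelled
    for depth, issuer in enumerate(chain[1:]):
        # basicConstraints: only a CA may issue, and pathLenConstraint bounds the
        # number of intermediate CAs between this issuer and the end entity.
        if not issuer.is_ca or (issuer.path_len is not None and issuer.path_len < depth):
            return False
        # nameConstraints: every dNSName issued below this CA must lie inside its
        # permitted subtrees and outside its excluded subtrees.
        for dns in (d for below in chain[:depth + 1] for d in below.dns_names):
            if issuer.permitted and not any(dns_in_subtree(dns, s) for s in issuer.permitted):
                return False
            if any(dns_in_subtree(dns, s) for s in issuer.excluded):
                return False
    return True


# Constructed chains: a proper intermediate, and an ordinary end-entity certificate
# for an unrelated domain that is (mis)used as the issuer of a server certificate.
ANCHORS = {"Constructed Root CA"}
EXAMPLE_CA = Cert("Example CA", "Constructed Root CA", is_ca=True, path_len=0,
                  permitted=("example.com",))
GOOD_LEAF = Cert("chat.example.com", "Example CA", dns_names=("chat.example.com",))
OTHER_LEAF = Cert("www.other.test", "Constructed Root CA", dns_names=("www.other.test",))
FORGED = Cert("chat.example.com", "www.other.test", dns_names=("chat.example.com",))
```

The name-only walk accepts `[FORGED, OTHER_LEAF]` because `OTHER_LEAF` really is anchored; `validate_chain` rejects it because `OTHER_LEAF` carries no cA flag.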