https://bugzilla.redhat.com/show_bug.cgi?id=1308851
Bug ID: 1308851
Summary: okhttp: certificate pinning bypass
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: gerard@ryan.lt, java-sig-commits@lists.fedoraproject.org, mizdebsk@redhat.com
A vulnerability was discovered in OkHttp that allows an attacker to bypass certificate pinning. OkHttp compared the configured pins against the certificate chain exactly as the server presented it, and did not validate that the pinned certificate actually lay on the chain from the leaf to a trusted certificate authority. A server holding any certificate issued by a CA the client trusts could therefore append the (public) pinned certificate to its chain, where it signs nothing, and still satisfy the pin check.
External reference:
https://publicobject.com/2016/02/11/okhttp-certificate-pinning-vulnerability...
CVE request:
http://seclists.org/oss-sec/2016/q1/308
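The following is an added illustration of the flaw described above and is not OkHttp's own code. Certificates are modelled as plain records: `spki` stands in for the DER-encoded SubjectPublicKeyInfo that OkHttp hashes for a `sha256/...` pin, and `signed_by` stands in for a real signature check (in production, `X509Certificate.verify(issuerPublicKey)`). All names, keys and the sample chains are constructed for the example. The vulnerable check matches pins against the chain as sent; the fixed check first rebuilds the chain from the leaf to a trusted root and only then looks for a pinned certificate on that path, which is what dropping the unvalidated chain amounts to.

```python
"""Added example (not from OkHttp): pinning on the peer chain vs. the cleaned chain."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    spki: str       # stand-in for the SubjectPublicKeyInfo bytes (hypothetical key id)
    signed_by: str  # spki of the key whose signature verifies on this cert (models verify())


def pin_of(cert: Cert) -> str:
    """Pin in OkHttp's form: sha256 over the SubjectPublicKeyInfo, base64-encoded."""
    digest = hashlib.sha256(cert.spki.encode()).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def clean_chain(peer_chain, trusted_roots):
    """Rebuild the path from the leaf to a trusted root by following signatures only.

    Certificates the server sent that are not on that path are dropped, and the
    order the server used is ignored. Raises ValueError if no trusted path exists.
    """
    by_spki = {c.spki: c for c in peer_chain}
    roots = {r.spki: r for r in trusted_roots}
    current = peer_chain[0]
    result = [current]
    seen = {current.spki}
    for _ in range(len(peer_chain) + 1):
        if current.spki in roots:              # server sent the trusted root itself
            return result
        if current.signed_by in roots:         # signed directly by a trust anchor
            result.append(roots[current.signed_by])
            return result
        issuer = by_spki.get(current.signed_by)
        if issuer is None or issuer.spki in seen:
            break                              # dangling or looping chain
        seen.add(issuer.spki)
        result.append(issuer)
        current = issuer
    raise ValueError("no path from the leaf to a trusted root")


def pins_ok_vulnerable(pins, peer_chain):
    """Behaviour before the fix: any certificate the server sent may satisfy a pin."""
    return any(pin_of(c) in pins for c in peer_chain)


def pins_ok_fixed(pins, peer_chain, trusted_roots):
    """Behaviour after the fix: only certificates on the validated path may satisfy a pin."""
    try:
        chain = clean_chain(peer_chain, trusted_roots)
    except ValueError:
        return False
    return any(pin_of(c) in pins for c in chain)


# Constructed sample PKI (hypothetical names and key ids).
REAL_ROOT = Cert("Real Root CA", "key-real-root", "key-real-root")
REAL_INT = Cert("Real Intermediate CA", "key-real-int", "key-real-root")
REAL_LEAF = Cert("example.test", "key-real-leaf", "key-real-int")
OTHER_ROOT = Cert("Other Trusted CA", "key-other-root", "key-other-root")
ATTACKER_LEAF = Cert("example.test", "key-attacker", "key-other-root")  # issued by a CA the client trusts

TRUSTED = [REAL_ROOT, OTHER_ROOT]
PINS = {pin_of(REAL_INT)}            # the app pins the site's intermediate

LEGIT_CHAIN = [REAL_LEAF, REAL_INT]
# The attacker's chain: a valid cert from another trusted CA, plus the pinned
# intermediate tacked on the end even though it signs nothing here.
MITM_CHAIN = [ATTACKER_LEAF, REAL_INT]


def demo():
    """Outcome of both checks on the legitimate and the attacker-supplied chain."""
    return {
        "legit_vulnerable": pins_ok_vulnerable(PINS, LEGIT_CHAIN),
        "legit_fixed": pins_ok_fixed(PINS, LEGIT_CHAIN, TRUSTED),
        "mitm_vulnerable": pins_ok_vulnerable(PINS, MITM_CHAIN),
        "mitm_fixed": pins_ok_fixed(PINS, MITM_CHAIN, TRUSTED),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pin matched' if ok else 'pin failed'}")
```

The `mitm_*` results are the point: the pre-fix check accepts the attacker's chain because the pinned intermediate appears in it, while the fixed check rebuilds the path `ATTACKER_LEAF -> OTHER_ROOT`, finds no pinned certificate on it, and rejects the connection. The same cleaning step also makes the check independent of the order the server sends its certificates in.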
Andrej Nemec <anemec@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends On|                            |1308853
--- Comment #1 from Andrej Nemec <anemec@redhat.com> ---
Created okhttp tracking bugs for this issue:
Affects: fedora-all [bug 1308853]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1308853 [Bug 1308853] okhttp: certificate pinning bypass [fedora-all]
Andrej Nemec <anemec@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Alias|                            |CVE-2016-2402
Andrej Nemec <anemec@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|okhttp: certificate pinning |CVE-2016-2402 okhttp:
                   |bypass                      |certificate pinning bypass
--- Comment #2 from Andrej Nemec <anemec@redhat.com> ---
CVE assignment:
http://seclists.org/oss-sec/2016/q1/370
--- Comment #3 from Fedora Update System <updates@fedoraproject.org> ---
okhttp-2.7.4-1.fc23, okio-1.6.0-1.fc23 have been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1308851 depends on bug 1308853, which changed state.

Bug 1308853 Summary: CVE-2016-2402 okhttp: certificate pinning bypass [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1308853

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ON_QA                       |CLOSED
         Resolution|---                         |ERRATA