| Summary: | smack new security issues CVE-2014-5075 and CVE-2014-0363 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | herman.viaene, mageia, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/610410/ | ||
| Whiteboard: | advisory MGA4-32-OK MGA4-64-OK | ||
| Source RPM: | smack-3.2.2-4.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-09-02 20:47:33 CEST
David Walser
2014-09-02 20:47:41 CEST
Whiteboard:
(none) =>
MGA4TOO Dropped from cauldron. Whiteboard:
MGA4TOO =>
(none) Fedora has issued an advisory on December 6: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html This fixes an additional security issue, from this commit: http://pkgs.fedoraproject.org/cgit/smack.git/commit/?id=48915f05037f5c246878f9b6a6fab78bfcd6c86f Summary:
smack new security issue CVE-2014-5075 =>
smack new security issues CVE-2014-5075 and CVE-2014-0363 LWN reference for CVE-2014-0363: http://lwn.net/Vulnerabilities/626432/ Still gone from Cauldron for now (thankfully). Patches from Fedora added and re-synced with Fedora 20 in Mageia 4 SVN. Patched package uploaded for Mageia 4. Verifying that the updated packages install cleanly is sufficient for testing this update. Advisory: ======================== Updated smack packages fixes security vulnerability: The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain (CVE-2014-0363). The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate (CVE-2014-5075). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5075 https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137233.html https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html ======================== Updated package in core/updates_testing: ======================== smack-3.2.2-4.1.mga4 smack-javadoc-3.2.2-4.1.mga4 from smack-3.2.2-4.1.mga4.src.rpm Assignee:
dmorganec =>
qa-bugs MGA4-64 on HP Probook 6555b No installation issues. CC:
(none) =>
herman.viaene MGA4-32 on Acer D620 Xfce. No installation issues. Whiteboard:
MGA4-64-OK =>
MGA4-32-OK MGA4-64-OK Validating. Advisory uploaded. Please push to updates Thanks Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0548.html Resolution:
(none) =>
FIXED |