Bug 15887

Summary: async-http-client new security issues CVE-2013-7397 and CVE-2013-7398
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: sysadmin-bugs
Version: 4
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/643697/
Whiteboard: has_procedure advisory mga4-32-ok mga4-64-ok
Source RPM: async-http-client-1.7.19-1.mga4.src.rpm
CVE:
Status comment:

Description David Walser 2015-05-08 19:11:27 CEST
Fedora has issued an advisory on April 26:
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157337.html

Updated and patched (resynced with Fedora 20) package uploaded for Mageia 4.

Advisory:
========================

Updated async-http-client packages fix security vulnerabilities:

It was found that async-http-client would disable SSL/TLS certificate
verification under certain conditions, for example if HTTPS communication also
uses client certificates. This can be exploited by a Man-in-the-middle (MITM)
attack where the attacker can spoof a valid certificate (CVE-2013-7397).

It was found that async-http-client did not verify that the server hostname
matched the domain name in the subject's Common Name (CN) or subjectAltName
field in X.509 certificates. This could allow a man-in-the-middle attacker to
spoof an SSL server if they had a certificate that was valid for any domain
name (CVE-2013-7398).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7398
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157337.html
========================

Updated packages in core/updates_testing:
========================
async-http-client-1.7.22-1.mga4
async-http-client-javadoc-1.7.22-1.mga4

from async-http-client-1.7.22-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
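The check that CVE-2013-7398 says the client omitted is hostname verification: after the certificate chain validates, the name the client connected to must also appear in the certificate's subjectAltName (or, only when no DNS SAN is present, its Common Name). The following is an added, stand-alone illustration of that check written for this page; it is not async-http-client code and is in Python rather than Java so the logic can be read and run on its own. The certificate dictionaries are constructed by hand to mimic the layout Python's ssl.getpeercert() returns and do not describe any real server.

```python
"""Hostname verification of the kind CVE-2013-7398 describes as missing.

Constructed example: the certificate data below follows the dict layout of
Python's ssl.SSLSocket.getpeercert(), but is hand-written, not captured from
a real server, and is unrelated to the async-http-client source.
"""


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname.

    Wildcard handling follows RFC 6125 section 6.4.3: a single '*' is allowed
    only as the complete leftmost label and never matches across a dot, so
    '*.example.com' matches 'api.example.com' but not 'a.b.example.com',
    'example.com', or anything when the pattern is just '*' or '*.com'.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject '*', '*.com', partial wildcards like 'f*o.example.com',
    # and wildcards anywhere but the leftmost label.
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def certificate_dns_names(cert: dict) -> list[str]:
    """Return the DNS names a certificate asserts.

    subjectAltName dNSName entries take precedence; the subject Common Name is
    consulted only when the certificate carries no DNS SAN at all, which is
    the fallback order RFC 6125 prescribes.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the peer certificate is valid for the hostname we connected to."""
    return any(_dns_name_match(name, hostname) for name in certificate_dns_names(cert))


# Constructed test certificates (not real issuances).
WILDCARD_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# CN names example.com, but the SAN names a different host: the SAN wins.
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "static.example.net"),),
}
# Legacy certificate with no SAN; CN is the only name available.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.org"),),)}


def demo() -> dict[str, bool]:
    """Run the verifier over the constructed certificates and a few hostnames."""
    return {
        "wildcard accepts api.example.com": hostname_matches(WILDCARD_CERT, "api.example.com"),
        "wildcard rejects a.b.example.com": hostname_matches(WILDCARD_CERT, "a.b.example.com"),
        "san overrides cn for example.com": hostname_matches(SAN_OVERRIDES_CN_CERT, "example.com"),
        "cn fallback accepts legacy host": hostname_matches(CN_ONLY_CERT, "Legacy.Example.ORG"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

A client that skips this step accepts any certificate chaining to a trusted CA regardless of whose name it carries, which is exactly the spoofing scenario the advisory describes; the check belongs after chain validation, on every TLS connection, with no configuration path that disables it.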
Comment 1 David Walser 2015-05-11 15:06:27 CEST
Please just verify that the updated packages install cleanly.

Whiteboard: (none) => has_procedure

claire robinson 2015-05-11 15:08:40 CEST

Whiteboard: has_procedure => has_procedure mga4-32-ok

Comment 2 claire robinson 2015-05-11 17:37:08 CEST
Testing complete mga4 64

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2015-05-11 22:11:47 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0212.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED