Fedora has issued an advisory on August 23: https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137233.html Mageia 4 is also affected. They fixed it in this commit: http://pkgs.fedoraproject.org/cgit/smack.git/commit/?id=b16cc9479639845fcc6511762dd4b2768fc4584c Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
Dropped from cauldron.
Whiteboard: MGA4TOO => (none)Version: Cauldron => 4CC: (none) => mageia
Fedora has issued an advisory on December 6: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html This fixes an additional security issue, from this commit: http://pkgs.fedoraproject.org/cgit/smack.git/commit/?id=48915f05037f5c246878f9b6a6fab78bfcd6c86f
Summary: smack new security issue CVE-2014-5075 => smack new security issues CVE-2014-5075 and CVE-2014-0363
LWN reference for CVE-2014-0363: http://lwn.net/Vulnerabilities/626432/
Still gone from Cauldron for now (thankfully). Patches from Fedora added and re-synced with Fedora 20 in Mageia 4 SVN.
Patched package uploaded for Mageia 4. Verifying that the updated packages install cleanly is sufficient for testing this update. Advisory: ======================== Updated smack packages fixes security vulnerability: The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain (CVE-2014-0363). The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate (CVE-2014-5075). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5075 https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137233.html https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html ======================== Updated package in core/updates_testing: ======================== smack-3.2.2-4.1.mga4 smack-javadoc-3.2.2-4.1.mga4 from smack-3.2.2-4.1.mga4.src.rpm
Assignee: dmorganec => qa-bugs
MGA4-64 on HP Probook 6555b No installation issues.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA4-64-OK
MGA4-32 on Acer D620 Xfce. No installation issues.
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0548.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED