Fedora has issued an advisory on April 26: https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157337.html

Updated and patched (resynced with Fedora 20) package uploaded for Mageia 4.

Advisory:
========================

Updated async-http-client packages fix security vulnerabilities:

It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also uses client certificates. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate (CVE-2013-7397).

It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name (CVE-2013-7398).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7398
https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157337.html
========================

Updated packages in core/updates_testing:
========================

async-http-client-1.7.22-1.mga4
async-http-client-javadoc-1.7.22-1.mga4

from async-http-client-1.7.22-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Please just verify that the updated packages install cleanly.
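The two CVEs in the advisory above come down to two checks a TLS client must never skip: the server certificate must be validated against a trust store even when a client certificate is also configured (CVE-2013-7397), and the requested hostname must match a dNSName in subjectAltName, falling back to the subject CN only when no dNSName entries exist (CVE-2013-7398). The block below is an added illustration of both checks, not code from async-http-client or from the Mageia update; it is written in Python against the standard ssl module so it runs stand-alone, and the certificate dictionaries are constructed samples in the shape that `ssl.SSLSocket.getpeercert()` returns, not real certificates.

```python
"""Illustration of the two TLS client checks the advisory describes (added example).

hostname_matches_cert() implements RFC 6125 style name matching: dNSName SAN entries
are authoritative; the subject CN is consulted only when the certificate carries no
dNSName SAN at all; a wildcard is honoured only as the whole leftmost label.
verification_enabled() is the audit a reviewer would run on a client's SSLContext to
confirm that configuring a client certificate did not silently turn verification off.
"""
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the requested hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard must be the
    entire leftmost label, must not be the only label before the public part (so
    "*.com" is rejected), and matches exactly one label ("*.example.com" does not
    match "a.b.example.com" or "example.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True iff hostname is covered by the certificate's names.

    `cert` uses the getpeercert() layout: 'subjectAltName' is a tuple of (type, value)
    pairs and 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    """
    san_dns = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        # SAN present: CN must be ignored entirely, even if it would have matched.
        return any(_dns_name_matches(name, hostname) for name in san_dns)
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """Audit check: chain validation required AND hostname checking on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def client_context() -> ssl.SSLContext:
    """Baseline client context; create_default_context() enables both checks.

    Loading a client certificate (ctx.load_cert_chain(...)) must leave these settings
    untouched; the CVE-2013-7397 failure mode is exactly a client that dropped them.
    """
    return ssl.create_default_context()


# Constructed sample certificates (not real), in getpeercert() layout.
SAN_CERT = {
    "subject": ((("commonName", "decoy.example.net"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
LEGACY_CN_CERT = {
    "subject": ((("countryName", "FR"),), (("commonName", "legacy.example.org"),)),
}


def demo() -> dict:
    """Run the checks over the constructed samples and return the verdicts."""
    return {
        "san_exact": hostname_matches_cert(SAN_CERT, "www.example.com"),
        "san_ignores_cn": hostname_matches_cert(SAN_CERT, "decoy.example.net"),
        "wildcard_one_label": hostname_matches_cert(WILDCARD_CERT, "api.example.com"),
        "wildcard_not_apex": hostname_matches_cert(WILDCARD_CERT, "example.com"),
        "wildcard_not_deep": hostname_matches_cert(WILDCARD_CERT, "a.b.example.com"),
        "cn_fallback": hostname_matches_cert(LEGACY_CN_CERT, "LEGACY.example.org."),
        "context_verifies": verification_enabled(client_context()),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `san_ignores_cn` case is the one that separates a correct implementation from a sloppy one: a certificate whose SAN names a different host must not be accepted for the CN just because the CN happens to match.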
Whiteboard: (none) => has_procedure
Whiteboard: has_procedure => has_procedure mga4-32-ok
Testing complete mga4 64. Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-32-ok => has_procedure advisory mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0212.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED