Advisories ยป MGASA-2014-0548

Updated smack packages fix security vulnerabilities

Publication date: 26 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-0363 , CVE-2014-5075

Description

Updated smack packages fix security vulnerabilities:

The ServerTrustManager component in the Ignite Realtime Smack XMPP API
before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in
X.509 certificate chains from SSL servers, which allows man-in-the-middle
attackers to spoof servers and obtain sensitive information via a crafted
certificate chain (CVE-2014-0363).

The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a
custom SSLContext is used, does not verify that the server hostname matches
a domain name in the subject's Common Name (CN) or subjectAltName field of
the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL
servers via an arbitrary valid certificate (CVE-2014-5075).
                

References

SRPMS

4/core