Advisories » MGASA-2015-0212

Updated async-http-client packages fix security vulnerabilities

Publication date: 11 May 2015
Modification date: 11 May 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2013-7397 , CVE-2013-7398

Description

Updated async-http-client packages fix security vulnerabilities:

It was found that async-http-client would disable SSL/TLS certificate
verification under certain conditions, for example if HTTPS communication also
uses client certificates. This can be exploited by a Man-in-the-middle (MITM)
attack where the attacker can spoof a valid certificate (CVE-2013-7397).

It was found that async-http-client did not verify that the server hostname
matched the domain name in the subject's Common Name (CN) or subjectAltName
field in X.509 certificates. This could allow a man-in-the-middle attacker to
spoof an SSL server if they had a certificate that was valid for any domain
name (CVE-2013-7398).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=15887
• https://lists.fedoraproject.org/pipermail/package-announce/2015-May/157337.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7397
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7398

SRPMS

4/core

• async-http-client-1.7.22-1.mga4