Updated smack packages fix security vulnerabilities
Publication date: 26 Dec 2014Modification date: 26 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-0363 , CVE-2014-5075
Description
Updated smack packages fix security vulnerabilities:
The ServerTrustManager component in the Ignite Realtime Smack XMPP API
before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in
X.509 certificate chains from SSL servers, which allows man-in-the-middle
attackers to spoof servers and obtain sensitive information via a crafted
certificate chain (CVE-2014-0363).
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a
custom SSLContext is used, does not verify that the server hostname matches
a domain name in the subject's Common Name (CN) or subjectAltName field of
the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL
servers via an arbitrary valid certificate (CVE-2014-5075).
References
- https://bugs.mageia.org/show_bug.cgi?id=14040
- https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137233.html
- https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5075
SRPMS
4/core
- smack-3.2.2-4.1.mga4