Updated smack packages fix security vulnerabilities
Publication date: 26 Dec 2014Modification date: 26 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-0363 , CVE-2014-5075
Description
Updated smack packages fix security vulnerabilities: The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain (CVE-2014-0363). The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate (CVE-2014-5075).
References
- https://bugs.mageia.org/show_bug.cgi?id=14040
- https://lists.fedoraproject.org/pipermail/package-announce/2014-September/137233.html
- https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146206.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5075
SRPMS
4/core
- smack-3.2.2-4.1.mga4