Lucene search

K
mageiaGentoo FoundationMGASA-2014-0557
HistoryDec 31, 2014 - 3:28 p.m.

Updated cxf packages fix security vulnerabilities

2014-12-3115:28:04
Gentoo Foundation
advisories.mageia.org
11

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.018 Low

EPSS

Percentile

87.9%

Updated cxf packages fix security vulnerabilities: An Apache CXF JAX-RS service can process SAML tokens received in the authorization header of a request via the SamlHeaderInHandler. However it is possible to cause an infinite loop in the parsing of this header by passing certain bad values for the header, leading to a Denial of Service attack on the service (CVE-2014-3584). Apache CXF is vulnerable to a possible SSL hostname verification bypass, due to a flaw in comparing the server hostname to the domain name in the Subject’s DN field. A Man In The Middle attack can exploit this vulnerability by using a specially crafted Subject DN to spoof a valid certificate (CVE-2014-3577).

OSVersionArchitecturePackageVersionFilename
Mageia4noarchcxf< 2.7.5-3.1cxf-2.7.5-3.1.mga4

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.018 Low

EPSS

Percentile

87.9%