Lucene search

Gentoo FoundationMGASA-2015-0212

HistoryMay 11, 2015 - 11:10 p.m.

Updated async-http-client packages fix security vulnerabilities

2015-05-1123:10:38

Gentoo Foundation

advisories.mageia.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.5%

JSON

Updated async-http-client packages fix security vulnerabilities: It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also uses client certificates. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate (CVE-2013-7397). It was found that async-http-client did not verify that the server hostname matched the domain name in the subject’s Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name (CVE-2013-7398).

OSVersionArchitecturePackageVersionFilename
Mageia4noarchasync-http-client< 1.7.22-1async-http-client-1.7.22-1.mga4

OS	Version	Architecture	Package	Version	Filename
Mageia	4	noarch	async-http-client	< 1.7.22-1	async-http-client-1.7.22-1.mga4

References

bugs.mageia.org/show_bug.cgi?id=15887

lists.fedoraproject.org/pipermail/package-announce/2015-May/157337.html

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

69.5%

JSON

Related for MGASA-2015-0212