MGASA-2015-0212

Source
https://advisories.mageia.org/MGASA-2015-0212.html
Import Source
https://advisories.mageia.org/MGASA-2015-0212.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2015-0212
Published
2015-05-11T20:10:38Z
Modified
2015-05-11T19:59:21Z
Summary
Updated async-http-client packages fix security vulnerabilities
Details

Updated async-http-client packages fix security vulnerabilities:

It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also uses client certificates. This can be exploited in a man-in-the-middle (MITM) attack in which the attacker spoofs a valid certificate (CVE-2013-7397).

It was found that async-http-client did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name (CVE-2013-7398).

Affected packages

Mageia:4 / async-http-client

Package

Name
async-http-client
Purl
pkg:rpm/mageia/async-http-client?arch=source&distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.7.22-1.mga4

Ecosystem specific

{
    "section": "core"
}