Bug 1127276 (CVE-2014-5075)
Summary: | CVE-2014-5075 smack: MitM vulnerability | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | brms-jira, chazlett, grocha, java-sig-commits, pavelp, tkirby, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | smack-core 4.0.2, smack-tcp 4.0.2, smack 4.0.2 | Doc Type: | Bug Fix |
Doc Text: | It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control. | | |
Last Closed: | 2016-01-21 21:04:49 UTC | Type: | --- |
Bug Depends On: | 1127277 | | |
Bug Blocks: | 1127281, 1232965 | | |
Description
Vasyl Kaigorodov
2014-08-06 14:07:38 UTC
Created smack tracking bugs for this issue:

Affects: fedora-all [bug 1127277]

References: http://seclists.org/bugtraq/2014/Aug/29
Upstream Issue: https://igniterealtime.org/issues/browse/SMACK-586
Upstream Commits: http://fisheye.igniterealtime.org/changelog/smackgit?cs=057d00c9de04d576db40c4f2525a74dace9580b4

smack-3.2.2-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html