Bug 1584893 (CVE-2016-10659)

Summary: CVE-2016-10659 poco: MITM due to resources download over HTTP
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: francis.andre.kampbell, swt
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-01-29 01:22:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1584894, 1584895

Description Laura Pardo 2018-05-31 21:27:58 UTC
A flaw was found in the POCO libraries: source file resources used for compilation are downloaded over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested resources with an attacker-controlled copy if the attacker is on the network or positioned in between the user and the remote server.


References:
https://nodesecurity.io/advisories/271
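The mitigation for the flaw class described in this report is to fetch build-time resources only over TLS and to pin their digest in the build script. The following is an added illustration, not code from POCO or from the advisory; the URL, resource bytes and the `fetch` callback are constructed placeholders.

```python
import hashlib
import hmac
import urllib.request
from urllib.parse import urlparse


class InsecureDownload(Exception):
    """Raised when a fetch would violate the transport or integrity policy."""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used to pin the expected digest."""
    return hashlib.sha256(data).hexdigest()


def _network_fetch(url: str) -> bytes:
    # Default fetcher: a real HTTPS request. Tests inject an offline callable instead.
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def fetch_verified(url: str, expected_sha256: str, fetch=_network_fetch) -> bytes:
    """Download a build resource only over TLS and only if its SHA-256 matches.

    Refusing plain http:// removes the on-path tampering opportunity, and the pinned
    digest rejects a swapped copy even if the transport were somehow downgraded.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise InsecureDownload(f"refusing non-TLS transport for {url!r}")
    data = fetch(url)
    actual = sha256_hex(data)
    # Constant-time comparison so the check does not leak digest prefixes via timing.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise InsecureDownload(f"digest mismatch for {url!r}: got {actual}")
    return data


def download_status(url: str, expected_sha256: str, fetch=_network_fetch) -> str:
    """Summarise the policy outcome as 'ok', 'insecure-transport' or 'integrity-mismatch'."""
    try:
        fetch_verified(url, expected_sha256, fetch)
        return "ok"
    except InsecureDownload as exc:
        return "insecure-transport" if "non-TLS" in str(exc) else "integrity-mismatch"


if __name__ == "__main__":
    # Constructed offline demonstration: a fake server returning pinned bytes.
    resource = b"constructed tarball bytes"
    pinned = sha256_hex(resource)
    print(download_status("http://example.invalid/src.tgz", pinned, lambda u: resource))
    print(download_status("https://example.invalid/src.tgz", pinned, lambda u: b"tampered"))
    print(download_status("https://example.invalid/src.tgz", pinned, lambda u: resource))
```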

Comment 1 Laura Pardo 2018-05-31 21:28:20 UTC
Created poco tracking bugs for this issue:

Affects: epel-all [bug 1584894]
Affects: fedora-all [bug 1584895]

Comment 2 Scott Talbert 2018-06-11 00:53:43 UTC
I believe this can be closed out as the CVE doesn't apply to the Fedora/EPEL packages, but to a Node package of poco.

Comment 3 Scott Talbert 2019-01-29 01:22:34 UTC
Closing as this does not apply to the Fedora/EPEL packages.