| Summary: | <dev-libs/poco-1.4.6_p4: "Poco::Net::X509Certificate::verify()" Wildcard Certificate Verification (CVE-2014-0350) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | cpp+disabled, hasufell, tommy |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://secunia.com/advisories/58177/ | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Agostino Sarubbo 2014-04-25 20:04:12 UTC

CVE-2014-0350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0350): The Poco::Net::X509Certificate::verify method in the NetSSL library in POCO C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL servers via crafted DNS PTR records that are requested during comparison of a server name to a wildcard domain name in an X.509 certificate.

Seems like I missed this one, added version 1.4.6_p4 to the main tree now. Since this looks like a bugfix release only, should be fine to quick-stabilize.

Arches, please test and mark stable:
=dev-libs/poco-1.4.6_p4
Target Keywords : "amd64 arm x86"
Thank you!

amd64 stable

x86 stable

(In reply to Agostino Sarubbo from comment #4)
> amd64 stable

I suggest testing packages at least once with all USE flags enabled and all USE flags disabled where that can reasonably be done, because the package does not build with odbc on stable arch.

+ 05 Jan 2015; Julian Ospald <hasufell@gentoo.org> files/1.4.6_p4-gentoo.patch:
+ fix broken patch

arm stable, all arches done.

Guys, thanks for your work!

GLSA vote: no

GLSA Vote: No

Setting bug to noglsa. Maintainer(s), please drop the vulnerable version(s).

all versions <dev-libs/poco-1.4.6_p4 have been removed

Maintainer(s), Thank you for cleanup! Closing noglsa.
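The CVE description above concerns how a client compares the server name it intended to reach against a wildcard name in the certificate; the flaw was that the comparison involved DNS PTR lookups, which an on-path attacker can control. The following is an added example, not POCO's code and not part of this bug, showing the defensive shape of that comparison: the hostname taken from the URL or SNI is matched directly against the certificate's dNSName entries with RFC 6125-style wildcard rules and no reverse DNS at all. The function names `hostnameMatches` and `certificateCoversHost` and the sample names are assumptions for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Lower-case a DNS name for case-insensitive comparison (DNS names are ASCII).
static std::string toLowerAscii(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split "a.b.c" into {"a", "b", "c"}; an empty label signals a malformed name.
static std::vector<std::string> splitLabels(const std::string& name) {
    std::vector<std::string> labels;
    std::string current;
    for (char c : name) {
        if (c == '.') { labels.push_back(current); current.clear(); }
        else          { current += c; }
    }
    labels.push_back(current);
    return labels;
}

// Does certificate name `pattern` (a dNSName or CN) cover `host`?
// `host` must be the name the client *intended* to connect to (URL/SNI),
// never a name obtained by reverse DNS of the peer address: the certificate
// is what binds the name to the key, so the name must not come from the network.
// Wildcard rules (RFC 6125 style): only a whole leftmost label may be "*",
// it matches exactly one label, and it never matches an IP-address literal.
bool hostnameMatches(const std::string& pattern, const std::string& host) {
    const std::string p = toLowerAscii(pattern);
    const std::string h = toLowerAscii(host);
    if (p.empty() || h.empty() || h.find('*') != std::string::npos) return false;
    if (p == h) return true;                       // exact match, no wildcard logic

    // A host that is all digits and dots is an IPv4 literal; wildcards never apply.
    const bool ipLiteral = std::all_of(h.begin(), h.end(), [](unsigned char c) {
        return std::isdigit(c) || c == '.';
    });
    if (ipLiteral) return false;

    const std::vector<std::string> pl = splitLabels(p);
    const std::vector<std::string> hl = splitLabels(h);
    // Need "*.<something>.<tld>" at least, and the same number of labels on both sides,
    // so "*.com" is rejected and "*.example.com" does not cover "a.b.example.com".
    if (pl.size() < 3 || pl.size() != hl.size()) return false;
    if (pl[0] != "*" || hl[0].empty()) return false;   // partial wildcards like "w*" are rejected
    for (std::size_t i = 1; i < pl.size(); ++i) {
        if (pl[i].empty() || pl[i].find('*') != std::string::npos) return false;
        if (pl[i] != hl[i]) return false;
    }
    return true;
}

// Check `host` against every dNSName the certificate carries (constructed list in tests).
bool certificateCoversHost(const std::vector<std::string>& dnsNames, const std::string& host) {
    for (const std::string& name : dnsNames) {
        if (hostnameMatches(name, host)) return true;
    }
    return false;
}
```

In a real verifier the `dnsNames` list would be filled from the certificate's subjectAltName extension (falling back to the CN only when no dNSName entries exist), and the result would be combined with the chain validation the TLS library already performs; the point of the example is only that the name under comparison comes from the caller, not from a DNS response.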