Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 881181 (CVE-2022-45197)

Summary: <dev-python/slixmpp-1.8.3: missing certificate hostname validation
Product: Gentoo Security Reporter: Florian Schmaus <flow>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: flow, mgorny, python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://lab.louiz.org/poezio/slixmpp/-/commit/b60b1b985db928532f97c4f61d6fbc801f0aa7fa
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 881211    
Bug Blocks:    

Description Florian Schmaus gentoo-dev 2022-11-13 10:45:30 UTC 
slixmpp < 1.8.3 does not validate the hostname in X.509 certificates.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-13 11:06:30 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cfed4940a901879b99a287b9ab781a7061bec7f5

commit cfed4940a901879b99a287b9ab781a7061bec7f5
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-11-13 11:06:07 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-11-13 11:06:21 +0000

    dev-python/slixmpp: add 1.8.3
    
    Bug: https://bugs.gentoo.org/881181
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-python/slixmpp/Manifest             |  1 +
 dev-python/slixmpp/slixmpp-1.8.3.ebuild | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 03:37:42 UTC 
cleanup done
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 05:17:59 UTC 
Thanks both! Florian, do you think we should GLSA?
Comment 4 Florian Schmaus gentoo-dev 2022-11-14 07:22:36 UTC 
> Florian, do you think we should GLSA?

Yes, I believe the severity of the issue would justify an GLSA.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 16:33:50 UTC 
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2023-05-03 09:54:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6f987355d399e46bce92bf271bd9b94ff1a3e454

commit 6f987355d399e46bce92bf271bd9b94ff1a3e454
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:47:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:54:22 +0000

    [ GLSA 202305-07 ] slixmpp: Insufficient Certificate Validation
    
    Bug: https://bugs.gentoo.org/881181
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)