Bug 508720 (CVE-2014-0350) - <dev-libs/poco-1.4.6_p4: "Poco::Net::X509Certificate::verify()" Wildcard Certificate Verification (CVE-2014-0350)
Summary: <dev-libs/poco-1.4.6_p4: "Poco::Net::X509Certificate::verify()" Wildcard Cert...
Status: RESOLVED FIXED
Alias: CVE-2014-0350
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/58177/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-25 20:04 UTC by Agostino Sarubbo
Modified: 2015-01-17 17:31 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2014-04-25 20:04:12 UTC
From ${URL} :

Description

A security issue has been reported in POCO C++ Libraries, which can be exploited by malicious people to conduct spoofing attacks.

The security issue is caused due to an error within the "Poco::Net::X509Certificate::verify()" function when verifying SSL certificates containing wildcard characters. This can be exploited to e.g. spoof a server and conduct a Man-in-the-Middle (MitM) attack.

The security issue is reported in versions 1.4.6p2 and prior.


Solution:
Update to version 1.4.6p4.

Provided and/or discovered by:
US-CERT credits Tuomas Siren and Alexander Berezhnoy.

Original Advisory:
POCO:
https://raw.github.com/pocoproject/poco/poco-1.4.6p4-release/CHANGELOG

US-CERT (VU#118748):
http://www.kb.cert.org/vuls/id/118748


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 23:22:33 UTC
CVE-2014-0350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0350):
  The Poco::Net::X509Certificate::verify method in the NetSSL library in POCO
  C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL
  servers via crafted DNS PTR records that are requested during comparison of
  a server name to a wildcard domain name in an X.509 certificate.
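The comparison step the CVE description refers to is one where no DNS query should ever take place: matching a connected-to host name against a certificate's wildcard name is a string operation. As an added example (not POCO's code; the function names are assumed), this is a purely lexical wildcard matcher in the RFC 6125 style, so reverse DNS cannot influence the result:

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Split a DNS name into lower-cased labels; a single trailing dot (FQDN form) is ignored.
static std::vector<std::string> splitLabels(std::string name) {
    if (!name.empty() && name.back() == '.') name.pop_back();
    std::vector<std::string> labels;
    std::string cur;
    for (char c : name) {
        if (c == '.') { labels.push_back(cur); cur.clear(); }
        else cur.push_back(static_cast<char>(std::tolower(static_cast<unsigned char>(c))));
    }
    labels.push_back(cur);
    return labels;
}

// True if `pattern` (a dNSName from the certificate, possibly "*.example.com")
// matches `host` (the name the client connected to). Purely lexical: no DNS.
bool matchHostname(const std::string& pattern, const std::string& host) {
    std::vector<std::string> p = splitLabels(pattern);
    std::vector<std::string> h = splitLabels(host);
    // A wildcard covers exactly one label, so label counts must be equal:
    // "*.example.com" matches neither "a.b.example.com" nor "example.com".
    if (p.empty() || p.size() != h.size()) return false;
    for (size_t i = 0; i < p.size(); ++i) {
        if (i == 0 && p[i] == "*") {
            // Wildcard must be the whole leftmost label, must cover a non-empty
            // host label, and needs at least two labels after it ("*.com" is refused).
            if (p.size() < 3 || h[0].empty()) return false;
            continue;
        }
        // Partial ("f*.example.com") or non-leading ("www.*.com") wildcards are rejected.
        if (p[i].find('*') != std::string::npos) return false;
        if (p[i] != h[i]) return false;
    }
    return true;
}

int main() {
    std::cout << matchHostname("*.example.com", "www.example.com") << '\n';   // 1
    std::cout << matchHostname("*.example.com", "a.b.example.com") << '\n';   // 0
    std::cout << matchHostname("*.com", "example.com") << '\n';               // 0
    return 0;
}
```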
Comment 2 Thomas Sachau gentoo-dev 2014-12-29 13:14:48 UTC
Seems like I missed this one, added version 1.4.6_p4 to the main tree now. Since this looks like a bugfix release only, should be fine to quick-stabilize
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-12-31 14:32:13 UTC
Arches, please test and mark stable:

=dev-libs/poco-1.4.6_p4

Target Keywords : "amd64 arm x86"

Thank you!
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-02 13:40:04 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-01-02 13:48:24 UTC
x86 stable
Comment 6 Julian Ospald 2015-01-05 02:16:48 UTC
(In reply to Agostino Sarubbo from comment #4)
> amd64 stable

I suggest testing packages at least once with all USE flags enabled and all USE flags disabled where that can be reasonably done.

Because the package does not build with odbc on stable arch.


+  05 Jan 2015; Julian Ospald <hasufell@gentoo.org> files/1.4.6_p4-gentoo.patch:
+  fix broken patch
Comment 7 Markus Meier gentoo-dev 2015-01-08 20:41:22 UTC
arm stable, all arches done.
Comment 8 Sergey Popov gentoo-dev 2015-01-10 18:14:13 UTC
Guys, thanks for your work!

GLSA vote: no
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-01-15 23:07:40 UTC
GLSA Vote: No
Setting bug to noglsa.

Maintainer(s), please drop the vulnerable version(s).
Comment 10 Thomas Sachau gentoo-dev 2015-01-16 16:24:05 UTC
all versions <dev-libs/poco-1.4.6_p4 have been removed
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-01-17 17:31:29 UTC
Maintainer(s), thank you for the cleanup!

Closing noglsa.