From ${URL} : Description A security issue has been reported in POCO C++ Libraries, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to an error within the "Poco::Net::X509Certificate::verify()" function when verifying SSL certificates containing wildcard characters. This can be exploited to e.g. spoof a server and conduct a Man-in-the-Middle (MitM) attack. The security issue is reported in versions 1.4.6p2 and prior. Solution: Update to version 1.4.6p4. Provided and/or discovered by: US-CERT credits Tuomas Siren and Alexander Berezhnoy. Original Advisory: POCO: https://raw.github.com/pocoproject/poco/poco-1.4.6p4-release/CHANGELOG US-CERT (VU#118748): http://www.kb.cert.org/vuls/id/118748 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-0350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0350): The Poco::Net::X509Certificate::verify method in the NetSSL library in POCO C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL servers via crafted DNS PTR records that are requested during comparison of a server name to a wildcard domain name in an X.509 certificate.
Seems like i missed this one, added version 1.4.6_p4 to the main tree now. Since this looks like a bugfix release only, should be fine to quick-stabilize
Arches, please test and mark stable: =dev-libs/poco-1.4.6_p4 Target Keywords : " md64 arm x86" Thank you!
amd64 stable
x86 stable
(In reply to Agostino Sarubbo from comment #4) > amd64 stable I suggest to test packages at least once with all USE flags enabled and all USE flags disabled where that can be reasonably done. Because the package does not build with odbc on stable arch. + 05 Jan 2015; Julian Ospald <hasufell@gentoo.org> files/1.4.6_p4-gentoo.patch: + fix broken patch
arm stable, all arches done.
Guys, thanks for you work! GLSA vote: no
GLSA Vote: No Setting bug to noglsa. Maintainer(s), please drop the vulnerable version(s).
all versions <dev-libs/poco-1.4.6_p4 have been removed
Maintainer(s), Thank you for cleanup! Closing noglsa.