CVE-2014-0363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0363): The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-0364 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0364): The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.
Maintainer(s): *ping*
It appears that there are no ebuilds in tree which depend on dev-java/smack. I would simply remove the ebuild.
(In reply to Florian Schmaus from comment #3) > It appears that there are no ebuilds in tree which depend on dev-java/smack. > I would simply remove the ebuild. That's not true, dev-java/netbeans-ide does.
(In reply to James Le Cuirot from comment #4) > (In reply to Florian Schmaus from comment #3) > > It appears that there are no ebuilds in tree which depend on dev-java/smack. > > I would simply remove the ebuild. > That's not true, dev-java/netbeans-ide does. My fault, I was only checking the output of "equery d dev-java/smack". I created a new netbeans-ide ebuild for testing purposes without a dependency to dev-java/smack and it didn't compile. Which surprised me, since Smack 2.2 is from 2005 and I didn't expect any contemporary software to depend on such on old release.
(In reply to James Le Cuirot from comment #4) > (In reply to Florian Schmaus from comment #3) > > It appears that there are no ebuilds in tree which depend on dev-java/smack. > > I would simply remove the ebuild. > > That's not true, dev-java/netbeans-ide does. So what to do here? Can the Java team patch this?
@java, please bump to >=dev-java/smack-4.1.9 Mike Boyle Gentoo Security Padawan
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e80934f925f9640a1c43020531ff1d06fe5e67d4 commit e80934f925f9640a1c43020531ff1d06fe5e67d4 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2019-08-14 20:10:11 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2019-08-14 20:10:11 +0000 profiles/package.mask: mask dev-java/smack * Package has longstanding vulnerabilities * Unmaintained in Gentoo Bug: https://bugs.gentoo.org/509354 Bug: https://bugs.gentoo.org/519216 Bug: https://bugs.gentoo.org/603440 Signed-off-by: Aaron Bauman <bman@gentoo.org> profiles/package.mask | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b284fe06667eddb6283c94328bccdde0dc622446 commit b284fe06667eddb6283c94328bccdde0dc622446 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-09-14 15:36:42 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-09-14 15:37:35 +0000 dev-java/smack: Remove last-rited pkg Bug: https://bugs.gentoo.org/509354 Bug: https://bugs.gentoo.org/519216 Bug: https://bugs.gentoo.org/603440 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-java/smack/Manifest | 2 -- dev-java/smack/metadata.xml | 8 ------ dev-java/smack/smack-2.2.1.ebuild | 60 --------------------------------------- dev-java/smack/smack-3.2.1.ebuild | 30 -------------------- profiles/package.mask | 6 ---- 5 files changed, 106 deletions(-)
Bye
