From ${URL} : It was reported [1] that Smack (XMPP client library) is vulnerable to MitM attacks with crafted SSL certificates.

Quote from [1]:

...

Details
-------

Smack is using Java's `SSLSocket`, which checks the peer certificate using an `X509TrustManager`, but does not perform hostname verification. Therefore, it is possible to redirect the traffic between a Smack-using application and a legitimate XMPP server through the attacker's server, merely by providing a valid certificate for a domain under the attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager` implementation was used, which was supplied with the connection's server name, and performed hostname verification. However, it failed to verify the basicConstraints and nameConstraints of the certificate chain (CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363) and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did not benefit from `ServerTrustManager` and are vulnerable as well, unless their own `TrustManager` implementation explicitly performs hostname verification.

...

[1]: http://seclists.org/bugtraq/2014/Aug/29

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
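To make the advisory's point concrete, here is an added example (not Smack's code, and not from the advisory) that places the unverified `SSLSocket` pattern next to a hardened form in which JSSE itself performs hostname verification; the class and method names, and the `example.org` host and port values, are placeholders chosen for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.Socket;
import java.security.NoSuchAlgorithmException;

/* Added example, not Smack code. Names and hosts are placeholders. */
public final class XmppTlsExample {

    /* Vulnerable pattern from the advisory: the default X509TrustManager
     * validates the chain (signature, validity, basicConstraints), but nothing
     * compares the certificate's names with the domain we meant to reach, so
     * any valid certificate for any domain is accepted. */
    static SSLSocket connectUnverified(String host, int port)
            throws IOException, NoSuchAlgorithmException {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket tls = (SSLSocket) factory.createSocket(host, port);
        tls.startHandshake();
        return tls;
    }

    /* Hardened form (Java 7+). TCP goes to the SRV target (assumed already
     * resolved by the caller); the XMPP service domain is handed to JSSE as
     * the identity to verify. With an endpoint identification algorithm set,
     * the built-in X509ExtendedTrustManager checks the certificate's
     * DNS-ID/CN against xmppDomain inside checkServerTrusted, so a custom
     * TrustManager cannot silently skip the check. */
    static SSLSocket connectVerified(String xmppDomain, String srvTarget, int port)
            throws IOException, NoSuchAlgorithmException {
        Socket tcp = new Socket(srvTarget, port);
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket tls = (SSLSocket) factory.createSocket(tcp, xmppDomain, port, true);
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 name rules
        tls.setSSLParameters(params);
        tls.startHandshake(); // SSLHandshakeException on a name mismatch
        return tls;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values, not a real deployment.
        SSLSocket s = connectVerified("example.org", "xmpp.example.org", 5223);
        System.out.println("verified peer: " + s.getSession().getPeerHost());
        s.close();
    }
}
```

The "HTTPS" algorithm covers the DNS-ID/CN case only; XMPP's SRV-ID and XmppAddr identifiers from RFC 6120/6125 still need a dedicated check after the handshake.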
@ Maintainer(s): Please bump package to >=dev-java/smack-4.1.9.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e80934f925f9640a1c43020531ff1d06fe5e67d4

commit e80934f925f9640a1c43020531ff1d06fe5e67d4
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-14 20:10:11 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-14 20:10:11 +0000

    profiles/package.mask: mask dev-java/smack

    * Package has longstanding vulnerabilities
    * Unmaintained in Gentoo

    Bug: https://bugs.gentoo.org/509354
    Bug: https://bugs.gentoo.org/519216
    Bug: https://bugs.gentoo.org/603440
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b284fe06667eddb6283c94328bccdde0dc622446

commit b284fe06667eddb6283c94328bccdde0dc622446
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:36:42 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:37:35 +0000

    dev-java/smack: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/509354
    Bug: https://bugs.gentoo.org/519216
    Bug: https://bugs.gentoo.org/603440
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/smack/Manifest           |  2 --
 dev-java/smack/metadata.xml       |  8 ------
 dev-java/smack/smack-2.2.1.ebuild | 60 ---------------------------------------
 dev-java/smack/smack-3.2.1.ebuild | 30 --------------------
 profiles/package.mask             |  6 ----
 5 files changed, 106 deletions(-)
bye Felicia