Bug 519216 (CVE-2014-5075) - dev-java/smack: MitM vulnerability
Summary: dev-java/smack: MitM vulnerability
Alias: CVE-2014-5075
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: CVE-2016-10027
Reported: 2014-08-06 14:16 UTC by Agostino Sarubbo
Modified: 2019-09-15 02:30 UTC
Description Agostino Sarubbo gentoo-dev 2014-08-06 14:16:14 UTC
From ${URL} :

It was reported [1] that Smack (XMPP client library) is vulnerable to MitM attacks with crafted SSL certificates.
Quote from [1]:

Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
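The missing check described in the quoted advisory, as an added example that is not part of the bug report and is not Smack's code: a plain `SSLSocket` validates the certificate chain but has no endpoint identification set, and enabling it binds the handshake to the expected host name. The class name `HostnameVerifiedSocket` and the helpers `wrap` and `harden` are hypothetical, and using the JDK's built-in "HTTPS" name-matching rules for an XMPP peer is an assumption made for this sketch.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (hypothetical class and helper names); not Smack code.
public class HostnameVerifiedSocket {

    // Layers TLS over an already connected socket and ties certificate
    // validation to expectedHost, the name the application meant to reach.
    static SSLSocket wrap(Socket plain, String expectedHost, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, expectedHost, port, true);
        harden(tls);
        return tls;
    }

    // Without this call the trust manager only validates the chain. With it,
    // the handshake also fails when the certificate does not name the peer host.
    // "HTTPS" selects the JDK's built-in matching rules (assumption for XMPP).
    static void harden(SSLSocket tls) {
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Unconnected socket: inspects the defaults without any network traffic.
        try (SSLSocket tls = (SSLSocket) factory.createSocket()) {
            System.out.println("default:  "
                    + tls.getSSLParameters().getEndpointIdentificationAlgorithm());
            harden(tls);
            System.out.println("hardened: "
                    + tls.getSSLParameters().getEndpointIdentificationAlgorithm());
        }
        if (args.length == 2) { // optional live check: <host> <port>
            String host = args[0];
            int port = Integer.parseInt(args[1]);
            try (SSLSocket tls = wrap(new Socket(host, port), host, port)) {
                tls.startHandshake(); // SSLHandshakeException on a name mismatch
                System.out.println("verified peer: " + tls.getSession().getPeerPrincipal());
            }
        }
    }
}
```

Run without arguments it only compares the socket's default and hardened parameters; with a host and port it performs a real handshake against that peer.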
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 15:08:10 UTC
@ Maintainer(s): Please bump package to >=dev-java/smack-4.1.9.
Comment 2 Larry the Git Cow gentoo-dev 2019-08-14 20:10:48 UTC
The bug has been referenced in the following commit(s):

commit e80934f925f9640a1c43020531ff1d06fe5e67d4
Author:     Aaron Bauman <>
AuthorDate: 2019-08-14 20:10:11 +0000
Commit:     Aaron Bauman <>
CommitDate: 2019-08-14 20:10:11 +0000

    profiles/package.mask: mask dev-java/smack
    * Package has longstanding vulnerabilities
    * Unmaintained in Gentoo
    Signed-off-by: Aaron Bauman <>

 profiles/package.mask | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2019-09-14 15:37:41 UTC
The bug has been referenced in the following commit(s):

commit b284fe06667eddb6283c94328bccdde0dc622446
Author:     Michał Górny <>
AuthorDate: 2019-09-14 15:36:42 +0000
Commit:     Michał Górny <>
CommitDate: 2019-09-14 15:37:35 +0000

    dev-java/smack: Remove last-rited pkg
    Signed-off-by: Michał Górny <>

 dev-java/smack/Manifest           |  2 --
 dev-java/smack/metadata.xml       |  8 ------
 dev-java/smack/smack-2.2.1.ebuild | 60 ---------------------------------------
 dev-java/smack/smack-3.2.1.ebuild | 30 --------------------
 profiles/package.mask             |  6 ----
 5 files changed, 106 deletions(-)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-09-15 02:30:38 UTC
bye Felicia