Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 881181 (CVE-2022-45197) - <dev-python/slixmpp-1.8.3: missing certificate hostname validation
Summary: <dev-python/slixmpp-1.8.3: missing certificate hostname validation
Status: RESOLVED FIXED
Alias: CVE-2022-45197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lab.louiz.org/poezio/slixmpp/...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 881211
Blocks:
  Show dependency tree
 
Reported: 2022-11-13 10:45 UTC by Florian Schmaus
Modified: 2023-05-03 09:55 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schmaus gentoo-dev 2022-11-13 10:45:30 UTC 
slixmpp < 1.8.3 does not validate the hostname in X.509 certificates.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-13 11:06:30 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cfed4940a901879b99a287b9ab781a7061bec7f5

commit cfed4940a901879b99a287b9ab781a7061bec7f5
Author:     Florian Schmaus <flow@gentoo.org>
AuthorDate: 2022-11-13 11:06:07 +0000
Commit:     Florian Schmaus <flow@gentoo.org>
CommitDate: 2022-11-13 11:06:21 +0000

    dev-python/slixmpp: add 1.8.3
    
    Bug: https://bugs.gentoo.org/881181
    Signed-off-by: Florian Schmaus <flow@gentoo.org>

 dev-python/slixmpp/Manifest             |  1 +
 dev-python/slixmpp/slixmpp-1.8.3.ebuild | 37 +++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 03:37:42 UTC 
cleanup done
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-14 05:17:59 UTC 
Thanks both! Florian, do you think we should GLSA?
Comment 4 Florian Schmaus gentoo-dev 2022-11-14 07:22:36 UTC 
> Florian, do you think we should GLSA?

Yes, I believe the severity of the issue would justify an GLSA.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 16:33:50 UTC 
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2023-05-03 09:54:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=6f987355d399e46bce92bf271bd9b94ff1a3e454

commit 6f987355d399e46bce92bf271bd9b94ff1a3e454
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 09:47:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 09:54:22 +0000

    [ GLSA 202305-07 ] slixmpp: Insufficient Certificate Validation
    
    Bug: https://bugs.gentoo.org/881181
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-07.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)