Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398

Emmanuel Bourg ebourg at apache.org
Wed Dec 17 17:08:00 UTC 2014


Hi Moritz,

Thank you for the report.

On 17/12/2014 15:43, Moritz Muehlenhoff wrote:

> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 :
> https://github.com/AsyncHttpClient/async-http-client/issues/352
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :
> https://github.com/AsyncHttpClient/async-http-client/issues/197
> https://github.com/wsargent/async-http-client/commit/db6716ad2f10f5c2d5124904725017b2ba8c3434

It seems the version 1.6.5 in wheezy/jessie/unstable is not affected by
CVE-2013-7398. The class AllowAllHostnameVerifier doesn't exist, in this
version the user of the API has to provide its own HostnameVerifier.

I confirm the version 1.6.5 is affected by CVE-2013-7397.

Emmanuel Bourg


