Bug#773364: async-http-client: CVE-2013-7397 CVE-2013-7398
Moritz Muehlenhoff
jmm at inutil.org
Thu Dec 18 06:05:48 UTC 2014
On Wed, Dec 17, 2014 at 06:08:00PM +0100, Emmanuel Bourg wrote:
> Hi Moritz,
>
> Thank you for the report
>
> Le 17/12/2014 15:43, Moritz Muehlenhoff a écrit :
>
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 :
> > https://github.com/AsyncHttpClient/async-http-client/issues/352
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :
> > https://github.com/AsyncHttpClient/async-http-client/issues/197
> > https://github.com/wsargent/async-http-client/commit/db6716ad2f10f5c2d5124904725017b2ba8c3434
>
> It seems the version 1.6.5 in wheezy/jessie/unstable is not affected by
> CVE-2013-7398. The class AllowAllHostnameVerifier doesn't exist, in this
> version the user of the API has to provide its own HostnameVerifier.
>
> I confirm the version 1.6.5 is affected by CVE-2013-7397.
Thanks. I've updated the security tracker.
Cheers,
Moritz
More information about the pkg-java-maintainers
mailing list