Bug#1139171: apache-directory-api: CVE-2026-35563
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 6 20:11:46 BST 2026
Source: apache-directory-api
Version: 2.1.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for apache-directory-api.
CVE-2026-35563[0]:
| It was identified that the LDAP client implementation in version
| 2.1.7 does not verify if the server certificate matches the intended
| LDAP hostname. While the underlying code validates the certificate
| chain against a trusted authority, the absence of endpoint
| identification allows a valid certificate issued for an entirely
| unrelated host to be improperly accepted. This oversight leaves the
| connection highly vulnerable to server impersonation and complete
| connection compromise. The root cause of this vulnerability lies
| in the incomplete TLS server identity verification within the LDAP
| client implementation. The attacker requires MITM capability on
| the network to exploit this vulnerability. This attacker must be
| able to present a certificate trusted by the client's configured
| trust store. The hostname verification has been enforced in the
| new version of the LDAP API
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-35563
https://www.cve.org/CVERecord?id=CVE-2026-35563
[1] https://www.openwall.com/lists/oss-security/2026/06/01/2
Regards,
Salvatore
More information about the pkg-java-maintainers
mailing list