On Wed, Dec 17, 2014 at 06:08:00PM +0100, Emmanuel Bourg wrote:
> Hi Moritz,
> 
> Thank you for the report.
> 
> On 17/12/2014 15:43, Moritz Muehlenhoff wrote:
> 
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7397 :
> > https://github.com/AsyncHttpClient/async-http-client/issues/352
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7398 :
> > https://github.com/AsyncHttpClient/async-http-client/issues/197
> > https://github.com/wsargent/async-http-client/commit/db6716ad2f10f5c2d5124904725017b2ba8c3434
> 
> It seems the version 1.6.5 in wheezy/jessie/unstable is not affected by
> CVE-2013-7398. The class AllowAllHostnameVerifier doesn't exist; in this
> version the user of the API has to provide its own HostnameVerifier.
> 
> I confirm the version 1.6.5 is affected by CVE-2013-7397.

Thanks. I've updated the security tracker.

Cheers,
        Moritz

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
[email protected] for discussions and questions.
