]> code.ossystems Code Review - openembedded-core.git/commit
Code Review / openembedded-core.git / commit
? search:
summary | shortlog | log | commit | commitdiff | review | tree
(parent: 06ffe56) | patch
serf: uprev to 1.3.7 for fixing CVE-2014-3504
authorWenzong Fan <wenzong.fan@windriver.com>
Fri, 21 Nov 2014 06:02:05 +0000 (01:02 -0500)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Fri, 21 Nov 2014 16:50:43 +0000 (16:50 +0000)
commit832aa4c5a7989636dae3068f508ab2bff8b4ab23
tree7608d905b02bd8329dd7d294ab17254a1dac1b46tree | snapshot
parent06ffe5637f23f6036aaf58b40f7f9a721624cd5bcommit | diff
serf: uprev to 1.3.7 for fixing CVE-2014-3504

The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_-
ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7
does not properly handle a NUL byte in a domain name in the subject's
Common Name (CN) field of an X.509 certificate, which allows man-in-
the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3504

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-support/serf/serf_1.3.7.bb [moved from meta/recipes-support/serf/serf_1.3.6.bb with 82% similarity] diff | blob | history
Mirror of the official openembedded-core repository