CVE-2013-1909

Advisory

Qpid-python 0.22 includes a fix for CVE-2013-1909: The Python client in Apache Qpid before 0.22 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
https://issues.apache.org/jira/browse/QPID-4918

Affected package

Affected versions

Fixed versions

Vulnerability changelog

The Python client in Apache Qpid before 2.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.


CONFIRM:http://qpid.apache.org/releases/qpid-0.22/release-notes.html: http://qpid.apache.org/releases/qpid-0.22/release-notes.html
CONFIRM:http://svn.apache.org/viewvc?view=revision&revision=1460013: http://svn.apache.org/viewvc?view=revision&revision=1460013
CONFIRM:https://issues.apache.org/jira/browse/QPID-4918: https://issues.apache.org/jira/browse/QPID-4918
REDHAT:RHSA-2013:1024: http://rhn.redhat.com/errata/RHSA-2013-1024.html
SECUNIA:53968: http://secunia.com/advisories/53968
SECUNIA:54137: http://secunia.com/advisories/54137

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1909
• https://issues.apache.org/jira/browse/QPID-4918
• http://qpid.apache.org/releases/qpid-0.22/release-notes.html
• http://secunia.com/advisories/54137
• http://secunia.com/advisories/53968
• http://rhn.redhat.com/errata/RHSA-2013-1024.html
• http://svn.apache.org/viewvc?view=revision&revision=1460013