Message-ID: <CANMpf86pR03Hea8=OsT5_PKADprCMvArOD7WfiGOCzQEWfCFRA@mail.gmail.com>
Date: Thu, 27 May 2021 07:18:08 -0700
From: James Dailey <jamespdailey@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS

The Fineract project announces the release of 1.5.0 which, among other things,
fixes this issue.

*CVE-2020-17514: Disabled Hostname verification for HTTPS*

[DESCRIPTION]:

*Critical*: Apache Fineract disables HTTPS hostname verification in
`ProcessorHelper` in the `configureClient` method.

Under typical deployments, a man in the middle attack could be successful.

*Release branch*: The fix is available at
https://github.com/apache/fineract/tree/1.5.0.

*Acknowledgements*: We would like to thank Simon Gerst at
https://github.com/intrigus-lgtm for reporting this issue, and the *Apache
Security team* for their assistance.
Reported to security team 15 October 2020
Fixed 19 October 2020
Update Released 23 May 2021
Issue public 26 May 2021
Affects 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0,
1.2.0, 1.3.0, 1.4.0

[REFERENCES]:

https://issues.apache.org/jira/browse/FINERACT-1211
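The advisory names the defect class (an HTTPS client whose hostname verifier accepts every name) but does not show the code. The following is an added, self-contained Java example, not Fineract's `ProcessorHelper` or `configureClient` code: it puts the weak pattern next to a hardened client that keeps the JDK defaults, and adds a line-based source check a reviewer can run over a code base to spot always-true verifiers. The class name `HostnameVerificationDemo`, the method names and the sample source lines are all constructed for this illustration.

```java
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

public class HostnameVerificationDemo {

    // Weak client: every server name is accepted, so a certificate issued for
    // some other host (or obtained by an on-path attacker for any name at all)
    // passes. This is the class of defect the advisory describes; the code is
    // illustrative and is not taken from Fineract.
    static HttpsURLConnection weakClient(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    // Hardened client: use the JDK's built-in verifier, which matches the URL
    // host against the certificate's subjectAltName entries, together with the
    // default SSLContext (platform trust store and protocol policy). Setting
    // both explicitly protects against earlier code having altered them.
    static HttpsURLConnection hardenedClient(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }

    // Heuristic source check: flag lines that look like an always-true
    // HostnameVerifier. It is line-based, so it misses multi-line anonymous
    // classes; treat it as a cheap first pass for code review, not a parser.
    static final Pattern PERMISSIVE = Pattern.compile(
        "\\(\\s*\\w+\\s*,\\s*\\w+\\s*\\)\\s*->\\s*true"              // (host, session) -> true
        + "|\\bverify\\s*\\([^)]*\\)\\s*\\{\\s*return\\s+true\\s*;"   // verify(...) { return true;
        + "|ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier");       // well-known permissive verifiers

    static List<String> findPermissiveVerifiers(List<String> sourceLines) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < sourceLines.size(); i++) {
            String line = sourceLines.get(i);
            if (PERMISSIVE.matcher(line).find()) {
                findings.add("line " + (i + 1) + ": " + line.trim());
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample source standing in for a real code-base scan.
        List<String> sample = List.of(
            "OkHttpClient.Builder builder = new OkHttpClient.Builder();",
            "builder.hostnameVerifier((hostname, session) -> true);",
            "conn.setHostnameVerifier(new HostnameVerifier() {",
            "    public boolean verify(String host, SSLSession s) { return true; }",
            "});",
            "conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());"
        );
        for (String finding : findPermissiveVerifiers(sample)) {
            System.out.println("permissive hostname verifier: " + finding);
        }

        // openConnection() does not contact the host, so this runs offline;
        // it only shows which verifier class the hardened client carries.
        HostnameVerifier v =
            hardenedClient(new URL("https://example.invalid/")).getHostnameVerifier();
        System.out.println("hardened client verifier: " + v.getClass().getName());
    }
}
```

The scan is deliberately narrow: it only recognises the lambda form, a one-line `verify` override returning `true`, and two widely used permissive verifier names, so a clean result is not proof of safety. The reliable fix is the one in `hardenedClient`: do not install a custom `HostnameVerifier` at all, and let the JDK (or the HTTP library's default) do the matching.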
