Date: Thu, 27 May 2021 07:18:08 -0700
From: James Dailey <jamespdailey@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS

The fineract project announces release of 1.5.0 which - among other things - fixes this issue.

*CVE-2020-17514: Disabled Hostname verification for HTTPS*

[DESCRIPTION]:

*Critical*: Apache Fineract disables HTTPS hostname verification in `ProcessorHelper` in the `configureClient` method. Under typical deployments, a man in the middle attack could be successful.

*Release branch*: The fix is available at https://github.com/apache/fineract/tree/1.5.0.

*Acknowledgements*: We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue, and the *Apache Security team* for their assistance.

Reported to security team: 15 October 2020
Fixed: 19 October 2020
Update Released: 23 May 2021
Issue public: 26 May 2021

Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0

[REFERENCES]:

https://issues.apache.org/jira/browse/FINERACT-1211
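The weak client configuration the advisory describes, beside its hardened form, as an added illustration that is not Fineract's code: it assumes an OkHttp (`okhttp3.OkHttpClient`) based client, and the class and method names only mirror the advisory's wording.

```java
// Added example, not the Apache Fineract source. Assumes OkHttp 3/4 on the classpath.
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import okhttp3.OkHttpClient;

public final class ProcessorHelperExample {

    /**
     * The anti-pattern behind CVE-2020-17514 (hypothetical reconstruction): a verifier that
     * accepts every name means a certificate validly issued for any other host is accepted
     * for the peer we intended to reach, so a man-in-the-middle needs no CA compromise.
     */
    static OkHttpClient configureClientInsecure() {
        HostnameVerifier acceptAll = (hostname, session) -> true; // never do this
        return new OkHttpClient.Builder()
                .hostnameVerifier(acceptAll)
                .build();
    }

    /**
     * Hardened form: leave hostname verification to the platform verifier (RFC 2818/6125
     * matching of the URL host against the certificate's SAN entries). Omitting the
     * hostnameVerifier(...) call entirely gives OkHttp's equivalent default.
     */
    static OkHttpClient configureClientSecure() {
        return new OkHttpClient.Builder()
                .hostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier())
                .build();
    }

    /**
     * Cheap regression guard for a unit test or build check: a verifier that answers "yes"
     * to a hostname and session that can never match has been disabled. A real verifier
     * either returns false or refuses to judge a null session, both of which count as "on".
     */
    static boolean verificationDisabled(HostnameVerifier verifier) {
        try {
            return verifier.verify("never-matches.invalid", null);
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("insecure client disabled? "
                + verificationDisabled(configureClientInsecure().hostnameVerifier())); // true
        System.out.println("secure client disabled?   "
                + verificationDisabled(configureClientSecure().hostnameVerifier()));   // false
    }
}
```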