{"id":"MGASA-2014-0557","summary":"Updated cxf packages fix security vulnerabilities","details":"Updated cxf packages fix security vulnerabilities:\n\nAn Apache CXF JAX-RS service can process SAML tokens received in the\nAuthorization header of a request via the SamlHeaderInHandler. However, it is\npossible to cause an infinite loop in the parsing of this header by passing\ncertain malformed values for the header, leading to a denial of service\nagainst the service (CVE-2014-3584).\n\nApache CXF is vulnerable to a possible SSL hostname verification bypass, due\nto a flaw in comparing the server hostname to the domain name in the Subject\nDN field of the certificate. A man-in-the-middle attacker can exploit this by\npresenting a certificate with a specially crafted Subject DN, which is then\naccepted as valid for the target host (CVE-2014-3577).\n","modified":"2026-04-16T06:24:24.855453140Z","published":"2014-12-31T12:28:04Z","upstream":["CVE-2014-3577","CVE-2014-3584"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0557.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14363"},{"type":"ADVISORY","url":"http://cxf.apache.org/security-advisories.data/CVE-2014-3584.txt.asc"},{"type":"ADVISORY","url":"http://cxf.apache.org/security-advisories.data/CVE-2014-3577.txt.asc"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1157330"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1129074"}],"affected":[{"package":{"name":"cxf","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/cxf?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.7.5-3.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0557.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}