CVE-2014-3577: Apache CXF SSL hostname verification bypass

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Apache CXF prior to 2.7.14 and 3.0.3.

Description: Apache CXF is vulnerable to a possible SSL hostname verification bypass, due to a flaw in comparing the server hostname to the domain name in the Subject's DN field. A Man In The Middle attack can exploit this vulnerability by using a specially crafted Subject DN to spoof a valid certificate.

See here for more information: https://bugzilla.redhat.com/show_bug.cgi?id=1129074

This has been fixed in revision: https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=68cd67b1187edfca957f15a00eab9a14cd140672

Migration: CXF 2.7.x users should upgrade to 2.7.14 or later as soon as possible. CXF 3.0.x users should upgrade to 3.0.3 or later as soon as possible.

References: http://cxf.apache.org/security-advisories.html
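The advisory does not reproduce the defective comparison, so the following is an added illustration (not CXF's code, and it assumes nothing about CXF's internals) of the defensive way to take a CN out of a Subject DN and compare it with the server hostname: parse the DN per RFC 4514 so an escaped separator inside one attribute value can never manufacture a CN, then match the hostname with strict wildcard rules. Function names and the DN strings used in the comments are this example's own.

```python
SPECIALS = ' ",=+<>#;\\'  # characters RFC 4514 allows after a backslash

def parse_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a Subject DN into (type, value) pairs per RFC 4514. Escaped
    separators stay inside their value, so 'CN=...' text embedded in another
    attribute is never taken for a real CN (RFC 2253 quoted values not supported)."""
    pairs, key, buf, i = [], None, [], 0

    def flush() -> None:
        nonlocal key, buf
        if key is None:
            raise ValueError("attribute value without a type")
        pairs.append((key.strip().lower(), "".join(buf)))
        key, buf = None, []

    while i < len(dn):
        c = dn[i]
        if c == "\\":  # escaped special or \XX hex pair; bad escapes raise
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in SPECIALS:
                buf.append(nxt); i += 2
            else:
                buf.append(chr(int(dn[i + 1:i + 3], 16))); i += 3
            continue
        if c == "=" and key is None:
            key, buf = "".join(buf), []  # type finished, value starts
        elif c in ",+":  # next RDN, or next value of a multi-valued RDN
            flush()
        else:
            buf.append(c)
        i += 1
    flush()
    return pairs

def common_names(dn: str) -> list[str]:
    return [v for k, v in parse_rdns(dn) if k == "cn"]

def hostname_matches(hostname: str, cn: str) -> bool:
    """Case-insensitive exact match, or '*' for exactly one leftmost label."""
    h, c = hostname.lower().rstrip("."), cn.lower().rstrip(".")
    if "*" not in c:
        return h == c
    if not c.startswith("*.") or "*" in c[1:]:  # no partial-label wildcards
        return False
    labels = h.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == c[2:]  # never '*.com'

def verify_subject(hostname: str, subject_dn: str) -> bool:
    # CN is the fallback; RFC 6125 prefers SAN dNSName entries when present.
    return any(hostname_matches(hostname, cn) for cn in common_names(subject_dn))
```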