Candidate: CVE-2013-7397
PublicDate: 2015-06-24 16:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7397
 https://github.com/AsyncHttpClient/async-http-client/issues/352
Description:
 Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509
 certificate verification unless both a keyStore location and a trustStore
 location are explicitly set, which allows man-in-the-middle attackers to
 spoof HTTPS servers by presenting an arbitrary certificate during use of a
 typical AHC configuration, as demonstrated by a configuration that does not
 send client certificates.
Ubuntu-Description:
 It was discovered that AsyncHttpClient did not properly validate SSL/TLS
 certificates. An attacker could use this vulnerability to execute a
 man-in-the-middle attack.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_async-http-client:
upstream_async-http-client: released (1.6.5-3)
lucid_async-http-client: DNE
precise_async-http-client: ignored (reached end-of-life)
precise/esm_async-http-client: DNE (precise was needs-triage)
trusty_async-http-client: ignored (out of standard support)
trusty/esm_async-http-client: released (1.6.5-2ubuntu0.1~esm1)
utopic_async-http-client: ignored (reached end-of-life)
vivid_async-http-client: ignored (reached end-of-life)
vivid/stable-phone-overlay_async-http-client: DNE
vivid/ubuntu-core_async-http-client: DNE
wily_async-http-client: ignored (reached end-of-life)
xenial_async-http-client: not-affected
yakkety_async-http-client: not-affected
zesty_async-http-client: not-affected
artful_async-http-client: not-affected
bionic_async-http-client: not-affected
cosmic_async-http-client: not-affected
disco_async-http-client: not-affected
eoan_async-http-client: not-affected
focal_async-http-client: not-affected
groovy_async-http-client: not-affected
hirsute_async-http-client: not-affected
impish_async-http-client: not-affected
jammy_async-http-client: not-affected
devel_async-http-client: not-affected
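The failure mode described above is that a "typical" AHC 1.x configuration, one that sets no keyStore and no trustStore, ended up with a trust path that never rejected a server chain. The example below is added here for illustration; it is not code from the Ubuntu tracker, the Debian patch, or the AHC project. It shows the mitigation a practitioner can apply regardless of library version: hand AHC an SSLContext whose trust anchors come from an explicit trust store, so chain validation no longer depends on the library's default. It assumes the AHC 1.x `com.ning.http.client` package, a trust store file `truststore.jks` with password `changeit`, and a target URL passed on the command line; the `looseContextForContrast` method is a sketch of what "skips X.509 verification" amounts to and is included only so the two trust paths can be compared side by side.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import com.ning.http.client.AsyncHttpClient;
import com.ning.http.client.AsyncHttpClientConfig;
import com.ning.http.client.Response;

public class AhcExplicitTrust {

    /**
     * Hardened path: trust anchors come only from the given trust store
     * (assumed file and password), so a server presenting an arbitrary
     * certificate fails the handshake instead of being accepted.
     * No client key material is supplied; this is server authentication only,
     * i.e. the "configuration that does not send client certificates" case.
     */
    static SSLContext strictContext(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * For contrast only (illustrative, not AHC's code): a trust manager that
     * never throws is functionally what "skips certificate verification" means.
     * Any certificate, including one minted by a man-in-the-middle, passes.
     */
    static SSLContext looseContextForContrast() throws Exception {
        TrustManager acceptAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAll }, null);
        return ctx;
    }

    /** Issue one GET through AHC using the supplied SSLContext and return the status code. */
    static int fetchStatus(String url, SSLContext ctx) throws Exception {
        AsyncHttpClientConfig config = new AsyncHttpClientConfig.Builder()
                .setSSLContext(ctx)   // explicit context: AHC no longer picks its own trust path
                .build();
        AsyncHttpClient client = new AsyncHttpClient(config);
        try {
            Response response = client.prepareGet(url).execute().get();
            return response.getStatusCode();
        } finally {
            client.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://localhost:8443/";   // assumed target
        String trustStore = args.length > 1 ? args[1] : "truststore.jks";      // assumed file
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        // With the strict context a server whose chain does not anchor in the
        // trust store causes execute().get() to throw an ExecutionException
        // wrapping an SSLHandshakeException; a trusted server returns its status.
        System.out.println("strict: " + fetchStatus(url, strictContext(trustStore, password)));
    }
}
```

A practical check for an affected build: run `fetchStatus` against a test server whose certificate is self-signed and absent from the trust store. With `strictContext` the handshake must fail; with the builder's default (no `setSSLContext` call) on an AHC release before 1.9.0, and with `looseContextForContrast` on any release, the request succeeds, which is exactly the behaviour the advisory describes. Supplying an explicit trust store restores chain validation, but it does not by itself guarantee hostname verification; confirm separately that the TLS provider in use checks the server name against the certificate.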