Candidate: CVE-2016-4467
PublicDate: 2017-05-02 14:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4467
 https://marc.info/?l=oss-security&m=146857058811961&w=2
Description:
 The C client and C-based client bindings in the Apache Qpid Proton library
 before 0.13.1 on Windows do not properly verify that the server hostname
 matches a domain name in the subject's Common Name (CN) or subjectAltName
 field of the X.509 certificate when using the SChannel-based security layer,
 which allows man-in-the-middle attackers to spoof servers via an arbitrary
 valid certificate.
Ubuntu-Description:
Notes:
 seth-arnold> Claimed to affect only Windows
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N [5.9 MEDIUM]

Patches_qpid-proton:
upstream_qpid-proton: released (0.13.1)
precise_qpid-proton: DNE
trusty_qpid-proton: DNE
trusty/esm_qpid-proton: DNE
vivid/stable-phone-overlay_qpid-proton: DNE
vivid/ubuntu-core_qpid-proton: DNE
wily_qpid-proton: not-affected
xenial_qpid-proton: not-affected
devel_qpid-proton: not-affected