Source: apache-directory-api
Version: 2.1.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for apache-directory-api.

CVE-2026-35563[0]:
| It was identified that the LDAP client implementation in version
| 2.1.7 does not verify if the server certificate matches the intended
| LDAP hostname. While the underlying code validates the certificate
| chain against a trusted authority, the absence of endpoint
| identification allows a valid certificate issued for an entirely
| unrelated host to be improperly accepted. This oversight leaves the
| connection highly vulnerable to server impersonation and complete
| connection compromise. The root cause of this vulnerability lies
| in the incomplete TLS server identity verification within the LDAP
| client implementation. The attacker requires MITM capability on
| the network to exploit this vulnerability. This attacker must be
| able to present a certificate trusted by the client's configured
| trust store. The hostname verification has been enforced in the
| new version of the LDAP API

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-35563
    https://www.cve.org/CVERecord?id=CVE-2026-35563
[1] https://www.openwall.com/lists/oss-security/2026/06/01/2

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
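Added example, not from the bug report or from the Apache Directory project: a plain JSSE client that enables LDAPS endpoint identification next to one that omits it (the weakness the CVE describes), plus a hand-written SAN check that illustrates what the handshake-time check compares. Host and port are placeholders; the helper is for illustration and is not the JSSE implementation.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class LdapsEndpointIdentification {

    /** Hardened: JSSE binds the validated chain to the intended host during the handshake. */
    public static SSLSocket connectVerified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("LDAPS"); // standard JSSE algorithm name
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException if the cert is not for `host`
        return socket;
    }

    /** Weak: chain is validated, but any trusted certificate for any host is accepted. */
    public static SSLSocket connectUnverified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake(); // endpoint identification algorithm left at its default (none)
        return socket;
    }

    /** Illustration only: does a dNSName SAN of the certificate cover the intended host? */
    static boolean sanMatchesHost(X509Certificate cert, String host) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue; // GeneralName type 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            if (name.startsWith("*.")) { // single wildcard in the left-most label only
                int dot = h.indexOf('.');
                if (dot > 0 && h.substring(dot).equals(name.substring(1))) return true;
            }
        }
        return false;
    }
}
```

With the hardened variant, a certificate that chains to a trusted CA but names another host fails the handshake rather than being silently accepted.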
