| Name | CVE-2024-55581 |
| Description | When AdaCore Ada Web Server 25.0.0 is linked with GnuTLS, the default behaviour of AWS.Client is vulnerable to a man-in-the-middle attack because of lack of verification of an HTTPS server's certificate (unless the using program specifies a TLS configuration). |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libaws (PTS) | bullseye | 20.2-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libaws | source | (unstable) | (unfixed) |
https://docs.adacore.com/corp/security-advisories/SEC.AWS-0056-v1.pdf
Fixed by: https://github.com/AdaCore/aws/commit/3e9df7f8712112d653884610c7518cace6c16e41 (master)
Fixed by: https://github.com/AdaCore/aws/commit/30bccf02675c6022b061481c603f1da501e30572 (v25.1.0)
Followup (test renames): https://github.com/AdaCore/aws/commit/0616c672df44091bec69effd74867ed60d4ea866 (v25.1.0)