Red Hat Security Advisory 2015-1176-01 – Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. The following security fixes are addressed in this release: It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle attacker could use this flaw to spoof a valid certificate. It was found that async-http-client did not verify that the server hostname matched the domain name in the subject’s Common Name or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.