
oss-sec mailing list archives
CVE request - OkHttp Certificate Pinning Bypass
From: Matthew McPherrin <mmc () squareup com>
Date: Wed, 10 Feb 2016 13:35:17 -0800
A vulnerability was discovered in OkHttp that allows an attacker to bypass certificate pinning. OkHttp did not validate that the pinned certificate was in the chain to a trusted certificate authority. This resulted in an attacker being able to present a certificate chain with a certificate issued by one trusted certificate authority, and additionally including the pinned certificate authority. Because the pinned certificate was present, and the certificate was issued by a trusted certificate authority, the server's certificate was accepted. However, it should not have been accepted as the pinned certificate was not in the trust chain. This allows an attacker to obtain a certificate from a non-pinned but trusted CA, then have OkHttp connect to that server, bypassing certificate pinning.
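The failure described above is a check that looks for the pinned certificate anywhere in the list the server sent, instead of only in the path that was actually validated to a trusted root. The following is an added example, not part of the original post and not OkHttp's code: it reproduces the condition with Go's crypto/x509 using constructed certificates (a pinned CA, a second trusted but non-pinned CA, a hostname "example.test", and SPKI SHA-256 pins are all assumptions of the example). The decoy chain is a leaf issued by the non-pinned CA with the pinned CA's certificate appended; the flawed check accepts it, while the check that first builds the trust path and then applies the pins rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the test certificates

// issue generates a P-256 key and a certificate for it. With parent == nil the
// certificate is a self-signed root; otherwise parentKey signs it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin is the base64 SHA-256 of the certificate's SubjectPublicKeyInfo (assumed pin format).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return "sha256/" + base64.StdEncoding.EncodeToString(sum[:])
}

// PinsMatchAnywhere is the flawed check: any certificate the server sent satisfies
// a pin, whether or not it is part of the validated trust path.
func PinsMatchAnywhere(presented []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range presented {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// PinsMatchTrustedChain builds and validates the path from the leaf to a trusted
// root first, then applies the pins to that path only. Extra certificates that do
// not take part in the path are ignored.
func PinsMatchTrustedChain(presented []*x509.Certificate, roots *x509.CertPool, pins map[string]bool, host string) (bool, error) {
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	if err != nil {
		return false, err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[SPKIPin(c)] {
				return true, nil
			}
		}
	}
	return false, nil
}

// Scenario: two trusted roots, a pin on one of them, the honest chain and the decoy chain.
type Scenario struct {
	Host   string
	Roots  *x509.CertPool
	Pins   map[string]bool
	Legit  []*x509.Certificate
	Attack []*x509.Certificate
}

func BuildScenario() *Scenario {
	const host = "example.test" // constructed hostname
	pinnedCA, pinnedKey := issue("Pinned CA", true, nil, nil)
	otherCA, otherKey := issue("Other Trusted CA", true, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(pinnedCA)
	roots.AddCert(otherCA)
	legitLeaf, _ := issue(host, false, pinnedCA, pinnedKey)
	attackLeaf, _ := issue(host, false, otherCA, otherKey) // attacker's cert from the non-pinned CA
	return &Scenario{
		Host:   host,
		Roots:  roots,
		Pins:   map[string]bool{SPKIPin(pinnedCA): true},
		Legit:  []*x509.Certificate{legitLeaf, pinnedCA},
		Attack: []*x509.Certificate{attackLeaf, pinnedCA}, // pinned CA appended as a decoy
	}
}

func main() {
	s := BuildScenario()
	for _, c := range []struct {
		name  string
		chain []*x509.Certificate
	}{{"honest", s.Legit}, {"decoy", s.Attack}} {
		ok, err := PinsMatchTrustedChain(c.chain, s.Roots, s.Pins, s.Host)
		fmt.Printf("%-6s chain: flawed check=%v chain-aware check=%v err=%v\n", c.name, PinsMatchAnywhere(c.chain, s.Pins), ok, err)
	}
}
```

The order of operations is the whole point: path validation decides which certificates vouch for the leaf, and pinning is only meaningful when applied to that result.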
Current thread:
- CVE request - OkHttp Certificate Pinning Bypass Matthew McPherrin (Feb 10)
- Re: CVE request - OkHttp Certificate Pinning Bypass cve-assign (Feb 17)