Package: libhttpclient-java
Version: 4.2.1-1
Severity: grave
Tags: security

In the version above the common name match of the certificate check was rewritten. So the versions in squeeze and wheezy are not affected. The rewritten version contains a bug (uses length of wrong object) and thereby accepts SSL certificates where it should not. Let me quote the relevant bits from the upstream bug https://issues.apache.org/jira/browse/HTTPCLIENT-1255

> According to the findings of [1], the hostname verification in
> AbstractVerifier.java is not correct. The wildcard prefix extraction uses the
> dimension of the dotted parts array instead of the length of the first part
> itself.
>
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
>
> should be
>
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
>
> (This is line 208 of
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
> as of Revision 1402320)
>
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Helmut
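To make the effect of the wrong length concrete, here is an added illustration (not code from httpclient or from this report) that applies both prefix extractions to a constructed wildcard CN; the surrounding startsWith/endsWith matching is a simplified assumption about the verifier's structure, not the library's exact code.

```java
// Added illustration: buggy vs. corrected wildcard prefix extraction.
// The wildcardMatch() structure is an assumption (simplified), not httpclient's code.
public class WildcardPrefixDemo {
    // Buggy variant: slices the first label by the number of dotted parts.
    static String buggyPrefix(String[] parts) {
        return parts[0].substring(0, parts.length - 2);
    }

    // Corrected variant: strips only the trailing '*' from the first label.
    static String fixedPrefix(String[] parts) {
        return parts[0].substring(0, parts[0].length() - 1);
    }

    // Simplified wildcard check (assumed structure): host must start with the
    // prefix and its remainder must end with the CN's remaining labels.
    static boolean wildcardMatch(String cn, String host, boolean buggy) {
        String[] parts = cn.split("\\.");
        if (parts.length < 3 || !parts[0].endsWith("*")) {
            return false;
        }
        String prefix = buggy ? buggyPrefix(parts) : fixedPrefix(parts);
        String suffix = cn.substring(parts[0].length()); // e.g. ".example.com"
        return host.startsWith(prefix)
            && host.substring(prefix.length()).endsWith(suffix);
    }

    public static void main(String[] args) {
        String cn = "server*.example.com"; // constructed sample CN
        String[] parts = cn.split("\\.");  // ["server*", "example", "com"]
        // parts.length - 2 == 1, so the buggy code keeps only "s"
        System.out.println("buggy prefix: " + buggyPrefix(parts)); // s
        System.out.println("fixed prefix: " + fixedPrefix(parts)); // server

        // Constructed hostnames: the second should NOT match "server*.example.com"
        String[] hosts = {"server1.example.com", "sx.example.com"};
        for (String host : hosts) {
            System.out.printf("%-22s buggy=%b fixed=%b%n", host,
                wildcardMatch(cn, host, true), wildcardMatch(cn, host, false));
        }
    }
}
```

With the buggy extraction, "sx.example.com" is accepted for the CN "server*.example.com"; with a CN that has more dotted parts than the first label has characters, the buggy substring call throws a StringIndexOutOfBoundsException instead.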