Your message dated Mon, 11 Feb 2013 01:32:32 +0000
with message-id <e1u4ig0-0001oq...@franck.debian.org>
and subject line Bug#700268: fixed in httpcomponents-client 4.2.1-2
has caused the Debian Bug report #700268,
regarding libhttpclient-java: overly broad certificate wildcard match
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700268: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libhttpclient-java
Version: 4.2.1-1
Severity: grave
Tags: security

In the version above the common name match of the certificate check was
rewritten. So the versions in squeeze and wheezy are not affected. The
rewritten version contains a bug (uses length of wrong object) and
thereby accepts ssl certificates where it should not.

Let me quote the relevant bits from the upstream bug
https://issues.apache.org/jira/browse/HTTPCLIENT-1255
> According to the findings of [1], the hostname verification in 
> AbstractVerifier.java is not correct. The wildcard prefix extraction uses the 
> dimension of the dotted parts array instead of the length of the first part 
> itself.
> 
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> 
> (This is line 208 of 
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
>  as of Revision 1402320)
> 
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Helmut

--- End Message ---
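To make the defect concrete, here is an added Python model (not code from HttpClient, from the bug report, or from the upstream ticket) of the two prefix-extraction lines quoted above, wrapped in a deliberately simplified `label*.domain.tld` matcher so the over-broad acceptance can be observed; the matcher itself is an assumption for illustration and is not AbstractVerifier's full logic.

```python
# Added illustration of HTTPCLIENT-1255: the wildcard prefix was cut with the
# number of dotted parts (parts.length - 2) instead of the first label's own
# length (parts[0].length() - 1). Simplified model, not the library's code.

def java_substring(s: str, begin: int, end: int) -> str:
    """Java String.substring(begin, end) semantics, including the bounds
    exception, so the model fails the same way the original line would."""
    if begin < 0 or end > len(s) or begin > end:
        raise IndexError(f"substring({begin}, {end}) out of range for {s!r}")
    return s[begin:end]

def wildcard_prefix_buggy(cn: str) -> str:
    """The line as reported: parts[0].substring(0, parts.length - 2)."""
    parts = cn.split(".")
    return java_substring(parts[0], 0, len(parts) - 2)   # array dimension, wrong

def wildcard_prefix_fixed(cn: str) -> str:
    """The corrected line: parts[0].substring(0, parts[0].length() - 1)."""
    parts = cn.split(".")
    return java_substring(parts[0], 0, len(parts[0]) - 1)  # label length, right

def wildcard_matches(cn: str, hostname: str, prefix_fn) -> bool:
    """Simplified matcher (assumption): the '*' may only sit at the end of the
    first label and cover part of that single label; every other label must
    match literally. Only CNs with at least three labels are treated as wildcards."""
    parts = cn.split(".")
    if len(parts) < 3 or not parts[0].endswith("*"):
        return cn.lower() == hostname.lower()
    prefix = prefix_fn(cn).lower()
    suffix = cn[len(parts[0]):].lower()          # e.g. ".example.com"
    host = hostname.lower()
    return (host.startswith(prefix) and host.endswith(suffix)
            and host.count(".") == cn.count("."))

def affected(cn: str, hostname: str) -> bool:
    """True when the buggy extraction accepts a name the fixed one rejects,
    i.e. the pair demonstrates the over-broad match."""
    return (wildcard_matches(cn, hostname, wildcard_prefix_buggy)
            and not wildcard_matches(cn, hostname, wildcard_prefix_fixed))

if __name__ == "__main__":
    cn = "server*.example.com"                   # constructed sample CN
    print(wildcard_prefix_buggy(cn), wildcard_prefix_fixed(cn))   # s server
    print(affected(cn, "s1.example.com"))        # True: wrongly accepted before the fix
```

Note that the two formulas coincide whenever the number of labels happens to equal the first label's length plus one (for example `www*.a.b.c.d`), so a regression test built on such a CN would not have caught this bug.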
--- Begin Message ---
Source: httpcomponents-client
Source-Version: 4.2.1-2

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated httpcomponents-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Sun, 10 Feb 2013 16:28:27 -0800
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.2.1-2
Distribution: experimental
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j extension
Closes: 700268
Changes: 
 httpcomponents-client (4.2.1-2) experimental; urgency=low
 .
   * Team upload.
   * Apply upstream patch for wildcard certificate match security bug.
     (Closes: #700268)
   * Remove duplicate Copyright: in d/copyright (lintian warning).
   * Bump Standards-Version to 3.9.4 (no changes).
   * Update Vcs-Git field to be "/git/pkg-java"


--- End Message ---
