[
https://issues.apache.org/jira/browse/HTTPCLIENT-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alberto Fernández reopened HTTPCLIENT-1265:
-------------------------------------------
Hi Oleg
I know HttpClient 3 is EOL, but it's used widely in Linux distros (basically
because Axis 1.4 is still used and depends on HttpClient 3).
This patch has been committed to the Debian package, and it would be great if you
could apply it to the ASF repository, so other distros can take the fixed version
from the SVN.
The patch is a mix of: a backport from HttpClient 4.2, some bits from Apache
Synapse and some refactoring of my own (basically splitting into smaller functions).
If you could also do a quick review to see if I've made an obvious mistake, I would
be very grateful.
Thanks for your time and your patience.
> Insecure certificate validation CVE-2012-5783
> ----------------------------------------------
>
> Key: HTTPCLIENT-1265
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1265
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 3.1 Final
> Environment: All
> Reporter: Alberto Fernández
> Attachments: CVE-2012-5783-2.patch
>
>
> See:
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> Using JSSE, you must manually validate that the server name you're connecting
> to matches one of the names provided by the certificate. That way you can
> detect a man-in-the-middle type attack with a valid certificate for another site.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783
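The check the issue description asks for, as an added example that is not code from the HttpClient project, the attached patch or the JIRA thread: after the JSSE handshake, compare the host that was dialled against the certificate's dNSName subjectAltName entries (falling back to the subject CN only when no dNSName entry exists), allowing a wildcard only in the leftmost label. The class and method names (StrictHostnameCheck, certificateNames, matches, verify) and the name lists in main are this example's own assumptions; the main method uses constructed name lists so it runs without a real certificate.

```java
// Added example: a minimal JSSE hostname check of the kind CVE-2012-5783 is
// about. Not from HttpClient or the attached patch; names are this example's own.
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

public class StrictHostnameCheck {

    private static final int SAN_DNS_NAME = 2; // GeneralName type for dNSName
    private static final Pattern CN_PATTERN =
        Pattern.compile("(?:^|,)\\s*CN=([^,]+)", Pattern.CASE_INSENSITIVE);

    /** Names the certificate may be used for: dNSName SANs, else the subject CN. */
    static List<String> certificateNames(X509Certificate cert)
            throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == SAN_DNS_NAME) {
                    names.add((String) san.get(1));
                }
            }
        }
        // RFC 6125 rule: consult the CN only when there is no dNSName SAN.
        if (names.isEmpty()) {
            Matcher m = CN_PATTERN.matcher(cert.getSubjectX500Principal().getName());
            if (m.find()) {
                names.add(m.group(1).trim());
            }
        }
        return names;
    }

    /** Exact match, or a single wildcard that covers only the leftmost label. */
    static boolean matches(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String n = certName.toLowerCase(Locale.ROOT);
        if (!n.startsWith("*.")) {
            return h.equals(n);
        }
        // "*.example.com" covers "www.example.com" but not "example.com",
        // not "a.b.example.com", and a bare "*.com" is refused outright.
        String suffix = n.substring(1); // ".example.com"
        if (suffix.indexOf('.', 1) < 0 || !h.endsWith(suffix)) {
            return false;
        }
        String firstLabel = h.substring(0, h.length() - suffix.length());
        return !firstLabel.isEmpty() && firstLabel.indexOf('.') < 0;
    }

    static boolean hostMatchesAny(String host, List<String> names) {
        for (String name : names) {
            if (matches(host, name)) {
                return true;
            }
        }
        return false;
    }

    /** Call immediately after the handshake, before any application data is sent. */
    static void verify(String host, SSLSocket socket)
            throws IOException, CertificateParsingException {
        Certificate[] chain = socket.getSession().getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("no X.509 peer certificate");
        }
        List<String> names = certificateNames((X509Certificate) chain[0]);
        if (!hostMatchesAny(host, names)) {
            throw new SSLPeerUnverifiedException(
                "host " + host + " does not match certificate names " + names);
        }
    }

    public static void main(String[] args) {
        // Constructed name lists standing in for two parsed certificates.
        List<String> bankCert = List.of("www.bank.example", "*.bank.example");
        List<String> otherCert = List.of("www.attacker.example");
        // exact name, wildcard-covered subdomain, apex (not covered by "*."),
        // and a valid certificate issued for a different site (the CVE case)
        System.out.println(hostMatchesAny("www.bank.example", bankCert));
        System.out.println(hostMatchesAny("login.bank.example", bankCert));
        System.out.println(hostMatchesAny("bank.example", bankCert));
        System.out.println(hostMatchesAny("www.bank.example", otherCert));
    }
}
```

The last case in main is the attack the issue describes: the chain validates, but the certificate was issued for another site, so only the name comparison rejects it. The verify method is what a custom SecureProtocolSocketFactory would call on the SSLSocket it hands back to HttpClient 3.x; wiring it into that factory is left out here because it depends on the attached patch.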