On Wed, 2015-04-01 at 12:47 +0200, Markus Koschany wrote:
> Hello,
>
> I am currently trying to verify for the Debian distribution that
> versions of httpclient are or are not affected by the following security
> vulnerabilities:
>
> CVE-2014-3577
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
>
> CVE-2012-6153
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
>
> I am aware that HttpClient <= 3.1 is EOL now, but there are still
> packages in the archive that depend on exactly this version in Debian.
> We intend to apply a patch from RedHat / Fedora [1] that appears to
> address CVE-2014-3577. However, we would like to ensure that it really
> resolves the issue once and for all.
>
> How can I test that this patch actually addresses the vulnerability? Are
> there any test cases available?
>
All execution paths that were found to be vulnerable now have corresponding test cases here:
http://hc.apache.org/httpcomponents-client-4.4.x/httpclient/xref-test/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.html

Oleg
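For readers who want to see what such a test case has to exercise, here is an added, self-contained Java example (not code from HttpClient, the Fedora patch, or either poster). It assumes the subject DN is handled as a string in the RFC 2253 form that X500Principal.toString() emits; the constructed DN embeds "CN=www.apache.org" inside an escaped O attribute, which is the kind of input the CVE-2014-3577 entry describes. A comma-splitting CN extraction accepts it for host www.apache.org, while an RDN-aware parse using the JDK's LdapName rejects it; the hostname comparison is a plain case-insensitive match, with no wildcard handling.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionCheck {

    // Constructed subject DN (hypothetical names, not from any real certificate):
    // the O attribute contains an escaped comma followed by "CN=www.apache.org",
    // while the certificate's actual CN is attacker.example.
    static final String CRAFTED_DN = "O=foo\\,CN=www.apache.org,CN=attacker.example";

    // Flawed extraction: split on every comma and take whatever follows "CN=",
    // ignoring RFC 2253 escaping, so the text embedded in O is treated as a CN.
    static List<String> naiveCns(String dn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(dn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken();
            int x = tok.indexOf("CN=");
            if (x >= 0) cns.add(tok.substring(x + 3));
        }
        return cns;
    }

    // RDN-aware extraction: parse the DN with LdapName, which honours escaping,
    // and only collect values whose attribute type really is CN.
    static List<String> rdnAwareCns(String dn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cns.add(rdn.getValue().toString());
        }
        return cns;
    }

    // Does any extracted CN equal the host the client intended to reach?
    static boolean hostMatches(String host, List<String> cns) {
        for (String cn : cns) if (cn.equalsIgnoreCase(host)) return true;
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        String host = "www.apache.org";
        // A regression test for the patch should assert the second result is false.
        System.out.println("comma-split verifier accepts crafted DN: " + hostMatches(host, naiveCns(CRAFTED_DN)));
        System.out.println("RDN-aware verifier accepts crafted DN:   " + hostMatches(host, rdnAwareCns(CRAFTED_DN)));
    }
}
```

To turn this into a check against the patched 3.1 package, feed the same DN through the patched verifier's CN extraction and assert that www.apache.org is not accepted; the linked TestDefaultHostnameVerifier covers this and the other paths Oleg mentions for 4.4.x.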
