Your message dated Mon, 11 Feb 2013 01:32:32 +0000
with message-id <e1u4ig0-0001oq...@franck.debian.org>
and subject line Bug#700268: fixed in httpcomponents-client 4.2.1-2
has caused the Debian Bug report #700268,
regarding libhttpclient-java: overly broad certificate wildcard match
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
700268: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libhttpclient-java
Version: 4.2.1-1
Severity: grave
Tags: security

In the version above the common name match of the certificate check was
rewritten. So the versions in squeeze and wheezy are not affected. The
rewritten version contains a bug (uses length of wrong object) and
thereby accepts ssl certificates where it should not.

Let me quote the relevant bits from the upstream bug
https://issues.apache.org/jira/browse/HTTPCLIENT-1255
> According to the findings of [1], the hostname verification in 
> AbstractVerifier.java is not correct. The wildcard prefix extraction uses the 
> dimension of the dotted parts array instead of the length of the first part 
> itself.
> 
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> 
> (This is line 208 of 
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
>  as of Revision 1402320)
> 
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Helmut

--- End Message ---
--- Begin Message ---
Source: httpcomponents-client
Source-Version: 4.2.1-2

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmanc...@debian.org> (supplier of updated httpcomponents-client 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 10 Feb 2013 16:28:27 -0800
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.2.1-2
Distribution: experimental
Urgency: low
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmanc...@debian.org>
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j 
extension
Closes: 700268
Changes: 
 httpcomponents-client (4.2.1-2) experimental; urgency=low
 .
   * Team upload.
   * Apply upstream patch for wildcard certificate match security bug.
     (Closes: #700268)
   * Remove duplicate Copyright: in d/copyright (lintian warning).
   * Bump Standards-Version to 3.9.4 (no changes).
   * Update Vcs-Git field to be "/git/pkg-java"
Checksums-Sha1: 
 3179d07f8b252bac09b3aa95b65beea297fd278a 2500 httpcomponents-client_4.2.1-2.dsc
 8baf74da2c2662970a091107421d9dfbb571bf96 6167 
httpcomponents-client_4.2.1-2.debian.tar.gz
 27499823279632a039e6289df949e3c178a83c51 401662 
libhttpclient-java_4.2.1-2_all.deb
 443057eba1149af75a30968b91edb64d6cad8f1d 53000 libhttpmime-java_4.2.1-2_all.deb
Checksums-Sha256: 
 f18951f93e4c61b33d27b2f9fb3e119014b7f911fcf8a1d603ef201ddb94cfd3 2500 
httpcomponents-client_4.2.1-2.dsc
 e57b8167b844d65bc9173dbd3dfae9f9812094b1c5dcdf155aa7d5beaf1e416b 6167 
httpcomponents-client_4.2.1-2.debian.tar.gz
 f52e61724a02b5604aa3fa939bbcd9a8626493d1a7b8b40789a94595b2186522 401662 
libhttpclient-java_4.2.1-2_all.deb
 a435612c0531ba9cbdd4ad0e05cb5719ec5e5d641bf0c61ae7ffbbcfc1c70f27 53000 
libhttpmime-java_4.2.1-2_all.deb
Files: 
 7a559acd6fc12f3722e8183087c47c56 2500 java optional 
httpcomponents-client_4.2.1-2.dsc
 82bf41302cd93f3592e047d1e692e2ec 6167 java optional 
httpcomponents-client_4.2.1-2.debian.tar.gz
 ca31c315d5c02153ff4fc437eaf7ab7d 401662 java optional 
libhttpclient-java_4.2.1-2_all.deb
 653ab7222ff0fca3c0dc8916a8bb2ec1 53000 java optional 
libhttpmime-java_4.2.1-2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJRGEZXAAoJECHSBYmXSz6W6YwQAMmMvBLnr4rph3TzRzJkvBZe
0Znb3qBtQhZQUcUMOwNHxMovaHSw9E0wiNc+9fcClqdJNGP43oFZUX+tzb5doZVy
s+OL7SBmwPQMAih7YJZvpnQx3SNRJs8p84q7CFI8CvyBcSoTqflvtHQyF8OL29+4
Rb3udxP7xztsSzl2anXHchRmXI61zsK/8nC9KRK5IkM9qGeCRQY+FWx8IksiOsSY
sBHGrJUf32z5yExJmzMJPEgJU31fSvlAwwbecJ/degP7V7QEXZBzFTaacd6ZaAFs
iEMeH+EFDtA1dvGv4dgs5vwI6eVLyGy18F7km1BTbMBncNsB1pNRTN3LXXcSrquT
86ZT6fLJC0+zEA8KBCIcnX8yMHWeVH76PH6YCEfz2ee9GgdAho6Sy+0Lvj2ndGTy
GeXc5IfcZtX3FS/oifzmCCrUmZRmDm1Xv/9rxsRGcUlE8+5gdBHSjP0P50LQOBPS
qFbM5MlmG9d8S2fHNgdnLJqCTgX952Ln332QXexokHV7P0A4MO2GtXw1K/LMqQTY
EBWFDQNIY2cKfz70hpRmNPTQiC1TMmhl33fGHVUp89Nzf/q7Spk8R6Eqgvvhrnl7
gfX9D3etnafDt7JM5XfapSlqa3yoOesJ9XgIn0Rfu16MxBCOVdeUjVLpb6yLhcOJ
nqhGhNDmwq+BELznmsQG
=2ee0
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to