On 23.03.2015 17:04, Emmanuel Bourg wrote:
> Le 23/03/2015 16:43, Moritz Muehlenhoff a écrit :
> 
>> *ping*, the release is getting closer.
> 
> I'm still missing a test case to ensure the patch does indeed address
> the issue.

Hi,

a way to reproduce this issue was mentioned by upstream here:

https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

To clarify:

CVE-2012-6153 was assigned because of an incomplete fix for
CVE-2012-5783. The latter is already addressed in Debian's package.

However CVE-2012-6153 was still incomplete, so that CVE-2014-3577 had to
be created.

See this comment in RedHat's bug tracker.

https://bugzilla.redhat.com/show_bug.cgi?id=1129916#c15

The fix for CVE-2014-3577 is supposed to fix CVE-2012-5783 and
CVE-2012-6153 which means we have to replace the current

06_fix_CVE-2012-5783.patch

with the one Raphael Hertzog mentioned earlier in this thread.

https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch

By the way
https://packages.qa.debian.org/h/httpcomponents-client.html

in wheezy and squeeze is also affected by CVE-2014-3577.

I will try to verify that the centos patch works.

Regards,

Markus


Attachment: signature.asc
Description: OpenPGP digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to