Your message dated Mon, 13 Apr 2015 17:05:26 +0000
with message-id <e1yhhna-0001cz...@franck.debian.org>
and subject line Bug#758086: fixed in commons-httpclient 3.1-11
has caused the Debian Bug report #758086,
regarding CVE-2014-3577 Apache HttpComponents hostname verification bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
758086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153

It was found that the fix for CVE-2012-5783 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN field
was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where
the attacker can spoof a valid certificate using a specially crafted subject.

This issue was discovered by Florian Weimer of Red Hat Product Security.

---
Henri Salo

--- End Message ---
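The report above says the CN check added for CVE-2012-5783 was flawed and that a crafted subject defeats it. The following is an added illustration, not code from commons-httpclient or from this report: it assumes, for the sake of the example, a check that recovers the CN by scanning the subject DN's string form, and sets it beside a structured RDN parse. Both subject strings are constructed.

```python
# Added illustration, not code from commons-httpclient or the Debian report.
# A hostname check that recovers the CN by scanning the subject DN's string
# form is fragile: another attribute's value may legitimately contain "CN=".
# Parsing the DN into RDNs first avoids that. Both subjects are constructed.
SUBJECT_HONEST = "CN=www.bank.example, O=Bank Ltd, C=GB"
# '=' and spaces need no escaping in an RFC 4514 value, so this DN is
# well-formed and its only CN is attacker.example.
SUBJECT_CRAFTED = "CN=attacker.example, O=Evil Co CN=www.bank.example"

def naive_cns(subject):
    """Flawed style: split on ',' and take whatever follows 'CN='."""
    cns = []
    for tok in subject.split(","):
        at = tok.find("CN=")
        if at >= 0:
            cns.append(tok[at + 3:].strip())
    return cns

def parse_rdns(subject):
    """Split a DN string into (attribute, value) pairs, honouring backslash
    escapes and double-quoted values; ',' and '+' separate components."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(subject):
        c = subject[i]
        if c == "\\" and i + 1 < len(subject):  # escaped char, keep literally
            buf.append(subject[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in ",+" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def structured_cns(subject):
    """Only values whose attribute type really is CN."""
    return [v for a, v in parse_rdns(subject) if a == "CN"]

def hostname_matches(hostname, cns):
    """Exact, case-insensitive match. A real verifier consults subjectAltName
    dNSName entries first (RFC 6125); CN logic is shown as the report's topic."""
    return hostname.lower() in [cn.lower() for cn in cns]
```

With the crafted subject, `naive_cns` reports a CN of www.bank.example that the certificate does not carry, while `structured_cns` returns only attacker.example.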
--- Begin Message ---
Source: commons-httpclient
Source-Version: 3.1-11

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 758...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2015 22:57:54 +0100
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-11
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description:
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes:
 commons-httpclient (3.1-11) unstable; urgency=high
 .
   * Team upload.
   * Add CVE-2014-3577.patch. (Closes: #758086)
     It was found that the fix for CVE-2012-6153 was incomplete: the code added
     to check that the server hostname matches the domain name in a subject's
     Common Name (CN) field in X.509 certificates was flawed. A
     man-in-the-middle attacker could use this flaw to spoof an SSL server using
     a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
     intended to address the incomplete patch for CVE-2012-5783. The issue is
     now completely resolved by applying this patch and the
     06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
