Your message dated Mon, 13 Apr 2015 17:05:26 +0000
with message-id <[email protected]>
and subject line Bug#758086: fixed in commons-httpclient 3.1-11
has caused the Debian Bug report #758086,
regarding CVE-2014-3577 Apache HttpComponents hostname verification bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
758086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153
It was found that the fix for CVE-2012-5783 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN field
was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where
the attacker can spoof a valid certificate using a specially crafted subject.
This issue was discovered by Florian Weimer of Red Hat Product Security.
---
Henri Salo
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: commons-httpclient
Source-Version: 3.1-11
We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated commons-httpclient
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 23 Mar 2015 22:57:54 +0100
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-11
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes:
commons-httpclient (3.1-11) unstable; urgency=high
.
* Team upload.
* Add CVE-2014-3577.patch. (Closes: #758086)
It was found that the fix for CVE-2012-6153 was incomplete: the code added
to check that the server hostname matches the domain name in a subject's
Common Name (CN) field in X.509 certificates was flawed. A
man-in-the-middle attacker could use this flaw to spoof an SSL server using
a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
intended to address the incomplete patch for CVE-2012-5783. The issue is
now completely resolved by applying this patch and the
06_fix_CVE-2012-5783.patch.
* Change java.source and java.target ant properties to 1.5, otherwise
commons-httpclient will not compile with this patch.
Checksums-Sha1:
6813d403d1100210a3adc632a8e7dcff477c4d61 2028 commons-httpclient_3.1-11.dsc
15202a3ff56c0f5336ce35ba95f6b07d293d89ad 12444
commons-httpclient_3.1-11.debian.tar.xz
95e5b8d3ac5bb3f5ff7b1affebbb984bfb23f68f 302008
libcommons-httpclient-java_3.1-11_all.deb
bc3bbb89be84880a18be2716d6abd7ee39a18b03 766086
libcommons-httpclient-java-doc_3.1-11_all.deb
Checksums-Sha256:
81b0cbe1b1804c5c43cac7d089ba9ca65fe971ef3015602c8c790193a87eb3a6 2028
commons-httpclient_3.1-11.dsc
51feecd75226900f90e52eaa2b3660579b0e734740ef07cffb8f1a6c3db9aaeb 12444
commons-httpclient_3.1-11.debian.tar.xz
e7ccb4f5e34d6750a07da64ca86a73ec9bd81b47eaea4815bed694b4e6e4f521 302008
libcommons-httpclient-java_3.1-11_all.deb
74a38afa380426fd5c626751d95779dd6ccc36bb3705489a36759606e71bd3a4 766086
libcommons-httpclient-java-doc_3.1-11_all.deb
Files:
2793d3bf04df3bf4b6d8bd11dd0db543 2028 java optional
commons-httpclient_3.1-11.dsc
18ce71adc3c0c83fa1555d8eb426b3f3 12444 java optional
commons-httpclient_3.1-11.debian.tar.xz
3291b34ed300ca218163ec3807c1d181 302008 java optional
libcommons-httpclient-java_3.1-11_all.deb
7d6a72907b03943d5ff2d889dc388995 766086 doc optional
libcommons-httpclient-java-doc_3.1-11_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJVK+2eAAoJEFb2GnlAHawEkQMH/AwsHevlwJXk1AhDJriltKMT
jzC4Jz0iXo1Rccb7+vvCwW6Uk8VLRDEAC2bVGiHOT5CoE/Nkr2j6I6YyZDniPDc3
RC8c/QC0oY0NHrH7fAxm25HLNLVfRGWUz7/TdS2ceUruP3/08Baa4PlvaYZb/+01
r+aw3eP/us8V92nftahoa4kl+/mo8/utT7oCNcc16Zhd57/5CQ+AV+bIDeLcAE16
vgxbIatV74qZBEhmBQDqvKya/DS2xGaWILozmQw+/T9IPZTI010aHlz9/YWQdlaA
AkwWyvyWYT7ZmmZ8Xl2/sKjvVdqNQsxmx0nBvJzOHoLTy8iNFwd8cCtUzNHEf44=
=c2Gn
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.
