Your message dated Sat, 16 May 2015 06:03:38 +0000
with message-id <e1ytvce-00068h...@franck.debian.org>
and subject line Bug#758086: fixed in commons-httpclient 3.1-10.2+deb7u1
has caused the Debian Bug report #758086,
regarding CVE-2014-3577 Apache HttpComponents hostname verification bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
758086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153

It was found that the fix for CVE-2012-5783 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN field
was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where
the attacker can spoof a valid certificate using a specially crafted subject.

This issue was discovered by Florian Weimer of Red Hat Product Security.

---
Henri Salo

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Source: commons-httpclient
Source-Version: 3.1-10.2+deb7u1

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 758...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated commons-httpclient 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2015 21:24:48 +0200
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-10.2+deb7u1
Distribution: wheezy
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description: 
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes: 
 commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high
 .
   * Team upload.
   * Add CVE-2014-3577.patch. (Closes: #758086)
     It was found that the fix for CVE-2012-6153 was incomplete: the code added
     to check that the server hostname matches the domain name in a subject's
     Common Name (CN) field in X.509 certificates was flawed. A
     man-in-the-middle attacker could use this flaw to spoof an SSL server using
     a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
     intended to address the incomplete patch for CVE-2012-5783. The issue is
     now completely resolved by applying this patch and the
     06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.
Checksums-Sha1: 
 ca26cd0f2a5be0029a7b2e8d56cf85fb38c31d1e 2526 
commons-httpclient_3.1-10.2+deb7u1.dsc
 0c6dfbf3d0d47cfc70595d2b15223a59f264795b 13684 
commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 301f4d1a8f1e400f257c13cd222981d60696584c 299718 
libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 b87b0f77aba48d6177092356e96e2b149f840283 1547514 
libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Checksums-Sha256: 
 219a2ecdf758361cec1ea85bce645115c14bf609dc7b565cd0ab5aee610f6cb1 2526 
commons-httpclient_3.1-10.2+deb7u1.dsc
 e977a7922cff20c65fb6dcfbd9bb2f11e2f079245edddc68567055dd0e444cac 13684 
commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 7bafb3dc4b04d2c0af8ecb8010eae11b63496c57184fe1bd6b812f824eee2037 299718 
libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 47af253e18f750a10ff226c487aceadb056a78a913a6ab3c1d66667022b620bd 1547514 
libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Files: 
 022067c70b0363ea2c1fa31542290b64 2526 java optional 
commons-httpclient_3.1-10.2+deb7u1.dsc
 8a5862dc9b0b0898c61e438359eec285 13684 java optional 
commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 4deb3d76811d48c359dcbe0616f76b41 299718 java optional 
libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 e1708de058fde033592dc11b9468294b 1547514 doc optional 
libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJVVPY9XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGr8sQAMVXI1PRDTmuQsdtYFzXkBlp
sg7R1HAR7VSTBpJiM71VCaY3Q8E6Kc0Rz4u0WsHX2Zbn/RjN2634h/BHa781n9sN
RS1DtUjdsIC3vWcWA6D+MyrcIsc8HjYjfU4++MwuXOf4STsiZFCRF1mn+/+umW2K
D+z+03KuNNre/WIkyESqK5lF4l3fq0AUlexWJc7yZkscQwfLwE3sc3CXf0octwbc
5hieqg1lc7rfOWjj7KgK6HAAhYbqP1gJH6wCaoQkMohWauRdVJXLVConWCYKcVdS
R5yVWpu8/8v0C5IfzOMDSToRJyO/wknDqBsHYOKJw8CJgAgOnu/qvi2E+HE/Cooy
qYhmf/jMo6s1jj+kuZvrbGfW0hWW3JDb/Ooq17iU5r+f4D7HfBp8tjq+ZjPLBUXs
x0KMww9VzLFExVY+ySRk6J4B+YwgVwVXxQrWA+BCV2+SrwvdRqh3oQDVWa8IJONW
uOdKdrBu+GAbsOBFi/M81YgtmcJWyUX75ZjSDgXD9HrX4goiaS+/ZqvIVoMvmk+f
hN1QAcYFTbfKCZwiqJZ+GHBW6D2jqtpIphOXudsQFaeQKtykybbG+P1yOHIQoy1v
kFwGMnGRTrqCqZ9ajUdS7eTUweSjKZkZKsqKyGDXm2WWRPXjxHLXP/gv9tQu2Pfq
l4QFD1nwITCaQ/Wi22/H
=K+gw
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to