Your message dated Sat, 16 May 2015 06:03:38 +0000
with message-id <[email protected]>
and subject line Bug#758086: fixed in commons-httpclient 3.1-10.2+deb7u1
has caused the Debian Bug report #758086,
regarding CVE-2014-3577 Apache HttpComponents hostname verification bypass
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
758086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153
It was found that the fix for CVE-2012-5783 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN field
was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where
the attacker can spoof a valid certificate using a specially crafted subject.
This issue was discovered by Florian Weimer of Red Hat Product Security.
---
Henri Salo
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: commons-httpclient
Source-Version: 3.1-10.2+deb7u1
We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated commons-httpclient
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 15 Apr 2015 21:24:48 +0200
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-10.2+deb7u1
Distribution: wheezy
Urgency: high
Maintainer: Debian Java Maintainers
<[email protected]>
Changed-By: Markus Koschany <[email protected]>
Description:
libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes:
commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high
.
* Team upload.
* Add CVE-2014-3577.patch. (Closes: #758086)
It was found that the fix for CVE-2012-6153 was incomplete: the code added
to check that the server hostname matches the domain name in a subject's
Common Name (CN) field in X.509 certificates was flawed. A
man-in-the-middle attacker could use this flaw to spoof an SSL server using
a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
intended to address the incomplete patch for CVE-2012-5783. The issue is
now completely resolved by applying this patch and the
06_fix_CVE-2012-5783.patch.
* Change java.source and java.target ant properties to 1.5, otherwise
commons-httpclient will not compile with this patch.
Checksums-Sha1:
ca26cd0f2a5be0029a7b2e8d56cf85fb38c31d1e 2526
commons-httpclient_3.1-10.2+deb7u1.dsc
0c6dfbf3d0d47cfc70595d2b15223a59f264795b 13684
commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
301f4d1a8f1e400f257c13cd222981d60696584c 299718
libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
b87b0f77aba48d6177092356e96e2b149f840283 1547514
libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Checksums-Sha256:
219a2ecdf758361cec1ea85bce645115c14bf609dc7b565cd0ab5aee610f6cb1 2526
commons-httpclient_3.1-10.2+deb7u1.dsc
e977a7922cff20c65fb6dcfbd9bb2f11e2f079245edddc68567055dd0e444cac 13684
commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
7bafb3dc4b04d2c0af8ecb8010eae11b63496c57184fe1bd6b812f824eee2037 299718
libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
47af253e18f750a10ff226c487aceadb056a78a913a6ab3c1d66667022b620bd 1547514
libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Files:
022067c70b0363ea2c1fa31542290b64 2526 java optional
commons-httpclient_3.1-10.2+deb7u1.dsc
8a5862dc9b0b0898c61e438359eec285 13684 java optional
commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
4deb3d76811d48c359dcbe0616f76b41 299718 java optional
libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
e1708de058fde033592dc11b9468294b 1547514 doc optional
libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQJ8BAEBCgBmBQJVVPY9XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGr8sQAMVXI1PRDTmuQsdtYFzXkBlp
sg7R1HAR7VSTBpJiM71VCaY3Q8E6Kc0Rz4u0WsHX2Zbn/RjN2634h/BHa781n9sN
RS1DtUjdsIC3vWcWA6D+MyrcIsc8HjYjfU4++MwuXOf4STsiZFCRF1mn+/+umW2K
D+z+03KuNNre/WIkyESqK5lF4l3fq0AUlexWJc7yZkscQwfLwE3sc3CXf0octwbc
5hieqg1lc7rfOWjj7KgK6HAAhYbqP1gJH6wCaoQkMohWauRdVJXLVConWCYKcVdS
R5yVWpu8/8v0C5IfzOMDSToRJyO/wknDqBsHYOKJw8CJgAgOnu/qvi2E+HE/Cooy
qYhmf/jMo6s1jj+kuZvrbGfW0hWW3JDb/Ooq17iU5r+f4D7HfBp8tjq+ZjPLBUXs
x0KMww9VzLFExVY+ySRk6J4B+YwgVwVXxQrWA+BCV2+SrwvdRqh3oQDVWa8IJONW
uOdKdrBu+GAbsOBFi/M81YgtmcJWyUX75ZjSDgXD9HrX4goiaS+/ZqvIVoMvmk+f
hN1QAcYFTbfKCZwiqJZ+GHBW6D2jqtpIphOXudsQFaeQKtykybbG+P1yOHIQoy1v
kFwGMnGRTrqCqZ9ajUdS7eTUweSjKZkZKsqKyGDXm2WWRPXjxHLXP/gv9tQu2Pfq
l4QFD1nwITCaQ/Wi22/H
=K+gw
-----END PGP SIGNATURE-----
--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.
