On Apr/15, Markus Koschany wrote:
I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The
patch is identical to the Jessie / Sid fix. Do you consider this
vulnerability important enough for a DSA or do you prefer a point
release update?
Hi Markus,
this issue was marked no-dsa
Hello security team,
I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The
patch is identical to the Jessie / Sid fix. Do you consider this
vulnerability important enough for a DSA or do you prefer a point
release update?
Regards,
Markus
[1] https://bugs.debian.org/758086
Hi,
Since the last maintainer upload was well over three years ago and there have
been several unacknowledged NMU's since then, I've taken the liberty to upload
Markus' good work as-is to unstable to fix this security issue for jessie.
Cheers,
Thijs
signature.asc
Description: This is a
Some more information about this issue. TL;DR this is actually
CVE-2014-3577. Debian's package is not affected by CVE-2012-6153.
I recommend to fix this bug by applying the debdiff from my last e-mail.
We currently apply the 06_fix_CVE-2012-5783.patch [1]. Now I am sure
that this patch fixes two
Processing commands for cont...@bugs.debian.org:
retitle 758086 CVE-2014-3577 Apache HttpComponents hostname verification
bypass
Bug #758086 [commons-httpclient] CVE-2012-6153: Apache HttpComponents client:
Hostname verification susceptible to MITM attack
Changed Bug title to 'CVE-2014-3577
5 matches
Mail list logo
