Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-28 Thread Raphael Hertzog
Control: tag -1 + security patch

(this is not about commons-httpclient but about httpcomponents-client)

On Fri, 11 Sep 2015, Guido Günther wrote:
> > Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> > the version 4.3.6. So if this is really a security issue the
> > httpcomponents-client package in stable and oldstable is also affected.
> 
> I do think so but I haven't checked yet and
[...]
> claim that it's not yet reproduced for httpcomponents-client 4.2.x;
> that's why I didn't file a bug for httpcomponents-client yet until
> this is investigated further.

I did look into the source code and it looks like that this was a
regression in 4.3.x. So only jessie is affected. squeeze, wheezy (and
likely sid) seem to be fine.

Coming back to commons-httpclient:

RedHat produced a patch here:
https://bugzilla.redhat.com/attachment.cgi?id=1072467&action=diff
Part of https://bugzilla.redhat.com/show_bug.cgi?id=1259892

BTW, would it not be possible to get rid of commons-httpclient
if it has been obsoleted by httpcomponents-client?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

__
This is the maintainer address of Debian's Java team
. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Processed: Re: Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-28 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + security patch
Bug #798650 [src:commons-httpclient] CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake
Added tag(s) patch and security.

-- 
798650: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798650
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-11 Thread Guido Günther
Source: commons-httpclient
Version: 3.1-11
Severity: important

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892

Cheers,
 -- Guido

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-11 Thread Guido Günther
Hi,
On Fri, Sep 11, 2015 at 04:20:42PM +0200, Emmanuel Bourg wrote:
> On 11/09/2015 15:12, Guido Günther wrote:
> 
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892
> 
> Thank you for the report Guido. A hanging connection is certainly
> annoying but I fail to understand why it's flagged as a security
> vulnerability.

Since a malicious server can starve client connections _although_ the
client took countermeasures to prevent this (by setting a timeout).

> Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> the version 4.3.6. So if this is really a security issue the
> httpcomponents-client package in stable and oldstable is also affected.

I do think so but I haven't checked yet and

https://bugzilla.redhat.com/show_bug.cgi?id=1261538

as well as

https://issues.apache.org/jira/browse/HTTPCLIENT-1478?focusedCommentId=13926162&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13926162

claim that it's not yet reproduced for httpcomponents-client 4.2.x;
that's why I didn't file a bug for httpcomponents-client yet until
this is investigated further.

Cheers,
 -- Guido

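Guido's point above (the client configured a read timeout, yet a server that completes the TCP handshake and then goes silent can hold the client indefinitely, because the timeout is not in force while the TLS handshake runs) can be reproduced at the socket level without HttpClient. The script below is an added example written for this page; it is not code from the thread, from the Debian packages or from Apache HttpClient, and the names `start_silent_server`, `tls_connect` and `demonstrate`, the 127.0.0.1 listener on a kernel-chosen port, the 2-second hang and the 0.5-second timeout are all assumptions made for the demonstration. It starts a constructed "malicious" server that accepts the connection and never sends a ServerHello, then runs a TLS client twice: once with the socket timeout in force before `do_handshake()` (the fixed behaviour) and once with the timeout removed around the handshake, which emulates the pattern HTTPCLIENT-1478 describes, where the timeout only takes effect after the handshake has already returned.

```python
import socket
import ssl
import threading
import time

# Constructed parameters for the demonstration (assumptions, not values from the thread).
HANG_SECONDS = 2.0      # how long the silent server holds the connection before closing it
CLIENT_TIMEOUT = 0.5    # the client's socket (read) timeout, i.e. what http.socket.timeout sets


def start_silent_server(hang_seconds=HANG_SECONDS):
    """Start a stand-in for a malicious HTTPS server on 127.0.0.1.

    It completes the TCP handshake (so a connect timeout is satisfied) and then
    never sends a ServerHello.  After hang_seconds it closes the connection so
    that the demonstration terminates.  Returns the listening port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    srv.listen(1)                   # listen before returning so connect() never races accept()
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        time.sleep(hang_seconds)    # read nothing, write nothing
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def tls_connect(port, timeout=CLIENT_TIMEOUT, timeout_before_handshake=True):
    """Connect to the silent server and run the TLS handshake.

    timeout_before_handshake=True  : the socket timeout is in force during the
                                     handshake (correct behaviour).
    timeout_before_handshake=False : emulates the bug: the handshake runs in
                                     blocking mode, the timeout would only be
                                     applied afterwards.
    Returns (outcome, elapsed_seconds); outcome is "timeout" if the client's
    own timeout fired, "closed" if it only failed because the server closed
    the connection (FIN or RST), or "ok" if the handshake succeeded.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # no certificate is ever presented; the handshake never gets that far
    ctx.verify_mode = ssl.CERT_NONE
    # The connect timeout is honoured in both variants, as in the bug report.
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout)
    if not timeout_before_handshake:
        raw.settimeout(None)        # blocking mode: nothing bounds the handshake
    tls = ctx.wrap_socket(raw, server_hostname="localhost",
                          do_handshake_on_connect=False)
    start = time.monotonic()
    try:
        tls.do_handshake()
        outcome = "ok"
    except socket.timeout:          # our timeout fired: the client stays in control
        outcome = "timeout"
    except (ssl.SSLError, OSError): # the server gave up first: our timeout was ignored
        outcome = "closed"
    finally:
        elapsed = time.monotonic() - start
        tls.close()
    return outcome, elapsed


def demonstrate():
    """Run both variants against fresh silent servers and return their results."""
    fixed = tls_connect(start_silent_server(), timeout_before_handshake=True)
    buggy = tls_connect(start_silent_server(), timeout_before_handshake=False)
    return {"fixed": fixed, "buggy": buggy}


if __name__ == "__main__":
    for name, (outcome, elapsed) in demonstrate().items():
        print(f"{name:5}: {outcome:7} after {elapsed:.2f}s")
```

The fixed client gives up after roughly the configured timeout, while the buggy one sits in the handshake until the server decides to close and only then fails; with a server that never closes, that is the starvation the CVE describes. A listener that accepts and never answers is also the cheapest way to check whether any HTTPS client library actually applies its read timeout to the handshake rather than only to the request that follows it.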


Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

2015-09-11 Thread Emmanuel Bourg
On 11/09/2015 15:12, Guido Günther wrote:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892

Thank you for the report Guido. A hanging connection is certainly
annoying but I fail to understand why it's flagged as a security
vulnerability.

Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
the version 4.3.6. So if this is really a security issue the
httpcomponents-client package in stable and oldstable is also affected.

[1] https://issues.apache.org/jira/browse/HTTPCLIENT-1478
