Processed: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Debian Bug Tracking System
Processing control commands: > severity -1 serious Bug #758086 [commons-httpclient] CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack Severity set to 'serious' from 'important' > tags -1 patch Bug #758086 [commons-httpclient] CVE-2012-6153: Apache HttpC

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Markus Koschany
Control: severity -1 serious Control: tags -1 patch I am raising the severity to serious because I think we want to fix this for Jessie. I have created a debdiff which is attached to this e-mail. I haven't found a simple way yet to connect to an SSL protected web server and to test this library.

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Markus Koschany
On 23.03.2015 17:04, Emmanuel Bourg wrote: > On 23/03/2015 16:43, Moritz Muehlenhoff wrote: > >> *ping*, the release is getting closer. > > I'm still missing a test case to ensure the patch does indeed address > the issue. Hi, a way to reproduce this issue was mentioned by upstream here: ht

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Emmanuel Bourg
On 23/03/2015 16:43, Moritz Muehlenhoff wrote: > *ping*, the release is getting closer. I'm still missing a test case to ensure the patch does indeed address the issue. Emmanuel Bourg __ This is the maintainer address of Debian's Java team

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2015-03-23 Thread Moritz Muehlenhoff
On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote: > On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote: > > Hi, > > > > On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote: > > > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: > > > > Is there an example a

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-12-29 Thread Moritz Mühlenhoff
On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote: > Hi, > > On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote: > > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: > > > Is there an example available somewhere of a subject improperly parsed > > > by commons-httpclient/3

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-09-22 Thread Raphael Hertzog
Hi, On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote: > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: > > Is there an example available somewhere of a subject improperly parsed > > by commons-httpclient/3.1-10.2? This would help backporting the fix to > > this version. > > I thin

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-08-18 Thread Salvatore Bonaccorso
Hi Emmanuel, On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote: > Hi Henri, > > Thank you for the report. > > Is there an example available somewhere of a subject improperly parsed > by commons-httpclient/3.1-10.2? This would help backporting the fix to > this version. I think this

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-08-14 Thread Emmanuel Bourg
Hi Henri, Thank you for the report. Is there an example available somewhere of a subject improperly parsed by commons-httpclient/3.1-10.2? This would help backporting the fix to this version. Emmanuel Bourg

Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

2014-08-14 Thread Henri Salo
Package: commons-httpclient Version: 3.1-10.2 Severity: important Tags: security https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153 It was found that the fix for CVE-2012-5783 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field