[SECURITY] [DLA 222-1] commons-httpclient security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 222-1] commons-httpclient security update
From: Thorsten Alteholz <debian@alteholz.de>
Date: Tue, 19 May 2015 17:18:39 +0200 (CEST)
Message-id: <[🔎] alpine.DEB.2.02.1505191717270.28313@jupiter.server.alteholz.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : commons-httpclient
Version        : 3.1-9+deb6u1
CVE ID         : CVE-2012-5783 CVE-2012-6153 CVE-2014-3577

CVE-2012-5783 and CVE-2012-6153
   Apache Commons HttpClient 3.1 did not verify that the server hostname
   matches a domain name in the subject's Common Name (CN) or subjectAltName
   field of the X.509 certificate, which allows man-in-the-middle attackers to
   spoof SSL servers via an arbitrary valid certificate.
   Thanks to Alberto Fernandez Martinez for the patch.

CVE-2014-3577
   It was found that the fix for CVE-2012-6153 was incomplete: the code added
   to check that the server hostname matches the domain name in a subject's
   Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle
   attacker could use this flaw to spoof an SSL server using  a specially
   crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address
   the incomplete patch for CVE-2012-5783. The issue is now completely resolved
   by applying this patch and the one for the previous CVEs


This upload was prepared by Markus Koschany.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJVW1RPXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHi+8QAJ6ldSzSu/hQS4CaSEtk8pee
ymaTs7NJMTJsd8fht0OmkNZz0jB5DK/6OiKYiYxNotJIoPcuJwX7P1A06TjgxvGO
rK09YgFpiOO2ilGrDVhclcviFQO7Op4FzzjKOXzTRStiYX/P/Olw3PGx4jiUdqAP
9ADKTdKm1T5uz4RmYDRTpGjvgJrnq5+3PLqT6b7J0RAaSGe1XNh7XOB0LzHNnk89
UJaif6Mcpnr9Pw14fUuiWwchnUqjVjI/u5rIUDDv8i/IiPpd3lek0yy0532g4HM3
AjVBteHBQBYbEGZK/O3tcAILENw+YRJ3S30LPh5P2BaaQ3O2Zjmh5d+tY6OziD8T
qdxEvP7zdiw3bxyIjfpIJTNB3xxan/CrvDZ/PdPhNoUB52ZuqUclgf7F0aD6FTqO
aRqcPuRCkwnvjyU5UIxaCVI1U59LDShv59ztniQpkxXb5Mn0JpqHmxMD4T51bc9K
6ZBQdVvpYWKse5WKkbD3nYzzRVk/NgUi03ZIJ6ps0g0FY+NEBg5DxRb5b1Ef/kvg
chHGEN/44Wg1CYVPFzPe7NOxOIkW032NOSLC/ycAWEg28rH0PKGIRv78wApnb2xd
uQwOdnW5gyIruroCAgTPgBP4ZXrA6f2CPMg1yT9QXTEcX4Pf7Xh1szEG4HPD9SbV
DZud12JzKaUHMJohxYtG
=l4a0
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 224-1] ruby1.8 security update
Next by Date: [SECURITY] [DLA 225-1] dnsmasq security update
Previous by thread: [SECURITY] [DLA 224-1] ruby1.8 security update
Next by thread: [SECURITY] [DLA 225-1] dnsmasq security update
Index(es):
- Date
- Thread