[SECURITY] [DLA 2405-1] httpcomponents-client security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-2405-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
October 10, 2020                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : httpcomponents-client
Version        : 4.5.2-2+deb9u1
CVE ID         : CVE-2020-13956

Oleg Kalnichevski discovered that httpcomponents-client, a Java library
for building HTTP-aware applications, can misinterpret a malformed
authority component in request URIs passed to the library as a
java.net.URI object and pick the wrong target host for request
execution.

For Debian 9 stretch, this problem has been fixed in version
4.5.2-2+deb9u1.

We recommend that you upgrade your httpcomponents-client packages.

For the detailed security status of httpcomponents-client please refer
to its security tracker page at:
https://security-tracker.debian.org/tracker/httpcomponents-client

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
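
A caller-side check for the malformed-authority problem described above, as an added example (not code from httpcomponents-client or from the Debian fix): before a java.net.URI is handed to an HTTP client, it requires that the authority parses as a server authority with a definite host. The class name, the allowlist and the sample URIs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

public class StrictRequestUri {
    // Constructed allowlist for this example; replace with the hosts your application may call.
    private static final Set<String> ALLOWED_HOSTS = Collections.singleton("api.example.org");

    /** Returns the URI only if its authority parses as a server authority naming an allowed host. */
    static URI requireServerAuthority(URI uri) throws URISyntaxException {
        if (!uri.isAbsolute() || uri.isOpaque()) {
            throw new URISyntaxException(uri.toString(), "absolute hierarchical URI required");
        }
        // java.net.URI accepts authorities it cannot split into host and port and
        // reports getHost() == null for them; parseServerAuthority() throws instead.
        URI parsed = uri.parseServerAuthority();
        String host = parsed.getHost();
        if (host == null) {
            throw new URISyntaxException(uri.toString(), "URI has no host");
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new URISyntaxException(uri.toString(), "host is not on the allowlist");
        }
        return parsed;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "https://api.example.org/v1/status",   // well-formed, allowed host
            "https://other.example.net/v1/status", // well-formed, host not allowed
            "http://bad_host.example/v1/status",   // authority is not a valid server authority
            "mailto:ops@example.org"               // opaque URI, no authority at all
        };
        for (String s : samples) {
            try {
                URI ok = requireServerAuthority(URI.create(s));
                System.out.println("accept " + ok + " (host " + ok.getHost() + ")");
            } catch (URISyntaxException e) {
                System.out.println("reject " + e.getMessage());
            }
        }
    }
}
```

This is defense in depth for the calling application; the fix itself is the package upgrade to 4.5.2-2+deb9u1.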