[Secure-testing-commits] r36877 - data/CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Mon Sep 28 14:28:01 UTC 2015
Author: hertzog
Date: 2015-09-28 14:28:01 +0000 (Mon, 28 Sep 2015)
New Revision: 36877
Modified:
data/CVE/list
Log:
Investigate CVE-2015-5262
All versions of commons-httpclient are likely vulnerable but only the
jessie version of httpcomponents-client is affected.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2015-09-28 14:27:53 UTC (rev 36876)
+++ data/CVE/list 2015-09-28 14:28:01 UTC (rev 36877)
@@ -5134,13 +5134,17 @@
CVE-2015-5263
RESERVED
NOT-FOR-US: Pulp (Red Hat)
-CVE-2015-5262
+CVE-2015-5262 [Possible DoS due to failure to set socket timeout on SSL connections]
RESERVED
- - httpcomponents-client <unfixed>
+ - httpcomponents-client 4.3.6-1 (low)
+ [squeeze] - httpcomponents-client <not-affected> (Regression introduced in 4.3.0)
+ [wheezy] - httpcomponents-client <not-affected> (Regression introduced in 4.3.0)
- commons-httpclient <unfixed> (bug #798650)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1261538
- NOTE: https://issues.apache.org/jira/browse/HTTPCLIENT-1478
+ NOTE: https://issues.apache.org/jira/browse/HTTPCLIENT-1478 says it's really fixed in 4.3.6 and that 4.2.x did not have this bug.
NOTE: Proposed patch for commons-httpclient: https://bugzilla.redhat.com/show_bug.cgi?id=1259892
+ NOTE: Checked that both 4.0.1 (in Squeeze) and 4.1.1 (in Wheezy) have the call to set the timout before the SSL connection is opened.
+ NOTE: Jessie's 4.3.5-2 is however missing the upstream patch: http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?r1=1560975&r2=1626784
CVE-2015-5261
RESERVED
CVE-2015-5260 [Insufficient validation of surface_id parameter can cause crash]
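Review bot: the NOTE line `+ NOTE: Checked that both 4.0.1 (in Squeeze) and 4.1.1 (in Wheezy) have the call to set the timout before the SSL connection is opened.` has a typo, "timout" should read "timeout", since these NOTE strings are shown verbatim in the tracker. Separately, the commit message states that all versions of commons-httpclient are likely vulnerable, but the list entry `- commons-httpclient <unfixed> (bug #798650)` carries no NOTE recording that assessment; consider adding one next to it so the rationale for keeping commons-httpclient as <unfixed> in every suite lives in data/CVE/list rather than only in the log message.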