Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

Moritz Mühlenhoff jmm at inutil.org
Mon Dec 29 21:25:24 UTC 2014


On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > > Is there an example available somewhere of a subject improperly parsed
> > > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > > this version.
> > 
> > I think this is already fixed in 3.1-10.2, see the Red Hat bug as
> > reference and See https://bugs.debian.org/692442#56 and and following
> > mails.
> 
> I don't understand this from those mails. On the contrary, RedHat
> did update their packages with a new patch on top of the former
> patch:
> https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
> 
> And the Debian package still have the old version of getCN().

What's the status? Can we get that fixed for jessie?

Cheers,
        Moritz



More information about the pkg-java-maintainers mailing list