Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Markus Koschany
apo at gambaru.de
Mon Mar 23 16:44:11 UTC 2015
On 23.03.2015 17:04, Emmanuel Bourg wrote:
> On 23/03/2015 16:43, Moritz Muehlenhoff wrote:
>
>> *ping*, the release is getting closer.
>
> I'm still missing a test case to ensure the patch does indeed address
> the issue.
Hi,
A way to reproduce this issue was mentioned by upstream here:
https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
To clarify:
CVE-2012-6153 was assigned because of an incomplete fix for
CVE-2012-5783. The latter is already addressed in Debian's package.
However, CVE-2012-6153 was still incomplete, so that CVE-2014-3577 had to
be created.
See this comment in Red Hat's bug tracker:
https://bugzilla.redhat.com/show_bug.cgi?id=1129916#c15
The fix for CVE-2014-3577 is supposed to fix CVE-2012-5783 and
CVE-2012-6153 which means we have to replace the current
06_fix_CVE-2012-5783.patch
with the one Raphael Hertzog mentioned earlier in this thread.
https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
By the way,
https://packages.qa.debian.org/h/httpcomponents-client.html
in wheezy and squeeze is also affected by CVE-2014-3577.
I will try to verify that the CentOS patch works.
Regards,
Markus
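A minimal illustration of the kind of test case discussed in this thread, added here as an example; it is not part of the thread and not the HttpClient code, and it is Python rather than the project's Java. It contrasts pulling CNs out of the flat subject-DN string with taking them from the parsed DN, using a constructed subject that hides a "CN=" fragment in the O attribute, the trick the CVE-2014-3577 advisory describes.

```python
# Constructed sample subject DNs (not from any real certificate); the second
# hides a "CN=" fragment inside the O value, the trick CVE-2014-3577 names.
HONEST_SUBJECT = 'CN=www.apache.org, O=Apache Software Foundation, C=US'
CRAFTED_SUBJECT = 'CN=www.attacker.example, O="foo,CN=www.apache.org", C=US'

def parse_dn(dn):
    """RFC 2253 style DN string -> (attribute, value) pairs. Quotes and
    backslash escapes are honoured, so a comma or '=' inside a quoted value
    stays data. Simplified: multi-valued RDNs ('+') are not handled."""
    rdns, buf, key, quoted, i = [], [], None, False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):       # escaped character, keep it
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == '=' and key is None and not quoted:
            key, buf = ''.join(buf).strip().upper(), []
        elif c == ',' and not quoted:
            rdns.append((key, ''.join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    if key is not None:
        rdns.append((key, ''.join(buf).strip()))
    return rdns

def flat_string_cns(dn):
    """Flawed: drop quotes, split the DN on commas, keep what follows 'CN='.
    Boundaries inside quoted values are lost (bug class, not HttpClient's code)."""
    cns = []
    for tok in dn.replace('"', '').split(','):
        tok = tok.strip()
        if tok.upper().startswith('CN='):
            cns.append(tok[3:].strip())
    return cns

def structured_cns(dn):
    """Correct: only CN attributes of the parsed DN count."""
    return [value for attr, value in parse_dn(dn) if attr == 'CN']

def hostname_matches(host, cns):
    """Exact, case-insensitive match of host against the CN list (no wildcards)."""
    host = host.lower().rstrip('.')
    return any(cn.lower() == host for cn in cns)
```

A regression test for the patch would assert that the crafted subject is accepted for www.apache.org only by the flat-string extractor and rejected by the structured one; a production verifier should additionally prefer subjectAltName dNSName entries over the CN.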