Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

Raphael Hertzog hertzog at debian.org
Mon Sep 28 14:27:41 UTC 2015


Control: tag -1 + security patch

(this is not about commons-httpclient but about httpcomponents-client)

On Fri, 11 Sep 2015, Guido Günther wrote:
> > Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> > the version 4.3.6. So if this is really a security issue the
> > httpcomponents-client package in stable and oldstable is also affected.
> 
> I do think so but I haven't checked yet and
[...]
> claim that it's not yet reproduced for httpcomponents-client 4.2.x
> that's why I didn't file a bug for httpcomponents-client yet until
> this is investigated further.

I did look into the source code and it looks like this was a
regression in 4.3.x. So only jessie is affected. squeeze, wheezy (and
likely sid) seem to be fine.

Coming back to commons-httpclient:

Red Hat produced a patch here:
https://bugzilla.redhat.com/attachment.cgi?id=1072467&action=diff
Part of https://bugzilla.redhat.com/show_bug.cgi?id=1259892

BTW, would it not be possible to get rid of commons-httpclient
if it has been obsoleted by httpcomponents-client?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
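The ordering problem behind this report, as an added Java illustration that is not code from the page, from HttpClient, or from the Red Hat patch (the class and method names are hypothetical). The first method applies the socket timeout only after the TLS handshake, so a peer that accepts the TCP connection but never answers the ClientHello blocks the calling thread indefinitely; the second sets SO_TIMEOUT on the underlying socket before the handshake, so the handshake fails with SocketTimeoutException instead of hanging.

```java
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;

public class HandshakeTimeoutDemo {

    // Hypothetical helper reproducing the affected ordering: the connect timeout
    // bounds the TCP connect, but nothing bounds the handshake reads because
    // SO_TIMEOUT is only set once startHandshake() has already returned.
    static SSLSocket connectTimeoutAfterHandshake(String host, int port,
                                                  int connectTimeoutMs, int socketTimeoutMs)
            throws IOException {
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, port), connectTimeoutMs);
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true);
        ssl.startHandshake();               // unbounded: a silent peer hangs us here
        ssl.setSoTimeout(socketTimeoutMs);  // applied too late to protect the handshake
        return ssl;
    }

    // Corrected ordering: SO_TIMEOUT is set on the plain socket before it is
    // layered with TLS, so every read during the handshake is bounded as well.
    static SSLSocket connectTimeoutBeforeHandshake(String host, int port,
                                                   int connectTimeoutMs, int socketTimeoutMs)
            throws IOException {
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, port), connectTimeoutMs);
        plain.setSoTimeout(socketTimeoutMs); // bounds handshake reads, not just later I/O
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true);
        ssl.startHandshake();                // raises SocketTimeoutException on a silent peer
        return ssl;
    }

    // Usage: java HandshakeTimeoutDemo <host> <port>; connects with the corrected ordering.
    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket ssl = connectTimeoutBeforeHandshake(host, port, 5000, 5000)) {
            System.out.println("Handshake completed: " + ssl.getSession().getProtocol());
        }
    }
}
```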