Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake
Raphael Hertzog
hertzog at debian.org
Mon Sep 28 14:27:41 UTC 2015
Control: tag -1 + security patch
(this is not about commons-httpclient but about httpcomponents-client)
On Fri, 11 Sep 2015, Guido Günther wrote:
> > Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> > the version 4.3.6. So if this is really a security issue the
> > httpcomponents-client package in stable and oldstable is also affected.
>
> I do think so but I haven't checked yet and
[...]
> claim that it's not yet reproduced for httpcomponents-client 4.2.x
> that's why I didn't file a bug for httpcomponents-client yet until
> this is investigated further.
I did look into the source code and it looks like this was a
regression in 4.3.x. So only jessie is affected. squeeze, wheezy (and
likely sid) seem to be fine.
Coming back to commons-httpclient:
RedHat produced a patch here:
https://bugzilla.redhat.com/attachment.cgi?id=1072467&action=diff
Part of https://bugzilla.redhat.com/show_bug.cgi?id=1259892
BTW, would it not be possible to get rid of commons-httpclient
if it has been obsoleted by httpcomponents-client?
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
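The class of bug the subject line names, illustrated as an added example that is not part of this thread, of the RedHat patch, or of either HttpClient code base: a TLS handshake against a peer that accepts the TCP connection but never sends a ServerHello. If the read timeout is applied only after the handshake has returned, the client blocks for as long as the peer keeps the connection open; applying it before `startHandshake()` bounds the wait. The silent local server, the class and method names, and the 2000 ms timeout are all constructed for the demonstration.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added demonstration (not code from the Debian thread or from the
 * HttpClient projects) of why a socket read timeout has to be in place
 * before the TLS handshake starts.
 */
public class HandshakeTimeoutDemo {

    /** Constructed stand-in for a silent peer: accepts the TCP connection and then sends nothing. */
    static ServerSocket startSilentServer() throws IOException {
        ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        Thread holder = new Thread(() -> {
            try {
                Socket held = server.accept(); // hold the connection open, never speak TLS
                Thread.sleep(Long.MAX_VALUE);
                held.close();
            } catch (Exception ignored) {
                // server socket closed or thread interrupted: demo is over
            }
        });
        holder.setDaemon(true);
        holder.start();
        return server;
    }

    /** True if the exception, or anything in its cause chain, is a read timeout. */
    static boolean causedByTimeout(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof SocketTimeoutException) {
                return true;
            }
        }
        return false;
    }

    /**
     * Connects and runs the TLS handshake with the read timeout set BEFORE
     * startHandshake(). Returns true if the handshake was cut off by the
     * timeout, which is the behaviour a correct client shows against a
     * silent peer. Moving setSoTimeout() to after startHandshake() reproduces
     * the buggy ordering: the call then never returns against this server.
     */
    static boolean handshakeIsBounded(int port, int timeoutMs) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket()) {
            // The connect timeout only covers the TCP three-way handshake.
            sock.connect(new InetSocketAddress("127.0.0.1", port), timeoutMs);
            // The read timeout must be armed here, before any TLS record is awaited.
            sock.setSoTimeout(timeoutMs);
            sock.startHandshake();
            return false; // not reached against the silent server
        } catch (IOException e) {
            if (causedByTimeout(e)) {
                return true;
            }
            throw e; // some other handshake failure: surface it
        }
    }

    public static void main(String[] args) throws IOException {
        ServerSocket server = startSilentServer();
        try {
            boolean bounded = handshakeIsBounded(server.getLocalPort(), 2000);
            System.out.println(bounded ? "handshake timed out after 2000 ms, as a fixed client should"
                                       : "handshake completed (unexpected)");
        } finally {
            server.close();
        }
    }
}
```

The cause-chain walk in `causedByTimeout` is there because JDK versions differ in whether `startHandshake()` lets the `SocketTimeoutException` through unwrapped or wraps it in an `SSLException`; a check for timeouts in a client library should tolerate both.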