| Field | Value |
|---|---|
| Summary | <dev-java/commons-httpclient-3.1-r1: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the X.509 certificate (CVE-2012-{5783,6153}) |
| Product | Gentoo Security |
| Reporter | GLSAMaker/CVETool Bot <glsamaker> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | java |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 554030 |
| Bug Blocks | |
| Attachments | commons-httpclient-3.1-sslhostname.patch (attachment 365946) |
Description
GLSAMaker/CVETool Bot
2012-11-07 23:39:39 UTC

https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1422573 this should be the fix

Upstream has committed a fix to their repo, however there has been no official release since then. Attaching a patch of the affected file.

Created attachment 365946: commons-httpclient-3.1-sslhostname.patch

CVE-2012-6153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6153): http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

```diff
+*commons-httpclient-3.1-r1 (13 Jun 2015)
+
+  13 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +commons-httpclient-3.1-r1.ebuild,
+  +files/commons-httpclient-3.1-SSLProtocolSocketFactory.java.patch:
+  Add patch to mend SSLProtocolSocketFactory.java. EAPI 5 bump. Fix security bug
+  442292.
+
```

Arch teams, please stabilise ASAP =dev-java/commons-httpclient-3.1-r1
Stable target: amd64 ppc ppc64 x86
Thanks.

Patch failed. Check this: http://pastebin.com/QZjv8Bpz

```
13 Jun 2015; Ulrich Müller <ulm@gentoo.org>
files/commons-httpclient-3.1-SSLProtocolSocketFactory.java.patch:
[QA] Remove first hunk from patch, otherwise it will fail due to CVS keyword expansion.
```

Ulrich pinged me in IRC earlier on about CVS expanding a variable which, as a result, was causing the patching to choke. He's fixed the problem, so please sync your sources and try again. Thanks for the heads up.

amd64 stable

x86 stable

ppc stable

ppc64 stable. Maintainer(s), please clean up. Security, please vote.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

GLSA Vote: No

With jldap out of the way, and no other packages depending on a slot < :3.0, we can now drop vulnerable versions of dev-java/commons-httpclient:

```diff
+  05 Jul 2015; Patrice Clement <monsieurp@gentoo.org>
+  -commons-httpclient-2.0.2-r1.ebuild, -commons-httpclient-3.1.ebuild,
+  -files/commons-httpclient-3.0.1-gentoo.patch, -files/gentoo.diff:
+  Remove vulnerable versions. Fix security bug 442292.
+
```

Thanks
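The CVE text above describes two defects: no hostname check at all (CVE-2012-5783) and, in the incomplete fix, a CN pulled from the wrong part of the subject (CVE-2012-6153). The following added example is not the Gentoo patch or HttpClient's own code; it shows how a hostname verifier should take dNSName entries from subjectAltName first and, only as a fallback, read the CN from a parsed RDN rather than from a string scan. `cnBySubstring` is a deliberately naive stand-in for a flawed DN scan, and the DN string in `main` is a constructed test vector.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public final class HostnameCheck {
    // Flawed stand-in (assumed, not HttpClient's code): a substring scan cannot tell a
    // CN RDN from "CN=" text that sits inside another attribute's value.
    static String cnBySubstring(String dn) {
        int i = dn.indexOf("CN=");
        if (i < 0) return null;
        int end = dn.indexOf(',', i);
        return dn.substring(i + 3, end < 0 ? dn.length() : end);
    }
    // Correct: parse the RFC 2253 DN into RDNs and accept a value only from an RDN of type CN.
    static String cnByRdn(String rfc2253Dn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(rfc2253Dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        }
        return null;
    }
    // dNSName entries (GeneralName type 2) from subjectAltName; they take precedence over the CN.
    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) if ((Integer) san.get(0) == 2) out.add((String) san.get(1));
        }
        return out;
    }
    // Exact, case-insensitive match against SAN dNSNames; the parsed CN is used only when
    // the certificate carries no dNSName at all. Wildcard handling is omitted here.
    static boolean verify(String host, X509Certificate cert) throws Exception {
        List<String> names = dnsNames(cert);
        if (names.isEmpty()) {
            String cn = cnByRdn(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
            if (cn != null) names.add(cn);
        }
        for (String n : names) if (n.equalsIgnoreCase(host)) return true;
        return false;
    }
    public static void main(String[] args) throws Exception {
        // Constructed test vector: the O value contains an escaped comma followed by "CN=" text.
        String dn = "O=foo\\,CN=www.example.com,CN=real.example.net";
        System.out.println("substring CN: " + cnBySubstring(dn));
        System.out.println("parsed CN:    " + cnByRdn(dn));
    }
}
```

Running `main` shows the two extraction strategies disagreeing on the same DN, which is the check a verifier's test suite should include before the CN fallback is trusted.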