| Summary: | dev-java/commons-httpclient : Wildcard matching in SSL hostname verifier incorrect | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | java |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=910358 | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
this appears to be invalid http://www.openwall.com/lists/oss-security/2013/02/12/2 |
From ${URL} : Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Later it was found, that the SSL hostname verifier implementation (CVE-2012-5783 fix) contained a bug in wildcard matching: [1] https://issues.apache.org/jira/browse/HTTPCLIENT-1255 which still allowed certain type of certificates checks to pass, even if they shouldn't. Relevant upstream patches: [2] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213 (against 4.2.x branch) [3] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217 (against trunk) References: [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268