Summary: | <dev-java/httpcomponents-core-4.4.1: Hostname verification susceptible to MITM attack (CVE-2014-3577) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | java |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/browser | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 552566 | ||
Bug Blocks: |
Description
Kristian Fiskerstrand (RETIRED)
![]() CVE-2014-3577 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3577): org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. +*httpcomponents-core-4.4.1 (19 Jun 2015) + + 19 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + +files/httpcomponents-core-4.4.1-httpcore-build.xml, + +files/httpcomponents-core-4.4.1-httpcore-nio-build.xml, + +httpcomponents-core-4.4.1.ebuild: + Version bump. Fix security bug 520200. + Arch teams, Please stabilise: =dev-java/httpcomponents-core-4.4.1 Target arches: amd64 x86 Thanks. amd64 stable x86 stable. Maintainer(s), please cleanup. Package never stabilized, setting noglsa. Maintainer, please close the bug after cleanup + 26 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -httpcomponents-client-4.3.1-r1.ebuild: + Remove vulnerable version. Fix security bug 520200. + + 26 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -httpcomponents-core-4.2.4.ebuild, -httpcomponents-core-4.3.ebuild, + -httpcomponents-core-4.4.1.ebuild: + Remove vulnerable versions. Fix security bug 520200. + I had to revbump and stabilise httpcomponents-core-4.4.1-r1.ebuild. See bug 553234 for more info. Closing this bug as per Kristian's comment. |