Bug 442292 - <dev-java/commons-httpclient-3.1-r1: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate (CVE-2012-{5783,6153})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 554030
Reported: 2012-11-07 23:39 UTC by GLSAMaker/CVETool Bot
Modified: 2015-07-05 17:51 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
commons-httpclient-3.1-sslhostname.patch (12.76 KB, patch)
2013-12-23 02:17 UTC, Samuel Damashek (RETIRED)

Description GLSAMaker/CVETool Bot gentoo-dev 2012-11-07 23:39:39 UTC
CVE-2012-5783 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5783):
  Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service
  (FPS) merchant Java SDK and other products, does not verify that the server
  hostname matches a domain name in the subject's Common Name (CN) or
  subjectAltName field of the X.509 certificate, which allows
  man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
  certificate.
Comment 1 Agostino Sarubbo gentoo-dev 2013-02-12 14:33:42 UTC
https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1422573

this should be the fix
Comment 2 Samuel Damashek (RETIRED) gentoo-dev 2013-12-23 02:16:09 UTC
Upstream has committed a fix to their repo; however, there has been no official release since then. Attaching a patch of the affected file.
Comment 3 Samuel Damashek (RETIRED) gentoo-dev 2013-12-23 02:17:16 UTC
Created attachment 365946
commons-httpclient-3.1-sslhostname.patch
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 13:32:41 UTC
CVE-2012-6153 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6153):
  http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before
  4.2.3 does not properly verify that the server hostname matches a domain
  name in the subject's Common Name (CN) or subjectAltName field of the X.509
  certificate, which allows man-in-the-middle attackers to spoof SSL servers
  via a certificate with a subject that specifies a common name in a field
  that is not the CN field.  NOTE: this issue exists because of an incomplete
  fix for CVE-2012-5783.
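The two CVE descriptions on this bug (the absent check in HttpClient 3.x, and the incomplete fix that scanned the subject DN string for a "CN=" substring, so a CN-looking value in the O or OU field was accepted) are shown side by side in the added Python example below. It is illustrative code written for this page, not the Commons HttpClient sources or the attached patch; the FakeCert structure, the constructed subject DNs and host names, and all function names are assumptions. The naive extractor reproduces the pattern the CVE-2012-6153 text describes; the strict path parses real RDNs, uses subjectAltName dNSName entries when present, and applies the single-leftmost-label wildcard rule of RFC 6125.

```python
"""Hostname verification: the flawed CN scan behind CVE-2012-6153 beside a correct check.

Added illustration, not Commons HttpClient code. Certificates are modelled as a
subject DN string (RFC 4514 form) plus subjectAltName dNSName entries, both
constructed here.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FakeCert:
    """Constructed stand-in for the parts of an X.509 certificate that matter here."""
    subject_dn: str
    san_dns: list = field(default_factory=list)


def naive_cns(subject_dn: str) -> list:
    """The unsafe pattern: split the DN string on commas and take whatever follows a
    'CN=' substring anywhere in the token. 'O=CN=www.victim.example' is therefore
    treated as a CN, although the CN attribute is something else entirely."""
    out = []
    for tok in subject_dn.split(","):
        x = tok.find("CN=")
        if x >= 0:
            out.append(tok[x + 3:].strip())
    return out


def parse_rdns(subject_dn: str) -> list:
    """Minimal RFC 4514 parser returning [(TYPE, value), ...]. Backslash escapes and
    quoted values are honoured so a comma or '=' inside a value cannot split or
    re-type an attribute; multi-valued RDNs ('+') yield separate attributes."""
    attrs, cur, quoted, i = [], [], False, 0
    while i < len(subject_dn):
        c = subject_dn[i]
        if c == "\\" and i + 1 < len(subject_dn):
            cur.append(subject_dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c in ",+" and not quoted:
            attrs.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    attrs.append("".join(cur))
    out = []
    for a in attrs:
        if "=" not in a:
            continue  # malformed attribute: ignore rather than guess
        t, v = a.split("=", 1)  # only the FIRST '=' separates type from value
        out.append((t.strip().upper(), v.strip()))
    return out


def strict_cns(subject_dn: str) -> list:
    """Only values whose attribute type is exactly CN count as common names."""
    return [v for t, v in parse_rdns(subject_dn) if t == "CN"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: case-insensitive; at most one '*', and only as the
    whole leftmost label of a name with at least two further labels; the
    wildcard never spans a dot. IP literals are never matched against dNSName."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if re.fullmatch(r"[0-9.]+", hostname) or ":" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, cert: FakeCert, strict: bool = True) -> bool:
    """strict=True: dNSName SAN entries are authoritative and the CN is consulted
    only when the certificate carries none (RFC 2818/6125). strict=False reproduces
    the vulnerable substring scan."""
    if strict:
        candidates = cert.san_dns if cert.san_dns else strict_cns(cert.subject_dn)
    else:
        candidates = naive_cns(cert.subject_dn) + cert.san_dns
    return any(dns_name_matches(c, hostname) for c in candidates)


# Constructed certificates for the demonstration (not real ones).
LEGIT = FakeCert("CN=www.victim.example,O=Victim Corp,C=US", ["www.victim.example"])
FORGED = FakeCert("O=CN=www.victim.example,CN=attacker.example")  # CVE-2012-6153 shape
WILD = FakeCert("CN=ignored.example", ["*.victim.example"])


def demo() -> dict:
    """Outcomes of the naive and strict checks against the constructed certificates."""
    return {
        "legit_strict": verify_hostname("www.victim.example", LEGIT),
        "forged_naive": verify_hostname("www.victim.example", FORGED, strict=False),
        "forged_strict": verify_hostname("www.victim.example", FORGED),
        "wild_ok": verify_hostname("api.victim.example", WILD),
        "wild_no_subdomain": verify_hostname("a.b.victim.example", WILD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The forged certificate is one any CA would happily issue to whoever controls attacker.example, since the CN really is attacker.example; only the O field carries the decoy. A verifier that substring-scans the DN string accepts it for www.victim.example, a verifier that parses RDN types does not. Before the attached patch, HttpClient 3.1 performed no hostname check at all, which is the CVE-2012-5783 case; the naive path here corresponds to the first, incomplete fix.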
Comment 5 Patrice Clement gentoo-dev 2015-06-13 09:05:37 UTC
+*commons-httpclient-3.1-r1 (13 Jun 2015)
+
+  13 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  +commons-httpclient-3.1-r1.ebuild,
+  +files/commons-httpclient-3.1-SSLProtocolSocketFactory.java.patch:
+  Add patch to mend SSLProtocolSocketFactory.java. EAPI 5 bump. Fix security bug
+  442292.
+

Arch teams, please stabilise ASAP

=dev-java/commons-httpclient-3.1-r1
Stable target: amd64 ppc ppc64 x86

Thanks.
Comment 6 jorgicio 2015-06-13 15:30:44 UTC
Patch failed. Check this: http://pastebin.com/QZjv8Bpz
Comment 7 Patrice Clement gentoo-dev 2015-06-13 17:04:42 UTC
  13 Jun 2015; Ulrich Müller <ulm@gentoo.org>
  files/commons-httpclient-3.1-SSLProtocolSocketFactory.java.patch:
  [QA] Remove first hunk from patch, otherwise it will fail due to CVS keyword
  expansion.

Ulrich pinged me in IRC earlier on about CVS expanding a variable which, as a result, was causing the patching to choke. He's fixed the problem, so please sync your sources and try again. Thanks for the heads up.
Comment 8 Agostino Sarubbo gentoo-dev 2015-06-16 07:19:21 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-17 07:32:25 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-29 13:16:14 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-06-29 13:17:25 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-06-29 20:34:01 UTC
GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-29 20:36:52 UTC
GLSA Vote: No
Comment 14 Patrice Clement gentoo-dev 2015-07-05 17:46:17 UTC
With jldap out of the way, and no other packages depending on a slot < :3.0, we can now drop vulnerable versions of dev-java/commons-httpclient:

+  05 Jul 2015; Patrice Clement <monsieurp@gentoo.org>
+  -commons-httpclient-2.0.2-r1.ebuild, -commons-httpclient-3.1.ebuild,
+  -files/commons-httpclient-3.0.1-gentoo.patch, -files/gentoo.diff:
+  Remove vulnerable versions. Fix security bug 442292.
+
Comment 15 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-05 17:51:33 UTC
Thanks