[SECURITY] [DLA 222-1] commons-httpclient security update


Package        : commons-httpclient
Version        : 3.1-9+deb6u1
CVE ID         : CVE-2012-5783 CVE-2012-6153 CVE-2014-3577

CVE-2012-5783 and CVE-2012-6153

    Apache Commons HttpClient 3.1 did not verify that the server hostname
    matches a domain name in the subject's Common Name (CN) or
    subjectAltName field of the X.509 certificate, which allows
    man-in-the-middle attackers to spoof SSL servers via an arbitrary
    valid certificate. Thanks to Alberto Fernandez Martinez for the
    patch.

CVE-2014-3577

    It was found that the fix for CVE-2012-6153 was incomplete: the code
    added to check that the server hostname matches the domain name in a
    subject's Common Name (CN) field in X.509 certificates was flawed. A
    man-in-the-middle attacker could use this flaw to spoof an SSL server
    using a specially crafted X.509 certificate. The fix for CVE-2012-6153
    was intended to address the incomplete patch for CVE-2012-5783. The
    issue is now completely resolved by applying this patch together with
    the one for the previous CVEs.

This upload was prepared by Markus Koschany.
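As an added illustration (not code from the Debian package or from commons-httpclient), the check the advisory says was missing and then flawed: the server hostname is matched against the subjectAltName dNSName entries, with the Common Name used only as a fallback when the certificate has no SAN, and wildcards limited to the left-most label. The certificate dictionaries are constructed for the example in the shape Python's ssl.SSLSocket.getpeercert() returns.

```python
# Added example: hostname verification against SAN dNSName / CN values.
# Not code from commons-httpclient or the Debian package; certificates are
# constructed dicts in the shape returned by ssl.SSLSocket.getpeercert().

def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName/CN value against a hostname.
    A wildcard is honoured only as the entire left-most label, never across
    a dot, and never for two-label names such as *.com."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or any(not lab for lab in p + h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards like f*.example.com are rejected
    return p == h


def _dns_names(cert: dict) -> list:
    """dNSName entries from subjectAltName; empty list when there are none."""
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert: dict) -> list:
    """CN values taken from the parsed subject RDNs, not from a DN string."""
    return [v for rdn in cert.get("subject", ()) for (attr, v) in rdn
            if attr == "commonName"]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True if the certificate is valid for hostname. SAN dNSNames are
    authoritative when present; the CN is consulted only when the
    certificate carries no SAN. A client that skips this step accepts any
    valid certificate for any host, which is what CVE-2012-5783 describes."""
    names = _dns_names(cert) or _common_names(cert)
    return any(_label_match(n, hostname) for n in names)


if __name__ == "__main__":
    # Constructed certificate for illustration only.
    good = {"subject": ((("organizationName", "Example Ltd"),),
                        (("commonName", "www.example.com"),)),
            "subjectAltName": (("DNS", "www.example.com"),
                               ("DNS", "*.example.com"))}
    print(hostname_matches_cert("www.example.com", good))   # True
    print(hostname_matches_cert("api.example.com", good))   # True (wildcard)
    print(hostname_matches_cert("www.example.net", good))   # False
```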

Affected Package

OS        OS Version   Package Name                    Package Version
Debian    6            commons-httpclient              3.1-9+deb6u1
Debian    6            libcommons-httpclient-java      3.1-9+deb6u1
Debian    6            libcommons-httpclient-java-doc  3.1-9+deb6u1
Debian    7            commons-httpclient              3.1-10.2+deb7u1
Debian    7            libcommons-httpclient-java      3.1-10.2+deb7u1
Debian    7            libcommons-httpclient-java-doc  3.1-10.2+deb7u1
Debian    7            httpcomponents-client           4.1.1-2+deb7u1
Debian    7            libhttpclient-java              4.1.1-2+deb7u1
Debian    7            libhttpmime-java                4.1.1-2+deb7u1