- CVE-2012-5783
and CVE-2012-6153
Apache Commons HttpClient 3.1 did not verify that the server hostname
matches a domain name in the subject’s Common Name (CN) or subjectAltName
field of the X.509 certificate, which allows man-in-the-middle attackers to
spoof SSL servers via an arbitrary valid certificate.
Thanks to Alberto Fernandez Martinez for the patch.
- CVE-2014-3577
It was found that the fix for CVE-2012-6153 was incomplete: the code added
to check that the server hostname matches the domain name in a subject’s
Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle
attacker could use this flaw to spoof an SSL server using a specially
crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address
the incomplete patch for CVE-2012-5783. The issue is now completely resolved
by applying this patch and the one for the previous CVEs
This upload was prepared by Markus Koschany.