Apache Commons HttpClient 3.x (as used in the Amazon Flexible Payments Service (FPS) merchant Java SDK and other SDK products) does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
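The missing check, as an added example that is not part of the advisory or of HttpClient's own code: the post-handshake hostname verification that HttpClient 3.x omitted, written against the standard JDK certificate API so it can be applied to the leaf certificate of any `SSLSocket`. The class and method names are assumptions chosen for this illustration; the matching rules follow RFC 2818 section 3.1 (dNSName SANs take precedence, CN is a fallback only when no dNSName SAN is present, and a wildcard covers exactly one leftmost label).

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

public final class HostnameCheck {          // hypothetical helper, not an HttpClient class
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName

    /** Call immediately after the TLS handshake; tears the connection down on mismatch. */
    static void enforce(SSLSocket socket, String expectedHost) throws Exception {
        X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
        if (!hostnameMatches(leaf, expectedHost)) {
            socket.close();
            throw new SSLPeerUnverifiedException("certificate does not match " + expectedHost);
        }
    }

    /** True only if host matches a dNSName SAN, or the CN when the cert carries no dNSName SAN. */
    static boolean hostnameMatches(X509Certificate cert, String host)
            throws CertificateParsingException, InvalidNameException {
        String h = host.toLowerCase(Locale.ROOT);
        boolean sawDnsSan = false;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == SAN_DNS_NAME) {
                    sawDnsSan = true;
                    if (matchesPattern((String) san.get(1), h)) return true;
                }
            }
        }
        if (sawDnsSan) return false; // dNSName SANs present: the CN must be ignored
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())
                    && matchesPattern(String.valueOf(rdn.getValue()), h)) return true;
        }
        return false;
    }

    /** Exact match, or a single leftmost "*." label that matches exactly one label of host. */
    static boolean matchesPattern(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(host);
        String suffix = p.substring(1);                       // e.g. ".example.com"
        if (!host.endsWith(suffix)) return false;
        String prefix = host.substring(0, host.length() - suffix.length());
        return !prefix.isEmpty() && prefix.indexOf('.') < 0;  // "*.example.com" != "example.com"
    }
}
```

Without a check like this, chain validation alone accepts any certificate a trusted CA issued for any name, which is exactly the spoofing condition the advisory describes.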
lists.opensuse.org/opensuse-updates/2013-02/msg00078.html
lists.opensuse.org/opensuse-updates/2013-04/msg00040.html
lists.opensuse.org/opensuse-updates/2013-04/msg00041.html
lists.opensuse.org/opensuse-updates/2013-04/msg00053.html
rhn.redhat.com/errata/RHSA-2013-0270.html
rhn.redhat.com/errata/RHSA-2013-0679.html
rhn.redhat.com/errata/RHSA-2013-0680.html
rhn.redhat.com/errata/RHSA-2013-0681.html
rhn.redhat.com/errata/RHSA-2013-0682.html
rhn.redhat.com/errata/RHSA-2013-1147.html
rhn.redhat.com/errata/RHSA-2013-1853.html
rhn.redhat.com/errata/RHSA-2014-0224.html
www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
www.securityfocus.com/bid/58073
www.ubuntu.com/usn/USN-2769-1
access.redhat.com/errata/RHSA-2017:0868
access.redhat.com/security/updates/classification/#moderate
exchange.xforce.ibmcloud.com/vulnerabilities/79984
issues.apache.org/jira/browse/HTTPCLIENT-1265