On 23.03.2015 17:04, Emmanuel Bourg wrote:
> On 23/03/2015 16:43, Moritz Muehlenhoff wrote:
>
>> *ping*, the release is getting closer.
>
> I'm still missing a test case to ensure the patch does indeed address
> the issue.
Hi,

a way to reproduce this issue was mentioned by upstream here:
https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

To clarify: CVE-2012-6153 was assigned because of an incomplete fix for CVE-2012-5783. The latter is already addressed in Debian's package. However, CVE-2012-6153 was still incomplete, so CVE-2014-3577 had to be created. See this comment in Red Hat's bug tracker:
https://bugzilla.redhat.com/show_bug.cgi?id=1129916#c15

The fix for CVE-2014-3577 is supposed to fix CVE-2012-5783 and CVE-2012-6153, which means we have to replace the current 06_fix_CVE-2012-5783.patch with the one Raphael Hertzog mentioned earlier in this thread:
https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch

By the way, https://packages.qa.debian.org/h/httpcomponents-client.html in wheezy and squeeze is also affected by CVE-2014-3577.

I will try to verify that the CentOS patch works.

Regards,
Markus