Your message dated Sun, 03 Jul 2011 19:54:34 +0000
with message-id <e1qdsku-0002rk...@franck.debian.org>
and subject line Bug#628727: fixed in httpcomponents-client 4.0.1-1squeeze1
has caused the Debian Bug report #628727,
regarding httpcomponents-client security issue CVE-2011-1498
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
628727: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628727
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: httpcomponents-client
Version: 4.0.1-1
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for httpcomponents-client.

CVE-2011-1498
[HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be
sent to the target host when tunneling requests through a proxy server that
requires authentication. 

http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
http://seclists.org/oss-sec/2011/q2/188

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry. Please contact the security team to get
the issue addressed in stable as well.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1498
    http://security-tracker.debian.org/tracker/CVE-2011-1498



--- End Message ---
--- Begin Message ---
Source: httpcomponents-client
Source-Version: 4.0.1-1squeeze1

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive:

httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
  to main/h/httpcomponents-client/httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
httpcomponents-client_4.0.1-1squeeze1.dsc
  to main/h/httpcomponents-client/httpcomponents-client_4.0.1-1squeeze1.dsc
libhttpclient-java_4.0.1-1squeeze1_all.deb
  to main/h/httpcomponents-client/libhttpclient-java_4.0.1-1squeeze1_all.deb
libhttpmime-java_4.0.1-1squeeze1_all.deb
  to main/h/httpcomponents-client/libhttpmime-java_4.0.1-1squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <mig...@miguel.cc> (supplier of updated httpcomponents-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Jun 2011 20:32:56 -0430
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.0.1-1squeeze1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <mig...@miguel.cc>
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j extension
Closes: 628727
Changes: 
 httpcomponents-client (4.0.1-1squeeze1) stable; urgency=high
 .
   * Fixed critical bug causing Proxy-Authorization header to be
     sent to the target host when tunneling requests through a proxy
     server that requires authentication: CVE-2011-1498. (Closes: #628727).
   * Set Debian Java Team as Maintainer and add myself to Uploaders.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
