Some more information about this issue. TL;DR: this is actually CVE-2014-3577. Debian's package is not affected by CVE-2012-6153. I recommend fixing this bug by applying the debdiff from my last e-mail.
We currently apply the 06_fix_CVE-2012-5783.patch [1]. Now I am sure that this patch fixes two CVEs, namely CVE-2012-5783 and CVE-2012-6153. Two and a half years ago Debian bug #692442 [2] was assigned for CVE-2012-5783. David Jorm from RedHat discovered that the original patch from Alberto Fernández was not complete and that MITM attacks were still possible under certain hypothetical circumstances [3]. He forwarded his patch upstream, and upstream applied it to the 4.2.x branch of httpcomponents-client [4]. It was not immediately clear that this issue was exploitable. Two years later it became apparent that it was, and CVE-2012-6153 was assigned.

If you take a closer look at the bug report about CVE-2012-6153 in RedHat's bug tracker [5], which was filed by David Jorm by the way, you will notice that the link to upstream's repository is the same one as in [4]. Hence it is clear that David Jorm's patch in #692442 is also the fix for CVE-2012-6153. It is easily comprehensible that Debian's 06_fix_CVE-2012-5783.patch already contains the fix for CVE-2012-6153.

Hence I have retitled this bug report, because commons-httpclient is not affected by CVE-2012-6153 but by CVE-2014-3577. This issue was fixed in the 4.x branch, and RedHat backported this fix to 3.1. See [6] for the corresponding upstream commits. There is also a test case, but only for the 4.3.x branch.

CVE-2014-3577 in RedHat's bug tracker: [7]
Background information about CVE-2012-6153 and CVE-2014-3577: [8]

My debdiff contains the fix for CVE-2014-3577. The patch looks sane and reproduces the already applied upstream changes from [6] for the 3.1 branch. The patch has been applied in packages for RedHat, Fedora and CentOS for the past six months. I have also asked upstream for further test cases to verify that this issue is completely solved [9]. However, only the latest version is supported, and those test cases are only available in 4.4.x, which has not been packaged for Debian yet.

Markus

[1] https://sources.debian.net/src/commons-httpclient/3.1-10.2/debian/patches/06_fix_CVE-2012-5783.patch
[2] https://bugs.debian.org/692442
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442#56
[4] http://svn.apache.org/viewvc?view=revision&revision=1411705
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1129916#c2
[6] https://svn.apache.org/viewvc?view=revision&revision=1614064
[7] https://bugzilla.redhat.com/show_bug.cgi?id=1129074
[8] https://access.redhat.com/solutions/1165533
[9] https://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201504.mbox/%3c1427898558.14757.3.ca...@apache.org%3E