Your message dated Sat, 16 May 2015 06:03:38 +0000
with message-id <e1ytvce-00068h...@franck.debian.org>
and subject line Bug#758086: fixed in commons-httpclient 3.1-10.2+deb7u1
has caused the Debian Bug report #758086,
regarding CVE-2014-3577 Apache HttpComponents hostname verification bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
758086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153

It was found that the fix for CVE-2012-5783 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN field
was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where
the attacker can spoof a valid certificate using a specially crafted subject.

This issue was discovered by Florian Weimer of Red Hat Product Security.

---
Henri Salo

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Source: commons-httpclient
Source-Version: 3.1-10.2+deb7u1

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 758...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2015 21:24:48 +0200
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-10.2+deb7u1
Distribution: wheezy
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description: 
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes: 
 commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high
 .
   * Team upload.
   * Add CVE-2014-3577.patch. (Closes: #758086)
     It was found that the fix for CVE-2012-6153 was incomplete: the code added
     to check that the server hostname matches the domain name in a subject's
     Common Name (CN) field in X.509 certificates was flawed. A
     man-in-the-middle attacker could use this flaw to spoof an SSL server using
     a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
     intended to address the incomplete patch for CVE-2012-5783. The issue is
     now completely resolved by applying this patch and the
     06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.
Checksums-Sha1: 
 ca26cd0f2a5be0029a7b2e8d56cf85fb38c31d1e 2526 commons-httpclient_3.1-10.2+deb7u1.dsc
 0c6dfbf3d0d47cfc70595d2b15223a59f264795b 13684 commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 301f4d1a8f1e400f257c13cd222981d60696584c 299718 libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 b87b0f77aba48d6177092356e96e2b149f840283 1547514 libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Checksums-Sha256: 
 219a2ecdf758361cec1ea85bce645115c14bf609dc7b565cd0ab5aee610f6cb1 2526 commons-httpclient_3.1-10.2+deb7u1.dsc
 e977a7922cff20c65fb6dcfbd9bb2f11e2f079245edddc68567055dd0e444cac 13684 commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 7bafb3dc4b04d2c0af8ecb8010eae11b63496c57184fe1bd6b812f824eee2037 299718 libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 47af253e18f750a10ff226c487aceadb056a78a913a6ab3c1d66667022b620bd 1547514 libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Files: 
 022067c70b0363ea2c1fa31542290b64 2526 java optional commons-httpclient_3.1-10.2+deb7u1.dsc
 8a5862dc9b0b0898c61e438359eec285 13684 java optional commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 4deb3d76811d48c359dcbe0616f76b41 299718 java optional libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 e1708de058fde033592dc11b9468294b 1547514 doc optional libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
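Both messages above describe the same failure mode without showing it: a hostname check that extracts the CN from the string form of the certificate subject instead of from the parsed RDN sequence, so a "specially crafted subject" can plant a fake CN inside a value the attacker controls. The following Python is an added illustration, not code from the Debian package, from commons-httpclient or from the CVE-2014-3577 patch; it is written in Python rather than the library's Java so that it runs stand-alone. The subject strings (HONEST, CRAFTED, CRAFTED2), the hostname "www.example.org" and the attacker name "attacker.example" are constructed for the example and are not the payload from the original report.

```python
"""
Hostname verification against a certificate subject, done two ways.

A subject DN is a sequence of RDNs.  Flattening it to a string and scanning
for "CN=" treats every comma as an RDN boundary, so a comma (escaped per
RFC 4514) that sits inside another attribute value becomes a fake CN.
All inputs below are constructed for illustration, not real certificates.
"""
import re

_HEX = re.compile(r"[0-9A-Fa-f]{2}")

# Constructed sample subjects (RFC 4514 string form):
HONEST = "CN=www.example.org,O=Example Ltd,C=GB"
CRAFTED = "O=Example Ltd\\,CN=www.example.org,CN=attacker.example"    # '\,' escape
CRAFTED2 = "O=Example Ltd\\2cCN=www.example.org,CN=attacker.example"  # '\2c' hex escape


def naive_cns(dn):
    """Flawed extractor: split the DN string on ',' and take what follows 'CN='.
    RFC 4514 escaping is ignored, so '\\,' or '\\2c' inside another value
    looks like an RDN separator and the text after it looks like a CN."""
    cns = []
    for tok in dn.split(","):
        i = tok.find("CN=")
        if i >= 0:
            cns.append(tok[i + 3:].strip())
    return cns


def _unescape(dn, i):
    """dn[i] is a backslash; return (decoded char, index after the escape).
    Handles '\\X' (X any single char) and '\\HH' (one byte, ASCII only here)."""
    if i + 1 >= len(dn):
        raise ValueError("dangling backslash in DN")
    if _HEX.fullmatch(dn[i + 1:i + 3]):
        return chr(int(dn[i + 1:i + 3], 16)), i + 3
    return dn[i + 1], i + 2


def parse_rfc4514(dn):
    """Parse an RFC 4514 string into [(TYPE, value), ...] in the order written.
    Honours backslash escapes, the legacy double-quoted value form and
    multi-valued RDNs ('+', flattened into separate pairs).  Raises ValueError
    on malformed input instead of guessing."""
    pairs, i, n = [], 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError("RDN without '=' at offset %d" % i)
        attr = dn[i:eq].strip()
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*", attr):
            raise ValueError("bad attribute type %r" % attr)
        i, value = eq + 1, []
        if i < n and dn[i] == '"':                       # legacy quoted form
            i += 1
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted value")
                c = dn[i]
                if c == "\\":
                    c, i = _unescape(dn, i)
                    value.append(c)
                elif c == '"':
                    i += 1
                    break
                else:
                    value.append(c)
                    i += 1
            while i < n and dn[i] not in ",+":           # only blanks may follow
                if not dn[i].isspace():
                    raise ValueError("garbage after closing quote")
                i += 1
        else:
            while i < n and dn[i] not in ",+":
                if dn[i] == "\\":
                    c, i = _unescape(dn, i)
                    value.append(c)
                else:
                    value.append(dn[i])
                    i += 1
        pairs.append((attr.upper(), "".join(value)))
        i += 1                                           # skip ',' or '+'
    return pairs


def subject_cns(dn):
    """CN values as a structure-aware parser sees them."""
    return [v for t, v in parse_rfc4514(dn) if t == "CN"]


def hostname_matches(host, pattern):
    """Case-insensitive match.  '*' is accepted only as the whole leftmost
    label, replacing exactly one non-empty label, with at least two labels
    after it ('*.example.org' yes; '*.org' and 'w*.example.org' no)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                             # ".example.org"
        if suffix.count(".") < 2 or not host.endswith(suffix):
            return False
        label = host[:-len(suffix)]
        return label != "" and "." not in label
    return host == pattern


def verify(host, dn, extractor=subject_cns):
    """True if any CN the extractor yields matches host."""
    return any(hostname_matches(host, cn) for cn in extractor(dn))


if __name__ == "__main__":
    for name, dn in (("honest", HONEST), ("crafted", CRAFTED), ("crafted-hex", CRAFTED2)):
        print(name, "naive:", verify("www.example.org", dn, naive_cns),
              "rfc4514:", verify("www.example.org", dn))
```

The honest subject passes both extractors; both crafted subjects pass only the naive one, because the proper parser keeps "Example Ltd,CN=www.example.org" as the single value of O. Even the correct extractor is only the fallback path: a verifier should check subjectAltName dNSName entries first and consult the CN only when the certificate carries no SAN (RFC 6125), and should operate on the decoded certificate structure rather than on any string rendering of it.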