Hello, I am currently trying to verify for the Debian distribution that versions of httpclient are or are not affected by the following security vulnerabilities:
CVE-2014-3577 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
CVE-2012-6153 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153

I am aware that HttpClient <= 3.1 is EOL now, but there are still packages in the archive that depend on exactly this version in Debian. We intend to apply a patch from RedHat / Fedora [1] that appears to address CVE-2014-3577. However, we would like to ensure that it really resolves the issue once and for all.

How can I test that this patch actually addresses the vulnerability? Are there any test cases available?

Thanks
Markus

[1] http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch
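As an added example (not part of the original message and not the HttpClient project's own code), a self-contained Java check of the kind a regression test for such a patch could build on: it compares a simplified model of naive, comma-split substring extraction of CN values from a subject DN (an assumption about the pre-fix approach, not the library's actual code) against RFC 2253 RDN-aware parsing with javax.naming.ldap.LdapName, using a constructed subject whose O attribute embeds a literal "CN=" string. The host names and the class name are made up for the test.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Regression check: CN extraction must only honour genuine CN RDNs of the subject. */
public class CnExtractionCheck {

    /** Simplified model of naive extraction (assumption): split on ',' and take anything after "CN=". */
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(subjectDn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken().trim();
            int x = tok.indexOf("CN=");
            if (x >= 0) {
                cns.add(tok.substring(x + 3));
            }
        }
        return cns;
    }

    /** RDN-aware extraction: parse the DN per RFC 2253 and keep only RDNs whose type is CN. */
    static List<String> rdnCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed test subject: the certificate's real CN is mitm.example.test,
        // but its O attribute carries a literal "CN=" for a different host name.
        // Rdn.escapeValue() produces the escaped RFC 2253 form of that attribute value.
        String subjectDn = "CN=mitm.example.test,O="
                + Rdn.escapeValue("foo,CN=www.example.test") + ",C=US";
        System.out.println("subject DN: " + subjectDn);
        System.out.println("naive CNs : " + naiveCns(subjectDn));
        System.out.println("RDN CNs   : " + rdnCns(subjectDn));

        // The test input must exercise the flaw in the naive model...
        if (!naiveCns(subjectDn).contains("www.example.test")) {
            throw new AssertionError("test input does not exercise the naive extraction flaw");
        }
        // ...and the RDN-aware extraction must not yield the injected name,
        // so a hostname verifier for www.example.test cannot match this certificate.
        if (rdnCns(subjectDn).contains("www.example.test")) {
            throw new AssertionError("CN from a non-CN attribute was accepted");
        }
    }
}
```

Pointing the second extraction path at the patched library's own CN-extraction method, and feeding it a certificate generated with a subject of this shape, turns this into a unit test for the patch.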
