Bug#758086: marked as done (CVE-2014-3577 Apache HttpComponents hostname verification bypass)
Your message dated Sat, 16 May 2015 06:03:38 +
with message-id e1ytvce-00068h...@franck.debian.org
and subject line Bug#758086: fixed in commons-httpclient 3.1-10.2+deb7u1
has caused the Debian Bug report #758086,
regarding CVE-2014-3577 Apache HttpComponents hostname verification bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
758086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153

It was found that the fix for CVE-2012-5783 was incomplete. The code added
to check that the server hostname matches the domain name in the subject's
CN field was flawed. This can be exploited by a Man-in-the-middle (MITM)
attack, where the attacker can spoof a valid certificate using a specially
crafted subject.

This issue was discovered by Florian Weimer of Red Hat Product Security.

---
Henri Salo

signature.asc
Description: Digital signature
---End Message---
---BeginMessage---
Source: commons-httpclient
Source-Version: 3.1-10.2+deb7u1

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 758...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany a...@gambaru.de (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2015 21:24:48 +0200
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-10.2+deb7u1
Distribution: wheezy
Urgency: high
Maintainer: Debian Java Maintainers pkg-java-maintain...@lists.alioth.debian.org
Changed-By: Markus Koschany a...@gambaru.de
Description:
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes:
 commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high
 .
   * Team upload.
   * Add CVE-2014-3577.patch. (Closes: #758086)
     It was found that the fix for CVE-2012-6153 was incomplete: the code
     added to check that the server hostname matches the domain name in a
     subject's Common Name (CN) field in X.509 certificates was flawed. A
     man-in-the-middle attacker could use this flaw to spoof an SSL server
     using a specially crafted X.509 certificate. The fix for CVE-2012-6153
     was intended to address the incomplete patch for CVE-2012-5783. The
     issue is now completely resolved by applying this patch and the
     06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.
Checksums-Sha1:
 ca26cd0f2a5be0029a7b2e8d56cf85fb38c31d1e 2526 commons-httpclient_3.1-10.2+deb7u1.dsc
 0c6dfbf3d0d47cfc70595d2b15223a59f264795b 13684 commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 301f4d1a8f1e400f257c13cd222981d60696584c 299718 libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 b87b0f77aba48d6177092356e96e2b149f840283 1547514 libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Checksums-Sha256:
 219a2ecdf758361cec1ea85bce645115c14bf609dc7b565cd0ab5aee610f6cb1 2526 commons-httpclient_3.1-10.2+deb7u1.dsc
 e977a7922cff20c65fb6dcfbd9bb2f11e2f079245edddc68567055dd0e444cac 13684 commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 7bafb3dc4b04d2c0af8ecb8010eae11b63496c57184fe1bd6b812f824eee2037 299718 libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 47af253e18f750a10ff226c487aceadb056a78a913a6ab3c1d7022b620bd 1547514 libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Files:
 022067c70b0363ea2c1fa31542290b64 2526 java optional commons-httpclient_3.1-10.2+deb7u1.dsc
 8a5862dc9b0b0898c61e438359eec285 13684 java optional commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 4deb3d76811d48c359dcbe0616f76b41 299718 java optional libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 e1708de058fde033592dc11b9468294b 1547514 doc
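The report and the changelog above both turn on one point: matching the server hostname against a name taken from the certificate subject is only as good as the way that name is extracted. The following is an added illustration, not code from the bug report, the Debian changelog, or commons-httpclient itself. It shows a hostname check that parses the subject DN as structured RDNs (javax.naming.ldap.LdapName) instead of scanning the DN string, and that consults the CN only when the certificate carries no subjectAltName dNSName entries. The naiveCn method and the sample DN are constructed for contrast and are an assumption about how such checks typically go wrong, not a statement of the exact defect in commons-httpclient.

```java
// Added example: hostname verification against an X.509 subject, with the
// CN extracted by a real DN parser. The naive extractor and the sample DN
// below are constructed for illustration (assumptions, not project code).
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public final class HostnameCheck {

    /** Contrast case (assumed pattern): scan the DN string for "CN=" and cut at the next comma.
     *  Any other attribute whose value contains the text "CN=..." confuses this. */
    static String naiveCn(String dn) {
        int i = dn.indexOf("CN=");
        if (i < 0) return null;
        int end = dn.indexOf(',', i);
        return end < 0 ? dn.substring(i + 3) : dn.substring(i + 3, end);
    }

    /** Hardened case: parse the RFC 2253 string into RDNs; escaped commas and
     *  quoted values are handled by the parser, and only a real CN attribute is returned. */
    static String structuredCn(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        for (Rdn rdn : name.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return String.valueOf(rdn.getValue());   // unescaped attribute value
            }
        }
        return null;
    }

    /** Case-insensitive exact match; a wildcard is allowed only as the whole leftmost
     *  label and only when at least two labels follow it. */
    static boolean hostMatches(String host, String pattern) {
        if (host == null || pattern == null) return false;
        host = host.toLowerCase(Locale.ROOT);
        pattern = pattern.toLowerCase(Locale.ROOT);
        if (pattern.startsWith("*.")) {
            String suffix = pattern.substring(1);          // ".example.com"
            int dot = host.indexOf('.');
            return dot > 0
                    && host.substring(dot).equals(suffix)  // wildcard covers exactly one label
                    && suffix.indexOf('.', 1) > 0;         // at least two labels remain
        }
        return host.equals(pattern);
    }

    /** Prefer subjectAltName dNSName entries (GeneralName type 2); if any are present the CN
     *  is not consulted at all. Fall back to the structured CN only for SAN-less certificates. */
    static boolean verify(String host, X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> dnsNames = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) {
                    dnsNames.add((String) san.get(1));
                }
            }
        }
        if (!dnsNames.isEmpty()) {
            for (String n : dnsNames) {
                if (hostMatches(host, n)) return true;
            }
            return false;
        }
        String cn = structuredCn(cert.getSubjectX500Principal().getName());
        return hostMatches(host, cn);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample subject in RFC 2253 form (as X500Principal.getName() prints it):
        // the O attribute's value contains the literal text ", CN=www.example.com" with its
        // comma escaped, while the real CN is attacker.example.net.
        String sample = "O=Attacker\\, CN=www.example.com,CN=attacker.example.net";
        String host = "www.example.com";
        System.out.println("naive CN:       " + naiveCn(sample));
        System.out.println("structured CN:  " + structuredCn(sample));
        System.out.println("naive match:      " + hostMatches(host, naiveCn(sample)));
        System.out.println("structured match: " + hostMatches(host, structuredCn(sample)));
        System.out.println("*.example.com vs www.example.com:   " + hostMatches("www.example.com", "*.example.com"));
        System.out.println("*.example.com vs a.b.example.com:   " + hostMatches("a.b.example.com", "*.example.com"));
    }
}
```

The main method runs offline on the constructed DN and makes the difference between the two extractors visible; verify is the method a client would actually call with a received X509Certificate. Treating a present subjectAltName as authoritative and ignoring the CN in that case is the behaviour RFC 6125 asks for, and it removes most of the exposure to subject-string parsing in the first place.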
Bug#758086: marked as done (CVE-2014-3577 Apache HttpComponents hostname verification bypass)
Your message dated Mon, 13 Apr 2015 17:05:26 +
with message-id e1yhhna-0001cz...@franck.debian.org
and subject line Bug#758086: fixed in commons-httpclient 3.1-11
has caused the Debian Bug report #758086,
regarding CVE-2014-3577 Apache HttpComponents hostname verification bypass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
758086: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

---BeginMessage---
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153

It was found that the fix for CVE-2012-5783 was incomplete. The code added
to check that the server hostname matches the domain name in the subject's
CN field was flawed. This can be exploited by a Man-in-the-middle (MITM)
attack, where the attacker can spoof a valid certificate using a specially
crafted subject.

This issue was discovered by Florian Weimer of Red Hat Product Security.

---
Henri Salo

signature.asc
Description: Digital signature
---End Message---
---BeginMessage---
Source: commons-httpclient
Source-Version: 3.1-11

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 758...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany a...@gambaru.de (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2015 22:57:54 +0100
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-11
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers pkg-java-maintain...@lists.alioth.debian.org
Changed-By: Markus Koschany a...@gambaru.de
Description:
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes:
 commons-httpclient (3.1-11) unstable; urgency=high
 .
   * Team upload.
   * Add CVE-2014-3577.patch. (Closes: #758086)
     It was found that the fix for CVE-2012-6153 was incomplete: the code
     added to check that the server hostname matches the domain name in a
     subject's Common Name (CN) field in X.509 certificates was flawed. A
     man-in-the-middle attacker could use this flaw to spoof an SSL server
     using a specially crafted X.509 certificate. The fix for CVE-2012-6153
     was intended to address the incomplete patch for CVE-2012-5783. The
     issue is now completely resolved by applying this patch and the
     06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.
Checksums-Sha1:
 6813d403d1100210a3adc632a8e7dcff477c4d61 2028 commons-httpclient_3.1-11.dsc
 15202a3ff56c0f5336ce35ba95f6b07d293d89ad 12444 commons-httpclient_3.1-11.debian.tar.xz
 95e5b8d3ac5bb3f5ff7b1affebbb984bfb23f68f 302008 libcommons-httpclient-java_3.1-11_all.deb
 bc3bbb89be84880a18be2716d6abd7ee39a18b03 766086 libcommons-httpclient-java-doc_3.1-11_all.deb
Checksums-Sha256:
 81b0cbe1b1804c5c43cac7d089ba9ca65fe971ef3015602c8c790193a87eb3a6 2028 commons-httpclient_3.1-11.dsc
 51feecd75226900f90e52eaa2b3660579b0e734740ef07cffb8f1a6c3db9aaeb 12444 commons-httpclient_3.1-11.debian.tar.xz
 e7ccb4f5e34d6750a07da64ca86a73ec9bd81b47eaea4815bed694b4e6e4f521 302008 libcommons-httpclient-java_3.1-11_all.deb
 74a38afa380426fd5c626751d95779dd6ccc36bb3705489a36759606e71bd3a4 766086 libcommons-httpclient-java-doc_3.1-11_all.deb
Files:
 2793d3bf04df3bf4b6d8bd11dd0db543 2028 java optional commons-httpclient_3.1-11.dsc
 18ce71adc3c0c83fa1555d8eb426b3f3 12444 java optional commons-httpclient_3.1-11.debian.tar.xz
 3291b34ed300ca218163ec3807c1d181 302008 java optional libcommons-httpclient-java_3.1-11_all.deb
 7d6a72907b03943d5ff2d889dc388995 766086 doc optional libcommons-httpclient-java-doc_3.1-11_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1