Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Henri Salo
henri at nerv.fi
Thu Aug 14 07:06:47 UTC 2014
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153
It was found that the fix for CVE-2012-5783 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN field
was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where
the attacker can spoof a valid certificate using a specially crafted subject.
This issue was discovered by Florian Weimer of Red Hat Product Security.
---
Henri Salo
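The report states the general failure mode (the hostname was checked against a CN pulled out of the certificate subject, and a crafted subject defeats that check) but not the mechanics of the 3.x code. The following is an added example, not code from this bug report, from Red Hat, or from Apache HttpComponents: it shows one way a CN check can be fooled when the subject is handled as a flat string, beside a check that parses the RFC 4514 DN properly and applies the usual wildcard rules. The DN strings, and the names `parse_dn`, `hostname_matches`, `naive_verify` and `strict_verify`, are constructed for this example. Real verification should prefer subjectAltName dNSName entries over the CN; that part is out of scope here.

```python
import re

# Constructed sample subjects (not taken from the bug report). In the second one the
# attacker controls the O attribute and hides a second "CN=" inside it behind an
# escaped comma; a quoted form ("Evil,CN=...") is equivalent under RFC 2253 syntax.
LEGIT_DN = 'CN=www.example.com,O=Example Inc,C=US'
CRAFTED_DN = 'CN=attacker.test,O=Evil\\,CN=www.example.com,C=US'


def parse_dn(dn):
    """Parse an RFC 4514 DN string into [(TYPE, value), ...].

    Honours backslash escapes and double-quoted values, so separators that are
    part of an attribute value never start a new RDN. \\XX hex-pair escapes are
    not decoded (they cannot produce a separator, so this stays safe).
    """
    rdns = []
    attr_type, value = [], []
    cur = attr_type
    in_quotes = False
    i = 0

    def flush():
        t = ''.join(attr_type).strip().upper()
        if t:
            rdns.append((t, ''.join(value)))
        attr_type.clear()
        value.clear()

    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):      # escaped character: literal
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == '"' and cur is value:           # quoted value: separators are literal
            in_quotes = not in_quotes
            i += 1
            continue
        if not in_quotes:
            if c == '=' and cur is attr_type:   # end of attribute type
                cur = value
                i += 1
                continue
            if c in ',;+':                      # end of RDN (or multi-valued RDN part)
                flush()
                cur = attr_type
                i += 1
                continue
        cur.append(c)
        i += 1
    flush()
    return rdns


def hostname_matches(hostname, pattern):
    """Case-insensitive match; a wildcard must be the whole left-most label,
    must cover exactly one label, and needs at least two labels after it."""
    host = hostname.lower().rstrip('.')
    pat = pattern.lower().rstrip('.')
    if '*' not in pat:
        return host == pat
    pat_labels = pat.split('.')
    host_labels = host.split('.')
    if pat_labels[0] != '*' or len(pat_labels) < 3 or not host_labels[0]:
        return False
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def naive_verify(hostname, dn):
    """Weak check (illustrative): regex straight over the DN string accepts any
    'CN=' substring, including one smuggled inside another attribute's value."""
    return any(hostname_matches(hostname, cn) for cn in re.findall(r'CN=([^,]*)', dn))


def strict_verify(hostname, dn):
    """Hardened check: parse the DN, require exactly one CN, match only that."""
    cns = [v for t, v in parse_dn(dn) if t == 'CN']
    if len(cns) != 1:
        return False
    return hostname_matches(hostname, cns[0])


if __name__ == '__main__':
    for label, dn in (('legit', LEGIT_DN), ('crafted', CRAFTED_DN)):
        print(label, parse_dn(dn))
        print('  naive :', naive_verify('www.example.com', dn))
        print('  strict:', strict_verify('www.example.com', dn))
```

The naive path accepts the crafted subject for `www.example.com` because the regex sees the embedded `CN=` after the escaped comma; the parsed path sees a single CN of `attacker.test` and refuses. In Java the same lesson applies: take the subject from the parsed certificate (or use the platform's hostname verifier) rather than running a regex over the DN string.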