Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Raphael Hertzog
hertzog at debian.org
Mon Sep 22 13:56:00 UTC 2014
Hi,
On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > Is there an example available somewhere of a subject improperly parsed
> > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > this version.
>
> I think this is already fixed in 3.1-10.2, see the Red Hat bug as
> reference and See https://bugs.debian.org/692442#56 and and following
> mails.
I don't understand this from those mails. On the contrary, RedHat
did update their packages with a new patch on top of the former
patch:
https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
And the Debian package still have the old version of getCN().
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
More information about the pkg-java-maintainers
mailing list