Bug#758086: CVE-2014-3577 Apache HttpComponents hostname verification bypass

Markus Koschany apo at gambaru.de
Sat Apr 4 00:57:50 UTC 2015


Some more information about this issue. TL;DR: this is actually
CVE-2014-3577. Debian's package is not affected by CVE-2012-6153.
I recommend fixing this bug by applying the debdiff from my last e-mail.

We currently apply the 06_fix_CVE-2012-5783.patch [1]. Now I am sure
that this patch fixes two CVEs, namely CVE-2012-5783 and CVE-2012-6153.
Two and a half years ago Debian bug #692442 [2] was assigned for
CVE-2012-5783. David Jorm from RedHat discovered that the original patch
from Alberto Fernández was not complete and that MITM attacks were still
possible under certain hypothetical circumstances. [3] He forwarded his
patch upstream, and upstream applied it to the 4.2.x branch of
httpcomponents-client. [4] It was not immediately clear that this issue
was exploitable. Two years later it became apparent that it was, and
CVE-2012-6153 was assigned.

If you take a closer look at the bug report about CVE-2012-6153 in
RedHat's bug tracker [5], which, by the way, was filed by David Jorm, you
will notice that the link to upstream's repository is the same one as in
[4]. Hence it is clear that David Jorm's patch in #692442 is also the
fix for CVE-2012-6153.

It is therefore easy to see that Debian's 06_fix_CVE-2012-5783.patch
already contains the fix for CVE-2012-6153.

Hence I have retitled this bug report, because commons-httpclient is not
affected by CVE-2012-6153 but by CVE-2014-3577. This issue was fixed in
the 4.x branch, and RedHat backported this fix to 3.1. See [6] for the
corresponding upstream commits. There is also a test case, but only for
the 4.3.x branch.

CVE-2014-3577 in RedHat's bug tracker: [7]
Background information about CVE-2012-6153 and CVE-2014-3577: [8]

My debdiff contains the fix for CVE-2014-3577. The patch looks sane and
reproduces the already applied upstream changes from [6] for the 3.1
branch. The patch has been applied in packages for RedHat, Fedora and
CentOS for the past six months.

I have also asked upstream for further test cases to verify that this
issue is completely solved. [9] However, only the latest version is
supported, and those test cases are only available in 4.4.x, which has
not been packaged for Debian yet.

Markus

[1] https://sources.debian.net/src/commons-httpclient/3.1-10.2/debian/patches/06_fix_CVE-2012-5783.patch
[2] https://bugs.debian.org/692442
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442#56
[4] http://svn.apache.org/viewvc?view=revision&revision=1411705
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1129916#c2
[6] https://svn.apache.org/viewvc?view=revision&revision=1614064
[7] https://bugzilla.redhat.com/show_bug.cgi?id=1129074
[8] https://access.redhat.com/solutions/1165533
[9] https://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201504.mbox/%3C1427898558.14757.3.camel@apache.org%3E
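The hostname verification bypass named in the subject line, shown as an added illustration that is not part of this message and is not code from the commons-httpclient or HttpComponents projects. CVE-2014-3577 is a CN-extraction flaw: the verifier derived the certificate's CN values by scanning the string form of the subject DN, so a "CN=" sequence smuggled inside another attribute value (the CVE text gives "foo,CN=www.apache.org" in the O field) was accepted as a CN. The naive extractor below is a sketch of that pattern, not the project's code; the class name CnExtractionDemo, the helper names and the subject DN are constructed for this example. The hardened variant parses the DN into RDNs with javax.naming.ldap.LdapName, which is the approach the upstream fix took.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class CnExtractionDemo {

    // Naive CN extraction (sketch of the vulnerable pattern, not project code):
    // split the subject DN string on ',' and take whatever follows "CN=" in
    // each token. An escaped comma inside another attribute value is treated
    // as a separator, so attacker-controlled text becomes a "CN".
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(subjectDn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken();
            int x = tok.indexOf("CN=");
            if (x >= 0) {
                cns.add(tok.substring(x + 3).trim());
            }
        }
        return cns;
    }

    // Structural CN extraction: parse the DN into RDNs per RFC 2253, so an
    // escaped comma inside the O value stays part of that value and only
    // RDNs whose type is CN are returned.
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    // Minimal stand-in for a verifier's CN check (exact match only; real
    // verifiers also handle wildcards and subjectAltName dNSName entries).
    static boolean cnMatches(List<String> cns, String host) {
        for (String cn : cns) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed attacker subject in RFC 2253 form: the real CN is the
        // attacker's host, but the O value carries an escaped comma followed
        // by "CN=www.apache.org".
        String subject = "CN=www.evil.example,O=foo\\,CN=www.apache.org,C=US";
        String host = "www.apache.org";

        System.out.println("naive  CNs: " + naiveCns(subject));   // [www.evil.example, www.apache.org]
        System.out.println("parsed CNs: " + parsedCns(subject));  // [www.evil.example]
        System.out.println("naive  accepts " + host + ": " + cnMatches(naiveCns(subject), host));   // true
        System.out.println("parsed accepts " + host + ": " + cnMatches(parsedCns(subject), host));  // false
    }
}
```

Compile and run with `javac CnExtractionDemo.java && java CnExtractionDemo`. The naive extractor accepts the certificate for www.apache.org although its only CN is www.evil.example, which is the man-in-the-middle condition the CVE describes; the LdapName-based extractor rejects it. A DN obtained from a real certificate should come from X500Principal.getName(X500Principal.RFC2253), which is the escaping convention LdapName expects.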
