Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Moritz Muehlenhoff
jmm at inutil.org
Mon Mar 23 15:43:58 UTC 2015
On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
> > Hi,
> >
> > On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> > > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > > > Is there an example available somewhere of a subject improperly parsed
> > > > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > > > this version.
> > >
> > > I think this is already fixed in 3.1-10.2, see the Red Hat bug as
> > > reference and See https://bugs.debian.org/692442#56 and and following
> > > mails.
> >
> > I don't understand this from those mails. On the contrary, RedHat
> > did update their packages with a new patch on top of the former
> > patch:
> > https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
> >
> > And the Debian package still have the old version of getCN().
>
> What's the status? Can we get that fixed for jessie?
*ping*, the release is getting closer.
Cheers,
Moritz
More information about the pkg-java-maintainers
mailing list