Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack

Moritz Muehlenhoff jmm at inutil.org
Mon Mar 23 15:43:58 UTC 2015


On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
> > Hi,
> > 
> > On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> > > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > > > Is there an example available somewhere of a subject improperly parsed
> > > > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > > > this version.
> > > 
> > > I think this is already fixed in 3.1-10.2, see the Red Hat bug as
> > > reference and see https://bugs.debian.org/692442#56 and following
> > > mails.
> > 
> > I don't understand this from those mails. On the contrary, RedHat
> > did update their packages with a new patch on top of the former
> > patch:
> > https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
> > 
> > And the Debian package still has the old version of getCN().
> 
> What's the status? Can we get that fixed for jessie?

*ping*, the release is getting closer.

Cheers,
        Moritz


