Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake

Guido Günther agx at sigxcpu.org
Fri Sep 11 14:47:22 UTC 2015


Hi,
On Fri, Sep 11, 2015 at 04:20:42PM +0200, Emmanuel Bourg wrote:
> Le 11/09/2015 15:12, Guido Günther a écrit :
> 
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892
> 
> Thank you for the report Guido. A hanging connection is certainly
> annoying but I fail to understand why it's flagged as a security
> vulnerability.

Since a malicious server can starve client connections _although_ the
client took countermeasures to prevent this (by setting a timeout).

> Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> the version 4.3.6. So if this is really a security issue the
> httpcomponents-client package in stable and oldstable is also affected.

I do think so but I haven't checked yet and

https://bugzilla.redhat.com/show_bug.cgi?id=1261538

as well as

https://issues.apache.org/jira/browse/HTTPCLIENT-1478?focusedCommentId=13926162&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13926162

claim that it's not yet reproduced for httpcomponents-client 4.2.x
that's why I didn't file a bug for httpcomponents-client yet, until
this is investigated further.

Cheers,
 -- Guido
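The starvation Guido describes, as an added example in plain JSSE (this is not httpcomponents-client code and not the fix from HTTPCLIENT-1478; the black-hole server, the loopback port and the 2 s timeout are constructed for the demo). It shows why "setting a timeout" is only a countermeasure if the read timeout is already in force on the underlying socket when startHandshake() runs: a server that completes the TCP connect and never sends ServerHello blocks the client's handshake read, and a timeout applied after the handshake never governs it.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HandshakeTimeoutDemo {

    // Constructed stand-in for a server that starves TLS clients: it completes the TCP
    // handshake and then never sends a byte, so the client's read of ServerHello blocks.
    // Accepted sockets are retained so the JVM cannot garbage-collect and close them.
    static final List<Socket> HELD = new ArrayList<>();

    static ServerSocket startBlackHoleServer() throws IOException {
        ServerSocket server = new ServerSocket(0, 50, InetAddress.getLoopbackAddress());
        Thread acceptor = new Thread(() -> {
            try {
                while (true) {
                    HELD.add(server.accept()); // hold the connection open, never respond
                }
            } catch (IOException closed) {
                // server socket closed by main(): stop accepting
            }
        });
        acceptor.setDaemon(true);
        acceptor.start();
        return server;
    }

    // Correct ordering: the read timeout is set on the plain socket before the TLS layer is
    // stacked on top of it, so the blocking reads inside startHandshake() honour it.
    static void handshakeWithTimeoutBefore(int port, int timeoutMs) throws IOException {
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), timeoutMs);
        plain.setSoTimeout(timeoutMs);
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, "localhost", port, true)) {
            tls.startHandshake();
        }
    }

    // Mis-ordering that reproduces the symptom in the report: the timeout is applied only
    // after the handshake, so a server that never answers keeps the thread blocked forever.
    static void handshakeWithTimeoutAfter(int port, int timeoutMs) throws IOException {
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(InetAddress.getLoopbackAddress(), port), timeoutMs);
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, "localhost", port, true)) {
            tls.startHandshake();        // blocks indefinitely against the black-hole server
            tls.setSoTimeout(timeoutMs); // never reached: too late to protect the handshake
        }
    }

    public static void main(String[] args) throws Exception {
        ServerSocket server = startBlackHoleServer();
        int port = server.getLocalPort();

        long start = System.nanoTime();
        try {
            handshakeWithTimeoutBefore(port, 2000);
        } catch (IOException e) {
            long elapsedMs = (System.nanoTime() - start) / 1_000_000;
            System.out.printf("timeout before handshake: gave up after %d ms with %s%n",
                    elapsedMs, e.getClass().getSimpleName());
        }

        Thread stuck = new Thread(() -> {
            try {
                handshakeWithTimeoutAfter(port, 2000);
            } catch (IOException e) {
                System.out.println("timeout after handshake: ended with " + e);
            }
        });
        stuck.setDaemon(true);
        stuck.start();
        stuck.join(5000); // wait well beyond the configured 2 s timeout
        System.out.println("timeout after handshake: still blocked after 5 s? " + stuck.isAlive());

        server.close(); // unblocks the acceptor; the daemon handshake thread dies with the JVM
    }
}
```

The first call fails with a SocketTimeoutException roughly 2 s after connecting; the second is still alive after 5 s because nothing bounds the handshake read. A client library that configures its socket timeout only after wrapping the connection in TLS is in the second situation no matter what the caller set, which is what makes this a denial-of-service issue rather than a mere annoyance.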



More information about the pkg-java-maintainers mailing list