Debian Security Advisory

DLA-222-1 commons-httpclient -- LTS security update

Date Reported:
19 May 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2012-5783, CVE-2012-6153, CVE-2014-3577.
More information:
  • CVE-2012-5783

    and CVE-2012-6153 Apache Commons HttpClient 3.1 did not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Thanks to Alberto Fernandez Martinez for the patch.

  • CVE-2014-3577

    It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address the incomplete patch for CVE-2012-5783. The issue is now completely resolved by applying this patch and the one for the previous CVEs

This upload was prepared by Markus Koschany.