Debian Security Advisory
DLA-222-1 commons-httpclient -- LTS security update
- Date Reported:
- 19 May 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2012-5783, CVE-2012-6153, CVE-2014-3577.
- More information:
and CVE-2012-6153 Apache Commons HttpClient 3.1 did not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Thanks to Alberto Fernandez Martinez for the patch.
It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address the incomplete patch for CVE-2012-5783. The issue is now completely resolved by applying this patch and the one for the previous CVEs
This upload was prepared by Markus Koschany.