Debian 9844 Published by

A commons-httpclient security update has been released for Debian 6 LTS.



Package : commons-httpclient
Version : 3.1-9+deb6u1
CVE ID : CVE-2012-5783 CVE-2012-6153 CVE-2014-3577

CVE-2012-5783 and CVE-2012-6153
Apache Commons HttpClient 3.1 did not verify that the server hostname
matches a domain name in the subject's Common Name (CN) or subjectAltName
field of the X.509 certificate, which allows man-in-the-middle attackers to
spoof SSL servers via an arbitrary valid certificate.
Thanks to Alberto Fernandez Martinez for the patch.

CVE-2014-3577
It was found that the fix for CVE-2012-6153 was incomplete: the code added
to check that the server hostname matches the domain name in a subject's
Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle
attacker could use this flaw to spoof an SSL server using a specially
crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address
the incomplete patch for CVE-2012-5783. The issue is now completely resolved
by applying this patch together with the one for the previous CVEs.
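The check that the three CVEs above are about, written out as an added example. This is not code from the advisory or from Apache Commons HttpClient; it is an illustration in Python of what a correct hostname check does with the structured certificate data (the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns), next to the string-matching shortcut that a flawed CN check amounts to. The function names, the certificates and the crafted subject DN are constructed for this example and are assumptions, not the certificate used against httpclient.

```python
# Added illustrative example (not Apache Commons HttpClient code): hostname
# verification against subjectAltName dNSName entries with a CN fallback, as
# the advisory describes it. Certificates are hand-constructed dictionaries in
# the shape Python's ssl.SSLSocket.getpeercert() returns.

def san_dns_names(cert):
    """dNSName entries from subjectAltName, in certificate order."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]

def subject_cn(cert):
    """Common Name taken from the *structured* subject, or None. 'subject' is
    a tuple of RDNs, each a tuple of (attribute, value) pairs, so text inside
    another attribute's value can never be mistaken for the CN."""
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None

def name_matches(pattern, hostname):
    """Case-insensitive comparison of one certificate name with the hostname.
    A wildcard is accepted only as the entire leftmost label, needs at least
    two more labels after it, and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches(cert, hostname):
    """True when the hostname matches a dNSName SAN or, only when the
    certificate carries no dNSName SAN at all, the subject CN. An unpatched
    client that skips this step (CVE-2012-5783) accepts any valid certificate
    for any name."""
    names = san_dns_names(cert)
    if not names:
        cn = subject_cn(cert)
        names = [cn] if cn else []
    return any(name_matches(name, hostname) for name in names)

def naive_cn_from_dn_string(dn):
    """The shortcut a CN check must not take: treat the subject DN as a flat
    string and return whatever follows the first 'CN='. Shown only to contrast
    with subject_cn(); it is an illustration of the bug class, not the
    httpclient code."""
    start = dn.find("CN=")
    if start < 0:
        return None
    end = dn.find(",", start)
    return dn[start + 3:end if end >= 0 else len(dn)]

# Constructed certificates (assumed data for this example).
GOOD = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}
WILDCARD = {
    "subject": ((("commonName", "*.bank.example"),),),
    "subjectAltName": (("DNS", "*.bank.example"),),
}
# A valid certificate issued to attacker.example whose O attribute merely
# contains the text "CN=www.bank.example". Its real CN is attacker.example.
CRAFTED = {
    "subject": ((("organizationName", "Evil, CN=www.bank.example, Inc"),),
                (("commonName", "attacker.example"),)),
}
# The same subject rendered as one DN string, quoted value and all.
CRAFTED_DN_STRING = 'O="Evil, CN=www.bank.example, Inc",CN=attacker.example'

if __name__ == "__main__":
    print(hostname_matches(GOOD, "www.bank.example"))        # True
    print(hostname_matches(WILDCARD, "login.bank.example"))  # True
    print(hostname_matches(WILDCARD, "a.b.bank.example"))    # False
    print(subject_cn(CRAFTED))                               # attacker.example
    print(naive_cn_from_dn_string(CRAFTED_DN_STRING))        # www.bank.example
    print(hostname_matches(CRAFTED, "www.bank.example"))     # False
```

The contrast to watch is the last three lines of the usage block: the structured lookup reports the crafted certificate's CN as attacker.example and rejects it for www.bank.example, while the flat-string shortcut is steered by attacker-controlled text in another attribute and would let that certificate through. A client that verifies against the parsed subject and prefers SAN entries over the CN closes both the missing check and the flawed one.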


This upload was prepared by Markus Koschany.