CVE-2014-3577 Apache HttpComponents hostname verification bypass

Related Vulnerabilities: CVE-2014-3577, CVE-2012-6153, CVE-2012-5783

Debian Bug report logs - #758086
CVE-2014-3577 Apache HttpComponents hostname verification bypass


Reported by: Henri Salo <henri@nerv.fi>

Date: Thu, 14 Aug 2014 07:15:02 UTC

Severity: serious

Tags: patch, security

Found in version 3.1-10.2

Fixed in versions commons-httpclient/3.1-11, commons-httpclient/3.1-10.2+deb7u1

Done: Markus Koschany <apo@gambaru.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Thu, 14 Aug 2014 07:15:06 GMT)

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 14 Aug 2014 07:15:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Thu, 14 Aug 2014 10:06:47 +0300
Package: commons-httpclient
Version: 3.1-10.2
Severity: important
Tags: security

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6153

It was found that the fix for CVE-2012-5783 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN field
was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where
the attacker can spoof a valid certificate using a specially crafted subject.

This issue was discovered by Florian Weimer of Red Hat Product Security.

---
Henri Salo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Thu, 14 Aug 2014 21:45:09 GMT)

Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 14 Aug 2014 21:45:09 GMT)

Message #10 received at 758086@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Henri Salo <henri@nerv.fi>, 758086@bugs.debian.org, fw@deneb.enyo.de
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Thu, 14 Aug 2014 23:43:32 +0200
Hi Henri,

Thank you for the report.

Is there an example available somewhere of a subject improperly parsed
by commons-httpclient/3.1-10.2? This would help backporting the fix to
this version.

Emmanuel Bourg

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 18 Aug 2014 20:30:04 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 18 Aug 2014 20:30:04 GMT)

Message #15 received at 758086@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>, 758086@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>, fw@deneb.enyo.de
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Mon, 18 Aug 2014 22:26:40 +0200
Hi Emmanuel,

On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> Hi Henri,
> 
> Thank you for the report.
> 
> Is there an example available somewhere of a subject improperly parsed
> by commons-httpclient/3.1-10.2? This would help backporting the fix to
> this version.

I think this is already fixed in 3.1-10.2; see the Red Hat bug as
reference and https://bugs.debian.org/692442#56 and the following
mails.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 22 Sep 2014 14:00:04 GMT)

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 22 Sep 2014 14:00:04 GMT)

Message #20 received at 758086@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Emmanuel Bourg <ebourg@apache.org>, 758086@bugs.debian.org, Henri Salo <henri@nerv.fi>, fw@deneb.enyo.de
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Mon, 22 Sep 2014 15:56:00 +0200
Hi,

On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > Is there an example available somewhere of a subject improperly parsed
> > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > this version.
> 
> I think this is already fixed in 3.1-10.2; see the Red Hat bug as
> reference and https://bugs.debian.org/692442#56 and the following
> mails.

I don't understand this from those mails. On the contrary, RedHat
did update their packages with a new patch on top of the former
patch:
https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch

And the Debian package still has the old version of getCN().

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 29 Dec 2014 21:27:04 GMT)

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 29 Dec 2014 21:27:04 GMT)

Message #25 received at 758086@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Raphael Hertzog <hertzog@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, Emmanuel Bourg <ebourg@apache.org>, 758086@bugs.debian.org, Henri Salo <henri@nerv.fi>, fw@deneb.enyo.de
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Mon, 29 Dec 2014 22:25:24 +0100
On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > > Is there an example available somewhere of a subject improperly parsed
> > > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > > this version.
> > 
> > I think this is already fixed in 3.1-10.2; see the Red Hat bug as
> > reference and https://bugs.debian.org/692442#56 and the following
> > mails.
> 
> I don't understand this from those mails. On the contrary, RedHat
> did update their packages with a new patch on top of the former
> patch:
> https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
> 
> And the Debian package still has the old version of getCN().

What's the status? Can we get that fixed for jessie?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Tue, 24 Feb 2015 14:24:04 GMT)

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 24 Feb 2015 14:24:04 GMT)

Message #30 received at 758086@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Cc: debian-lts@lists.debian.org, Alberto Fernández Martínez <infjaf@gmail.com>, 758086@bugs.debian.org
Subject: security update of commons-httpclient?
Date: Tue, 24 Feb 2015 15:21:52 +0100
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of your commons-httpclient:
https://security-tracker.debian.org/tracker/CVE-2012-6153

It would be nice if you could take care of this update as
the package is not high enough on our priority list and
we seem to never manage to find the time.

And the same seems to apply for the stable security team
since this issue is still open in all releases despite
a friendly ping from Moritz last december.

Yet the package seems to be relatively important in the java world since
it's a reverse dependency of quite a few other packages...

So it would be nice to have some action going. I don't want
to raise the severity to "serious" at this point of the release but it's
not good for Debian to leave security issues unattended for so long.
So can someone take the responsibility to provide fixed packages
for our releases?

I have included Alberto Fernández Martínez in copy since he's the last
person to have uploaded the package in... 2012!

Thank you in advance!

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: If you want to handle the upload to squeeze-lts by yourself, please
follow the instructions here:
http://wiki.debian.org/LTS/Development
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 23 Mar 2015 15:51:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 23 Mar 2015 15:51:04 GMT)

Message #35 received at 758086@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 758086@bugs.debian.org
Cc: Emmanuel Bourg <ebourg@apache.org>, Henri Salo <henri@nerv.fi>, team@security.debian.org
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Mon, 23 Mar 2015 16:43:58 +0100
On Mon, Dec 29, 2014 at 10:25:24PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Sep 22, 2014 at 03:56:00PM +0200, Raphael Hertzog wrote:
> > Hi,
> > 
> > On Mon, 18 Aug 2014, Salvatore Bonaccorso wrote:
> > > On Thu, Aug 14, 2014 at 11:43:32PM +0200, Emmanuel Bourg wrote:
> > > > Is there an example available somewhere of a subject improperly parsed
> > > > by commons-httpclient/3.1-10.2? This would help backporting the fix to
> > > > this version.
> > > 
> > > I think this is already fixed in 3.1-10.2; see the Red Hat bug as
> > > reference and https://bugs.debian.org/692442#56 and the following
> > > mails.
> > 
> > I don't understand this from those mails. On the contrary, RedHat
> > did update their packages with a new patch on top of the former
> > patch:
> > https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
> > 
> > And the Debian package still has the old version of getCN().
> 
> What's the status? Can we get that fixed for jessie?

*ping*, the release is getting closer.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 23 Mar 2015 16:09:04 GMT)

Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 23 Mar 2015 16:09:04 GMT)

Message #40 received at 758086@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 758086@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>, team@security.debian.org
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Mon, 23 Mar 2015 17:04:42 +0100
On 23/03/2015 16:43, Moritz Muehlenhoff wrote:

> *ping*, the release is getting closer.

I'm still missing a test case to ensure the patch does indeed address
the issue.

Emmanuel Bourg




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 23 Mar 2015 16:48:04 GMT)

Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 23 Mar 2015 16:48:04 GMT)

Message #45 received at 758086@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 758086@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@inutil.org>, Henri Salo <henri@nerv.fi>, team@security.debian.org
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Mon, 23 Mar 2015 17:44:11 +0100
On 23.03.2015 17:04, Emmanuel Bourg wrote:
> On 23/03/2015 16:43, Moritz Muehlenhoff wrote:
> 
>> *ping*, the release is getting closer.
> 
> I'm still missing a test case to ensure the patch does indeed address
> the issue.

Hi,

a way to reproduce this issue was mentioned by upstream here:

https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

To clarify:

CVE-2012-6153 was assigned because of an incomplete fix for
CVE-2012-5783. The latter is already addressed in Debian's package.

However, CVE-2012-6153 was still incomplete, so CVE-2014-3577 had to
be created.

See this comment in RedHat's bug tracker.

https://bugzilla.redhat.com/show_bug.cgi?id=1129916#c15

The fix for CVE-2014-3577 is supposed to fix CVE-2012-5783 and
CVE-2012-6153 which means we have to replace the current

06_fix_CVE-2012-5783.patch

with the one Raphael Hertzog mentioned earlier in this thread.

https://git.centos.org/blob/rpms!jakarta-commons-httpclient/5acb7f7b3e637c3a6d072e3f037a3c4abb6c48af/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch

By the way
https://packages.qa.debian.org/h/httpcomponents-client.html

in wheezy and squeeze is also affected by CVE-2014-3577.

I will try to verify that the CentOS patch works.

Regards,

Markus


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 23 Mar 2015 23:21:05 GMT)

Acknowledgement sent to 758086@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 23 Mar 2015 23:21:05 GMT)

Message #50 received at 758086@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 758086@bugs.debian.org
Subject: Re: Bug#758086: CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack
Date: Tue, 24 Mar 2015 00:18:14 +0100
Control: severity -1 serious
Control: tags -1 patch

I am raising the severity to serious because I think we want to fix this
for Jessie.

I have created a debdiff which is attached to this e-mail. I haven't
found a simple way yet to connect to an SSL protected web server and to
test this library. The server mentioned for testing purposes at

https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

seems to be down.

The patch for CVE-2014-3577 had to be combined with the existing patch
for CVE-2012-5783 similar to how Fedora, RedHat and CentOS addressed
this vulnerability.

Markus
[commons-httpclient.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Severity set to 'serious' from 'important'. Request was from Markus Koschany <apo@gambaru.de> to 758086-submit@bugs.debian.org. (Mon, 23 Mar 2015 23:21:05 GMT)

Added tag(s) patch. Request was from Markus Koschany <apo@gambaru.de> to 758086-submit@bugs.debian.org. (Mon, 23 Mar 2015 23:21:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Sat, 04 Apr 2015 01:00:04 GMT)

Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 04 Apr 2015 01:00:04 GMT)

Message #59 received at 758086@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 758086@bugs.debian.org
Subject: Re: Bug#758086: CVE-2014-3577 Apache HttpComponents hostname verification bypass
Date: Sat, 04 Apr 2015 02:57:50 +0200
Some more information about this issue. TL;DR this is actually
CVE-2014-3577. Debian's package is not affected by CVE-2012-6153.
I recommend fixing this bug by applying the debdiff from my last e-mail.

We currently apply the 06_fix_CVE-2012-5783.patch [1]. Now I am sure
that this patch fixes two CVEs, namely CVE-2012-5783 and CVE-2012-6153.
Two and a half years ago Debian bug #692442 [2] was assigned for
CVE-2012-5783. David Jorm from RedHat discovered that the original patch
from Alberto Fernández was not complete and MITM attacks were still
possible under certain, hypothetical circumstances. [3] He forwarded his
patch upstream and upstream applied it for the 4.2.x branch of
httpcomponents-client. [4] It was not immediately clear that this issue
was exploitable. Two years later it became apparent that it was and
CVE-2012-6153 was assigned.

If you take a closer look at the bug report about CVE-2012-6153 in
RedHat's bug tracker [5], which was filed by David Jorm by the way, you
will notice that the link to upstream's repository is the same one as in
[4]. Hence it is clear that David Jorm's patch in #692442 is also the
fix for CVE-2012-6153.

It is easily comprehensible that Debian's 06_fix_CVE-2012-5783.patch
already contains the fix for CVE-2012-6153.

Hence I have retitled this bug report because commons-httpclient is not
affected by CVE-2012-6153 but by CVE-2014-3577. This issue was fixed in
the 4.x branch and RedHat backported this fix to 3.1. See [6] for the
corresponding upstream commits. There is also a test case, but for the
4.3.x branch.

CVE-2014-3577 in RedHat's bug tracker. [7]
Background information about CVE-2012-6153 and CVE-2014-3577. [8]

My debdiff contains the fix for CVE-2014-3577. The patch looks sane and
reproduces the already applied upstream changes from [6] for the 3.1
branch. The patch has been applied in packages for RedHat, Fedora and
CentOS for the past six months.

I have also asked upstream for further test cases to verify that this
issue is completely solved. [9] However only the latest version is
supported and those test cases are only available in 4.4.x which has not
been packaged for Debian yet.

Markus

[1]
https://sources.debian.net/src/commons-httpclient/3.1-10.2/debian/patches/06_fix_CVE-2012-5783.patch
[2] https://bugs.debian.org/692442
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442#56
[4] http://svn.apache.org/viewvc?view=revision&revision=1411705
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1129916#c2
[6] https://svn.apache.org/viewvc?view=revision&revision=1614064
[7] https://bugzilla.redhat.com/show_bug.cgi?id=1129074
[8] https://access.redhat.com/solutions/1165533
[9]
https://mail-archives.apache.org/mod_mbox/hc-httpclient-users/201504.mbox/%3C1427898558.14757.3.camel@apache.org%3E

[signature.asc (application/pgp-signature, attachment)]
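The thread repeatedly asks for an example of a subject that a hand-written CN extractor parses improperly, and the fix being backported replaces the 3.1 getCN() logic. The Java below is an added illustration and is not commons-httpclient code, the Debian patch, or the CentOS patch; the class name `SubjectCnCheck`, the method names, and the sample subject string are constructed for this example. It contrasts a lenient comma-splitting scanner (the general shape of the bug class, shown only to make the failure visible) with RDN-aware parsing through the JDK's `javax.naming.ldap.LdapName`, applied to a subject whose O attribute carries a `CN=` substring, the shape named in the public description of CVE-2014-3577. The input is assumed to be the subject DN string in the quoted form that `X500Principal.toString()` uses.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/*
 * Added example, not commons-httpclient code: extracting the CN from a
 * certificate subject for hostname matching. Assumed input: the subject DN
 * as a string in the quoted form X500Principal.toString() produces, e.g.
 *   CN=attacker.example, O="foo,CN=www.apache.org"
 * The "CN=" text inside the quoted O value is data, not an attribute.
 */
public class SubjectCnCheck {

    /** Lenient scanner of the kind this thread is about: split the DN on
     *  commas, take whatever follows "CN=" in any piece, drop quotes.
     *  Present only to show what goes wrong; never use it for verification. */
    static List<String> lenientCNs(String subjectDn) {
        List<String> cns = new ArrayList<>();
        for (String piece : subjectDn.split(",")) {
            int i = piece.indexOf("CN=");
            if (i >= 0) {
                cns.add(piece.substring(i + 3).replace("\"", "").trim());
            }
        }
        return cns;
    }

    /** RDN-aware extraction: parse the DN per RFC 2253 (quoting and escaping
     *  handled by the JDK parser) and keep only values whose attribute type
     *  is CN. Text that merely looks like "CN=" inside another value is
     *  returned as part of that value's RDN, not as a CN. */
    static List<String> rdnAwareCNs(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString().trim());
            }
        }
        return cns;
    }

    /** Case-insensitive exact match of the requested host against the CNs.
     *  Wildcards and subjectAltName handling are deliberately out of scope. */
    static boolean hostMatches(String host, List<String> cns) {
        String wanted = host.toLowerCase(Locale.ROOT);
        for (String cn : cns) {
            if (cn.toLowerCase(Locale.ROOT).equals(wanted)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject for the example: the O value contains "CN=".
        String subject = "CN=attacker.example, O=\"foo,CN=www.apache.org\"";
        String host = "www.apache.org";

        List<String> lenient = lenientCNs(subject);
        List<String> strict = rdnAwareCNs(subject);

        System.out.println("lenient CNs:   " + lenient
                + " -> accepts " + host + "? " + hostMatches(host, lenient));
        System.out.println("RDN-aware CNs: " + strict
                + " -> accepts " + host + "? " + hostMatches(host, strict));
    }
}
```

Compile and run with `javac SubjectCnCheck.java && java SubjectCnCheck`. The lenient scanner treats the `CN=www.apache.org` fragment inside the O value as a second CN and therefore accepts the host, while the RDN-aware path sees a single CN of `attacker.example` and rejects it. For production code the stronger position is not to parse DNs by hand at all: on Java 7 and later, `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` delegates hostname verification to the platform, and RFC 6125 has subjectAltName entries take precedence over the CN anyway.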

Changed Bug title to 'CVE-2014-3577 Apache HttpComponents hostname verification bypass' from 'CVE-2012-6153: Apache HttpComponents client: Hostname verification susceptible to MITM attack'. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Sat, 04 Apr 2015 01:03:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Mon, 13 Apr 2015 16:27:05 GMT)

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 13 Apr 2015 16:27:05 GMT)

Message #66 received at 758086@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 758086@bugs.debian.org
Subject: Re: Bug#758086: CVE-2014-3577 Apache HttpComponents hostname verification bypass
Date: Mon, 13 Apr 2015 18:25:46 +0200
Hi,

Since the last maintainer upload was well over three years ago and there have
been several unacknowledged NMUs since then, I've taken the liberty to upload
Markus' good work as-is to unstable to fix this security issue for jessie.


Cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Mon, 13 Apr 2015 17:09:19 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 13 Apr 2015 17:09:19 GMT)

Message #71 received at 758086-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 758086-close@bugs.debian.org
Subject: Bug#758086: fixed in commons-httpclient 3.1-11
Date: Mon, 13 Apr 2015 17:05:26 +0000
Source: commons-httpclient
Source-Version: 3.1-11

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 758086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 23 Mar 2015 22:57:54 +0100
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-11
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes:
 commons-httpclient (3.1-11) unstable; urgency=high
 .
   * Team upload.
   * Add CVE-2014-3577.patch. (Closes: #758086)
     It was found that the fix for CVE-2012-6153 was incomplete: the code added
     to check that the server hostname matches the domain name in a subject's
     Common Name (CN) field in X.509 certificates was flawed. A
     man-in-the-middle attacker could use this flaw to spoof an SSL server using
     a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
     intended to address the incomplete patch for CVE-2012-5783. The issue is
     now completely resolved by applying this patch and the
     06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.
Checksums-Sha1:
 6813d403d1100210a3adc632a8e7dcff477c4d61 2028 commons-httpclient_3.1-11.dsc
 15202a3ff56c0f5336ce35ba95f6b07d293d89ad 12444 commons-httpclient_3.1-11.debian.tar.xz
 95e5b8d3ac5bb3f5ff7b1affebbb984bfb23f68f 302008 libcommons-httpclient-java_3.1-11_all.deb
 bc3bbb89be84880a18be2716d6abd7ee39a18b03 766086 libcommons-httpclient-java-doc_3.1-11_all.deb
Checksums-Sha256:
 81b0cbe1b1804c5c43cac7d089ba9ca65fe971ef3015602c8c790193a87eb3a6 2028 commons-httpclient_3.1-11.dsc
 51feecd75226900f90e52eaa2b3660579b0e734740ef07cffb8f1a6c3db9aaeb 12444 commons-httpclient_3.1-11.debian.tar.xz
 e7ccb4f5e34d6750a07da64ca86a73ec9bd81b47eaea4815bed694b4e6e4f521 302008 libcommons-httpclient-java_3.1-11_all.deb
 74a38afa380426fd5c626751d95779dd6ccc36bb3705489a36759606e71bd3a4 766086 libcommons-httpclient-java-doc_3.1-11_all.deb
Files:
 2793d3bf04df3bf4b6d8bd11dd0db543 2028 java optional commons-httpclient_3.1-11.dsc
 18ce71adc3c0c83fa1555d8eb426b3f3 12444 java optional commons-httpclient_3.1-11.debian.tar.xz
 3291b34ed300ca218163ec3807c1d181 302008 java optional libcommons-httpclient-java_3.1-11_all.deb
 7d6a72907b03943d5ff2d889dc388995 766086 doc optional libcommons-httpclient-java-doc_3.1-11_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJVK+2eAAoJEFb2GnlAHawEkQMH/AwsHevlwJXk1AhDJriltKMT
jzC4Jz0iXo1Rccb7+vvCwW6Uk8VLRDEAC2bVGiHOT5CoE/Nkr2j6I6YyZDniPDc3
RC8c/QC0oY0NHrH7fAxm25HLNLVfRGWUz7/TdS2ceUruP3/08Baa4PlvaYZb/+01
r+aw3eP/us8V92nftahoa4kl+/mo8/utT7oCNcc16Zhd57/5CQ+AV+bIDeLcAE16
vgxbIatV74qZBEhmBQDqvKya/DS2xGaWILozmQw+/T9IPZTI010aHlz9/YWQdlaA
AkwWyvyWYT7ZmmZ8Xl2/sKjvVdqNQsxmx0nBvJzOHoLTy8iNFwd8cCtUzNHEf44=
=c2Gn
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Wed, 15 Apr 2015 19:39:04 GMT)

Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 15 Apr 2015 19:39:04 GMT)

Message #76 received at 758086@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: team@security.debian.org
Cc: 758086@bugs.debian.org
Subject: CVE-2014-3577: Apache HttpComponents hostname verification bypass
Date: Wed, 15 Apr 2015 21:37:18 +0200
Hello security team,

I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The
patch is identical to the Jessie / Sid fix. Do you consider this
vulnerability important enough for a DSA or do you prefer a point
release update?

Regards,

Markus

[1] https://bugs.debian.org/758086
[commons-httpclient.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#758086; Package commons-httpclient. (Wed, 15 Apr 2015 19:45:10 GMT)

Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 15 Apr 2015 19:45:10 GMT)

Message #81 received at 758086@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Markus Koschany <apo@gambaru.de>
Cc: team@security.debian.org, 758086@bugs.debian.org
Subject: Re: CVE-2014-3577: Apache HttpComponents hostname verification bypass
Date: Wed, 15 Apr 2015 21:42:47 +0200
On Apr/15, Markus Koschany wrote:
> I have prepared a patch for CVE-2014-3577 (commons-httpclient). [1] The
> patch is identical to the Jessie / Sid fix. Do you consider this
> vulnerability important enough for a DSA or do you prefer a point
> release update?

Hi Markus,

this issue was marked "no-dsa" some time ago (see
https://security-tracker.debian.org/tracker/CVE-2014-3577), so a
point-release update will be the way to go.

Cheers,

--Seb



Reply sent to Markus Koschany <apo@gambaru.de>:
You have taken responsibility. (Sat, 16 May 2015 06:06:06 GMT)

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 16 May 2015 06:06:06 GMT)

Message #86 received at 758086-close@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 758086-close@bugs.debian.org
Subject: Bug#758086: fixed in commons-httpclient 3.1-10.2+deb7u1
Date: Sat, 16 May 2015 06:03:38 +0000
Source: commons-httpclient
Source-Version: 3.1-10.2+deb7u1

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 758086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@gambaru.de> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Apr 2015 21:24:48 +0200
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-10.2+deb7u1
Distribution: wheezy
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description: 
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 758086
Changes: 
 commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high
 .
   * Team upload.
   * Add CVE-2014-3577.patch. (Closes: #758086)
     It was found that the fix for CVE-2012-6153 was incomplete: the code added
     to check that the server hostname matches the domain name in a subject's
     Common Name (CN) field in X.509 certificates was flawed. A
     man-in-the-middle attacker could use this flaw to spoof an SSL server using
     a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
     intended to address the incomplete patch for CVE-2012-5783. The issue is
     now completely resolved by applying this patch and the
     06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.
Checksums-Sha1: 
 ca26cd0f2a5be0029a7b2e8d56cf85fb38c31d1e 2526 commons-httpclient_3.1-10.2+deb7u1.dsc
 0c6dfbf3d0d47cfc70595d2b15223a59f264795b 13684 commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 301f4d1a8f1e400f257c13cd222981d60696584c 299718 libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 b87b0f77aba48d6177092356e96e2b149f840283 1547514 libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Checksums-Sha256: 
 219a2ecdf758361cec1ea85bce645115c14bf609dc7b565cd0ab5aee610f6cb1 2526 commons-httpclient_3.1-10.2+deb7u1.dsc
 e977a7922cff20c65fb6dcfbd9bb2f11e2f079245edddc68567055dd0e444cac 13684 commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 7bafb3dc4b04d2c0af8ecb8010eae11b63496c57184fe1bd6b812f824eee2037 299718 libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 47af253e18f750a10ff226c487aceadb056a78a913a6ab3c1d66667022b620bd 1547514 libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb
Files: 
 022067c70b0363ea2c1fa31542290b64 2526 java optional commons-httpclient_3.1-10.2+deb7u1.dsc
 8a5862dc9b0b0898c61e438359eec285 13684 java optional commons-httpclient_3.1-10.2+deb7u1.debian.tar.gz
 4deb3d76811d48c359dcbe0616f76b41 299718 java optional libcommons-httpclient-java_3.1-10.2+deb7u1_all.deb
 e1708de058fde033592dc11b9468294b 1547514 doc optional libcommons-httpclient-java-doc_3.1-10.2+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Jul 2015 07:35:58 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:08:41 2019; Machine Name: buxtehude