| Summary: | jakarta-commons-httpclient/httpcomponents-client new security issue CVE-2012-6153/CVE-2014-3577 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | dmorganec, ftg, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/609031/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok | ||
| Source RPM: | jakarta-commons-httpclient-3.1-11.mga4.src.rpm, httpcomponents-client-4.3-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-08-18 21:19:51 CEST
David Walser
2014-08-18 21:19:58 CEST
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated jakarta-commons-httpclient package fixes security vulnerability:

The Jakarta Commons HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://bugzilla.redhat.com/show_bug.cgi?id=1129916
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-10.1.mga3
jakarta-commons-httpclient-javadoc-3.1-10.1.mga3
jakarta-commons-httpclient-demo-3.1-10.1.mga3
jakarta-commons-httpclient-manual-3.1-10.1.mga3
jakarta-commons-httpclient-3.1-11.1.mga4
jakarta-commons-httpclient-javadoc-3.1-11.1.mga4
jakarta-commons-httpclient-demo-3.1-11.1.mga4
jakarta-commons-httpclient-manual-3.1-11.1.mga4

from SRPMS:
jakarta-commons-httpclient-3.1-10.1.mga3.src.rpm
jakarta-commons-httpclient-3.1-11.1.mga4.src.rpm

Version:
Cauldron =>
4

RedHat has issued an advisory for this today (August 20):
https://rhn.redhat.com/errata/RHSA-2014-1082.html

Updating the advisory.

Advisory:
========================

Updated jakarta-commons-httpclient package fixes security vulnerability:

The Jakarta Commons HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://rhn.redhat.com/errata/RHSA-2014-1082.html

URL:
(none) =>
http://lwn.net/Vulnerabilities/609031/

Ahh, we also have an httpcomponents-client package, which is the same one that RedHat fixed in their advisory.

So, reading the RedHat bug again, we have version 4.2.2 in Mageia 3, vulnerable to CVE-2012-6153. That was fixed, incompletely, in 4.2.3, causing CVE-2014-3577. We have 4.3 in Mageia 4, vulnerable to the latter CVE.

Also, from what I read, the jakarta 3.1 version is long since dead and unsupported upstream. Since we have the newer one packaged, D Morgan, can we please get rid of the jakarta one in Cauldron???

CC:
(none) =>
dmorganec

I updated httpcomponents-client to 4.3.5 in Mageia 4 and Cauldron, fixing CVE-2014-3577.

I updated httpcomponents-client to 4.2.5 in Mageia 3, fixing CVE-2012-6153, and added the patch from Fedora to fix CVE-2014-3577.

Advisory (Mageia 3):
========================

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerability:

The Jakarta Commons HttpClient and Apache httpcomponents HttpClient components may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://rhn.redhat.com/errata/RHSA-2014-1082.html
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-10.1.mga3
jakarta-commons-httpclient-javadoc-3.1-10.1.mga3
jakarta-commons-httpclient-demo-3.1-10.1.mga3
jakarta-commons-httpclient-manual-3.1-10.1.mga3
httpcomponents-client-4.2.5-1.mga3
httpcomponents-client-javadoc-4.2.5-1.mga3

from SRPMS:
jakarta-commons-httpclient-3.1-10.1.mga3.src.rpm
httpcomponents-client-4.2.5-1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerabilities:

The Jakarta Commons HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

The Apache httpcomponents HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2014-3577).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://rhn.redhat.com/errata/RHSA-2014-1082.html
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-11.1.mga4
jakarta-commons-httpclient-javadoc-3.1-11.1.mga4
jakarta-commons-httpclient-demo-3.1-11.1.mga4
jakarta-commons-httpclient-manual-3.1-11.1.mga4
httpcomponents-client-4.3.5-1.mga4
httpcomponents-client-javadoc-4.3.5-1.mga4

from SRPMS:
jakarta-commons-httpclient-3.1-11.1.mga4.src.rpm
httpcomponents-client-4.3.5-1.mga4.src.rpm

Summary:
jakarta-commons-httpclient new security issue CVE-2012-6153 =>
jakarta-commons-httpclient/httpcomponents-client new security issue CVE-2012-6153/CVE-2014-3577

We normally just ensure these update OK but I've looked a bit deeper to try and test it better. I'm not sure it's working.
I get the errors below from two separate java scripts I've found when compiling but don't know enough to say whether I'm compiling it properly. I get the same errors on mga4 64 and mga3 32 with release or update candidate.
$ cat HttpClientTest.java
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
public class HttpClientTest {
    public static void main(String args[]) throws Exception {
        HttpClient client = new HttpClient();
        GetMethod method = new GetMethod("http://www.google.com");
        int returnCode = client.executeMethod(method);
        System.err.println(method.getResponseBodyAsString());
        method.releaseConnection();
    }
}
$ javac HttpClientTest.java
HttpClientTest.java:1: error: package org.apache.commons.httpclient does not exist
import org.apache.commons.httpclient.HttpClient;
^
HttpClientTest.java:2: error: package org.apache.commons.httpclient.methods does not exist
import org.apache.commons.httpclient.methods.GetMethod;
...etc

Whiteboard:
MGA3TOO =>
MGA3TOO feedback

That doesn't mean it's not working, it means it's not loading it in the first place, so that it can even try to use it. You'll need to set your CLASSPATH correctly so that it'll find it (exactly to what I'm not sure).

Whiteboard:
MGA3TOO feedback =>
MGA3TOO

It seems to use drop symlinks in /usr/share/java. I've tried also using that as a classpath..
$ javac -cp /usr/share/java/ HttpClientTest.java
HttpClientTest.java:1: error: package org.apache.commons.httpclient does not exist
import org.apache.commons.httpclient.HttpClient;
^
HttpClientTest.java:2: error: package org.apache.commons.httpclient.methods does not exist
import org.apache.commons.httpclient.methods.GetMethod;
Adding Frank to CC. Any ideas about this Frank please?

CC:
(none) =>
ftg

I have no internets at the moment, so I can't check (on my phone), but where is the org directory? The directory containing that should be added to the classpath.

The org seems to be in the -demo package.

Tried all combinations from..
javac -cp /usr/share/ HttpClientTest.java
to
javac -cp /usr/share/jakarta-commons-httpclient/contrib/org/apache/commons/httpclient/contrib/ HttpClientTest.java

It's likely something I'm doing wrong and this is deeper than we've looked before but as there are test scripts for this, assuming they're the right scripts, it would be good to test it.

Ah I got it to compile by giving it the jar..
$ javac -cp /usr/share/java/jakarta-commons-httpclient.jar HttpClientTest.java
Next problem is httpclient..
$ java HttpClientTest
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/httpclient/HttpMethod
at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2570)
at java.lang.Class.getMethod0(Class.java:2813)
at java.lang.Class.getMethod(Class.java:1663)
at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.HttpMethod
at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
... 6 more
Added the classpath again..
$ java -cp /usr/share/java/jakarta-commons-httpclient.jar HttpClientTest
Error: Could not find or load main class HttpClientTest
At the point now of giving up :\
Got a little further but running into issues of missing other classes when executing the class so I'll add the OK's as it does compile ok.

Whiteboard:
MGA3TOO =>
MGA3TOO mga3-32-ok mga4-64-ok

Success \o/

$ java -cp .:/usr/share/java/jakarta-commons-httpclient.jar:/usr/share/java/commons-logging-api.jar:/usr/share/java/apache-commons-codec.jar HttpClientTest

Shows google html output!

For future reference, it needed the current directory "." where the compiled class is as the first classpath and the others from apache-commons-logging and apache-commons-codec.

Validating. Separate advisories uploaded for mga3 & 4.

Could sysadmin please push both to updates.

Thanks

Keywords:
(none) =>
validated_update

Wow, thanks Claire. Nice job. I am familiar with Java, and I knew . had to be in the cp, just wasn't sure what else. It slipped my mind that they would be in jars (I could have seen that if my Internet was working), but that makes sense as that's usually the case. Even when using an IDE like Eclipse, that's always the hard part about getting a Java program working, getting all the right jars in the classpath. It'd be nice if they could devise a way to make that easier.

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0347.html

Status:
NEW =>
RESOLVED

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0348.html