Bug 8933

Summary: jakarta-commons-httpclient new security issue CVE-2012-5783
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: Normal
CC: davidwhodgins, dmorganec, sysadmin-bugs
Version: 2
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/535734/
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: jakarta-commons-httpclient-3.1-8.mga3.src.rpm
CVE:
Status comment:

Description David Walser 2013-02-01 19:40:38 CET
Fedora has issued an advisory on January 23:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097836.html

Mageia 2 is also affected.
David Walser 2013-02-01 19:57:58 CET

Whiteboard: (none) => MGA2TOO

David Walser 2013-02-01 20:38:30 CET

CC: (none) => dmorganec

David Walser 2013-02-01 21:43:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/535734/

Comment 1 David Walser 2013-02-02 00:11:13 CET
I fixed this in Cauldron.

D Morgan, I'll need you to look at this for Mageia 2.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 2 David Walser 2013-02-20 18:49:57 CET
Red Hat has issued an advisory for this on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0270.html

Comment 3 D Morgan 2013-06-25 01:11:50 CEST
fixed and on the BS

Comment 4 David Walser 2013-06-25 01:18:34 CEST
Thanks D Morgan!

Advisory:
========================

Updated jakarta-commons-httpclient package fixes security vulnerability:

The Jakarta Commons HttpClient component did not verify that the server
hostname matched the domain name in the subject's Common Name (CN) or
subjectAltName field in X.509 certificates. This could allow a
man-in-the-middle attacker to spoof an SSL server if they had a certificate
that was valid for any domain name (CVE-2012-5783).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783
https://rhn.redhat.com/errata/RHSA-2013-0270.html
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-3.1.mga2
jakarta-commons-httpclient-javadoc-3.1-3.1.mga2
jakarta-commons-httpclient-demo-3.1-3.1.mga2
jakarta-commons-httpclient-manual-3.1-3.1.mga2

from jakarta-commons-httpclient-3.1-3.1.mga2.src.rpm

Assignee: dmorganec => qa-bugs
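The check that the advisory above says Commons HttpClient 3.x skipped is server identity verification: after the certificate chain validates, the hostname the client connected to must also match a DNS name in the certificate. The block below is an added example written for this page; it is not HttpClient's code and not part of the bug report. It applies the RFC 2818 / RFC 6125 matching rules (subjectAltName dNSName entries take precedence over the subject CN, comparison is case-insensitive, a wildcard is honoured only as the whole leftmost label and never crosses a dot) to constructed, hypothetical certificates represented as dicts, and contrasts the unfixed behaviour (any trusted certificate accepted for any host) with the fixed one.

```python
"""Server hostname verification of the kind CVE-2012-5783 says was missing.

Added example, not HttpClient's implementation. A certificate is modelled as
a dict holding the subject commonName and the subjectAltName entries, in the
shape that Python's ssl.SSLSocket.getpeercert() uses for those two fields.
"""


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID from a certificate against a hostname.

    Rules applied (RFC 2818 / RFC 6125, strict form):
    - case-insensitive, trailing dots ignored;
    - a wildcard must be the entire leftmost label ('*.example.com');
    - '*' matches exactly one non-empty label, so it never spans a dot and
      '*.example.com' does not match 'example.com' or 'a.b.example.com';
    - at least two labels must follow the wildcard, so '*.com' and '*' are
      rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False
    return hlabels[1:] == plabels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate.

    If the certificate carries any subjectAltName dNSName, only those are
    consulted; the subject CN is a fallback used solely for certificates
    with no dNSName at all (the RFC 6125 rule).
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(dns_id_matches(name, hostname) for name in dns_names)
    cn = cert.get("subject", {}).get("commonName")
    return cn is not None and dns_id_matches(cn, hostname)


def accept_server_certificate(cert: dict, hostname: str,
                              verify_hostname: bool = True) -> bool:
    """Decide whether to trust the presented certificate for hostname.

    Assumes chain validation (trusted CA, validity period) has already
    passed; that is the only check the unfixed client performed.
    verify_hostname=False reproduces the CVE-2012-5783 behaviour: a
    certificate that is valid for *some* name is accepted for *any* host.
    """
    if not verify_hostname:
        return True
    return hostname_matches(cert, hostname)


# Constructed sample certificates (hypothetical names, not real certs).
LEGIT_CERT = {
    "subject": {"commonName": "www.example.com"},
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com")),
}
# A certificate the attacker legitimately holds for their own domain.
ATTACKER_CERT = {
    "subject": {"commonName": "evil.example.net"},
    "subjectAltName": (("DNS", "evil.example.net"),),
}
# CN matches the target but the SAN does not: SAN must win.
CN_ONLY_MATCH_CERT = {
    "subject": {"commonName": "www.example.com"},
    "subjectAltName": (("DNS", "other.example.com"),),
}
# Legacy certificate with no SAN at all: CN is consulted.
LEGACY_CN_CERT = {"subject": {"commonName": "*.example.org"}}


if __name__ == "__main__":
    target = "www.example.com"
    print("unfixed client accepts attacker cert:",
          accept_server_certificate(ATTACKER_CERT, target, verify_hostname=False))
    print("fixed client accepts attacker cert:  ",
          accept_server_certificate(ATTACKER_CERT, target))
    print("fixed client accepts legit cert:     ",
          accept_server_certificate(LEGIT_CERT, target))
```

The model covers DNS names only; a client that connects by IP address must compare against subjectAltName iPAddress entries instead, and a real client must still run chain validation before any of this, since hostname matching on an untrusted certificate proves nothing.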

Comment 5 Dave Hodgins 2013-07-01 04:07:27 CEST
http://svnweb.mageia.org/advisories/8933.adv?view=markup&sortby=date
Uploaded.

CC: (none) => davidwhodgins

Comment 6 Dave Hodgins 2013-07-01 22:51:41 CEST
As with other java development updates, we don't have anyone who knows how
to test this properly, so all we can do is confirm that it installs cleanly.

Could someone from the sysadmin team push 8933.adv

Keywords: (none) => validated_update
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Nicolas Vigier 2013-07-06 16:28:54 CEST
http://advisories.mageia.org/MGASA-2013-0199.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:11 CEST

CC: boklm => (none)