The CVE-2012-6153 was apparently just recently assigned, and was for an incomplete fix for CVE-2012-5783, which we fixed in Bug 8933. The initial CVE-2012-6153 fix upstream was apparently also incomplete, causing CVE-2014-3577 to also be assigned, but if I understand correctly, since we never fixed CVE-2012-6153, CVE-2014-3577 shouldn't affect us, even though the final fix to fix them both is labeled with the latter CVE. This includes Fedora's patch:
http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/commit/?id=f12a786b05da0a15e34267357b1b62f25e3656c4

RedHat bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1129916 (CVE-2012-6153)
https://bugzilla.redhat.com/show_bug.cgi?id=1129074 (CVE-2014-3577)
Whiteboard: (none) => MGA4TOO, MGA3TOO
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated jakarta-commons-httpclient package fixes security vulnerability:

The Jakarta Commons HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://bugzilla.redhat.com/show_bug.cgi?id=1129916
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-10.1.mga3
jakarta-commons-httpclient-javadoc-3.1-10.1.mga3
jakarta-commons-httpclient-demo-3.1-10.1.mga3
jakarta-commons-httpclient-manual-3.1-10.1.mga3
jakarta-commons-httpclient-3.1-11.1.mga4
jakarta-commons-httpclient-javadoc-3.1-11.1.mga4
jakarta-commons-httpclient-demo-3.1-11.1.mga4
jakarta-commons-httpclient-manual-3.1-11.1.mga4

from SRPMS:
jakarta-commons-httpclient-3.1-10.1.mga3.src.rpm
jakarta-commons-httpclient-3.1-11.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
RedHat has issued an advisory for this today (August 20):
https://rhn.redhat.com/errata/RHSA-2014-1082.html

Updating the advisory.

Advisory:
========================

Updated jakarta-commons-httpclient package fixes security vulnerability:

The Jakarta Commons HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://rhn.redhat.com/errata/RHSA-2014-1082.html
URL: (none) => http://lwn.net/Vulnerabilities/609031/
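The advisories above describe the flaw only as "a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used". The following is an added illustration written for this thread, not code from Apache HttpClient, Jakarta Commons or Mageia, and the thread does not give the actual shape of the crafted certificate. It shows the general class of mistake such advisories refer to: a verifier that pulls the CN out of the subject DN by splitting the DN string on commas can be steered by a non-CN attribute whose value contains an escaped comma followed by "CN=", while an RDN-aware parser is not fooled. Both DN strings are constructed for the example, and the hostname matcher (exact match or a single leading "*." label) is this example's own policy, not the library's.

```python
"""Hostname verification: naive CN extraction vs RDN-aware parsing.

Constructed example for this bug thread; not HttpClient's own code.
"""

# Constructed subject DNs (RFC 4514 string form; '\,' is an escaped comma).
SUBJECT_BENIGN = "CN=www.example.com,O=Example Ltd,C=US"
# The O attribute's value embeds an escaped comma and a fake "CN=" so that a
# comma-splitting parser sees a second, attacker-chosen CN.
SUBJECT_CRAFTED = r"CN=attacker.test,O=Evil\,CN=www.example.com,C=US"


def naive_cns(subject_dn):
    """Flawed extraction: tokenise on every comma, ignoring escaping."""
    return [tok.strip()[3:] for tok in subject_dn.split(",")
            if tok.strip().upper().startswith("CN=")]


def parse_rdns(subject_dn):
    """Split a DN into (TYPE, value) pairs, honouring backslash escapes so an
    escaped comma stays inside the attribute value it belongs to."""
    parts, buf, i = [], [], 0
    while i < len(subject_dn):
        ch = subject_dn[i]
        if ch == "\\" and i + 1 < len(subject_dn):
            buf.append(subject_dn[i + 1])   # escaped char, taken literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    out = []
    for rdn in parts:
        typ, _, val = rdn.partition("=")  # first '=' separates type and value
        out.append((typ.strip().upper(), val))
    return out


def safe_cns(subject_dn):
    """Correct extraction: only RDNs whose attribute type is really CN."""
    return [val for typ, val in parse_rdns(subject_dn) if typ == "CN"]


def hostname_matches(pattern, host):
    """Case-insensitive exact match, or a '*.' wildcard covering exactly one
    leading label (the wildcard never matches zero labels or several)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                 # ".example.com"
        if not host.endswith(suffix):
            return False
        first_label = host[:-len(suffix)]
        return first_label != "" and "." not in first_label
    return False


def verify(host, subject_dn, san_dns=(), extract=safe_cns):
    """Prefer SAN dNSNames; fall back to the subject CN only when the
    certificate carries no SAN entries. `extract` selects the CN parser."""
    names = list(san_dns) if san_dns else extract(subject_dn)
    return any(hostname_matches(n, host) for n in names)
```

With `extract=naive_cns` the crafted subject verifies for www.example.com even though its real CN is attacker.test; with the default RDN-aware parser it is rejected. The SAN-first order mirrors what modern verifiers do, and is the reason a CN-only bug matters most for older certificates and libraries.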
Ahh, we also have an httpcomponents-client package, which is the same one that RedHat fixed in their advisory. So, reading the RedHat bug again, we have version 4.2.2 in Mageia 3, vulnerable to CVE-2012-6153. That was fixed, incompletely, in 4.2.3, causing CVE-2014-3577. We have 4.3 in Mageia 4, vulnerable to the latter CVE. Also, from what I read, the jakarta 3.1 version is long since dead and unsupported upstream. Since we have the newer one packaged, D Morgan, can we please get rid of the jakarta one in Cauldron???
CC: (none) => dmorganec
I updated httpcomponents-client to 4.3.5 in Mageia 4 and Cauldron, fixing CVE-2014-3577.

I updated httpcomponents-client to 4.2.5 in Mageia 3, fixing CVE-2012-6153, and added the patch from Fedora to fix CVE-2014-3577.

Advisory (Mageia 3):
========================

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerability:

The Jakarta Commons HttpClient and Apache httpcomponents HttpClient components may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://rhn.redhat.com/errata/RHSA-2014-1082.html
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-10.1.mga3
jakarta-commons-httpclient-javadoc-3.1-10.1.mga3
jakarta-commons-httpclient-demo-3.1-10.1.mga3
jakarta-commons-httpclient-manual-3.1-10.1.mga3
httpcomponents-client-4.2.5-1.mga3
httpcomponents-client-javadoc-4.2.5-1.mga3

from SRPMS:
jakarta-commons-httpclient-3.1-10.1.mga3.src.rpm
httpcomponents-client-4.2.5-1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerabilities:

The Jakarta Commons HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

The Apache httpcomponents HttpClient component may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2014-3577).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
https://rhn.redhat.com/errata/RHSA-2014-1082.html
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-11.1.mga4
jakarta-commons-httpclient-javadoc-3.1-11.1.mga4
jakarta-commons-httpclient-demo-3.1-11.1.mga4
jakarta-commons-httpclient-manual-3.1-11.1.mga4
httpcomponents-client-4.3.5-1.mga4
httpcomponents-client-javadoc-4.3.5-1.mga4

from SRPMS:
jakarta-commons-httpclient-3.1-11.1.mga4.src.rpm
httpcomponents-client-4.3.5-1.mga4.src.rpm
Summary: jakarta-commons-httpclient new security issue CVE-2012-6153 => jakarta-commons-httpclient/httpcomponents-client new security issue CVE-2012-6153/CVE-2014-3577
Source RPM: jakarta-commons-httpclient-3.1-11.mga4.src.rpm => jakarta-commons-httpclient-3.1-11.mga4.src.rpm, httpcomponents-client-4.3-1.mga4.src.rpm
We normally just ensure these update OK but I've looked a bit deeper to try and test it better. I'm not sure it's working. I get the errors below from two separate Java scripts I've found when compiling but don't know enough to say whether I'm compiling it properly. I get the same errors on mga4 64 and mga3 32 with release or update candidate.

$ cat HttpClientTest.java
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

public class HttpClientTest {
    public static void main(String args[]) throws Exception {
        // Plain GET against a public site using the Jakarta Commons HttpClient 3.x API
        HttpClient client = new HttpClient();
        GetMethod method = new GetMethod("http://www.google.com");
        int returnCode = client.executeMethod(method);
        System.err.println(method.getResponseBodyAsString());
        method.releaseConnection();
    }
}

$ javac HttpClientTest.java
HttpClientTest.java:1: error: package org.apache.commons.httpclient does not exist
import org.apache.commons.httpclient.HttpClient;
^
HttpClientTest.java:2: error: package org.apache.commons.httpclient.methods does not exist
import org.apache.commons.httpclient.methods.GetMethod;
...etc
Whiteboard: MGA3TOO => MGA3TOO feedback
That doesn't mean it's not working, it means it's not loading it in the first place, so that it can even try to use it. You'll need to set your CLASSPATH correctly so that it'll find it (exactly to what I'm not sure)
Whiteboard: MGA3TOO feedback => MGA3TOO
It seems to use drop symlinks in /usr/share/java. I've tried also using that as a classpath..

$ javac -cp /usr/share/java/ HttpClientTest.java
HttpClientTest.java:1: error: package org.apache.commons.httpclient does not exist
import org.apache.commons.httpclient.HttpClient;
^
HttpClientTest.java:2: error: package org.apache.commons.httpclient.methods does not exist
import org.apache.commons.httpclient.methods.GetMethod;
Adding Frank to CC. Any ideas about this Frank please?
CC: (none) => ftg
I have no internets at the moment, so I can't check (on my phone), but where is the org directory? The directory containing that should be added to the classpath
The org seems to be in the -demo package. Tried all combinations from..

javac -cp /usr/share/ HttpClientTest.java

to

javac -cp /usr/share/jakarta-commons-httpclient/contrib/org/apache/commons/httpclient/contrib/ HttpClientTest.java

It's likely something I'm doing wrong and this is deeper than we've looked before but as there are test scripts for this, assuming they're the right scripts, it would be good to test it.
Ah I got it to compile by giving it the jar..

$ javac -cp /usr/share/java/jakarta-commons-httpclient.jar HttpClientTest.java

Next problem is httpclient..

$ java HttpClientTest
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/commons/httpclient/HttpMethod
        at java.lang.Class.getDeclaredMethods0(Native Method)
        at java.lang.Class.privateGetDeclaredMethods(Class.java:2570)
        at java.lang.Class.getMethod0(Class.java:2813)
        at java.lang.Class.getMethod(Class.java:1663)
        at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
        at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.httpclient.HttpMethod
        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        ... 6 more

Added the classpath again..

$ java -cp /usr/share/java/jakarta-commons-httpclient.jar HttpClientTest
Error: Could not find or load main class HttpClientTest

At the point now of giving up :\
Got a little further but running into issues of missing other classes when executing the class so I'll add the OKs as it does compile OK.
Whiteboard: MGA3TOO => MGA3TOO mga3-32-ok mga4-64-ok
Success \o/

$ java -cp .:/usr/share/java/jakarta-commons-httpclient.jar:/usr/share/java/commons-logging-api.jar:/usr/share/java/apache-commons-codec.jar HttpClientTest

Shows google html output!
For future reference, it needed the current directory "." where the compiled class is as the first classpath and the others from apache-commons-logging and apache-commons-codec.
Validating. Separate advisories uploaded for mga3 & 4. Could sysadmin please push both to updates Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga3-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Wow, thanks Claire. Nice job. I am familiar with Java, and I knew . had to be in the cp, just wasn't sure what else. It slipped my mind that they would be in jars (I could have seen that if my Internet was working), but that makes sense as that's usually the case. Even when using an IDE like Eclipse, that's always the hard part about getting a Java program working, getting all the right jars in the classpath. It'd be nice if they could devise a way to make that easier
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0347.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0348.html