Debian-LTS has issued an advisory today (October 1): http://lwn.net/Alerts/658922/

According to the RedHat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1259892

It was fixed in httpcomponents-client 4.3.6, and they attached a patch for jakarta-commons-httpclient. Furthermore, jakarta stuff is long since dead upstream and obsoleted by newer stuff like httpcomponents-client, and all the jakarta stuff needs to be dropped from Cauldron.
Whiteboard: (none) => MGA5TOO
jakarta-commons-httpclient is now fixed for Cauldron and mga5 too by applying the patch from Fedora. However, I don't know how to fix the httpcomponents-client package for this CVE. I think the 4.3.6 release does not fix this security issue, given its release date of 2014-11-05; see: http://www.apache.org/dist/httpcomponents/httpclient/source/
Do you have a specific reason to believe that 4.3.6 doesn't include the fix? Remember, the jakarta stuff has been dead for several years, so its needing a patch that was included in httpcomponents-client in late 2014 would not be unusual.
No, no specific reason to believe that 4.3.6 doesn't include the fix. :) I just see that Fedora 21 has not yet fixed this package, and there is no reference to this CVE for other Fedora releases.
Fedora's Java packages aren't always very actively maintained either.
So now httpcomponents-client is updated to the 4.3.6 release on Cauldron and mga5 too, according to the RedHat bug.
Thanks David!

Advisory:
========================

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerability:

The Apache httpclient library had a bug where the socket timeout was ignored during the SSL handshake, causing threads in an application to hang (CVE-2015-5262).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262
https://bugzilla.redhat.com/show_bug.cgi?id=1259892
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-15.1.mga5
jakarta-commons-httpclient-javadoc-3.1-15.1.mga5
jakarta-commons-httpclient-demo-3.1-15.1.mga5
jakarta-commons-httpclient-manual-3.1-15.1.mga5
httpcomponents-client-4.3.6-1.mga5
httpcomponents-client-javadoc-4.3.6-1.mga5
httpcomponents-client-tests-4.3.6-1.mga5

from SRPMS:
jakarta-commons-httpclient-3.1-15.1.mga5.src.rpm
httpcomponents-client-4.3.6-1.mga5.src.rpm
CC: (none) => geiger.david68210
Version: Cauldron => 5
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA5TOO => (none)
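The hang the advisory above describes, as an added example that is not part of this bug report or of httpclient's own code: a constructed Python peer that accepts TCP connections but never answers the ClientHello, a client that applies its socket timeout before the handshake and so fails fast, and a worker thread that runs the same handshake with no timeout and stays blocked, which is the symptom CVE-2015-5262 names. The function names (start_silent_peer, tls_handshake_outcome, handshake_hangs_without_timeout) are assumed for this example.

```python
import socket
import ssl
import threading

def start_silent_peer():
    """Constructed peer: accepts TCP connections on a loopback port but never
    sends a byte, so a client's ClientHello never gets a ServerHello. Returns
    the port; the daemon accept thread lives until the process exits."""
    srv = socket.create_server(("127.0.0.1", 0))
    held = []                                   # accepted connections, kept open and silent

    def accept_loop():
        while True:
            held.append(srv.accept()[0])

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def tls_handshake_outcome(port, timeout_s):
    """TLS handshake to 127.0.0.1:port with the socket timeout applied *before*
    the handshake; returns "ok", "timeout" or "error". With timeout_s=None the
    call blocks as long as the peer stays silent: the CVE-2015-5262 symptom."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE             # the constructed peer has no certificate
    raw = socket.create_connection(("127.0.0.1", port), timeout=timeout_s)
    tls = ctx.wrap_socket(raw, do_handshake_on_connect=False)   # inherits raw's timeout
    try:
        tls.do_handshake()
        return "ok"
    except socket.timeout:
        return "timeout"
    except OSError:                             # EOF/reset from the peer, incl. ssl.SSLError
        return "error"
    finally:
        tls.close()

def handshake_hangs_without_timeout(port, observe_s=1.0):
    """The symptom itself: run the same handshake with no timeout in a worker
    thread and report whether it is still blocked after observe_s seconds."""
    worker = threading.Thread(target=tls_handshake_outcome, args=(port, None), daemon=True)
    worker.start()
    worker.join(observe_s)
    return worker.is_alive()

if __name__ == "__main__":
    p = start_silent_peer()
    print("with 0.5 s timeout:", tls_handshake_outcome(p, 0.5))                 # timeout
    print("still blocked without timeout:", handshake_hangs_without_timeout(p))  # True
```

A fixed client library behaves like the first call (the timeout fires during the handshake); the unfixed one behaves like the worker thread, and every such thread in a pool stays blocked until the peer goes away.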
Just ensure these upgrade cleanly.
Whiteboard: (none) => has_procedure
Installed. Did my PHP tests through the Apache server. I did not delve into writing some Java server code. Seems to be working on 64-bit. At least it didn't break anything I can tell.
CC: (none) => brtians1
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure advisory
(In reply to Brian Rockwell from comment #8)
> Installed.
>
> Did my php tests through the apache server. I did not delve into writing
> some java server code.
>
> Seems to be working on 64bit. At least it didn't break anything I can tell.

They update fine on MGA5-64. Marking as MGA5-64-OK.
CC: (none) => shlomif
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0392.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED