Bug 8933 - jakarta-commons-httpclient new security issue CVE-2012-5783
Summary: jakarta-commons-httpclient new security issue CVE-2012-5783
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal  Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/535734/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-02-01 19:40 CET by David Walser
Modified: 2014-05-08 18:05 CEST
CC: 3 users

See Also:
Source RPM: jakarta-commons-httpclient-3.1-8.mga3.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2013-02-01 19:40:38 CET
Fedora has issued an advisory on January 23:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097836.html

Mageia 2 is also affected.
David Walser 2013-02-01 19:57:58 CET

Whiteboard: (none) => MGA2TOO

David Walser 2013-02-01 20:38:30 CET

CC: (none) => dmorganec

David Walser 2013-02-01 21:43:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/535734/

Comment 1 David Walser 2013-02-02 00:11:13 CET
I fixed this in Cauldron.

D Morgan, I'll need you to look at this for Mageia 2.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 2 David Walser 2013-02-20 18:49:57 CET
Red Hat has issued an advisory for this on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0270.html
Comment 3 D Morgan 2013-06-25 01:11:50 CEST
fixed and on the BS
Comment 4 David Walser 2013-06-25 01:18:34 CEST
Thanks D Morgan!

Advisory:
========================

Updated jakarta-commons-httpclient package fixes security vulnerability:

The Jakarta Commons HttpClient component did not verify that the server
hostname matched the domain name in the subject's Common Name (CN) or
subjectAltName field in X.509 certificates. This could allow a
man-in-the-middle attacker to spoof an SSL server if they had a certificate
that was valid for any domain name (CVE-2012-5783).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783
https://rhn.redhat.com/errata/RHSA-2013-0270.html
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-3.1.mga2
jakarta-commons-httpclient-javadoc-3.1-3.1.mga2
jakarta-commons-httpclient-demo-3.1-3.1.mga2
jakarta-commons-httpclient-manual-3.1-3.1.mga2

from jakarta-commons-httpclient-3.1-3.1.mga2.src.rpm

Assignee: dmorganec => qa-bugs
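
The check the advisory describes as missing, written out as an added example (this is not code from commons-httpclient or from the Mageia packages): the certificate dicts are constructed samples in the shape Python's ssl.getpeercert() returns, and the wildcard rule is the usual browser convention (one leftmost "*" label matching exactly one label, with at least two labels after it), which is an assumption of this example rather than something the advisory specifies.

```python
# Constructed sample certificates in the shape returned by Python's
# ssl.SSLSocket.getpeercert(); they are not real certificates.
CERT_SAN = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.cdn.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "FR"),), (("commonName", "mail.example.org"),)),
}


def _dns_match(pattern, hostname):
    """Match one certificate name against the requested hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is accepted only as the whole leftmost label, it matches exactly one
    label, and at least two labels must follow it (so "*.com" never matches).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return True only if hostname matches the certificate.

    dNSName entries in subjectAltName are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName entry at all.
    A client that skips this step (the CVE-2012-5783 behaviour) would accept
    any certificate that chains to a trusted CA, whatever name it carries.
    """
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_dns_match(name, hostname) for name in dns_names)
    common_names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                    if k == "commonName"]
    return any(_dns_match(cn, hostname) for cn in common_names)


def verify_peer(cert, hostname):
    """Raise ValueError instead of silently proceeding on a name mismatch."""
    if not hostname_matches(cert, hostname):
        raise ValueError("certificate does not match hostname %r" % hostname)
    return True
```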

Comment 5 Dave Hodgins 2013-07-01 04:07:27 CEST
http://svnweb.mageia.org/advisories/8933.adv?view=markup&sortby=date
Uploaded.

CC: (none) => davidwhodgins

Comment 6 Dave Hodgins 2013-07-01 22:51:41 CEST
As with other java development updates, we don't have anyone who knows how
to test this properly, so all we can do is confirm that it installs cleanly.

Could someone from the sysadmin team push 8933.adv?

Keywords: (none) => validated_update
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Nicolas Vigier 2013-07-06 16:28:54 CEST
http://advisories.mageia.org/MGASA-2013-0199.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:11 CEST

CC: boklm => (none)
