Bug 8933 - jakarta-commons-httpclient new security issue CVE-2012-5783
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/535734/
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Reported: 2013-02-01 19:40 CET by David Walser
Modified: 2014-05-08 18:05 CEST

Source RPM: jakarta-commons-httpclient-3.1-8.mga3.src.rpm

Description David Walser 2013-02-01 19:40:38 CET
Fedora has issued an advisory on January 23:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097836.html

Mageia 2 is also affected.
Comment 1 David Walser 2013-02-02 00:11:13 CET
I fixed this in Cauldron.

D Morgan, I'll need you to look at this for Mageia 2.
Comment 2 David Walser 2013-02-20 18:49:57 CET
RedHat has issued an advisory for this on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0270.html
Comment 3 D Morgan 2013-06-25 01:11:50 CEST
fixed and on the BS
Comment 4 David Walser 2013-06-25 01:18:34 CEST
Thanks D Morgan!

Advisory:
========================

Updated jakarta-commons-httpclient package fixes security vulnerability:

The Jakarta Commons HttpClient component did not verify that the server
hostname matched the domain name in the subject's Common Name (CN) or
subjectAltName field in X.509 certificates. This could allow a
man-in-the-middle attacker to spoof an SSL server if they had a certificate
that was valid for any domain name (CVE-2012-5783).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783
https://rhn.redhat.com/errata/RHSA-2013-0270.html
========================

Updated packages in core/updates_testing:
========================
jakarta-commons-httpclient-3.1-3.1.mga2
jakarta-commons-httpclient-javadoc-3.1-3.1.mga2
jakarta-commons-httpclient-demo-3.1-3.1.mga2
jakarta-commons-httpclient-manual-3.1-3.1.mga2

from jakarta-commons-httpclient-3.1-3.1.mga2.src.rpm
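The check the advisory above says HttpClient 3.1 was missing is the comparison of the connected hostname against the certificate's subjectAltName dNSName entries (or, failing those, the subject CN). The following is an added illustration of that check, not code from Commons HttpClient or the Mageia package; the certificate records and hostnames are constructed, and the matching rules follow the usual RFC 6125 conventions (case-insensitive labels, SAN preferred over CN, a wildcard covering exactly one leftmost label).

```python
# Constructed certificate records: the subject CN and dNSName SAN entries as
# they would look after parsing an X.509 certificate (not real certificates).
CERT_FOR_EXAMPLE_ORG = {"cn": "www.example.org", "sans": ["www.example.org", "example.org"]}
CERT_FOR_OTHER_DOMAIN = {"cn": "www.example.net", "sans": ["*.example.net"]}
CERT_CN_ONLY = {"cn": "legacy.example.org", "sans": []}


def _identifier_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented identifier against the hostname.

    Comparison is case-insensitive and ignores a trailing dot. A single '*'
    is allowed only as the entire leftmost label, must not stand for a
    public-suffix-sized name such as '*.org', and matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """Return True only if the certificate is actually issued for hostname.

    dNSName SANs take precedence; the subject CN is consulted only when the
    certificate carries no dNSName SAN at all. A client that skips this step
    accepts any validly signed certificate for any name, which is the
    weakness described in CVE-2012-5783.
    """
    sans = cert.get("sans") or []
    if sans:
        return any(_identifier_matches(san, hostname) for san in sans)
    cn = cert.get("cn")
    return bool(cn) and _identifier_matches(cn, hostname)
```

A certificate that is valid for a different domain (CERT_FOR_OTHER_DOMAIN here) must be rejected for www.example.org even though its signature chain may be perfectly valid.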
Comment 6 Dave Hodgins 2013-07-01 22:51:41 CEST
As with other java development updates, we don't have anyone who knows how
to test this properly, so all we can do is confirm that it installs cleanly.

Could someone from the sysadmin team push 8933.adv
Comment 7 Nicolas Vigier 2013-07-06 16:28:54 CEST
http://advisories.mageia.org/MGASA-2013-0199.html