Package: commons-httpclient / 3.1-11+deb8u1
Metadata
Package | Version | Patches format
---|---|---
commons-httpclient | 3.1-11+deb8u1 | 3.0 (quilt)
Patch series
Patch | Files touched | Delta (diffstat: lines changed, + added, - removed, ! modified) | Description
---|---|---|---
00_build_xml_no_external_links.patch | build.xml | 2 0 + 2 - 0 ! | 
01_build_xml_version_jar.patch | build.xml | 2 1 + 1 - 0 ! | 
02_upstream_disable_examples_classes.patch | build.xml | 3 2 + 1 - 0 ! | 
03_upstream_qualify_ConnectionPool_declaration.patch | src/java/org/apache/commons/httpclient/MultiThreadedHttpConnectionManager.java | 2 1 + 1 - 0 ! | 
04_fix_classpath.patch | src/conf/MANIFEST.MF | 2 1 + 1 - 0 ! | 
05_osgi_metadata | src/conf/MANIFEST.MF | 20 20 + 0 - 0 ! | 
06_fix_CVE-2012-5783.patch | src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 301 293 + 8 - 0 ! | Fixed CN extraction from DN of X500 principal and wildcard validation (changelog entry: commons-httpclient (3.1-10.2) unstable; urgency=low).
CVE-2014-3577.patch | src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 57 37 + 20 - 0 ! | It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. The fix for CVE-2012-6153 was itself intended to address the incomplete patch for CVE-2012-5783, so the issue is fully resolved only when this patch is applied together with 06_fix_CVE-2012-5783.patch. References: upstream announcement https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577; Fedora fix http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch; CentOS fix https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch; Debian bug https://bugs.debian.org/758086
CVE-2015-5262.patch | src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 4 + 1 - 0 ! | Fix CVE-2015-5262 (jakarta-commons-httpclient): HTTPS calls ignore http.socket.timeout during the SSL handshake. See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892. Thanks to Mikolaj Izdebski for the patch. Bug: https://bugs.debian.org/798650