Package: httpcomponents-client / 4.1.1-2+deb7u1

Metadata

Package: httpcomponents-client
Version: 4.1.1-2+deb7u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
00 fix_build.patch

 pom.xml | 2 ++
 1 file changed, 2 insertions(+)

 disable build of httpclient-osgi
01 generate_osgi_metadata.patch

 httpclient/pom.xml | 67 ++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 60 insertions(+), 7 deletions(-)

 generate-osgi-metadata

CVE-2012-6153.patch

 httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

 cve-2012-6153

It was found that the fix for CVE-2012-5783 was incomplete.
The code added to check that the server hostname matches the domain name in the
subject's CN field was flawed. This can be exploited by a Man-in-the-middle
(MITM) attack, where the attacker can spoof a valid certificate using a
specially crafted subject.

Fix for 4.2.x branch, upstream revision 1411705
https://svn.apache.org/viewvc?view=revision&revision=1411705
More information:
https://bugzilla.redhat.com/show_bug.cgi?id=1129916

CVE-2014-3577.patch

 httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java | 85 +++++++++++++++++++++++++------------------------------------------------
 1 file changed, 43 insertions(+), 42 deletions(-)

 cve-2014-3577

It was found that the fix for CVE-2012-6153 was incomplete. The code added to
check that the server hostname matches the domain name in the subject's CN
field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack
where the attacker can spoof a valid certificate using a specially crafted
subject.

This patch was taken from