Advisories » MGASA-2013-0199

Updated jakarta-commons-httpclient package fixes security vulnerability

Publication date: 06 Jul 2013
Modification date: 06 Jul 2013
Type: security
Affected Mageia releases: 2
CVE: CVE-2012-5783

Description

The Jakarta Commons HttpClient component did not verify that the server
hostname matched the domain name in the subject's Common Name (CN) or
subjectAltName field in X.509 certificates. This could allow a
man-in-the-middle attacker to spoof an SSL server if they had a certificate
that was valid for any domain name (CVE-2012-5783).
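
The check that was missing, as an added example (not code from this advisory or from the HttpClient project): a name comparison following the RFC 2818 order, where dNSName entries in subjectAltName decide when present and the CN is only a fallback. The class and method names are hypothetical, the names in main are constructed sample data, and wildcards are supported only as a whole leftmost label.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

public class HostnameCheck {
    // True if pattern (an exact name or "*.rest") covers host.
    // A wildcard stands for exactly one non-empty leftmost label.
    static boolean nameMatches(String pattern, String host) {
        String p = pattern.toLowerCase(Locale.ROOT);
        String h = host.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return p.equals(h);
        }
        int dot = h.indexOf('.');
        // Everything after the host's first label must equal the pattern's tail.
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    // RFC 2818 order: if the certificate carries dNSName entries, only they
    // are consulted; the subject CN is used only when there are none.
    static boolean hostMatchesCert(String host, List<String> sanDnsNames, String cn) {
        if (!sanDnsNames.isEmpty()) {
            for (String san : sanDnsNames) {
                if (nameMatches(san, host)) {
                    return true;
                }
            }
            return false;
        }
        return cn != null && nameMatches(cn, host);
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from any real certificate.
        List<String> san = Arrays.asList("www.example.com", "*.api.example.com");
        List<String> none = Collections.emptyList();
        System.out.println("exact SAN match:        " + hostMatchesCert("www.example.com", san, null));
        System.out.println("wildcard, one label:    " + hostMatchesCert("v1.api.example.com", san, null));
        System.out.println("wildcard, two labels:   " + hostMatchesCert("a.b.api.example.com", san, null));
        System.out.println("cert for another name:  " + hostMatchesCert("shop.example.net", san, null));
        System.out.println("CN ignored (SAN given): " + hostMatchesCert("shop.example.net", san, "shop.example.net"));
        System.out.println("CN fallback (no SAN):   " + hostMatchesCert("shop.example.net", none, "shop.example.net"));
    }
}
```

On Java 7 and later, code that opens an SSLSocket directly can have JSSE perform this comparison during the handshake by calling setEndpointIdentificationAlgorithm("HTTPS") on the socket's SSLParameters.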
                

References

SRPMS

2/core