Advisories » MGASA-2014-0348

Updated Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerabilities

Publication date: 25 Aug 2014
Modification date: 25 Aug 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2012-6153 , CVE-2014-3577

Description

Updated jakarta-commons-httpclient and httpcomponents-client packages fix
security vulnerabilities:

The Jakarta Commons HttpClient component may be susceptible to a 'Man in the
Middle Attack' due to a flaw in the default hostname verification during
SSL/TLS when a specially crafted server side certificate is used
(CVE-2012-6153).

The Apache httpcomponents HttpClient component may be susceptible to a 'Man
in the Middle Attack' due to a flaw in the default hostname verification
during SSL/TLS when a specially crafted server side certificate is used
(CVE-2014-3577).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=13932
• http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
• https://rhn.redhat.com/errata/RHSA-2014-1082.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577

SRPMS

4/core

• jakarta-commons-httpclient-3.1-11.1.mga4
• httpcomponents-client-4.3.5-1.mga4