oss-sec mailing list archives
Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 12 Feb 2013 14:26:49 -0700
On 02/12/2013 06:23 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Later it was found that the SSL hostname verifier implementation (CVE-2012-5783 fix) contained a bug in wildcard matching:
[1] https://issues.apache.org/jira/browse/HTTPCLIENT-1255
which still allowed certain types of certificate checks to pass, even if they shouldn't.

Relevant upstream patches:
[2] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213 (against 4.2.x branch)
[3] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217 (against trunk)

References:
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268
[5] https://bugzilla.redhat.com/show_bug.cgi?id=910358

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Please use CVE-2012-6127 for this issue.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
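The request above describes a wildcard-matching flaw in the hostname verifier without spelling out the rules a correct matcher must enforce. The following is an added, stand-alone Python illustration of those rules (not HttpClient's code; the function names are mine): a wildcard is accepted only as the whole left-most label, it matches exactly one label, it must leave at least two literal labels, and dNSName SAN entries take precedence over the subject CN.

```python
import ipaddress
import re
from typing import Iterable, Optional

# A single DNS label: letters, digits and inner hyphens (loose check, enough here).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def name_matches(pattern: str, host: str) -> bool:
    """True if the certificate name `pattern` identifies `host` (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern or not host:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" not in pattern:
        return p_labels == h_labels          # literal names: exact, case-insensitive
    try:
        ipaddress.ip_address(host)
        return False                         # IP literals never match a wildcard
    except ValueError:
        pass
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]):
        return False                         # no partial ("f*.example.com") or inner wildcards
    if len(p_labels) < 3:
        return False                         # "*.com" would cover an entire zone
    if len(h_labels) != len(p_labels):
        return False                         # "*" spans exactly one label: "a.b.example.com" fails
    if not _LABEL.match(h_labels[0]):
        return False
    return h_labels[1:] == p_labels[1:]


def host_matches_cert(host: str, san_dns_names: Iterable[str], cn: Optional[str]) -> bool:
    """If the certificate carries dNSName SAN entries, only those are consulted;
    the subject CN is used as a fallback only when no dNSName SAN is present."""
    san = list(san_dns_names)
    names = san if san else ([cn] if cn else [])
    return any(name_matches(n, host) for n in names)
```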