Date: Tue, 12 Feb 2013 08:23:08 -0500 (EST) From: Jan Lieskovsky <jlieskov@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org>, David Jorm <djorm@...hat.com> Subject: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Hello Kurt, Steve, vendors, Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Later it was found, that the SSL hostname verifier implementation (CVE-2012-5783 fix) contained a bug in wildcard matching:  https://issues.apache.org/jira/browse/HTTPCLIENT-1255 which still allowed certain type of certificates checks to pass, even if they shouldn't. Relevant upstream patches:  https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213 (against 4.2.x branch)  https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217 (against trunk) References:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268  https://bugzilla.redhat.com/show_bug.cgi?id=910358 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.