Date: Tue, 12 Feb 2013 08:52:58 -0500 (EST) From: Jan Lieskovsky <jlieskov@...hat.com> To: oss-security@...ts.openwall.com Cc: "Steven M. Christey" <coley@...us.mitre.org>, David Jorm <djorm@...hat.com> Subject: [Ignore not a security flaw] Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Hello vendors, taking back. Looks like we have previously investigated this issue with the following conclusion: > /* Should HTTPCLIENT-1255 one be also classified as (another) CVE id? */ It is my understanding that this bug will cause valid certificates to be rejected, but not for invalid certificates to be accepted. Therefore I do not think it qualifies for a CVE ID. => not a security flaw. Ignore my previous request. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team ----- Original Message ----- Hello Kurt, Steve, vendors, Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Later it was found, that the SSL hostname verifier implementation (CVE-2012-5783 fix) contained a bug in wildcard matching:  https://issues.apache.org/jira/browse/HTTPCLIENT-1255 which still allowed certain type of certificates checks to pass, even if they shouldn't. Relevant upstream patches:  https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213 (against 4.2.x branch)  https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217 (against trunk) References:  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268  https://bugzilla.redhat.com/show_bug.cgi?id=910358 Could you allocate a CVE id for this? Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.