hc-dev mailing list archives

From Alberto Fernández (JIRA) <j...@apache.org>
Subject [jira] [Reopened] (HTTPCLIENT-1265) Insecure certificate validation CVE-2012-5783
Date Mon, 10 Dec 2012 19:49:21 GMT

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alberto Fernández reopened HTTPCLIENT-1265:
-------------------------------------------


Hi Oleg

I know HttpClient 3 is EOL, but it's used widely in Linux distros (basically because Axis
1.4 is still used and depends on HttpClient 3).

This patch has been committed to the Debian package, and it would be great if you could apply it to
the ASF repository, so other distros can take the fixed version from SVN.

The patch is a mix of: a backport from HttpClient 4.2, some bits from Apache Synapse and some
refactoring of my own (basically splitting into smaller functions).

If you can also do a fast review to see if I've made an obvious mistake, I would be very grateful.

Thanks for your time and your patience

> Insecure certificate validation CVE-2012-5783
> ---------------------------------------------
>
>                 Key: HTTPCLIENT-1265
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1265
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 3.1 Final
>         Environment: All
>            Reporter: Alberto Fernández
>         Attachments: CVE-2012-5783-2.patch
>
>
> See:
> http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
> Using JSSE you must manually validate that the server name you're connecting to matches one of
> the names provided by the certificate, so you can detect a man-in-the-middle type attack with
> a valid certificate for another site.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
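The quoted issue description makes the point that JSSE checks the certificate chain but leaves it to the caller to check that the host it dialled is one of the names in the certificate; without that step a valid certificate for any other site passes. As an added illustration (not HttpClient's own code and not the attached patch), here is a Java hostname check over the subjectAltName dNSName and iPAddress entries, with the subject CN only as a fallback, using the strict single-label wildcard rule rather than the browser-compatible one HttpClient 4.2 also offers. The class name HostnameCheck, the method names and the sample certificate names are assumptions; the live-connection path in main() only shows where the check sits relative to startHandshake().

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical hostname check for a JSSE socket; not HttpClient's own HostnameVerifier. */
public final class HostnameCheck {
    /** Names the certificate is valid for: SAN dNSName/iPAddress entries, CN only as a fallback. */
    static List<String> namesFromCertificate(X509Certificate cert) throws SSLException {
        List<String> names = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    int type = (Integer) san.get(0);      // GeneralName tag: 2 = dNSName, 7 = iPAddress
                    if (type == 2 || type == 7) {
                        names.add((String) san.get(1));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            throw new SSLException("cannot parse subjectAltName", e);
        }
        if (names.isEmpty()) {
            // Legacy RFC 2818 rule: consult the subject CN only when no SAN name exists.
            try {
                for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) {
                        names.add(String.valueOf(rdn.getValue()));
                    }
                }
            } catch (InvalidNameException e) {
                throw new SSLException("cannot parse subject DN", e);
            }
        }
        return names;
    }

    /** Strict match of the dialled host against one certificate name, with single-label wildcards. */
    static boolean matches(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT);
        String n = certName.toLowerCase(Locale.ROOT);
        if (!n.startsWith("*.")) {
            return h.equals(n);                         // exact match for plain DNS names and IPs
        }
        String suffix = n.substring(1);                 // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                               // "*.com" would match every .com host
        }
        if (!h.endsWith(suffix) || h.length() <= suffix.length()) {
            return false;                               // wrong domain, or the bare "example.com"
        }
        String leftmost = h.substring(0, h.length() - suffix.length());
        return leftmost.indexOf('.') < 0;               // "*" covers one label, not "a.b"
    }

    static boolean hostMatches(String host, List<String> certNames) {
        for (String n : certNames) {
            if (matches(host, n)) return true;
        }
        return false;
    }

    /** The missing step: after the handshake, check the leaf certificate's names against the host. */
    static void verify(String host, SSLSocket socket) throws SSLException {
        X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
        List<String> names = namesFromCertificate(leaf);
        if (!hostMatches(host, names)) {
            throw new SSLException("host " + host + " does not match certificate names " + names);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: names as namesFromCertificate() would return them for a wildcard cert.
        List<String> names = Arrays.asList("*.example.com", "example.com");
        for (String host : Arrays.asList("www.example.com", "EXAMPLE.COM", "a.b.example.com", "evil.com")) {
            System.out.println(host + " -> " + hostMatches(host, names));
        }
        System.out.println("bare wildcard *.com -> " + hostMatches("example.com", Arrays.asList("*.com")));
        if (args.length == 1) {
            // Live check: JSSE validates the chain in startHandshake(); the name check is still ours.
            String host = args[0];
            try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, 443)) {
                s.startHandshake();
                verify(host, s);
                System.out.println("certificate names match " + host);
            }
        }
    }
}
```

Run without arguments to see the matching rules applied to the constructed names, or with a hostname to dial it on port 443 and run the check against the real leaf certificate. On Java 7 and later the same check can be delegated to JSSE by setting `setEndpointIdentificationAlgorithm("HTTPS")` on the socket's SSLParameters before the handshake; the explicit version above is what a library that has to run on older runtimes, as HttpClient 3 did, must do by hand.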

