hc-httpclient-users mailing list archives

From Oleg Kalnichevski <ol...@apache.org>
Subject Re: CVE-2014-3577: Test case to verify that versions of httpclient are not affected
Date Wed, 01 Apr 2015 14:29:18 GMT
On Wed, 2015-04-01 at 12:47 +0200, Markus Koschany wrote:
> Hello,
> 
> I am currently trying to verify for the Debian distribution that
> versions of httpclient are or are not affected by the following security
> vulnerabilities:
> 
> CVE-2014-3577
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577
> 
> CVE-2012-6153
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153
> 
> I am aware that HttpClient <= 3.1 is EOL now but there are still
> packages in the archive that depend on exactly this version in Debian.
> We intend to apply a patch from RedHat / Fedora [1] that appears to
> address CVE-2014-3577. However we would like to ensure that it really
> resolves the issue once and for all.
> 
> How can I test that this patch actually addresses the vulnerability? Are
> there any test cases available?
> 

All execution paths that were found as vulnerable now have corresponding
test cases here:

http://hc.apache.org/httpcomponents-client-4.4.x/httpclient/xref-test/org/apache/http/conn/ssl/TestDefaultHostnameVerifier.html

Oleg
