hc-httpclient-users mailing list archives

From Markus Koschany <...@gambaru.de>
Subject CVE-2014-3577: Test case to verify that versions of httpclient are not affected
Date Wed, 01 Apr 2015 10:47:44 GMT
Hello,

I am currently trying to verify for the Debian distribution that
versions of httpclient are or are not affected by the following security
vulnerabilities:

CVE-2014-3577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3577

CVE-2012-6153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153

I am aware that HttpClient <= 3.1 is EOL now but there are still
packages in the archive that depend on exactly this version in Debian.
We intend to apply a patch from RedHat / Fedora [1] that appears to
address CVE-2014-3577. However, we would like to ensure that it really
resolves the issue once and for all.

How can I test that this patch actually addresses the vulnerability? Are
there any test cases available?

Thanks

Markus


[1]
http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch