oss-sec mailing list archives
Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 12 Feb 2013 17:29:16 -0700
On 02/12/2013 02:26 PM, Kurt Seifried wrote:
> On 02/12/2013 06:23 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, vendors,
>>
>> Originally, Common Vulnerabilities and Exposures assigned an identifier
>> CVE-2012-5783 to the following vulnerability:
>>
>> Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments
>> Service (FPS) merchant Java SDK and other products, does not verify
>> that the server hostname matches a domain name in the subject's Common
>> Name (CN) or subjectAltName field of the X.509 certificate, which
>> allows man-in-the-middle attackers to spoof SSL servers via an
>> arbitrary valid certificate.
>>
>> Later it was found that the SSL hostname verifier implementation
>> (CVE-2012-5783 fix) contained a bug in wildcard matching:
>> [1] https://issues.apache.org/jira/browse/HTTPCLIENT-1255
>> which still allowed certain types of certificate checks to pass, even
>> if they shouldn't.
>>
>> Relevant upstream patches:
>> [2] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213 (against 4.2.x branch)
>> [3] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217 (against trunk)
>>
>> References:
>> [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268
>> [5] https://bugzilla.redhat.com/show_bug.cgi?id=910358
>>
>> Could you allocate a CVE id for this?
>>
>> Thank you && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> Please use CVE-2012-6127 for this issue.
Ok, I should have looked into this deeper. It looks like it may not be a security issue, but I'm not 100% certain, so for now I will leave this, and if someone can show there is no security impact I'll reject it. Sorry for the mixup.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
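The thread does not spell out which wildcard case HTTPCLIENT-1255 got wrong, so the following is an added example of the rule set a hostname verifier has to enforce, written for this page and not taken from HttpClient, from the referenced patches or from anyone on the thread. It follows RFC 6125 section 6.4.3: the wildcard may only be the entire left-most label, it matches exactly one label, an identity needs at least two fixed labels after the wildcard, and IP address literals are never wildcard-matched. Partial-label wildcards such as f*.example.com are rejected here as a deliberate (stricter-than-RFC) choice. Function names, the constructed certificate identities and the hostnames are illustrative assumptions.

```python
"""Illustrative wildcard hostname matcher (added example, not HttpClient code).

Rules implemented (RFC 6125 section 6.4.3, with partial-label wildcards
rejected outright):
  - comparison is case-insensitive and ignores a trailing dot;
  - "*" is honored only when it is the whole left-most label;
  - the wildcard stands for exactly one label, so "*.example.com"
    matches "www.example.com" but not "example.com" or "a.b.example.com";
  - a wildcard identity needs at least two fixed labels, so "*.com"
    never matches anything;
  - a hostname that is an IP literal is matched only by an exact identity.
"""
import ipaddress


def _labels(name):
    """Normalise a DNS name into its labels; None if it is malformed."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return None
    labels = name.split(".")
    if any(label == "" for label in labels):  # ".." or leading dot
        return None
    return labels


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def match_identity(host, identity):
    """True if the presented identity (SAN dNSName or CN) is valid for host."""
    host_labels = _labels(host)
    id_labels = _labels(identity)
    if host_labels is None or id_labels is None:
        return False
    if "*" in host:  # the name we connected to never carries a wildcard
        return False
    if "*" not in identity:
        return host_labels == id_labels  # plain exact match
    if _is_ip_literal(host):
        return False  # wildcards never cover IP addresses

    first, rest = id_labels[0], id_labels[1:]
    if first != "*" or any("*" in label for label in rest):
        return False  # wildcard must be the whole left-most label only
    if len(rest) < 2:
        return False  # refuse "*.com", "*"
    # Same number of labels, and everything right of the wildcard is equal:
    # the wildcard therefore consumes exactly one label.
    return len(host_labels) == len(id_labels) and host_labels[1:] == rest


def verify_hostname(host, san_dns_names, cn=None):
    """Check every SAN dNSName; fall back to the CN only when no SAN exists.

    san_dns_names and cn are the values pulled from the server certificate
    (constructed by the caller in this example).
    """
    if san_dns_names:
        identities = list(san_dns_names)
    else:
        identities = [cn] if cn else []
    return any(match_identity(host, ident) for ident in identities)


if __name__ == "__main__":
    # Constructed sample: a certificate with two SAN entries.
    sans = ["www.example.com", "*.example.com"]
    for h in ["api.example.com", "example.com", "a.b.example.com"]:
        print(h, verify_hostname(h, sans))
```

Usage: feed verify_hostname the host you connected to and the dNSName/CN values extracted from the peer certificate; a False result must abort the handshake. The key design point is that the wildcard comparison is done label by label rather than with string prefix/suffix tests, which is what makes the "exactly one label" and "left-most label only" rules fall out naturally.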
Current thread:
- CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Jan Lieskovsky (Feb 12)
- [Ignore not a security flaw] Re: [oss-security] CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Jan Lieskovsky (Feb 12)
- Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Kurt Seifried (Feb 12)
- Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Kurt Seifried (Feb 12)
- Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) David Jorm (Feb 12)
- Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Kurt Seifried (Feb 12)
- RE: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Christey, Steven M. (Feb 13)
- Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783) Kurt Seifried (Feb 12)