Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/12/2013 02:26 PM, Kurt Seifried wrote:
> On 02/12/2013 06:23 AM, Jan Lieskovsky wrote:
> > Hello Kurt, Steve, vendors,
>
> > Originally, Common Vulnerabilities and Exposures assigned an 
> > identifier CVE-2012-5783 to the following vulnerability:
>
> > Apache Commons HttpClient 3.x, as used in Amazon Flexible
> > Payments Service (FPS) merchant Java SDK and other products, does
> > not verify that the server hostname matches a domain name in the
> > subject's Common Name (CN) or subjectAltName field of the X.509
> > certificate, which allows man-in-the-middle attackers to spoof
> > SSL servers via an arbitrary valid certificate.
>
> > Later it was found, that the SSL hostname verifier implementation
> >  (CVE-2012-5783 fix) contained a bug in wildcard matching: [1] 
> > https://issues.apache.org/jira/browse/HTTPCLIENT-1255
>
> > which still allowed certain type of certificates checks to pass,
> >  even if they shouldn't.
>
> > Relevant upstream patches: [2] 
> > https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213
> >  (against 4.2.x branch) [3] 
> > https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217
> >  (against trunk)
>
> > References: [4] 
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268 [5] 
> > https://bugzilla.redhat.com/show_bug.cgi?id=910358
>
> > Could you allocate a CVE id for this?
>
> > Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat 
> > Security Response Team
>
> Please use CVE-2012-6127 for this issue.

Ok I should have looked into this deeper, it looks like it may not be
a security issue but I'm not 100% certain, so for now I will leave
this, and if someone can show there is no security impact I'll reject
it. Sorry for the mixup.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRGt5bAAoJEBYNRVNeJnmT7jAQANpKfrw1Y/swmvQAUNQZEQOF
2eKGEqhghw/A28Fz0Yu9vb8ai9A8fqSsWY+U9TOuxgdGonawkhouB2Vm61PxT31O
QkNqaNfhOeUJhYCSKFucIgqVkYysSguUhnNbvTSkxpdQqrpoai+1OovdFF51n+eo
ESHAikn5eLqZUMj2zJV5HfRpM4jDUDkl1l0Oe8so5tLLMhcFZlr4ColRirCyYSSl
31hXDesfMRjN6ZDLEVLgQ+0sj80KSQPoP/ZcztCH4nwuvKoMllkKFL8vTo0EYEdA
lm9DSxDng0e6EEHCSIH9R7puk2uhfmegRunFtlr7Xz1xGUoV0bG5fK2b9OiqmFY4
oxUpgNq78N2TECe6Yq5luOwtKaN9Y04Qn+ZnpM6mKfbhnc/3hHo+hef4rEnRPmGc
xcHymh0oHNL5IWYhxp5jA+m43jLp8HPOzDtTHgft5CGcWP8ncXD90jQG+N+h7CUl
veNGjVZoZhTqQ1P4iWSSiyrlBqkOsWgNsZfcAptapf0C2nC9Lq8INHy7ABDEPL3V
pUZi9gj+CEAMyUWqSo28fCvk0Q1YbUeUkyXf4lO5eu9Ryw/Fp3XE6oZ7ft7YBO3Z
rcxG5Q10gcDIWjX3NFnj1EflpXsqrfL6Bc5tBL5zzGtJBOTtqAXpiuzyKgdSAO/U
tCxu2w7Hped3SDP/2SGM
=tPhD
-----END PGP SIGNATURE-----