UbuntuUpdates.org

Package "httpcomponents-client"

Name: httpcomponents-client

Description:

This package is just an umbrella for a group of other packages, it has no description.
Description samples from packages in group:

  • HTTP/1.1 compliant HTTP agent implementation
  • HTTP/1.1 compliant HTTP agent implementation - MIME extension
Latest version: 4.3.3-1ubuntu0.1
Release: trusty (14.04)
Level: updates
Repository: universe

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Other versions of "httpcomponents-client" in Trusty

Repository Area Version
base universe 4.3.3-1
security universe 4.3.3-1ubuntu0.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 4.3.3-1ubuntu0.1 2018-08-14 16:06:28 UTC

  httpcomponents-client (4.3.3-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: It was found that the fix for CVE-2012-5783
    and CVE-2012-6153 was incomplete. The code added to check that
    the server hostname matches the domain name in the subject's CN
    field was flawed. This can be exploited by a Man-in-the-middle
    (MITM) attack where the attacker can spoof a valid certificate
    using a specially crafted subject.
    - debian/patches/CVE-2014-3577.patch: fix in AbstractVerifier.java
    - CVE-2014-3577

 -- Eduardo Barretto <email address hidden> Fri, 10 Aug 2018 17:06:26 -0300
CVE-2012-5783 Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the serve
CVE-2012-6153 http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name
CVE-2014-3577 org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify


About   -   Send Feedback to @ubuntu_updates