CVE-2012-5783

Published: 4 November 2012

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
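The following Java class is an added example, not code from Apache HttpClient, the Ubuntu tracker, or any affected product. It shows the check that the description above says HttpClient 3.x omitted: after the TLS handshake, the requested host is matched against the certificate's dNSName subjectAltName entries, with the subject CN used only when no dNSName entry exists, and a wildcard accepted only in the leftmost label (the RFC 2818/6125 rules). The class name HostnameCheck, its method names, and the sample hosts and patterns in main are assumptions made for the example; no real certificate is needed to run it.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example (not HttpClient code): the hostname check that CVE-2012-5783
 * describes as missing. Class and method names are assumptions for this example.
 */
public final class HostnameCheck {

    /**
     * Decides whether the requested host is covered by the certificate's names.
     * If any dNSName subjectAltName is present, only those are consulted (RFC 6125);
     * the subject CN is a fallback for certificates that carry no dNSName SAN.
     */
    public static boolean matches(String host, List<String> sanDnsNames, String cn) {
        String h = host.toLowerCase(Locale.ROOT);
        if (!sanDnsNames.isEmpty()) {
            for (String name : sanDnsNames) {
                if (matchesPattern(h, name)) {
                    return true;
                }
            }
            return false; // SANs present but none matched: the CN must not rescue it
        }
        return cn != null && matchesPattern(h, cn);
    }

    /**
     * Exact, case-insensitive match, or a wildcard confined to the leftmost label.
     * "*.example.com" covers "www.example.com" but not "a.b.example.com" or
     * "example.com"; a wildcard over a bare top-level domain such as "*.com" is refused.
     */
    static boolean matchesPattern(String host, String pattern) {
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return host.equals(p);
        }
        String suffix = p.substring(1);            // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                          // ".com": too broad, refuse
        }
        if (!host.endsWith(suffix)) {
            return false;
        }
        String leftmost = host.substring(0, host.length() - suffix.length());
        return !leftmost.isEmpty() && leftmost.indexOf('.') < 0;
    }

    /** Collects the dNSName (GeneralName type 2) subjectAltName entries of a certificate. */
    public static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                if (((Integer) entry.get(0)).intValue() == 2) {
                    out.add((String) entry.get(1));
                }
            }
        }
        return out;
    }

    /** Returns the most specific (leftmost in the DN string) CN attribute, or null if none. */
    public static String commonName(X509Certificate cert) throws InvalidNameException {
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        List<Rdn> rdns = dn.getRdns();           // index 0 is the rightmost RDN of the string
        for (int i = rdns.size() - 1; i >= 0; i--) {
            if ("CN".equalsIgnoreCase(rdns.get(i).getType())) {
                return rdns.get(i).getValue().toString();
            }
        }
        return null;
    }

    /** The check to run after the handshake and before any request bytes are sent. */
    public static boolean verify(String host, X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        return matches(host, dnsNames(cert), commonName(cert));
    }

    private static void expect(boolean expected, boolean actual, String what) {
        if (expected != actual) {
            throw new AssertionError("unexpected result for: " + what);
        }
    }

    public static void main(String[] args) {
        // Constructed sample names; no real certificate is involved.
        List<String> sans = Arrays.asList("*.example.com", "example.com");
        expect(true,  matches("WWW.example.com", sans, "other.cn"), "wildcard covers one label, case-insensitive");
        expect(false, matches("a.b.example.com", sans, null), "wildcard must not span two labels");
        expect(false, matches("evil.test", sans, "evil.test"), "CN is ignored once dNSName SANs exist");
        expect(true,  matches("api.example.net", Collections.<String>emptyList(), "api.example.net"), "CN fallback without SANs");
        expect(false, matches("foo.com", Collections.singletonList("*.com"), null), "wildcard over a bare TLD is refused");
        System.out.println("all hostname checks behaved as expected");
    }
}
```

Without a check of this kind, any certificate that chains to a trusted CA is accepted for any host, which is exactly the spoofing condition the description above names; the later CVEs cited in the notes concern the completeness of the matching rules, which is why the CN-versus-SAN preference and the wildcard restrictions are spelled out here rather than left to a plain substring comparison.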

Notes

Author: seth-arnold
Note: Apache Commons HttpClient has been replaced by HttpComponents

Author: mdeslaur
Note: Debian released 3.1-10.1 with a possible regression
Note: fix was incomplete, see CVE-2012-6153 and CVE-2014-3577
Priority

Low

Status

Package / Release / Status

commons-httpclient (Launchpad, Ubuntu, Debian)
hardy: Ignored (reached end-of-life)
lucid: Ignored (reached end-of-life)
oneiric: Ignored (reached end-of-life)
precise: Released (3.1-10ubuntu0.1)
quantal: Ignored (reached end-of-life)
raring: Not vulnerable (3.1-10.2)
saucy: Not vulnerable (3.1-10.2)
trusty: Not vulnerable (3.1-10.2)
upstream: Released (3.1-10.2)
utopic: Not vulnerable (3.1-10.2)
vivid: Not vulnerable (3.1-10.2)
Patches:
vendor: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442

httpcomponents-client (Launchpad, Ubuntu, Debian)
precise: Not vulnerable (4.1.1-1)
trusty: Not vulnerable (4.3.3-1)
upstream: Needs triage
vivid: Not vulnerable (4.3.5-2)
Patches:
upstream: http://svn.apache.org/viewvc?view=revision&revision=483925