
CVE-2015-5262

Published: 30 September 2015

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

From the Ubuntu Security Team

It was discovered that Apache Commons HttpClient did not properly handle read timeouts during HTTPS handshakes. A remote attacker could trigger this flaw to cause a denial of service.
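The two descriptions above state the same point from different angles: a read timeout that is only applied to the connection after the TLS handshake has completed bounds the request and response, but not the handshake itself, so a peer that accepts the TCP connection and then never answers the ClientHello pins the calling thread for as long as the peer keeps the connection open. The following standalone Java program is an added illustration of that failure mode and of the fix pattern (apply SO_TIMEOUT before startHandshake(), not after). It is not HttpClient's code and not part of this advisory: it uses raw JSSE sockets, a constructed loopback "stalled" server, and method names of its own; the 500 ms timeout and the 3 s watchdog are arbitrary values chosen for the demo.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added illustration of the CVE-2015-5262 failure mode and the fix pattern.
 * NOT HttpClient's code: raw JSSE sockets plus a constructed "stalled" server
 * that accepts TCP connections but never answers the TLS ClientHello, so a
 * handshake started with SO_TIMEOUT still at 0 blocks indefinitely.
 */
public class HandshakeTimeoutDemo {

    /** Vulnerable ordering: the read timeout is applied only after the handshake. */
    static void vulnerableConnect(String host, int port, int socketTimeoutMs) throws IOException {
        Socket plain = new Socket(host, port);
        SSLSocket ssl = (SSLSocket) SSLSocketFactory.getDefault().createSocket(plain, host, port, true);
        ssl.startHandshake();              // SO_TIMEOUT is still 0: blocks until the peer answers or goes away
        ssl.setSoTimeout(socketTimeoutMs); // too late; only reads after the handshake are bounded
        ssl.close();
    }

    /** Fixed ordering: SO_TIMEOUT is set before startHandshake(), so a stalled peer raises SocketTimeoutException. */
    static void fixedConnect(String host, int port, int socketTimeoutMs) throws IOException {
        Socket plain = new Socket(host, port);
        SSLSocket ssl = (SSLSocket) SSLSocketFactory.getDefault().createSocket(plain, host, port, true);
        ssl.setSoTimeout(socketTimeoutMs); // bounds every read, including the handshake's
        ssl.startHandshake();
        ssl.close();
    }

    /** Constructed test double: accepts connections, keeps them open, never sends a byte. */
    static final class StalledServer implements AutoCloseable {
        final ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress());
        final List<Socket> accepted = new CopyOnWriteArrayList<>();

        StalledServer() throws IOException {
            Thread acceptor = new Thread(() -> {
                try {
                    while (true) {
                        accepted.add(listener.accept()); // hold a reference so nothing closes it early
                    }
                } catch (IOException closed) {
                    // listener closed: stop accepting
                }
            });
            acceptor.setDaemon(true);
            acceptor.start();
        }

        String host() { return listener.getInetAddress().getHostAddress(); }
        int port() { return listener.getLocalPort(); }

        @Override public void close() throws IOException {
            listener.close();
            for (Socket s : accepted) s.close(); // unblocks any client still waiting in its handshake
        }
    }

    static long elapsedMs(long startNanos) { return (System.nanoTime() - startNanos) / 1_000_000; }

    public static void main(String[] args) throws Exception {
        final int timeoutMs = 500;
        try (StalledServer server = new StalledServer()) {
            long t0 = System.nanoTime();
            try {
                fixedConnect(server.host(), server.port(), timeoutMs);
            } catch (SocketTimeoutException e) {
                System.out.printf("fixed:      handshake aborted after %d ms (%s)%n", elapsedMs(t0), e.getMessage());
            }

            // The vulnerable ordering never returns on its own. A watchdog tears the server down
            // after 3 s so the demo terminates; the elapsed time shows the 500 ms setting was ignored.
            Thread watchdog = new Thread(() -> {
                try { Thread.sleep(3000); server.close(); } catch (Exception ignore) { }
            });
            watchdog.setDaemon(true);
            watchdog.start();
            t0 = System.nanoTime();
            try {
                vulnerableConnect(server.host(), server.port(), timeoutMs);
            } catch (IOException e) {
                System.out.printf("vulnerable: handshake hung for %d ms until the peer was closed (%s)%n",
                        elapsedMs(t0), e.getClass().getSimpleName());
            }
        }
    }
}
```

Compile and run with `javac HandshakeTimeoutDemo.java && java HandshakeTimeoutDemo`; the fixed ordering fails within about 500 ms with a SocketTimeoutException, while the vulnerable ordering only returns when the watchdog closes the peer after roughly 3 s. The same stalled listener is a practical way to check a real deployment: point an application built on an affected HttpClient at a plain TCP listener that accepts and never responds (netcat in listen mode will do) and confirm that the call fails within the configured socket timeout rather than hanging.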

Notes

Author: mdeslaur
Note: introduced in httpcomponents-client 4.3.0
Priority

Medium

Status

Package: commons-httpclient

artful: Released (3.1-11ubuntu1)
bionic: Released (3.1-11ubuntu1)
cosmic: Released (3.1-11ubuntu1)
disco: Released (3.1-11ubuntu1)
eoan: Released (3.1-11ubuntu1)
focal: Released (3.1-11ubuntu1)
groovy: Released (3.1-11ubuntu1)
hirsute: Released (3.1-11ubuntu1)
impish: Released (3.1-11ubuntu1)
jammy: Released (3.1-11ubuntu1)
precise: Does not exist (precise was released [3.1-10ubuntu0.1])
trusty: Released (3.1-10.2ubuntu0.14.04.1)
upstream: Needs triage
vivid: Released (3.1-10.2ubuntu0.15.04.1)
wily: Released (3.1-11ubuntu1)
xenial: Released (3.1-11ubuntu1)
yakkety: Released (3.1-11ubuntu1)
zesty: Released (3.1-11ubuntu1)
Patches:
vendor: https://bugzilla.redhat.com/attachment.cgi?id=1072467
Package: httpcomponents-client

artful: Not vulnerable (4.4.1-1)
bionic: Not vulnerable (4.4.1-1)
cosmic: Not vulnerable (4.4.1-1)
disco: Not vulnerable (4.4.1-1)
eoan: Not vulnerable (4.4.1-1)
focal: Not vulnerable (4.4.1-1)
groovy: Not vulnerable (4.4.1-1)
hirsute: Not vulnerable (4.4.1-1)
impish: Not vulnerable (4.4.1-1)
jammy: Not vulnerable (4.4.1-1)
precise: Does not exist (precise was not-affected [code not present])
trusty: Needed
upstream: Released (4.3.6-1)
vivid: Ignored (reached end-of-life)
wily: Not vulnerable (4.4.1-1)
xenial: Not vulnerable (4.4.1-1)
yakkety: Not vulnerable (4.4.1-1)
zesty: Not vulnerable (4.4.1-1)