Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <511ADE5C.2070006@redhat.com>
Date: Tue, 12 Feb 2013 17:29:16 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
        "Steven M. Christey" <coley@...us.mitre.org>,
        David Jorm <djorm@...hat.com>
Subject: Re: CVE Request --  jakarta-commons-httpclient: Wildcard
 matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/12/2013 02:26 PM, Kurt Seifried wrote:
> On 02/12/2013 06:23 AM, Jan Lieskovsky wrote:
>> Hello Kurt, Steve, vendors,
> 
>> Originally, Common Vulnerabilities and Exposures assigned an 
>> identifier CVE-2012-5783 to the following vulnerability:
> 
>> Apache Commons HttpClient 3.x, as used in Amazon Flexible
>> Payments Service (FPS) merchant Java SDK and other products, does
>> not verify that the server hostname matches a domain name in the
>> subject's Common Name (CN) or subjectAltName field of the X.509
>> certificate, which allows man-in-the-middle attackers to spoof
>> SSL servers via an arbitrary valid certificate.
> 
>> Later it was found, that the SSL hostname verifier implementation
>>  (CVE-2012-5783 fix) contained a bug in wildcard matching: [1] 
>> https://issues.apache.org/jira/browse/HTTPCLIENT-1255
> 
>> which still allowed certain type of certificates checks to pass,
>>  even if they shouldn't.
> 
>> Relevant upstream patches: [2] 
>> https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213
>>  (against 4.2.x branch) [3] 
>> https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217
>>  (against trunk)
> 
>> References: [4] 
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268 [5] 
>> https://bugzilla.redhat.com/show_bug.cgi?id=910358
> 
>> Could you allocate a CVE id for this?
> 
>> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat 
>> Security Response Team
> 
> Please use CVE-2012-6127 for this issue.

Ok I should have looked into this deeper, it looks like it may not be
a security issue but I'm not 100% certain, so for now I will leave
this, and if someone can show there is no security impact I'll reject
it. Sorry for the mixup.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRGt5bAAoJEBYNRVNeJnmT7jAQANpKfrw1Y/swmvQAUNQZEQOF
2eKGEqhghw/A28Fz0Yu9vb8ai9A8fqSsWY+U9TOuxgdGonawkhouB2Vm61PxT31O
QkNqaNfhOeUJhYCSKFucIgqVkYysSguUhnNbvTSkxpdQqrpoai+1OovdFF51n+eo
ESHAikn5eLqZUMj2zJV5HfRpM4jDUDkl1l0Oe8so5tLLMhcFZlr4ColRirCyYSSl
31hXDesfMRjN6ZDLEVLgQ+0sj80KSQPoP/ZcztCH4nwuvKoMllkKFL8vTo0EYEdA
lm9DSxDng0e6EEHCSIH9R7puk2uhfmegRunFtlr7Xz1xGUoV0bG5fK2b9OiqmFY4
oxUpgNq78N2TECe6Yq5luOwtKaN9Y04Qn+ZnpM6mKfbhnc/3hHo+hef4rEnRPmGc
xcHymh0oHNL5IWYhxp5jA+m43jLp8HPOzDtTHgft5CGcWP8ncXD90jQG+N+h7CUl
veNGjVZoZhTqQ1P4iWSSiyrlBqkOsWgNsZfcAptapf0C2nC9Lq8INHy7ABDEPL3V
pUZi9gj+CEAMyUWqSo28fCvk0Q1YbUeUkyXf4lO5eu9Ryw/Fp3XE6oZ7ft7YBO3Z
rcxG5Q10gcDIWjX3NFnj1EflpXsqrfL6Bc5tBL5zzGtJBOTtqAXpiuzyKgdSAO/U
tCxu2w7Hped3SDP/2SGM
=tPhD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.