Debian Bug report logs - #628727
httpcomponents-client security issue CVE-2011-1498

version graph

Package: httpcomponents-client; Maintainer for httpcomponents-client is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Thijs Kinkhorst <thijs@debian.org>

Date: Tue, 31 May 2011 19:21:01 UTC

Severity: serious

Tags: security

Found in version 4.0.1-1

Fixed in versions httpcomponents-client/4.1.1-1, httpcomponents-client/4.0.1-1squeeze1

Done: Miguel Landaeta <miguel@miguel.cc>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, David Paleino <dapal@debian.org>:
Bug#628727; Package httpcomponents-client. (Tue, 31 May 2011 19:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
New Bug report received and forwarded. Copy sent to David Paleino <dapal@debian.org>. (Tue, 31 May 2011 19:21:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: submit@bugs.debian.org
Subject: httpcomponents-client security issue CVE-2011-1498
Date: Tue, 31 May 2011 21:14:48 +0200 (CEST)
Package: httpcomponents-client
Version: 4.0.1-1
Severity: serious
Tags: security

Hi,

the following CVE (Common Vulnerabilities & Exposures) id was
published for httpcomponents-client.

CVE-2011-1498
[HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be
sent to the target host when tunneling requests through a proxy server that
requires authentication. 

http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt
http://seclists.org/oss-sec/2011/q2/188

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry. Please contact the security team to get
the issue addressed in stable aswell.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1498
    http://security-tracker.debian.org/tracker/CVE-2011-1498




Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Fri, 01 Jul 2011 05:21:03 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Fri, 01 Jul 2011 05:21:03 GMT) Full text and rfc822 format available.

Message #10 received at 628727-close@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 628727-close@bugs.debian.org
Subject: Bug#628727: fixed in httpcomponents-client 4.1.1-1
Date: Fri, 01 Jul 2011 05:17:24 +0000
Source: httpcomponents-client
Source-Version: 4.1.1-1

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive:

httpcomponents-client_4.1.1-1.debian.tar.gz
  to main/h/httpcomponents-client/httpcomponents-client_4.1.1-1.debian.tar.gz
httpcomponents-client_4.1.1-1.dsc
  to main/h/httpcomponents-client/httpcomponents-client_4.1.1-1.dsc
httpcomponents-client_4.1.1.orig.tar.gz
  to main/h/httpcomponents-client/httpcomponents-client_4.1.1.orig.tar.gz
libhttpclient-java_4.1.1-1_all.deb
  to main/h/httpcomponents-client/libhttpclient-java_4.1.1-1_all.deb
libhttpmime-java_4.1.1-1_all.deb
  to main/h/httpcomponents-client/libhttpmime-java_4.1.1-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628727@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated httpcomponents-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Jun 2011 00:13:18 -0430
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.1.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j extension
Closes: 628727 628731
Changes: 
 httpcomponents-client (4.1.1-1) unstable; urgency=high
 .
   * New upstream release:
     Fixed critical bug causing Proxy-Authorization header to be
     sent to the target host when tunneling requests through a proxy
     server that requires authentication: CVE-2011-1498. (Closes: #628727).
   * New maintainer. (Closes: #628731).
   * Bump Standards-Version to 3.9.2. No changes were required.
   * Add Build-Depends on libmockito-java.
   * Update Vcs-* fields.
Checksums-Sha1: 
 3a1fa570924b717d8332bb14d771db2ffe0aa320 2294 httpcomponents-client_4.1.1-1.dsc
 0ef17a593669a08a3c41399a73fead81e621e5d7 1445826 httpcomponents-client_4.1.1.orig.tar.gz
 33b8738482a3fc9f32728d226f599a73593c0dcd 3334 httpcomponents-client_4.1.1-1.debian.tar.gz
 3022f9f539edc94ff6556eb5a88eaf3eea463af2 324200 libhttpclient-java_4.1.1-1_all.deb
 4dbd825865f5ba83f942c7a70258c73a0b9340e2 34118 libhttpmime-java_4.1.1-1_all.deb
Checksums-Sha256: 
 a8dc8a2407711ae806f96f9a07fde42ce00630792413bc4c9626d831b554d342 2294 httpcomponents-client_4.1.1-1.dsc
 ca8384eaeefba78b3e185f072d66b500007f276fbdae296ed08dba9a3dab51c8 1445826 httpcomponents-client_4.1.1.orig.tar.gz
 0436f00cb3147d7ebc15b4f88f73ef3bbb820a9c631458de0f3844b67e50eb11 3334 httpcomponents-client_4.1.1-1.debian.tar.gz
 0ce28146f046525465b4443d83227cefaa91f8aff1be09d919db01cdd29b1f35 324200 libhttpclient-java_4.1.1-1_all.deb
 f0c62afef206d315edaad68d7ed8d1334fdcb1dd8a865a83934af1adbcf9d92a 34118 libhttpmime-java_4.1.1-1_all.deb
Files: 
 0630f41d32ce8de04e9b3a8ea2c34137 2294 java optional httpcomponents-client_4.1.1-1.dsc
 12be9646128db4a4383e47341cbeb7fd 1445826 java optional httpcomponents-client_4.1.1.orig.tar.gz
 e645e1c7ac47c4345dbeb4841ed67667 3334 java optional httpcomponents-client_4.1.1-1.debian.tar.gz
 889ebcfd575b0ba176f329cb07a05295 324200 java optional libhttpclient-java_4.1.1-1_all.deb
 15966e50651585a51e0eaec043757017 34118 java optional libhttpmime-java_4.1.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJODVVuAAoJECHSBYmXSz6WW9cP/3gGiKZFiOyrUKBypoUQUNSi
5LMKkKfJ5MiC+BxLJjs7bz7voLI3S/OCxPStRkQl+2/S4rfFms6NwEkPEqh6l7KV
0SZaXDzbBhytPvTIY2fJ3ii/DR+r6wNYzzVYCgJYiDMdxLfFqCtu06uhL+rkw5/D
EirbQRs+IWEJVVQmhUwyANpLHLwbg8cTaNjRL3DLX8+Cgm+pzMLtMjmSAvhe8ZlM
bvGaMy+Ay3fnaToBYxOaRAnDBUlDh/DFOYR41RT8KtpmfVuQPf9fZquE5ybeiFyj
pEyMwh0A4gg5sF6dO5vc5tPKajAtsHNg6YJDIj5VHmtDSHBsl6Z6ou89MdKa/I3J
0MxQ7VopxpkhB69JxhcHGSaT7M+JDiFFmY/TkLRipw15fOSLDA5xneSnMRce8vEy
iNSjR48F44KAWL+ZsE7IydwQESftGpA4JnA10u8Ac/uYiQi7BFmZSEivL4GgTohg
KLAJULf/qU5vkcF3ThVBvfE3qOEsOD9u/NOtl+fGyhZpljHFoflw0kco3XPsNL6C
zFKjwvDPyBqV1mDrtLEKgpAKO36t0I8+i2tW+XEEbFNIfQWioP5xFcXL7wXoCHwL
41aLmFrw7nwxhz0GeU+o2uMe5Gs5cRrXvAim9Dm+4ObiugYRMNwQZ27qdpf79KBW
wFIJSOMlfNnrtYzA9dbG
=iy9G
-----END PGP SIGNATURE-----





Reply sent to Miguel Landaeta <miguel@miguel.cc>:
You have taken responsibility. (Sun, 03 Jul 2011 19:57:09 GMT) Full text and rfc822 format available.

Notification sent to Thijs Kinkhorst <thijs@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jul 2011 19:57:09 GMT) Full text and rfc822 format available.

Message #15 received at 628727-close@bugs.debian.org (full text, mbox):

From: Miguel Landaeta <miguel@miguel.cc>
To: 628727-close@bugs.debian.org
Subject: Bug#628727: fixed in httpcomponents-client 4.0.1-1squeeze1
Date: Sun, 03 Jul 2011 19:54:34 +0000
Source: httpcomponents-client
Source-Version: 4.0.1-1squeeze1

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive:

httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
  to main/h/httpcomponents-client/httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
httpcomponents-client_4.0.1-1squeeze1.dsc
  to main/h/httpcomponents-client/httpcomponents-client_4.0.1-1squeeze1.dsc
libhttpclient-java_4.0.1-1squeeze1_all.deb
  to main/h/httpcomponents-client/libhttpclient-java_4.0.1-1squeeze1_all.deb
libhttpmime-java_4.0.1-1squeeze1_all.deb
  to main/h/httpcomponents-client/libhttpmime-java_4.0.1-1squeeze1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 628727@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Miguel Landaeta <miguel@miguel.cc> (supplier of updated httpcomponents-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 29 Jun 2011 20:32:56 -0430
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.0.1-1squeeze1
Distribution: stable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Miguel Landaeta <miguel@miguel.cc>
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j extension
Closes: 628727
Changes: 
 httpcomponents-client (4.0.1-1squeeze1) stable; urgency=high
 .
   * Fixed critical bug causing Proxy-Authorization header to be
     sent to the target host when tunneling requests through a proxy
     server that requires authentication: CVE-2011-1498. (Closes: #628727).
   * Set Debian Java Team as Maintainer and add myself to Uploaders.
Checksums-Sha1: 
 65ebe94e669426253a873549ef04dbac4fab6fee 2324 httpcomponents-client_4.0.1-1squeeze1.dsc
 56d9bf8dfde9dc1312ace306e53b03f7d0e1f8fa 4433 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
 0e31cf3fc63b516e89ce5d64fb2b351476a2a7ea 270928 libhttpclient-java_4.0.1-1squeeze1_all.deb
 2ba634f274e6b9e3f1741a97df5c7ba09f525c27 31922 libhttpmime-java_4.0.1-1squeeze1_all.deb
Checksums-Sha256: 
 f0e447402f88ea15264be15af926894163ba6f59df0d217dc003a350d404710c 2324 httpcomponents-client_4.0.1-1squeeze1.dsc
 5b70569dfdf36ba43afdae42cb5b59939c863b1f3882c218b6d8191841dcb32b 4433 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
 7bc8488a8d48da592a0719fccb6f2817fbd7666c2e9f66eed272ab19e461d083 270928 libhttpclient-java_4.0.1-1squeeze1_all.deb
 62f7b864dfa049e61afc62332e05fa39a164326b54c9d8b233ef9a557ca5bace 31922 libhttpmime-java_4.0.1-1squeeze1_all.deb
Files: 
 96372bec0c915cb49f04c244346cfdcf 2324 java optional httpcomponents-client_4.0.1-1squeeze1.dsc
 a2ae1cd30cab32577d40efb05a4c5325 4433 java optional httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
 b9127243c2ebddb0b3fc729423a6ce20 270928 java optional libhttpclient-java_4.0.1-1squeeze1_all.deb
 3cb6f6cd6f390a4ec7fd9c62d283efe8 31922 java optional libhttpmime-java_4.0.1-1squeeze1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJOD+jHAAoJECHSBYmXSz6WRC0P/11Cycoqs5RscP6BBjqs5XRi
oyBupImuOQpoAmA6Ts1NsciSyNYJJxG7TH6UDekhhmlhwmLZzfM1r5nxmuhzy+sl
k+D6f5V3uHBMKEh2z2Cq8LjfI5Fwld6x0jnWQD1TNktyua+1Fjltvc/iUL+35wzd
NRryz/XdjIJsnaClbMlzObxIomBJB9F+YeTjpBChXbJ3+o8HF4MNCJ7RJ4RmYEXV
38YMxoqp3TwfMnJbpQCCMPL667dJbSi/SMS7v8R3ORrYAyZBQhmup8jqQDxR/L9B
R8V0l8ulyx3TsWHgv5789iVDPzo5eOW8bcqHki7YtBlvHtQW92pUuHJWdC5PEswg
RhxskeNXG5pkGgrXJhJRmpA/LlN9anOqExsEtIHokpWAPn88fAzQEFSFq36J677I
zeF1AR1JUBd3RSkZK8TCNalsYkOGINBgjuYaRp9C86PUpIwJa00Wf6J8tpGC6L8B
SsnB10GFkXNHh1MD7BUZFHXjEjr67p8bhBfuC+GbqwEk9kWWri2Ii5Fq1yPiJ/oU
3w3PzcI7XwDLAsRNn73D312qE7oosgZK2AdDC1m8VLqhtP5Y2pX8MdyukB5BV9HO
ycodu2T9xsvfAzscS4kd7KGtMVafB/Xws+pCiSu6QapQBdf6TNXAyKXjWjSgHRtA
HeYEmO17y4aA9LmJqlbh
=Ovp4
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 09 Oct 2011 07:32:54 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:48:48 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.