Debian Bug report logs - #700268
libhttpclient-java: overly broad certificate wildcard match


Package: libhttpclient-java; Maintainer for libhttpclient-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for libhttpclient-java is src:httpcomponents-client (PTS, buildd, popcon).

Reported by: Helmut Grohne <helmut@subdivi.de>

Date: Sun, 10 Feb 2013 18:15:05 UTC

Severity: grave

Tags: security

Found in version httpcomponents-client/4.2.1-1

Fixed in version httpcomponents-client/4.2.1-2

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/HTTPCLIENT-1255



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#700268; Package libhttpclient-java. (Sun, 10 Feb 2013 18:15:07 GMT)


Acknowledgement sent to Helmut Grohne <helmut@subdivi.de>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 10 Feb 2013 18:15:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Helmut Grohne <helmut@subdivi.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libhttpclient-java: overly broad certificate wildcard match
Date: Sun, 10 Feb 2013 19:12:08 +0100
Package: libhttpclient-java
Version: 4.2.1-1
Severity: grave
Tags: security

In the version above the common name match of the certificate check was
rewritten. So the versions in squeeze and wheezy are not affected. The
rewritten version contains a bug (uses length of wrong object) and
thereby accepts ssl certificates where it should not.

Let me quote the relevant bits from the upstream bug
https://issues.apache.org/jira/browse/HTTPCLIENT-1255
> According to the findings of [1], the hostname verification in AbstractVerifier.java is not correct. The wildcard prefix extraction uses the dimension of the dotted parts array instead of the length of the first part itself.
> 
> String prefix = parts[0].substring(0, parts.length-2); // e.g. server
> should be
> String prefix = parts[0].substring(0, parts[0].length()-1); // e.g. server
> 
> (This is line 208 of http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java as of Revision 1402320)
> 
> [1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Helmut
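The defect described in the report above, as an added example that is not code from the httpclient project: a reduced model of the wildcard branch of AbstractVerifier with the buggy prefix computation (`parts.length-2`) and the corrected one (`parts[0].length()-1`) side by side, run over constructed hostnames against the CN `server*.example.com`.

```java
import java.util.Arrays;
import java.util.List;

// Reduced model of the wildcard branch of AbstractVerifier.verify();
// this is an illustration, not the upstream source.
public class WildcardPrefixDemo {

    // When buggy is true the prefix length is taken from the dotted-parts
    // array (parts.length - 2) instead of from the first label
    // (parts[0].length() - 1), which is the defect in HTTPCLIENT-1255.
    static boolean wildcardMatches(String cn, String host, boolean buggy) {
        String[] parts = cn.split("\\.");
        // Wildcard handling only applies with at least three labels and a
        // '*' ending the first one; otherwise fall back to an exact compare.
        if (parts.length < 3 || !parts[0].endsWith("*")) {
            return cn.equalsIgnoreCase(host);
        }
        String firstpart = parts[0];
        if (firstpart.length() == 1) {               // plain "*.example.com"
            return host.endsWith(cn.substring(1));
        }
        int prefixLen = buggy ? parts.length - 2 : firstpart.length() - 1;
        // For "server*.example.com" the buggy value is 1, so the prefix
        // shrinks from "server" to "s". With more labels in the CN the buggy
        // value can also exceed the label length and make substring() throw.
        String prefix = firstpart.substring(0, prefixLen);
        String suffix = cn.substring(firstpart.length());   // ".example.com"
        if (!host.startsWith(prefix)) {
            return false;
        }
        String hostSuffix = host.substring(prefix.length());
        return hostSuffix.endsWith(suffix);
    }

    public static void main(String[] args) {
        String cn = "server*.example.com";
        // Constructed hostnames: only the first two should match this CN.
        List<String> hosts = Arrays.asList(
            "server.example.com", "server01.example.com",
            "sales.example.com", "s.example.com", "other.example.com");
        for (String h : hosts) {
            System.out.printf("%-24s buggy=%-5b fixed=%-5b%n",
                h, wildcardMatches(cn, h, true), wildcardMatches(cn, h, false));
        }
    }
}
```

With the buggy computation, `sales.example.com` and `s.example.com` are accepted for a certificate issued to `server*.example.com`; the fixed computation rejects both.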



Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/HTTPCLIENT-1255'. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Sun, 10 Feb 2013 18:39:06 GMT)


Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Mon, 11 Feb 2013 01:36:03 GMT)


Notification sent to Helmut Grohne <helmut@subdivi.de>:
Bug acknowledged by developer. (Mon, 11 Feb 2013 01:36:03 GMT)


Message #12 received at 700268-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 700268-close@bugs.debian.org
Subject: Bug#700268: fixed in httpcomponents-client 4.2.1-2
Date: Mon, 11 Feb 2013 01:32:32 +0000
Source: httpcomponents-client
Source-Version: 4.2.1-2

We believe that the bug you reported is fixed in the latest version of
httpcomponents-client, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 700268@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated httpcomponents-client package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 10 Feb 2013 16:28:27 -0800
Source: httpcomponents-client
Binary: libhttpclient-java libhttpmime-java
Architecture: source all
Version: 4.2.1-2
Distribution: experimental
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description: 
 libhttpclient-java - HTTP/1.1 compliant HTTP agent implementation
 libhttpmime-java - HTTP/1.1 compliant HTTP agent implementation - mime4j extension
Closes: 700268
Changes: 
 httpcomponents-client (4.2.1-2) experimental; urgency=low
 .
   * Team upload.
   * Apply upstream patch for wildcard certificate match security bug.
     (Closes: #700268)
   * Remove duplicate Copyright: in d/copyright (lintian warning).
   * Bump Standards-Version to 3.9.4 (no changes).
   * Update Vcs-Git field to be "/git/pkg-java"





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 11 Mar 2013 07:27:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 23 09:56:46 2024; Machine Name: bembo
