ELSA-2014-1166 -- jakarta-commons-httpclient security update (Important)

oval:org.mitre.oval:def:27050

Jakarta Commons HTTPClient implements the client side of the HTTP standards.

It was discovered that HTTPClient incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577)

For additional information on this flaw, refer to the Knowledgebase article in the References section.

All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

Family:
unix
Status:
ACCEPTED
Platform(s):
  • Oracle Linux 7
  • Oracle Linux 6
  • Oracle Linux 5
Class:
patch
Reference(s):
  • ELSA-2014-1166
  • CVE-2014-3577
  • CVE-2012-6153
Product(s):
  • jakarta-commons-httpclient