Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
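The missing step described above is hostname verification: a chain-valid certificate must also be issued for the host the client intended to reach. The following is an added illustration of that check, not code from this bug report or from HttpClient; the function names and the certificate identities (payments.example.com, mitm.example.org, etc.) are constructed for the example.

```python
from typing import Iterable, Optional


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a hostname.

    Follows the RFC 2818/6125 rules: case-insensitive comparison; a single
    '*' is accepted only as the whole left-most label and matches exactly one
    label, so it never spans a dot. Requiring at least two labels after the
    wildcard (rejecting "*.com") is a conservative choice made in this example.
    """
    pattern, host = cert_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, cn: Optional[str], san_dns: Iterable[str]) -> bool:
    """The check HttpClient 3.x skipped: is this (already chain-validated)
    certificate actually issued for the host we meant to talk to?

    If subjectAltName carries any dNSName entries they are authoritative and
    the CN is ignored (RFC 6125 section 6.4.4); otherwise fall back to the CN.
    """
    san_dns = list(san_dns)
    if san_dns:
        return any(name_matches(n, hostname) for n in san_dns)
    return cn is not None and name_matches(cn, hostname)


if __name__ == "__main__":
    # Constructed certificate identities, not real ones.
    intended = "payments.example.com"
    # A chain-valid certificate issued to an unrelated name passes chain
    # validation, so a 3.x client accepted it; hostname checking rejects it.
    print(verify_hostname(intended, "mitm.example.org", []))            # False
    print(verify_hostname(intended, "ignored.example", [intended]))     # True
    print(verify_hostname(intended, intended, ["other.example.com"]))   # False
    print(verify_hostname(intended, None, ["*.example.com"]))           # True
    print(verify_hostname("a.b.example.com", None, ["*.example.com"]))  # False
```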
Created jakarta-commons-httpclient tracking bugs for this issue

Affects: fedora-all [bug 873319]
Upstream ticket for 4.x: [4] https://issues.apache.org/jira/browse/httpclient-613 and relevant patch for 4.x: [5] http://svn.apache.org/viewvc?view=revision&revision=483925
This issue affects the versions of the jakarta-commons-httpclient package, as shipped with Red Hat Enterprise Linux 5 and 6.
Upstream bug: https://issues.apache.org/jira/browse/HTTPCLIENT-1265
Upstream patch commit: https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1422573
jakarta-commons-httpclient-3.1-12.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
jakarta-commons-httpclient-3.1-12.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
jakarta-commons-httpclient-3.1-12.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:0270 https://rhn.redhat.com/errata/RHSA-2013-0270.html
This issue has been addressed in the following products:
JBoss Enterprise Application Platform 5.2.0
Via RHSA-2013:0679 https://rhn.redhat.com/errata/RHSA-2013-0679.html
This issue has been addressed in the following products:
JBEWP 5 for RHEL 4
JBEWP 5 for RHEL 5
JBEWP 5 for RHEL 6
Via RHSA-2013:0682 https://rhn.redhat.com/errata/RHSA-2013-0682.html
This issue has been addressed in the following products:
JBoss Enterprise Web Platform 5.2.0
Via RHSA-2013:0681 https://rhn.redhat.com/errata/RHSA-2013-0681.html
This issue has been addressed in the following products:
JBEAP 5 for RHEL 4
JBEAP 5 for RHEL 5
JBEAP 5 for RHEL 6
Via RHSA-2013:0680 https://rhn.redhat.com/errata/RHSA-2013-0680.html
This issue has been addressed in the following products:
JBoss Web Framework Kit 2.2.0
Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html
This issue has been addressed in the following products:
Red Hat JBoss BRMS 5.3.1
Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html
This issue has been addressed in the following products:
Red Hat JBoss SOA Platform 5.3.1
Via RHSA-2013:1147 https://rhn.redhat.com/errata/RHSA-2013-1147.html
This issue has been addressed in the following products:
Red Hat JBoss Operations Network 3.2.0
Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html
This issue has been addressed in the following products:
RHEV Manager version 3.3
Via RHSA-2014:0224 https://rhn.redhat.com/errata/RHSA-2014-0224.html
Multiple problems were discovered in the fix for this issue, which got separate CVE IDs assigned and are tracked via separate bug reports - CVE-2012-6153 (bug 1129916) and CVE-2014-3577 (bug 1129074).
This issue has been addressed in the following products:
Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868
This issue has been addressed in the following products:
Red Hat JBoss Fuse
Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868
This issue has been addressed in the following products:
Red Hat Fuse 7.12
Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954