Format: 3.0 (quilt)
Source: commons-httpclient
Binary: libcommons-httpclient-java, libcommons-httpclient-java-doc
Architecture: all
Version: 3.1-11
Maintainer: Debian Java Maintainers <[email protected]>
Uploaders: Michael Koch <[email protected]>, Kumar Appaiah <[email protected]>, Varun Hiremath <[email protected]>, Torsten Werner <[email protected]>, Damien Raude-Morvan <[email protected]>
Homepage: http://hc.apache.org/httpclient-3.x
Standards-Version: 3.9.1
Vcs-Browser: http://svn.debian.org/wsvn/pkg-java/trunk/commons-httpclient
Vcs-Svn: svn://svn.debian.org/svn/pkg-java/trunk/commons-httpclient
Build-Depends: debhelper (>= 7), cdbs
Build-Depends-Indep: maven-repo-helper, ant, default-jdk, libcommons-codec-java, libcommons-logging-java, junit
Package-List:
 libcommons-httpclient-java deb java optional arch=all
 libcommons-httpclient-java-doc deb doc optional arch=all
Checksums-Sha1:
 5c604f102e0716597b3d2659ac3e77f80a02f22d 1882664 commons-httpclient_3.1.orig.tar.gz
 15202a3ff56c0f5336ce35ba95f6b07d293d89ad 12444 commons-httpclient_3.1-11.debian.tar.xz
Checksums-Sha256:
 f9a496d3418b0e15894fb351652cd4fa5ca434ebfc3ce3bb8da40defd8b097f2 1882664 commons-httpclient_3.1.orig.tar.gz
 51feecd75226900f90e52eaa2b3660579b0e734740ef07cffb8f1a6c3db9aaeb 12444 commons-httpclient_3.1-11.debian.tar.xz
Files:
 2c9b0f83ed5890af02c0df1c1776f39b 1882664 commons-httpclient_3.1.orig.tar.gz
 18ce71adc3c0c83fa1555d8eb426b3f3 12444 commons-httpclient_3.1-11.debian.tar.xz

Changes:
commons-httpclient (3.1-11) unstable; urgency=high

  * Team upload.
  * Add CVE-2014-3577.patch. (Closes: #758086)
    It was found that the fix for CVE-2012-6153 was incomplete: the code added
    to check that the server hostname matches the domain name in a subject's
    Common Name (CN) field in X.509 certificates was flawed. A
    man-in-the-middle attacker could use this flaw to spoof an SSL server using
    a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
    intended to address the incomplete patch for CVE-2012-5783. The issue is
    now completely resolved by applying this patch and the
    06_fix_CVE-2012-5783.patch.
  * Change java.source and java.target ant properties to 1.5, otherwise
    commons-httpclient will not compile with this patch.

 -- Markus Koschany <[email protected]>  Mon, 23 Mar 2015 22:57:54 +0100