CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 12 Feb 2013 08:23:08 -0500 (EST)

Hello Kurt, Steve, vendors,

Originally, Common Vulnerabilities and Exposures
assigned an identifier CVE-2012-5783 to the following

Apache Commons HttpClient 3.x, as used in Amazon Flexible
Payments Service (FPS) merchant Java SDK and other products,
does not verify that the server hostname matches a domain
name in the subject's Common Name (CN) or subjectAltName field
of the X.509 certificate, which allows man-in-the-middle
attackers to spoof SSL servers via an arbitrary valid certificate.

Later it was found that the SSL hostname verifier implementation
(CVE-2012-5783 fix) contained a bug in wildcard matching:
which still allowed certain types of certificate checks to pass,
even if they shouldn't.

Relevant upstream patches:
(against 4.2.x branch)

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team