On 02/12/2013 06:23 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,
Originally, Common Vulnerabilities and Exposures assigned an
identifier CVE-2012-5783 to the following vulnerability:
Apache Commons HttpClient 3.x, as used in Amazon Flexible
Payments Service (FPS) merchant Java SDK and other products, does
not verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows man-in-the-middle attackers to spoof
SSL servers via an arbitrary valid certificate.
Later it was found that the SSL hostname verifier implementation
(CVE-2012-5783 fix) contained a bug in wildcard matching,
which still allowed certain types of certificate checks to pass,
even if they shouldn't.
Relevant upstream patches: 
(against 4.2.x branch) 
Could you allocate a CVE id for this?
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team
Please use CVE-2012-6127 for this issue.
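The two checks the thread touches on, picking the right certificate name (subjectAltName before CN, the CVE-2012-5783 part) and strict wildcard matching (the CVE-2012-6127 part), as an added Python example; it is not code from the thread or from Apache HttpClient, the rules follow RFC 6125 section 6.4.3, and all sample names are constructed.

```python
import ipaddress


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.Example.COM.' compares cleanly."""
    return name.strip().lower().rstrip(".")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS-ID (CN or SAN dNSName) covers hostname.

    Wildcard rules: '*' is honoured only as the whole left-most label, it
    matches exactly one label (never across dots), and at least two labels
    must follow it, so '*', '*.com' and 'f*.example.com' never match.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname            # exact match, no wildcard involved
    if _is_ip_literal(hostname):
        return False                          # wildcards never cover IP literals
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any(l == "" or "*" in l for l in p_labels[1:])):
        return False                          # malformed or over-broad wildcard
    # '*' consumes exactly one label; the rest must match label for label.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def verify_hostname(hostname: str, subject_cn, san_dns_names=()) -> bool:
    """If the certificate carries SAN dNSNames, only those count; the CN is
    consulted solely as a fallback when no SAN dNSName is present."""
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [subject_cn] if subject_cn else []
    return any(dns_id_matches(c, hostname) for c in candidates)
```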