Security Advisory Moderate: jakarta-commons-httpclient security update

Advisory: RHSA-2013:0680-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-03-25
Last updated on: 2013-03-25
Affected Products: JBoss Enterprise Application Platform 5 EL4
JBoss Enterprise Application Platform 5 EL5
JBoss Enterprise Application Platform 5 EL6
CVEs (cve.mitre.org): CVE-2012-5783

Details

An updated jakarta-commons-httpclient package for JBoss Enterprise
Application Platform 5.2.0, which fixes one security issue, is now available
for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The Jakarta Commons HttpClient component can be used to build HTTP-aware
client applications (such as web browsers and web service clients).

The Jakarta Commons HttpClient component did not verify that the server
hostname matched the domain name in the subject's Common Name (CN) or
subjectAltName field in X.509 certificates. This could allow a
man-in-the-middle attacker to spoof an SSL server if they had a certificate
that was valid for any domain name. (CVE-2012-5783)
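As an added example (not Red Hat's code and not the Jakarta Commons HttpClient code), the following Python models the check the advisory says was missing: with the hostname check skipped, any certificate that chains to a trusted CA is accepted whatever name it carries; with it applied, the server hostname must match a subjectAltName dNSName entry (or the subject CN only when no dNSName is present), using the RFC 2818 wildcard rules. The certificate dictionaries and their `trusted` flag are constructed stand-ins for a parsed, chain-validated X.509 certificate.

```python
"""Hostname-vs-certificate check of the kind CVE-2012-5783 describes as absent.
Added example; certificate fields below are constructed sample values."""
import re
from typing import List, Optional


def hostname_matches(hostname: str, cn: Optional[str], san_dns: List[str]) -> bool:
    """True if hostname is covered by the certificate's names (RFC 2818 rules).

    If any subjectAltName dNSName is present, the CN is ignored entirely.
    A wildcard is honoured only as the whole leftmost label and never for
    a name with fewer than three labels, so '*.com' matches nothing."""
    host = hostname.rstrip(".").lower()
    names = [n.lower() for n in san_dns] if san_dns else ([cn.lower()] if cn else [])
    for name in names:
        if not re.fullmatch(r"[a-z0-9*.-]+", name):
            continue                       # ignore names with unexpected characters
        if "*" not in name:
            if name == host:
                return True
            continue
        p_labels, h_labels = name.split("."), host.split(".")
        if name.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
            continue                       # wildcard must be the entire leftmost label
        if len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]:
            return True                    # '*' stands for exactly one label
    return False


def verify_server(hostname: str, cert: dict, check_hostname: bool = True) -> bool:
    """Accept or reject a server certificate for the host we dialled.

    cert["trusted"] stands in for a successful chain validation; the flawed
    behaviour stopped there, so any valid certificate was accepted."""
    if not cert["trusted"]:
        return False
    if not check_hostname:
        return True                        # the CVE-2012-5783 behaviour
    return hostname_matches(hostname, cert.get("cn"), cert.get("san_dns", []))


# Constructed sample certificates: one issued for the host we want to reach,
# one valid (chain-trusted) but issued for an unrelated domain.
TARGET_CERT = {"trusted": True, "cn": "bank.example.com",
               "san_dns": ["bank.example.com", "www.bank.example.com"]}
OTHER_VALID_CERT = {"trusted": True, "cn": "other.example.org",
                    "san_dns": ["other.example.org"]}
```

Running `verify_server("bank.example.com", OTHER_VALID_CERT, check_hostname=False)` returns True, which is the accepted-any-valid-certificate behaviour the advisory describes; with the check enabled the same call returns False.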

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all applications
and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated
package. The JBoss server process must be restarted for the update to take
effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Application Platform 5 EL4

SRPMS:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.src.rpm     MD5: b96bdead7fbcaa0ad14c99699120f225
SHA-256: b7507f1da33d08cf5bb9e29ccd1788d624c1d09861bf8741d786c75ce8529392
 
IA-32:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.noarch.rpm     MD5: 7e242db13dd4e60e2b25447bb35d9979
SHA-256: ae423b8bc65c724a23853b2e1ce58d8bcfc9640b92c229fae20e047199161a02
 
x86_64:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el4.noarch.rpm     MD5: 7e242db13dd4e60e2b25447bb35d9979
SHA-256: ae423b8bc65c724a23853b2e1ce58d8bcfc9640b92c229fae20e047199161a02
 
JBoss Enterprise Application Platform 5 EL5

SRPMS:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5.src.rpm     MD5: 317eebff6785e39300d58b97353367e1
SHA-256: 0d51ca57a23e5e18491708d5b55b103584c508c4b5ba48d8dde7d48591cae882
 
IA-32:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5.noarch.rpm     MD5: dd033f69a56c7a37e6baff5d8089345e
SHA-256: c0fe0524445bdd35ddb1467c109874a2807b248ea6a1f9fcc9fa472307315c79
 
x86_64:
jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5.noarch.rpm     MD5: dd033f69a56c7a37e6baff5d8089345e
SHA-256: c0fe0524445bdd35ddb1467c109874a2807b248ea6a1f9fcc9fa472307315c79
 
JBoss Enterprise Application Platform 5 EL6

SRPMS:
jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6.src.rpm     MD5: 4499111bb7778f2d10fb0ed578c91ecd
SHA-256: ff4b047b6fc5fbfc0825371f354e0d5fa01c50a7bdbeefb23cb9273b6ec33c9f
 
IA-32:
jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6.noarch.rpm     MD5: dee3ba95e74cecac1e8680b68b3fae59
SHA-256: 91303f586a1dbb4621e649d79b63dbc877c9063b275426b2000b227d49fc009a
 
x86_64:
jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6.noarch.rpm     MD5: dee3ba95e74cecac1e8680b68b3fae59
SHA-256: 91303f586a1dbb4621e649d79b63dbc877c9063b275426b2000b227d49fc009a
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/