PublicDateAtUSN: 2012-11-04
Candidate: CVE-2012-5783
PublicDate: 2012-11-04 22:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783
 http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
 https://ubuntu.com/security/notices/USN-2769-1
Description:
 Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service
 (FPS) merchant Java SDK and other products, does not verify that the server
 hostname matches a domain name in the subject's Common Name (CN) or
 subjectAltName field of the X.509 certificate, which allows man-in-the-middle
 attackers to spoof SSL servers via an arbitrary valid certificate.
Ubuntu-Description:
Notes:
 seth-arnold> Apache Commons HttpClient has been replaced by HttpComponents
 mdeslaur> debian released 3.1-10.1 with a possible regression
 mdeslaur> fix was incomplete, see CVE-2012-6153 and CVE-2014-3577
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442
 https://issues.apache.org/jira/browse/HTTPCLIENT-1265
 https://issues.apache.org/jira/browse/httpclient-613
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_httpcomponents-client:
 upstream: http://svn.apache.org/viewvc?view=revision&revision=483925
upstream_httpcomponents-client: needs-triage
precise_httpcomponents-client: not-affected (4.1.1-1)
trusty_httpcomponents-client: not-affected (4.3.3-1)
trusty/esm_httpcomponents-client: not-affected (4.3.3-1)
vivid_httpcomponents-client: not-affected (4.3.5-2)
devel_httpcomponents-client: not-affected (4.4.1-1)

Patches_commons-httpclient:
 vendor: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442
upstream_commons-httpclient: released (3.1-10.2)
hardy_commons-httpclient: ignored (reached end-of-life)
lucid_commons-httpclient: ignored (reached end-of-life)
oneiric_commons-httpclient: ignored (reached end-of-life)
precise_commons-httpclient: released (3.1-10ubuntu0.1)
quantal_commons-httpclient: ignored (reached end-of-life)
raring_commons-httpclient: not-affected (3.1-10.2)
saucy_commons-httpclient: not-affected (3.1-10.2)
trusty_commons-httpclient: not-affected (3.1-10.2)
trusty/esm_commons-httpclient: not-affected (3.1-10.2)
utopic_commons-httpclient: not-affected (3.1-10.2)
vivid_commons-httpclient: not-affected (3.1-10.2)
devel_commons-httpclient: not-affected (3.1-10.2)