Overview

File _patchinfo of Package patchinfo.16970

<patchinfo incident="16970">
  <issue tracker="bnc" id="1178171">VUL-0: CVE-2014-3577: apache-commons-httpclient:MITM security vulnerability</issue>
  <issue tracker="bnc" id="945190">VUL-0: CVE-2015-5262: apache-commons-httpclient, httpcomponents-core: missing HTTPS connection timeout</issue>
  <issue tracker="cve" id="2014-3577"/>
  <issue tracker="cve" id="2015-5262"/>
  <packager>pmonrealgonzalez</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for apache-commons-httpclient</summary>
  <description>This update for apache-commons-httpclient fixes the following issues:

- http/conn/ssl/SSLConnectionSocketFactory.java ignores the
  http.socket.timeout configuration setting during an SSL handshake,
  which allows remote attackers to cause a denial of service (HTTPS
  call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]
- org.apache.http.conn.ssl.AbstractVerifier does not properly
  verify that the server hostname matches a domain name in the
  subject's Common Name (CN) or subjectAltName field of the X.509
  certificate, which allows MITM attackers to spoof SSL servers
  via a "CN=" string in a field in the distinguished name (DN)
  of a certificate. [bsc#1178171, CVE-2014-3577]
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places