Vulnerabilities > CVE-2012-5783 - Improper Certificate Validation vulnerability in multiple products
CVSS v2 base metrics (vector AV:N/AC:M/Au:N/C:P/I:P/A:N)

Metric | Value
---|---
Attack vector | NETWORK
Attack complexity | MEDIUM
Privileges required | NONE
Confidentiality impact | PARTIAL
Integrity impact | PARTIAL
Availability impact | NONE

Summary
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
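The check that HttpClient 3.x skipped, written out as an added example (this is not HttpClient code and not code from any advisory on this page). It runs in Python over constructed certificate identity data rather than real certificates; `CertIdentity`, `hostname_matches`, `vulnerable_accepts` and `verdicts` are names chosen for this illustration. A certificate that chains to a trusted CA proves only that some name was vouched for, so the client must still compare that name with the host it meant to reach: the requested hostname is matched against subjectAltName dNSName entries, the subject CN is consulted only when the certificate carries no dNSName entry at all, a wildcard is honoured only as the whole leftmost label, and an IP literal is matched only against iPAddress entries. `vulnerable_accepts` models the 3.x behaviour of accepting any certificate that chains to a trusted CA, whatever name it was issued for.

```python
"""Server name check of the kind HttpClient 3.x omitted (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Name fields pulled from an X.509 certificate. Constructed for this example; a real
    client would read them from the peer certificate after the TLS handshake."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A wildcard is honoured only when it is the entire
    leftmost label and at least two labels follow it, so '*.bank.example' matches
    'api.bank.example' but not 'bank.example', 'a.b.bank.example' or '*.example'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels or len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(ident: CertIdentity, hostname: str) -> bool:
    """The comparison CVE-2012-5783 is about: does the certificate name the host we connected to?

    - An IP literal is matched only against iPAddress SAN entries, never against the CN.
    - A DNS name is matched against dNSName SAN entries; the subject CN is used only when
      the certificate carries no dNSName entry at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(entry) == ip for entry in ident.san_ip)
    if ident.san_dns:
        return any(_dns_name_match(p, hostname) for p in ident.san_dns)
    return ident.subject_cn is not None and _dns_name_match(ident.subject_cn, hostname)


def vulnerable_accepts(ident: CertIdentity, hostname: str) -> bool:
    """Models unpatched HttpClient 3.x: once the chain validated, the name is never compared,
    so a certificate issued to an attacker-controlled host is accepted for any server."""
    return True


# Constructed identities for the demonstration, not real certificates.
ATTACKER = CertIdentity(subject_cn="attacker.example.net", san_dns=["attacker.example.net"])
BANK = CertIdentity(subject_cn="www.bank.example", san_dns=["www.bank.example", "bank.example"])
WILDCARD = CertIdentity(subject_cn="*.bank.example", san_dns=["*.bank.example"])
CN_ONLY = CertIdentity(subject_cn="legacy.bank.example")
SAN_OVERRIDES_CN = CertIdentity(subject_cn="www.bank.example", san_dns=["cdn.example"])


def verdicts(hostname: str = "www.bank.example") -> dict:
    """(patched, unpatched) verdict for each constructed identity against one hostname."""
    cases = {"attacker": ATTACKER, "bank": BANK, "wildcard": WILDCARD,
             "cn_only": CN_ONLY, "san_overrides_cn": SAN_OVERRIDES_CN}
    return {name: (hostname_matches(c, hostname), vulnerable_accepts(c, hostname))
            for name, c in cases.items()}


if __name__ == "__main__":
    for name, (patched, unpatched) in verdicts().items():
        print(f"{name:18s} patched={patched!s:5s} httpclient3={unpatched}")
```

Run directly, it prints both verdicts for each identity against `www.bank.example`: only the certificates actually issued for that name pass the check, while the unpatched model accepts all of them, including the attacker's. The openSUSE entries further down record that the first fix checked only the CN and was then extended to subjectAltName; the order used here, SAN first and the CN ignored whenever a dNSName is present, is the one to keep, because a certificate issued for its SAN names may carry an unrelated CN.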
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 1
OS | | 3
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate: An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different but valid X.509 certificates that, when hashed with MD5, yield the same value. The attacker then sends the CSR for one of the certificates to a Certification Authority that uses MD5. That request is completely valid, and the Certification Authority issues an X.509 certificate to the attacker, signed with its private key. The attacker then takes that signed blob and inserts it into the other X.509 certificate the attacker generated. Because of the MD5 collision, both certificates, though different, hash to the same value, so the signed blob works just as well in the second certificate. The net effect is that the attacker's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate need not be a regular end-entity certificate but can itself be a signing (CA) certificate. The attacker is thus able to run their own Certification Authority whose root of trust is anchored in the legitimate Certification Authority that signed the attacker's first X.509 certificate. If the original Certification Authority is accepted by default by browsers, so is the Certification Authority set up by the attacker, and so is any certificate it signs. The attacker can now generate SSL certificates to impersonate any web server, and the victim's browser will not issue a warning. This can be used to compromise HTTPS communications and other systems where PKI and X.509 certificates are used (e.g., VPN, IPsec). Note that against HttpClient 3.x as described in the summary above, none of this effort is needed: because the hostname is never compared with the certificate, any certificate issued by a trusted CA for any name suffices for the man-in-the-middle attack.
Nessus

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0680.NASL
title: RHEL 5 / 6 : jakarta-commons-httpclient (RHSA-2013:0680)
plugin id: 65677 | published: 2013-03-26 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/65677
description: An updated jakarta-commons-httpclient package for JBoss Enterprise Application Platform 5.2.0 which fixes one security issue is now available for Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients). The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject
code:

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:0680. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(65677);
  script_version("1.16");
  script_cvs_date("Date: 2019/10/24 15:35:36");

  script_cve_id("CVE-2012-5783");
  script_bugtraq_id(58073);
  script_xref(name:"RHSA", value:"2013:0680");

  script_name(english:"RHEL 5 / 6 : jakarta-commons-httpclient (RHSA-2013:0680)");
  script_summary(english:"Checks the rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"An updated jakarta-commons-httpclient package for JBoss Enterprise
Application Platform 5.2.0 which fixes one security issue is now
available for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from
the CVE link in the References section.

The Jakarta Commons HttpClient component can be used to build
HTTP-aware client applications (such as web browsers and web service
clients).

The Jakarta Commons HttpClient component did not verify that the
server hostname matched the domain name in the subject's Common Name
(CN) or subjectAltName field in X.509 certificates. This could allow a
man-in-the-middle attacker to spoof an SSL server if they had a
certificate that was valid for any domain name. (CVE-2012-5783)

Warning: Before applying this update, back up your existing JBoss
Enterprise Application Platform installation (including all
applications and configuration files).

All users of JBoss Enterprise Application Platform 5.2.0 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to this updated
package. The JBoss server process must be restarted for the update to
take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2013:0680"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-5783"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected jakarta-commons-httpclient package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/03/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/26");

  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Local checks need SSH access and a package list from the target.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^(5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x / 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

# Prefer the yum updateinfo view when the target exposes it; otherwise
# fall back to comparing installed RPM versions against the fixed builds.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2013:0680";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_exists(rpm:"jakarta-commons-httpclient-3.1-2", release:"RHEL5") && rpm_check(release:"RHEL5", reference:"jakarta-commons-httpclient-3.1-2.1_patch_01.ep5.el5")) flag++;
  if (rpm_exists(rpm:"jakarta-commons-httpclient-3.1-2", release:"RHEL6") && rpm_check(release:"RHEL6", reference:"jakarta-commons-httpclient-3.1-2_patch_01.ep5.el6")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jakarta-commons-httpclient");
  }
}
```

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2013-304.NASL
title: openSUSE Security Update : jakarta-commons-httpclient (openSUSE-SU-2013:0622-1)
plugin id: 74960 | published: 2014-06-13 | modified: 2014-06-13 | last seen: 2020-06-05
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/74960
description: jakarta-commons-httpclient was updated to enhance the fix of bnc#803332 / CVE-2012-5783: also check for subjectAltNames in the certificate.

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2013-169.NASL
title: Amazon Linux AMI : jakarta-commons-httpclient (ALAS-2013-169)
plugin id: 69728 | published: 2013-09-04 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/69728
description: The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject

NASL family: SuSE Local Security Checks
NASL id: SUSE_11_JAKARTA-COMMONS-HTTPCLIENT3-130328.NASL
title: SuSE 11.2 Security Update : jakarta (SAT Patch Number 7574)
plugin id: 65795 | published: 2013-04-04 | modified: 2013-04-04 | last seen: 2020-06-05
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/65795
description: The following issue has been fixed: SSL certificate hostname verification was not done and is fixed by this update. (CVE-2012-5783)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-2769-1.NASL
title: Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : commons-httpclient vulnerabilities (USN-2769-1)
plugin id: 86401 | published: 2015-10-15 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/86401
description: It was discovered that Apache Commons HttpClient did not properly verify the Common Name or subjectAltName fields of X.509 certificates. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-5783) Florian Weimer discovered the fix for CVE-2012-5783 was incomplete for Apache Commons HttpClient. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-6153) Subodh Iyengar and Will Shackleton discovered the fix for CVE-2012-5783 was incomplete for Apache Commons HttpClient. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2014-3577) It was discovered that Apache Commons HttpClient did not properly handle read timeouts during HTTPS handshakes. A remote attacker could trigger this flaw to cause a denial of service. (CVE-2015-5262) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-222.NASL
title: Debian DLA-222-1 : commons-httpclient security update
plugin id: 83545 | published: 2015-05-20 | modified: 2015-05-20 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/83545
description: CVE-2012-5783 and CVE-2012-6153 Apache Commons HttpClient 3.1 did not verify that the server hostname matches a domain name in the subject

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2014-1320.NASL
title: RHEL 4 / 5 / 6 : JBoss EWP (RHSA-2014:1320)
plugin id: 78007 | published: 2014-10-01 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78007
description: Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject

NASL family: Scientific Linux Local Security Checks
NASL id: SL_20130219_JAKARTA_COMMONS_HTTPCLIENT_ON_SL5_X.NASL
title: Scientific Linux Security Update : jakarta-commons-httpclient on SL5.x, SL6.x i386/x86_64 (20130219)
plugin id: 64778 | published: 2013-02-21 | modified: 2013-02-21 | last seen: 2020-03-18
reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/64778
description: The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2013-1289.NASL
title: Fedora 16 : jakarta-commons-httpclient-3.1-12.fc16 (2013-1289)
plugin id: 64409 | published: 2013-02-04 | modified: 2013-02-04 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/64409
description: This update fixes a security vulnerability that caused jakarta-commons-httpclient not to verify that the server hostname matches a domain name in the subject

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2014-1321.NASL
title: RHEL 4 / 5 / 6 : JBoss EAP (RHSA-2014:1321)
plugin id: 78008 | published: 2014-10-01 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/78008
description: Updated packages for Red Hat JBoss Enterprise Application Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2014-0224.NASL
title: RHEL 6 : redhat-support-plugin-rhev (RHSA-2014:0224)
plugin id: 78999 | published: 2014-11-08 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/78999
description: An updated redhat-support-plugin-rhev package that fixes one security issue is now available. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Red Hat Support plug-in for Red Hat Enterprise Virtualization is a new feature which offers seamless integrated access to Red Hat Access services from the Red Hat Enterprise Virtualization Administration Portal. The plug-in provides automated functionality that enables quicker help, answers, and proactive services. It offers easy and instant access to Red Hat exclusive knowledge, resources, engagement, and diagnostic features. Detailed information about this plug-in can be found in the Red Hat Customer Portal at https://access.redhat.com/site/articles/425603 The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject

NASL family: Amazon Linux Local Security Checks
NASL id: ALA_ALAS-2014-410.NASL
title: Amazon Linux AMI : jakarta-commons-httpclient (ALAS-2014-410)
plugin id: 78353 | published: 2014-10-12 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/78353
description: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2014-9581.NASL
title: Fedora 20 : jakarta-commons-httpclient-3.1-15.fc20 (2014-9581)
plugin id: 77399 | published: 2014-08-27 | modified: 2014-08-27 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77399
description: Security fix for CVE-2014-3577, CVE-2012-6153. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2013-0270.NASL
title: CentOS 5 : jakarta-commons-httpclient (CESA-2013:0270)
plugin id: 64691 | published: 2013-02-20 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/64691
description: Updated jakarta-commons-httpclient packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients). The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2013-161.NASL
title: openSUSE Security Update : jakarta-commons-httpclient3 (openSUSE-SU-2013:0354-1)
plugin id: 74904 | published: 2014-06-13 | modified: 2014-06-13 | last seen: 2020-06-05
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/74904
description: jakarta-commons-httpclient3 was updated to add SSL certificate hostname checking. (CVE-2012-5783)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2013-1203.NASL
title: Fedora 18 : jakarta-commons-httpclient-3.1-12.fc18 (2013-1203)
plugin id: 64404 | published: 2013-02-04 | modified: 2013-02-04 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/64404
description: This update fixes a security vulnerability that caused jakarta-commons-httpclient not to verify that the server hostname matches a domain name in the subject

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2013-1189.NASL
title: Fedora 17 : jakarta-commons-httpclient-3.1-12.fc17 (2013-1189)
plugin id: 64402 | published: 2013-02-04 | modified: 2013-02-04 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/64402
description: This update fixes a security vulnerability that caused jakarta-commons-httpclient not to verify that the server hostname matches a domain name in the subject

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2014-1162.NASL
title: RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:1162)
plugin id: 77561 | published: 2014-09-08 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77561
description: Updated Red Hat JBoss Enterprise Application Platform 6.3.0 packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0270.NASL
title: RHEL 5 / 6 : jakarta-commons-httpclient (RHSA-2013:0270)
plugin id: 64695 | published: 2013-02-20 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/64695
description: Updated jakarta-commons-httpclient packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients). The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject

NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2013-0270.NASL
title: Oracle Linux 5 / 6 : jakarta-commons-httpclient (ELSA-2013-0270)
plugin id: 68731 | published: 2013-07-12 | modified: 2020-06-02 | last seen: 2020-06-01
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/68731
description: From Red Hat Security Advisory 2013:0270: Updated jakarta-commons-httpclient packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta Commons HttpClient component can be used to build HTTP-aware client applications (such as web browsers and web service clients). The Jakarta Commons HttpClient component did not verify that the server hostname matched the domain name in the subject

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2014-9539.NASL
title: Fedora 19 : jakarta-commons-httpclient-3.1-15.fc19 (2014-9539)
plugin id: 77396 | published: 2014-08-27 | modified: 2014-08-27 | last seen: 2020-03-17
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/77396
description: Security fix for CVE-2014-3577, CVE-2012-6153. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2013-305.NASL
title: openSUSE Security Update : jakarta-commons-httpclient3 (openSUSE-SU-2013:0623-1)
plugin id: 74961 | published: 2014-06-13 | modified: 2014-06-13 | last seen: 2020-06-05
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/74961
description: jakarta-commons-httpclient3 was updated to enhance the fix of bnc#803332 / CVE-2012-5783: also add a check for subjectAltNames in certificates.
References
- http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
- http://rhn.redhat.com/errata/RHSA-2013-0270.html
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html
- http://rhn.redhat.com/errata/RHSA-2013-0681.html
- http://rhn.redhat.com/errata/RHSA-2013-0679.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html
- http://rhn.redhat.com/errata/RHSA-2013-0680.html
- http://rhn.redhat.com/errata/RHSA-2013-0682.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html
- http://rhn.redhat.com/errata/RHSA-2013-1147.html
- http://rhn.redhat.com/errata/RHSA-2013-1853.html
- http://rhn.redhat.com/errata/RHSA-2014-0224.html
- http://www.ubuntu.com/usn/USN-2769-1
- http://www.securityfocus.com/bid/58073
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79984
- https://issues.apache.org/jira/browse/HTTPCLIENT-1265
- https://access.redhat.com/errata/RHSA-2017:0868