Format: 1.8
Date: Wed, 15 Apr 2015 22:18:19 +0200
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-9+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@gambaru.de>
Description:
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Changes:
 commons-httpclient (3.1-9+deb6u1) squeeze-lts; urgency=medium
 .
   * Team upload.
   * Add 06_fix_CVE-2012-5783.patch and fix CVE-2012-5783 and CVE-2012-6153.
     Apache Commons HttpClient 3.1 did not verify that the server hostname
     matches a domain name in the subject's Common Name (CN) or subjectAltName
     field of the X.509 certificate, which allows man-in-the-middle attackers to
     spoof SSL servers via an arbitrary valid certificate.
     Thanks to Alberto Fernández Martínez for the patch.
   * Add CVE-2014-3577.patch. It was found that the fix for CVE-2012-6153 was
     incomplete: the code added to check that the server hostname matches the
     domain name in a subject's Common Name (CN) field in X.509 certificates was
     flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL
     server using a specially crafted X.509 certificate. The fix for
     CVE-2012-6153 was intended to address the incomplete patch for
     CVE-2012-5783. The issue is now completely resolved by applying this patch
     and the 06_fix_CVE-2012-5783.patch.
   * Change java.source and java.target ant properties to 1.5, otherwise
     commons-httpclient will not compile with this patch.