Debian Package Tracker - async-http-client

A new upstream version is available: project-2.1.0-alpha24

high

A new upstream version project-2.1.0-alpha24 is available, you should consider packaging it.

Created: 2017-08-12 Last update: 2017-09-22 13:22

1 security issue in sid

high

There is 1 open security issue in sid.

1 important issue:

CVE-2017-14063: Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

Please fix it.

Created: 2017-08-31 Last update: 2017-09-15 07:23

2 security issues in wheezy

high

There are 2 open security issues in wheezy.

1 important issue:

CVE-2017-14063: Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

1 issue skipped by the security teams:

CVE-2013-7397: Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates.

Please fix them.

Created: 2015-07-12 Last update: 2017-09-15 07:23

1 security issue in buster

high

There is 1 open security issue in buster.

1 important issue:

CVE-2017-14063: Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

Please fix it.

Created: 2017-08-31 Last update: 2017-09-15 07:23

1 security issue in jessie

high

There is 1 open security issue in jessie.

1 important issue:

CVE-2017-14063: Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

Please fix it.

Created: 2017-08-31 Last update: 2017-09-15 07:23

1 security issue in stretch

high

There is 1 open security issue in stretch.

1 important issue:

CVE-2017-14063: Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.

Please fix it.

Created: 2017-08-31 Last update: 2017-09-15 07:23

Does not build reproducibly during testing

normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2016-04-06 Last update: 2017-09-22 13:29

lintian reports 1 warning

normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2016-09-13 Last update: 2016-09-13 06:45