Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2014/08/27 12:04:58 UTC

[jira] [Resolved] (HTTPCLIENT-1549) CVE-2014-3577 patch may not be RFC-compliant

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1549?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-1549.
-------------------------------------------

       Resolution: Fixed
    Fix Version/s: 4.4 Alpha2

Already fixed in SVN trunk

http://svn.apache.org/viewvc?view=revision&revision=1618698
http://svn.apache.org/viewvc?view=revision&revision=1618867

Please note the redesign / rewrite of the hostname verification APIs / code is still ongoing, so things may still change drastically before 4.4 GA release.

Oleg

> CVE-2014-3577 patch may not be RFC-compliant
> --------------------------------------------
>
>                 Key: HTTPCLIENT-1549
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1549
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.5
>            Reporter: David Jorm
>            Priority: Minor
>             Fix For: 4.4 Alpha2
>
>
> The fix for CVE-2014-3577 may not be RFC-compliant:
> http://svn.apache.org/viewvc?view=revision&revision=1614065
> RFC 2818 says that "the (most specific) Common Name field in the Subject field of the certificate MUST be used". I'm not sure if the most specific is the rightmost or the leftmost, but I don't believe it should pick multiple CN values from the certificate subject. Please let me know if this analysis is accurate.
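
Added example, not code from HttpClient or from either poster: it parses a subject DN into RDNs, takes the single most specific CN, and matches it against a host name in the RFC 2818 style. It assumes that "most specific" means the leftmost RDN of the RFC 4514 string form (the leaf of the name), which javax.naming.ldap.LdapName stores at the highest index because its index 0 is the rightmost RDN. The class name, method names and sample subjects are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example, not HttpClient's own code: parse a subject DN as RDNs,
 * take the single most specific CN, and match it against a host name.
 *
 * Assumption: "most specific" is the leftmost RDN in the RFC 4514 string
 * form (the leaf of the name). LdapName stores that RDN at the highest
 * index, because its index 0 is the rightmost RDN.
 */
public final class MostSpecificCn {

    private MostSpecificCn() {
    }

    /** Every CN value found in the subject, most specific first. */
    static List<String> allCns(String subjectDn) throws NamingException {
        List<Rdn> rdns = new LdapName(subjectDn).getRdns();
        List<String> cns = new ArrayList<>();
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // Only a real CN attribute counts; "CN=" text inside the value of
            // another attribute (the CVE-2014-3577 pattern) is just data here.
            Attribute cn = rdns.get(i).toAttributes().get("cn");
            if (cn == null) {
                continue;
            }
            for (int j = 0; j < cn.size(); j++) {
                Object value = cn.get(j);
                if (value != null) {
                    cns.add(value.toString());
                }
            }
        }
        return cns;
    }

    /** The one CN a verifier should use, or null if the subject has none. */
    static String mostSpecificCn(String subjectDn) throws NamingException {
        List<String> cns = allCns(subjectDn);
        return cns.isEmpty() ? null : cns.get(0);
    }

    /**
     * RFC 2818 style match: case-insensitive exact match, or a wildcard in the
     * leftmost label only, matching exactly one label ("*.a.com" matches
     * "foo.a.com", not "bar.foo.a.com" and not "a.com").
     */
    static boolean matches(String host, String cn) {
        if (host == null || cn == null) {
            return false;
        }
        String h = host.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return h.equals(c);
        }
        String suffix = c.substring(1); // ".a.com"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String firstLabel = h.substring(0, h.length() - suffix.length());
        return !firstLabel.isEmpty() && firstLabel.indexOf('.') < 0;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subjects for illustration; none come from a real certificate.
        String[] subjects = {
            "CN=www.example.com,O=Example Corp,C=US",
            "CN=api.example.com,CN=example.com,O=Example Corp,C=US",
            "CN=evil.example.net,O=Evil\\,CN=www.example.com,C=US",
            "O=No Common Name,C=US",
        };
        String host = "www.example.com";
        for (String subject : subjects) {
            String cn = mostSpecificCn(subject);
            System.out.printf("%-58s all=%s chosen=%s matches %s: %b%n",
                    subject, allCns(subject), cn, host, matches(host, cn));
        }
    }
}
```

Run it with javac/java; the third subject shows why proper RDN parsing matters: the escaped comma keeps "CN=www.example.com" inside the O value, so the only CN is evil.example.net and the host does not match, whereas a substring search over the DN string would have found the spoofed name. The second subject shows two genuine CNs, of which only the leftmost (api.example.com) is used.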


