Posted to commits@maven.apache.org by rf...@apache.org on 2017/08/09 19:27:47 UTC
svn commit: r1804602 - /maven/site/trunk/content/markdown/security.md
Author: rfscholte
Date: Wed Aug 9 19:27:46 2017
New Revision: 1804602
URL: http://svn.apache.org/viewvc?rev=1804602&view=rev
Log:
CVE-2012-6153
Modified:
maven/site/trunk/content/markdown/security.md
Modified: maven/site/trunk/content/markdown/security.md
URL: http://svn.apache.org/viewvc/maven/site/trunk/content/markdown/security.md?rev=1804602&r1=1804601&r2=1804602&view=diff
==============================================================================
--- maven/site/trunk/content/markdown/security.md (original)
+++ maven/site/trunk/content/markdown/security.md Wed Aug 9 19:27:46 2017
@@ -32,3 +32,24 @@ All users are recommended to upgrade to
Credit: This issue was identified by Graham Leggett
+### CVE-2012-6153
+
+Severity: Medium
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Apache Maven Wagon WebDAV Provider 2.12 and earlier
+
+Description: http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient
+before 4.2.3 does not properly verify that the server hostname matches a
+domain name in the subject's Common Name (CN) or subjectAltName field of the
+X.509 certificate, which allows man-in-the-middle attackers to spoof SSL
+servers via a certificate with a subject that specifies a common name in a
+field that is not the CN field.
+
+[CVE-2012-6153](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153)
+
+Users of this provider are recommended to upgrade to [Apache Maven Wagon ::
+WebDAV Provider 3.0.0](./download.cgi)
\ No newline at end of file
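Review bot: The new CVE-2012-6153 entry names "Apache Maven Wagon WebDAV Provider 2.12 and earlier" under Versions Affected, but the Description only covers http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 and never says how the provider is exposed to that code. Add a sentence to the Description stating the relationship between the provider and the affected HttpClient, so readers can see why upgrading to WebDAV Provider 3.0.0 resolves the hostname verification issue. Two smaller points: the entry has no Credit line, unlike the entry above it ("Credit: This issue was identified by Graham Leggett"), and the file now ends without a trailing newline, which is worth adding so the next appended entry diffs cleanly.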