- Vulnerability/
- RHSA-2014:1166
RHSA-2014:1166: Important: jakarta-commons-httpclient security update
First published: Mon Sep 08 2014(Updated: )
Jakarta Commons HTTPClient implements the client side of HTTP standards.<br>It was discovered that the HTTPClient incorrectly extracted host name from<br>an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle<br>attacker could use this flaw to spoof an SSL server using a specially<br>crafted X.509 certificate. (CVE-2014-3577)<br>For additional information on this flaw, refer to the Knowledgebase<br>article in the References section.<br>All jakarta-commons-httpclient users are advised to upgrade to these<br>updated packages, which contain a backported patch to correct this issue.<br>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jakarta-commons-httpclient | <3.1-16.el7_0 | 3.1-16.el7_0 |
| redhat/jakarta-commons-httpclient | <3.1-16.el7_0 | 3.1-16.el7_0 |
| redhat/jakarta-commons-httpclient-demo | <3.1-16.el7_0 | 3.1-16.el7_0 |
| redhat/jakarta-commons-httpclient-javadoc | <3.1-16.el7_0 | 3.1-16.el7_0 |
| redhat/jakarta-commons-httpclient-manual | <3.1-16.el7_0 | 3.1-16.el7_0 |
| redhat/jakarta-commons-httpclient | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-debuginfo | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-demo | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-javadoc | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-manual | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-debuginfo | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-demo | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-javadoc | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient-manual | <3.1-0.9.el6_5 | 3.1-0.9.el6_5 |
| redhat/jakarta-commons-httpclient | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-debuginfo | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-demo | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-javadoc | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-manual | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-debuginfo | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-demo | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-javadoc | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
| redhat/jakarta-commons-httpclient-manual | <3.0-7jpp.4.el5_10 | 3.0-7jpp.4.el5_10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of RHSA-2014:1166?
The severity of RHSA-2014:1166 is classified as important.
How do I fix RHSA-2014:1166?
To fix RHSA-2014:1166, update to the packages jakarta-commons-httpclient 3.1-16.el7_0 or higher.
What does RHSA-2014:1166 affect?
RHSA-2014:1166 affects the Jakarta Commons HTTPClient versions prior to 3.1-16.el7_0.
What kind of vulnerability is addressed in RHSA-2014:1166?
RHSA-2014:1166 addresses a man-in-the-middle vulnerability that allows SSL server spoofing.
Which packages are impacted by RHSA-2014:1166?
The impacted packages include jakarta-commons-httpclient, jakarta-commons-httpclient-demo, and jakarta-commons-httpclient-manual, among others.
- collector/redhat-errata
- anchor-id/RHSA-2014:1166
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- package-manager/redhat