SCIENTIFIC-LINUX-USERS Archives

September 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Pat Riehecky <[log in to unmask]>
Reply To: Pat Riehecky <[log in to unmask]>
Date: Tue, 9 Sep 2014 11:03:19 -0500

Something went wrong with our publication process.  You do not need to 
modify your parsing scripts at this time.

Pat

On 09/09/2014 11:00 AM, Jake Edge wrote:
> On Tue, 9 Sep 2014 10:56:27 -0500 Pat Riehecky wrote:
>> Sorry for the error.
>>
>> You are correct, the Synopsis line should have read:
>>
>> Synopsis:          Important: jakarta-commons-httpclient security update
>>
>> Thank you for the report.
> In addition, the subject line is missing the "Security ERRATA" that
> usually precedes the severity ... is that a long-term change or just
> an oversight?
>
> (this may sound like I am picking on minor changes, but we have
> scripts that recognize and ingest the advisories, so we are sensitive
> to any changes -- I am happy to change our scripts if needed, but I
> just want to make sure it *is* needed)
>
> thanks,
>
> jake
>
>> On 09/09/2014 10:50 AM, Jake Edge wrote:
>>> This advisory looks different than usual, and in fact looks wrong
>>> (the subject is about jakarta-commons-httpclient but the synopsis
>>> mentions thunderbird ...
>>>
>>> is this some new format for advisories?  or is this just a mistake
>>> that will be corrected soon?
>>>
>>> thanks!
>>>
>>> jake
>>>
>>> On Mon, 8 Sep 2014 19:16:30 +0000 Pat Riehecky wrote:
>>>> Synopsis:          Important: thunderbird security update
>>>> Advisory ID:       SLSA-2014:1166-1
>>>> Issue Date:        2014-09-08
>>>> CVE Numbers:       CVE-2014-3577
>>>> --
>>>>
>>>> It was discovered that the HTTPClient incorrectly extracted host
>>>> name from an X.509 certificate subject's Common Name (CN) field. A
>>>> man-in-the-middle attacker could use this flaw to spoof an SSL
>>>> server using a specially crafted X.509 certificate. (CVE-2014-3577)
>>>> --
>>>>
>>>> SL5
>>>>     x86_64
>>>>       jakarta-commons-httpclient-debuginfo-3.0-7jpp.4.el5_10.x86_64.rpm
>>>>       jakarta-commons-httpclient-demo-3.0-7jpp.4.el5_10.x86_64.rpm
>>>>       jakarta-commons-httpclient-javadoc-3.0-7jpp.4.el5_10.x86_64.rpm
>>>>       jakarta-commons-httpclient-manual-3.0-7jpp.4.el5_10.x86_64.rpm
>>>>     i386
>>>>       jakarta-commons-httpclient-3.0-7jpp.4.el5_10.i386.rpm
>>>>       jakarta-commons-httpclient-debuginfo-3.0-7jpp.4.el5_10.i386.rpm
>>>>       jakarta-commons-httpclient-demo-3.0-7jpp.4.el5_10.i386.rpm
>>>>       jakarta-commons-httpclient-javadoc-3.0-7jpp.4.el5_10.i386.rpm
>>>>       jakarta-commons-httpclient-manual-3.0-7jpp.4.el5_10.i386.rpm
>>>> SL6
>>>>     x86_64
>>>>       jakarta-commons-httpclient-3.1-0.9.el6_5.x86_64.rpm
>>>>       jakarta-commons-httpclient-debuginfo-3.1-0.9.el6_5.x86_64.rpm
>>>>       jakarta-commons-httpclient-demo-3.1-0.9.el6_5.x86_64.rpm
>>>>       jakarta-commons-httpclient-javadoc-3.1-0.9.el6_5.x86_64.rpm
>>>>       jakarta-commons-httpclient-manual-3.1-0.9.el6_5.x86_64.rpm
>>>>     i386
>>>>       jakarta-commons-httpclient-3.1-0.9.el6_5.i686.rpm
>>>>       jakarta-commons-httpclient-debuginfo-3.1-0.9.el6_5.i686.rpm
>>>>       jakarta-commons-httpclient-demo-3.1-0.9.el6_5.i686.rpm
>>>>       jakarta-commons-httpclient-javadoc-3.1-0.9.el6_5.i686.rpm
>>>>       jakarta-commons-httpclient-manual-3.1-0.9.el6_5.i686.rpm
>>>>
>>>> - Scientific Linux Development Team
>>>>
>>
>


-- 
Pat Riehecky

Scientific Linux developer
http://www.scientificlinux.org/
