Debian Patches

Status for commons-httpclient/3.1-16

Patch Description Author Forwarded Bugs Origin Last update
04_fix_classpath.patch no
01_build_xml_version_jar.patch no
02_upstream_disable_examples_classes.patch no
03_upstream_qualify_ConnectionPool_declaration.patch no
00_build_xml_no_external_links.patch no
06_fix_CVE-2012-5783.patch Fixed CN extraction from DN of X500 principal and wildcard validation
commons-httpclient (3.1-10.2) unstable; urgency=low

* Fixed CN extraction from DN of X500 principal and wildcard validation
Alberto Fernández Martínez yes debian other 2012-12-06
CVE-2014-3577.patch CVE-2014-3577
It was found that the fix for CVE-2012-6153 was incomplete: the code added to
check that the server hostname matches the domain name in a subject's Common
Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
could use this flaw to spoof an SSL server using a specially crafted X.509
The fix for CVE-2012-6153 was intended to address the incomplete patch for
CVE-2012-5783. This means the issue is now completely resolved by applying
this patch and the 06_fix_CVE-2012-5783.patch.


upstream announcement:


Markus Koschany not-needed 2015-03-23
CVE-2015-5262.patch CVE-2015-5262
Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during
SSL Handshake
See also
Thanks to Mikolaj Izdebski for the patch.
Markus Koschany no upstream 2015-11-02
07_java17-compatibility.patch Fixes the compatibility with Java 17 Emmanuel Bourg not-needed
