RHSA-2013:0680: Moderate: jakarta-commons-httpclient security update
The Jakarta Commons HttpClient component can be used to build HTTP-awareclient applications (such as web browsers and web service clients).The Jakarta Commons HttpClient component did not verify that the serverhostname matched the domain name in the subject's Common Name (CN) orsubjectAltName field in X.509 certificates. This could allow aman-in-the-middle attacker to spoof an SSL server if they had a certificatethat was valid for any domain name. (CVE-2012-5783)Warning: Before applying this update, back up your existing JBossEnterprise Application Platform installation (including all applicationsand configuration files).All users of JBoss Enterprise Application Platform 5.2.0 on Red HatEnterprise Linux 4, 5, and 6 are advised to upgrade to this updatedpackage. The JBoss server process must be restarted for the update to takeeffect.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2013:0680?
The severity of RHSA-2013:0680 is classified as moderate.
How do I fix RHSA-2013:0680?
You can fix RHSA-2013:0680 by updating the jakarta-commons-httpclient package to version 3.1-2_patch_01.ep5.el6 or 3.1-2.1_patch_01.ep5.el5.
Which versions of jakarta-commons-httpclient are affected by RHSA-2013:0680?
Versions of jakarta-commons-httpclient up to 3.1-2.1_patch_01.ep5.el5 are affected by RHSA-2013:0680.
What vulnerabilities does RHSA-2013:0680 address?
RHSA-2013:0680 addresses vulnerabilities related to improper hostname verification in the Jakarta Commons HttpClient component.
Is RHSA-2013:0680 applicable to both EL5 and EL6?
Yes, RHSA-2013:0680 is applicable to both EL5 and EL6 versions of jakarta-commons-httpclient.