RHSA-2014:1098: Important: devtoolset-2-httpcomponents-client security update

Published Aug 26, 2014
·
Updated

HttpClient is an HTTP/1.1 compliant HTTP agent implementation based onhttpcomponents HttpCore.It was discovered that the HttpClient incorrectly extracted host name froman X.509 certificate subject's Common Name (CN) field. A man-in-the-middleattacker could use this flaw to spoof an SSL server using a speciallycrafted X.509 certificate. (CVE-2012-6153)This issue was discovered by Florian Weimer of Red Hat Product Security.For additional information on this flaw, refer to the Knowledgebase articlein the References section.All devtoolset-2-httpcomponents-client users are advised to upgrade tothese updated packages, which contain a backported patch to correct thisissue.

Affected Software

3 affected componentsFixes available
redhat/devtoolset<2-httpcomponents-client-4.2.1-6.el6
2-httpcomponents-client-4.2.1-6.el6
redhat/devtoolset<2-httpcomponents-client-4.2.1-6.el6
2-httpcomponents-client-4.2.1-6.el6
redhat/devtoolset<2-httpcomponents-client-javadoc-4.2.1-6.el6
2-httpcomponents-client-javadoc-4.2.1-6.el6

Remediation

Event History

Aug 26, 2014
Advisory Published
12:00 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of RHSA-2014:1098?

The severity of RHSA-2014:1098 is classified as important.

2

How do I fix RHSA-2014:1098?

To fix RHSA-2014:1098, upgrade to the package 2-httpcomponents-client-4.2.1-6.el6 or later.

3

Which software is affected by RHSA-2014:1098?

RHSA-2014:1098 affects the devtoolset packages, specifically the HTTP components client.

4

What type of vulnerability is described in RHSA-2014:1098?

RHSA-2014:1098 describes a vulnerability where HttpClient could incorrectly extract the host name from an X.509 certificate.

5

Can a man-in-the-middle attack occur due to RHSA-2014:1098?

Yes, a man-in-the-middle attacker could exploit the vulnerability described in RHSA-2014:1098.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203