===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3539
                   httpcomponents-client security update
                              15 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           httpcomponents-client
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Unauthorised Access -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13956

Reference:         ESB-2020.3500

Original Bulletin:
   https://lists.debian.org/debian-security-announce/2020/msg00179.html

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4772-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 14, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : httpcomponents-client
CVE ID         : CVE-2020-13956

Priyank Nigam discovered that HttpComponents Client, a Java HTTP agent
implementation, could misinterpret malformed authority component in a
request URI and pick the wrong target host for request execution.

For the stable distribution (buster), this problem has been fixed in
version 4.5.7-1+deb10u1.

We recommend that you upgrade your httpcomponents-client packages.

For the detailed security status of httpcomponents-client please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/httpcomponents-client

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
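
To check a host against the fixed version named in the Debian advisory above, the following added example (not part of the AusCERT or Debian text) uses dpkg to compare every installed binary package built from the httpcomponents-client source package with 4.5.7-1+deb10u1. It assumes a Debian buster host; the function names and the sample inventory are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the advisory. Requires dpkg (Debian buster host).
# The two values below are quoted from DSA-4772-1.
SOURCE_PACKAGE='httpcomponents-client'
FIXED_VERSION='4.5.7-1+deb10u1'

# Print "patched" if VERSION is at or above the buster fix, else "vulnerable".
# dpkg's own comparison is used so that revision suffixes such as "+deb10u1"
# and epochs are ordered the way the package manager orders them.
classify_version() {
    if dpkg --compare-versions "$1" ge "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Read "source binary version" lines on stdin and report each binary package
# built from SOURCE_PACKAGE. Exit status: 0 = all patched or none installed,
# 1 = at least one package is below the fixed version.
audit() {
    awk -v src="$SOURCE_PACKAGE" '$1 == src { print $2, $3 }' | (
        status=0
        while read -r pkg ver; do
            verdict=$(classify_version "$ver")
            printf '%s %s %s\n' "$pkg" "$ver" "$verdict"
            [ "$verdict" = patched ] || status=1
        done
        exit "$status"
    )
}

# Live inventory in the format audit() expects.
installed_packages() {
    dpkg-query -W -f='${source:Package} ${binary:Package} ${Version}\n'
}

# Constructed sample inventory (not real host data) for an offline dry run.
sample_inventory() {
    printf '%s\n' \
        'httpcomponents-client libhttpclient-java 4.5.7-1' \
        'openssl libssl1.1 1.1.1d-0+deb10u3'
}

# Usage on a real host:  installed_packages | audit
```

The threshold applies to buster only, since that is the only release for which the advisory states a fixed version.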