-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3539
                   httpcomponents-client security update
                              15 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           httpcomponents-client
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Unauthorised Access -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-13956  

Reference:         ESB-2020.3500

Original Bulletin: 
   https://lists.debian.org/debian-security-announce/2020/msg00179.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4772-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 14, 2020                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : httpcomponents-client
CVE ID         : CVE-2020-13956

Priyank Nigam discovered that HttpComponents Client, a Java HTTP agent
implementation, could misinterpret a malformed authority component in a
request URI and pick the wrong target host for request execution.

For the stable distribution (buster), this problem has been fixed in
version 4.5.7-1+deb10u1.

We recommend that you upgrade your httpcomponents-client packages.

For the detailed security status of httpcomponents-client please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/httpcomponents-client

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
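
The advisory above concerns a client choosing the wrong target host from a
malformed authority component. The following is an added example, not part of
the Debian advisory or of HttpComponents: a caller-side pre-flight check, using
only java.net.URI, that rejects any request URI whose authority is not a plain
host[:port] on an allowlist. The class StrictTarget, the method
requireAllowedTarget, the ALLOWED_HOSTS set and the example.org hosts are
hypothetical; the check complements the package upgrade and does not replace it.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
// Added example: strict pre-flight check of a request URI's authority.
public final class StrictTarget {
    // Hypothetical allowlist of hosts this service may call.
    private static final Set<String> ALLOWED_HOSTS = Set.of("api.example.org");
    static URI requireAllowedTarget(String raw) throws URISyntaxException {
        URI uri = new URI(raw);
        String scheme = uri.getScheme();
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new URISyntaxException(raw, "scheme must be http or https");
        }
        // Throws unless the authority parses as [userinfo@]host[:port].
        uri = uri.parseServerAuthority();
        String host = uri.getHost();
        if (host == null) {
            throw new URISyntaxException(raw, "no host in authority");
        }
        if (uri.getRawUserInfo() != null) {
            throw new URISyntaxException(raw, "userinfo not accepted");
        }
        // Rebuild the authority from the parsed parts. Leftover text would let
        // a second parser read a different host out of the same string.
        String rebuilt = uri.getPort() == -1 ? host : host + ":" + uri.getPort();
        if (!rebuilt.equals(uri.getRawAuthority())) {
            throw new URISyntaxException(raw, "authority does not round-trip");
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new URISyntaxException(raw, "host not on allowlist");
        }
        return uri;
    }
    public static void main(String[] args) {
        String[] samples = {               // constructed inputs
            "https://api.example.org:8443/v1/items",
            "https://api_internal.example.org/v1",  // not a valid hostname
            "https://other.example.net/v1",
        };
        for (String s : samples) {
            try {
                System.out.println("ok      " + requireAllowedTarget(s).getHost());
            } catch (URISyntaxException e) {
                System.out.println("reject  " + s + " (" + e.getReason() + ")");
            }
        }
    }
}
```
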

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----