A security vulnerability has been identified and fixed in the httpcomponents-client package distributed with the Fedora 15 operating system. Attackers can exploit it to disclose certain information.
Package:
httpcomponents-client 4.x
Operating systems:
Fedora 15
Problem:
error in a software component
Exploitation:
local
Consequence:
disclosure of sensitive information
Solution:
vendor software patch
CVE:
CVE-2011-1498
Original advisory ID:
FEDORA-2011-7747
Source:
Fedora
Problem:
The flaw occurs when requests are tunneled through a proxy server that requires authentication.
Consequence:
The flaw can be exploited to disclose potentially sensitive data.
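The referenced bug describes the Proxy-Authorization header reaching the target host, which can be checked for on the receiving side. The Python below is an added example, not code from this advisory or from the HttpClient project; it assumes request heads captured at the origin server, and the host name, paths and credentials in the sample are constructed.

```python
import base64

# Constructed sample: request heads as seen by the origin server (inside the tunnel).
CAPTURED = [
    b"GET /account HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n",
    b"GET /health HTTP/1.1\r\nHost: app.example.test\r\nAccept: */*\r\n\r\n",
    b"GET /x HTTP/1.1\r\nHost: app.example.test\r\n"
    b"proxy-authorization:  NTLM TlRMTVNTUAAB\r\n\r\n",
]

def parse_headers(raw: bytes):
    """Return (request_line, [(name, value), ...]) from one raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def leaked_proxy_credentials(raw: bytes):
    """List proxy credentials present in a request that reached the origin.

    Proxy-Authorization is meant for the proxy only; on the origin side of a
    tunnel its presence means the client leaked it. The secret itself is never
    returned, only the scheme and (for Basic) the user name.
    """
    request_line, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name.lower() != "proxy-authorization":  # header names are case-insensitive
            continue
        scheme, _, token = value.partition(" ")
        user = None
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token.strip(), validate=True)
                user = decoded.decode("utf-8", "replace").partition(":")[0]
            except ValueError:
                pass  # malformed token: still a leak, user name unknown
        findings.append({"request": request_line, "scheme": scheme, "user": user})
    return findings

def audit(captures):
    """Collect findings across all captured request heads."""
    return [f for raw in captures for f in leaked_proxy_credentials(raw)]
```

Any finding means the proxy credential was exposed to the origin and should be rotated once the client is updated.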
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7747
2011-06-02 10:19:35
--------------------------------------------------------------------------------
Name : httpcomponents-client
Product : Fedora 15
Version : 4.1.1
Release : 2.fc15
URL : http://hc.apache.org/
Summary : HTTP agent implementation based on httpcomponents HttpCore
Description :
HttpClient is a HTTP/1.1 compliant HTTP agent implementation based on
httpcomponents HttpCore. It also provides reusable components for
client-side authentication, HTTP state management, and HTTP connection
management. HttpComponents Client is a successor of and replacement
for Commons HttpClient 3.x. Users of Commons HttpClient are strongly
encouraged to upgrade.
--------------------------------------------------------------------------------
Update Information:
This update fixes several bugs. See
http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.1.x.txt for
details.
--------------------------------------------------------------------------------
ChangeLog:
* Thu Apr 7 2011 Severin Gehwolf 4.1.1-2
- Add BR/R apache-commons-codec, since httpcomponents-client's
MANIFEST.MF has an Import-Package: org.apache.commons.codec
header.
* Tue Mar 29 2011 Stanislav Ochotnicky - 4.1.1-1
- New upstream bugfix version (4.1.1)
* Tue Mar 15 2011 Severin Gehwolf 4.1-6
- Explicitly set PrivatePackage to the empty set, so as to
export all packages.
* Thu Mar 10 2011 Alexander Kurtakov 4.1-5
- OSGi export more packages.
* Fri Feb 25 2011 Alexander Kurtakov 4.1-4
- Build httpmime module.
* Fri Feb 18 2011 Alexander Kurtakov 4.1-3
- Don't use basename as an identifier.
* Fri Feb 18 2011 Alexander Kurtakov 4.1-2
- OSGify properly.
- Install into /usr/share/java/.
* Thu Feb 17 2011 Alexander Kurtakov 4.1-1
- Update to latest upstream version.
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #709531 - CVE-2011-1498 httpcomponents-client: sends
Proxy-Authorization header to host when tunneling requests through authenticated
proxy server
https://bugzilla.redhat.com/show_bug.cgi?id=709531
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update httpcomponents-client' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce