{"id":"USN-2769-1","summary":"commons-httpclient vulnerabilities","details":"It was discovered that Apache Commons HttpClient did not properly verify the\nCommon Name or subjectAltName fields of X.509 certificates. An attacker could\nexploit this to perform a machine-in-the-middle attack to view sensitive\ninformation or alter encrypted communications. This issue only affected Ubuntu\n12.04 LTS. (CVE-2012-5783)\n\nFlorian Weimer discovered the fix for CVE-2012-5783 was incomplete for Apache\nCommons HttpClient. An attacker could exploit this to perform a\nmachine-in-the-middle attack to view sensitive information or alter\nencrypted communications. This issue only affected Ubuntu 12.04 LTS.\n(CVE-2012-6153)\n\nSubodh Iyengar and Will Shackleton discovered the fix for CVE-2012-5783 was\nincomplete for Apache Commons HttpClient. An attacker could exploit this to\nperform a machine-in-the-middle attack to view sensitive information or alter\nencrypted communications. (CVE-2014-3577)\n\nIt was discovered that Apache Commons HttpClient did not properly handle read\ntimeouts during HTTPS handshakes. A remote attacker could trigger this flaw to\ncause a denial of service. (CVE-2015-5262)\n","modified":"2026-02-10T04:40:55Z","published":"2015-10-14T15:43:52Z","related":["UBUNTU-CVE-2014-3577","UBUNTU-CVE-2015-5262"],"upstream":["CVE-2012-5783","CVE-2012-6153","CVE-2014-3577","CVE-2015-5262","UBUNTU-CVE-2012-5783","UBUNTU-CVE-2012-6153","UBUNTU-CVE-2014-3577","UBUNTU-CVE-2015-5262"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2769-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2012-5783"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2012-6153"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3577"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-5262"}],"affected":[{"package":{"name":"commons-httpclient","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/commons-httpclient@3.1-10.2ubuntu0.14.04.1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1-10.2ubuntu0.14.04.1"}]}],"versions":["3.1-10.2"],"ecosystem_specific":{"binaries":[{"binary_name":"libcommons-httpclient-java","binary_version":"3.1-10.2ubuntu0.14.04.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2769-1.json","cves_map":{"ecosystem":"Ubuntu:14.04:LTS","cves":[{"id":"CVE-2014-3577","severity":[{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-5262","severity":[{"type":"Ubuntu","score":"medium"}]}]}}}],"schema_version":"1.7.3"}