{"affected":[{"ecosystem_specific":{"binaries":[{"apache-commons-httpclient":"3.1-11.3.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP2","name":"apache-commons-httpclient","purl":"pkg:rpm/suse/apache-commons-httpclient&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.1-11.3.2"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for apache-commons-httpclient fixes the following issues:\n\n- http/conn/ssl/SSLConnectionSocketFactory.java ignores the\n    http.socket.timeout configuration setting during an SSL handshake,\n    which allows remote attackers to cause a denial of service (HTTPS\n    call hang) via unspecified vectors. [bsc#945190, CVE-2015-5262]\n- org.apache.http.conn.ssl.AbstractVerifier does not properly\n    verify that the server hostname matches a domain name in the\n    subject's Common Name (CN) or subjectAltName field of the X.509\n    certificate, which allows MITM attackers to spoof SSL servers\n    via a 'CN=' string in a field in the distinguished name (DN)\n    of a certificate. [bsc#1178171, CVE-2014-3577]\n","id":"SUSE-SU-2020:3152-1","modified":"2020-11-04T10:07:13Z","published":"2020-11-04T10:07:13Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2020/suse-su-20203152-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1178171"},{"type":"REPORT","url":"https://bugzilla.suse.com/945190"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2014-3577"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-5262"}],"related":["CVE-2014-3577","CVE-2015-5262"],"summary":"Security update for apache-commons-httpclient","upstream":["CVE-2014-3577","CVE-2015-5262"]}