httpcomponents-client: mysterious vulnerability

Posted Jun 16, 2011 6:09 UTC (Thu) by geofft (subscriber, #59789)
Parent article: httpcomponents-client: credentials disclosure

This isn't that mysterious. The release notes say the security issue is 1061, not 1069 (which you quoted), which is:

* [HTTPCLIENT-1061] Fixed critical bug causing Proxy-Authorization header to be sent to the target
host when tunneling requests through a proxy server that requires authentication.
Contributed by Oleg Kalnichevski <olegk at apache.org>

Or, in other words, it seems like HttpClient sends your proxy credentials to the proxy server, and then also sends those credentials to whatever random websites you're visiting through the proxy. A malicious website can grab those credentials and then log in to your proxy and use it.

I agree that the English isn't the world's best (see also "This update fixes several bug." from the Fedora alert), but there's no mystery as to what the actual bug here is.

Fixed

Posted Jun 16, 2011 13:12 UTC (Thu) by corbet (editor, #1) [Link]

You're right, I misread that. I've fixed the entry, thanks.

It's nice to know people actually read these vulnerability entries! :)