diff --git a/SOURCES/0001-Fix-CVE-2014-3577.patch b/SOURCES/0001-Fix-CVE-2014-3577.patch
new file mode 100644
index 0000000..6ed428a
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2014-3577.patch
@@ -0,0 +1,140 @@
+From 3e3515b42a5c782219ba898f9cb79812c8895349 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@redhat.com>
+Date: Tue, 12 Aug 2014 14:07:29 +0200
+Subject: [PATCH] Fix CVE-2014-3577
+
+---
+ .../org/apache/http/conn/ssl/AbstractVerifier.java | 87 +++++++++++-----------
+ 1 file changed, 44 insertions(+), 43 deletions(-)
+
+diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index a7cad68..7245781 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -28,7 +28,6 @@
+ package org.apache.http.conn.ssl;
+
+ import org.apache.http.annotation.Immutable;
+-
+ import org.apache.http.conn.util.InetAddressUtils;
+
+ import java.io.IOException;
+@@ -36,14 +35,21 @@ import java.io.InputStream;
+ import java.security.cert.Certificate;
+ import java.security.cert.CertificateParsingException;
+ import java.security.cert.X509Certificate;
++import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Collection;
+ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
+-
++import java.util.NoSuchElementException;
++
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -142,7 +148,8 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+
+ public final void verify(String host, X509Certificate cert)
+ throws SSLException {
+- String[] cns = getCNs(cert);
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ final String[] cns = extractCNs(subjectPrincipal);
+ String[] subjectAlts = getSubjectAlts(cert, host);
+ verify(host, cns, subjectAlts);
+ }
+@@ -236,48 +243,42 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ return Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) < 0;
+ }
+
+- public static String[] getCNs(X509Certificate cert) {
+- LinkedList<String> cnList = new LinkedList<String>();
+- /*
+- Sebastian Hauer's original StrictSSLProtocolSocketFactory used
+- getName() and had the following comment:
+-
+- Parses a X.500 distinguished name for the value of the
+- "Common Name" field. This is done a bit sloppy right
+- now and should probably be done a bit more according to
+- <code>RFC 2253</code>.
+-
+- I've noticed that toString() seems to do a better job than
+- getName() on these X500Principal objects, so I'm hoping that
+- addresses Sebastian's concern.
+-
+- For example, getName() gives me this:
+- 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-
+- whereas toString() gives me this:
+- EMAILADDRESS=juliusdavies@cucbc.com
+-
+- Looks like toString() even works with non-ascii domain names!
+- I tested it with "花子.co.jp" and it worked fine.
+- */
+-
+- String subjectPrincipal = cert.getSubjectX500Principal().toString();
+- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+- while(st.hasMoreTokens()) {
+- String tok = st.nextToken().trim();
+- if (tok.length() > 3) {
+- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+- cnList.add(tok.substring(3));
+- }
+- }
++ public static String[] getCNs(final X509Certificate cert) {
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ try {
++ return extractCNs(subjectPrincipal);
++ } catch (SSLException ex) {
++ return null;
+ }
+- if(!cnList.isEmpty()) {
+- String[] cns = new String[cnList.size()];
+- cnList.toArray(cns);
+- return cns;
+- } else {
++ }
++
++ static String[] extractCNs(final String subjectPrincipal) throws SSLException {
++ if (subjectPrincipal == null) {
+ return null;
+ }
++ final List<String> cns = new ArrayList<String>();
++ try {
++ final LdapName subjectDN = new LdapName(subjectPrincipal);
++ final List<Rdn> rdns = subjectDN.getRdns();
++ for (int i = rdns.size() - 1; i >= 0; i--) {
++ final Rdn rds = rdns.get(i);
++ final Attributes attributes = rds.toAttributes();
++ final Attribute cn = attributes.get("cn");
++ if (cn != null) {
++ try {
++ final Object value = cn.get();
++ if (value != null) {
++ cns.add(value.toString());
++ }
++ } catch (NoSuchElementException ignore) {
++ } catch (NamingException ignore) {
++ }
++ }
++ }
++ } catch (InvalidNameException e) {
++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
++ }
++ return cns.isEmpty() ? null : cns.toArray(new String[cns.size()]);
+ }
+
+ /**
+--
+1.9.3
+
diff --git a/SPECS/httpcomponents-client.spec b/SPECS/httpcomponents-client.spec
index a454368..13d73cd 100644
--- a/SPECS/httpcomponents-client.spec
+++ b/SPECS/httpcomponents-client.spec
@@ -3,11 +3,12 @@
Name: httpcomponents-client
Summary: HTTP agent implementation based on httpcomponents HttpCore
Version: 4.2.5
-Release: 4%{?dist}
+Release: 5%{?dist}
Group: Development/Libraries
License: ASL 2.0
URL: http://hc.apache.org/
Source0: http://archive.apache.org/dist/httpcomponents/httpclient/source/%{name}-%{version}-src.tar.gz
+Patch0: 0001-Fix-CVE-2014-3577.patch
BuildArch: noarch
@@ -41,6 +42,8 @@ Group: Documentation
%prep
%setup -q
+%patch0 -p1
+
# Remove optional build deps not available in Fedora
%pom_disable_module httpclient-cache
%pom_disable_module httpclient-osgi
@@ -122,6 +125,10 @@ done
%doc LICENSE.txt NOTICE.txt
%changelog
+* Tue Aug 12 2014 Michal Srb <msrb@redhat.com> - 4.2.5-5
+- Fix MITM security vulnerability
+- Resolves: CVE-2014-3577
+
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 4.2.5-4
- Mass rebuild 2013-12-27