From: Markus Koschany
Newsgroups: linux.debian.bugs.dist,linux.debian.maint.java,linux.debian.devel.release
Subject: Bug#804157: jessie-pu: package commons-httpclient/3.1-11
Date: Thu, 05 Nov 2015 16:00:02 +0100
Reply-To: Markus Koschany, 804157@bugs.debian.org
X-Original-Date: Thu, 05 Nov 2015 15:50:04 +0100
X-Original-Message-ID: <144673500448.18005.12188339112381202846.reportbug@conan>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

the Debian Java Team would like to update commons-httpclient in Jessie to fix CVE-2015-5262.
We don't think that this issue warrants a DSA from the security team but nevertheless it is important enough that it should be fixed in an upcoming point release.

This is Debian bug: https://bugs.debian.org/798650

I am attaching the proposed debdiff against the current version in Jessie. I will also file another bug report for a wheezy-pu soon.

Regards,

Markus

Content-Disposition: attachment; filename="commons-httpclient.debdiff"

diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog --- commons-httpclient-3.1/debian/changelog 2015-04-13 18:15:49.000000000 +0200 +++ commons-httpclient-3.1/debian/changelog 2015-11-05 15:37:42.000000000 +0100 @@ -1,3 +1,12 @@ +commons-httpclient (3.1-11+deb8u1) jessie; urgency=high + + * Team upload. + * Add CVE-2015-5262.patch. + Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore + http.socket.timeout during SSL Handshake. (Closes: #798650) + + -- Markus Koschany Thu, 05 Nov 2015 15:31:50 +0100 + commons-httpclient (3.1-11) unstable; urgency=high * Team upload. diff -Nru commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch --- commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 1970-01-01 01:00:00.000000000 +0100 +++ commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 2015-11-05 15:37:42.000000000 +0100 
@@ -0,0 +1,38 @@ +From: Markus Koschany +Date: Mon, 2 Nov 2015 15:15:37 +0100 +Subject: CVE-2015-5262 + +Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during +SSL Handshake +See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892 +Thanks to Mikolaj Izdebski for the patch. + +Bug: https://bugs.debian.org/798650 +Forwarded: no +--- + .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +index e6ce513..b7550a2 100644 +--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + } + int timeout = params.getConnectionTimeout(); + if (timeout == 0) { +- Socket sslSocket = createSocket(host, port, localAddress, localPort); ++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket( ++ host, port, localAddress, localPort); ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } else { +@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + sslSocket = ControllerThreadSocketFactory.createSocket( + this, host, port, localAddress, localPort, timeout); + } ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series --- commons-httpclient-3.1/debian/patches/series 2015-04-13 18:15:49.000000000 +0200 +++ commons-httpclient-3.1/debian/patches/series 2015-11-05 15:37:42.000000000 +0100 
@@ -6,3 +6,4 @@ 05_osgi_metadata 06_fix_CVE-2012-5783.patch CVE-2014-3577.patch +CVE-2015-5262.patch
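Review bot: the debian/changelog entry names the CVE and closes #798650 but does not say where the fix comes from; the patch header below credits Mikolaj Izdebski and points at https://bugzilla.redhat.com/show_bug.cgi?id=1259892, so one short line in the changelog ("based on the Red Hat patch") would save whoever audits this jessie update later from having to open the patch file to find the origin.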
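Review bot: in the @@ -152,7 +152,9 @@ hunk (the timeout == 0 branch) the order is right: sslSocket.setSoTimeout(params.getSoTimeout()) is applied before verifyHostName(host, (SSLSocket) sslSocket), so the handshake that verifyHostName forces is now bounded by the read timeout. Two things the patch description should spell out, though. First, this branch still places no bound on the TCP connect itself; that is the existing meaning of a zero connection timeout, but since the old and new code differ only for the handshake it is worth saying so. Second, the call to this class's own four-argument createSocket(host, port, localAddress, localPort) was replaced by a direct SSLSocketFactory.getDefault().createSocket(host, port, localAddress, localPort); if that overload did anything beyond creating the socket (for instance its own hostname verification), it no longer applies on this path, so please confirm it did not, or keep the overload and just set the timeout on its result.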
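Review bot: in the @@ -163,6 +165,7 @@ hunk the single added line sslSocket.setSoTimeout(params.getSoTimeout()) sits after both ways of obtaining the socket in the else branch (the path above the hunk and ControllerThreadSocketFactory.createSocket(this, host, port, localAddress, localPort, timeout)) and before verifyHostName, so both paths now get the read timeout during the handshake; this is the part that actually addresses CVE-2015-5262. Since the bug report carries no test description, it would help to note in #798650 how the fix was verified, e.g. with http.socket.timeout set and a test server that accepts the TCP connection but never completes the TLS handshake, showing the call now fails with a SocketTimeoutException instead of hanging. Also note that when params.getSoTimeout() returns 0 the handshake stays unbounded, which matches the existing semantics of the parameter.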