[SCM] httpcomponents-client: HTTP/1.1 compliant HTTP agent Java implementation branch, master, updated. debian/4.2.1-1-7-g26be4ba

tony mancill tmancill at debian.org
Mon Feb 11 01:16:19 UTC 2013


The following commit has been merged in the master branch:
commit ec5d458b768b782f3e713e688547d0f9e0df9773
Author: tony mancill <tmancill at debian.org>
Date:   Sun Feb 10 16:50:06 2013 -0800

    apply upstream patch for 700268

diff --git a/debian/patches/02-700268.patch b/debian/patches/02-700268.patch
new file mode 100644
index 0000000..7627e31
--- /dev/null
+++ b/debian/patches/02-700268.patch
@@ -0,0 +1,91 @@
+Description: Corrects security defect: 
+ Wildcard matching in hostname verifier incorrect
+Source: https://fisheye6.atlassian.com/rdiff/httpcomponents?csid=1406213&u&N
+Forwarded: not-needed
+
+Index: httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
+===================================================================
+diff -u -N -r1356672 -r1406213
+--- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java	(.../TestHostnameVerifier.java)	(revision 1356672)
++++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java	(.../TestHostnameVerifier.java)	(revision 1406213)
+@@ -300,7 +300,7 @@
+     }
+ 
+     @Test
+-    public void HTTPCLIENT_1097() {
++    public void testHTTPCLIENT_1097() {
+         String cns[];
+         String alt[] = {};
+         X509HostnameVerifier bhv = new BrowserCompatHostnameVerifier();
+@@ -318,6 +318,17 @@
+         checkWildcard("s*.gouv.uk", false); // 2 character TLD, invalid 2TLD
+     }
+ 
++    @Test
++    public void testHTTPCLIENT_1255() {
++        X509HostnameVerifier bhv = new BrowserCompatHostnameVerifier();
++        X509HostnameVerifier shv = new StrictHostnameVerifier();
++
++        String cns[] = new String []{"m*.a.b.c.com"}; // component part
++        String alt[] = {};
++        checkMatching(bhv, "mail.a.b.c.com", cns, alt, false); // OK
++        checkMatching(shv, "mail.a.b.c.com", cns, alt, false); // OK
++    }
++
+     // Helper
+     private void checkWildcard(String host, boolean isOK) {
+         Assert.assertTrue(host+" should be "+isOK, isOK==AbstractVerifier.acceptableCountryWildcard(host));
+Index: libhttpclient-java/RELEASE_NOTES.txt
+===================================================================
+diff -u -N -r1400612 -r1406213
+--- a/RELEASE_NOTES.txt	(.../RELEASE_NOTES.txt)	(revision 1400612)
++++ b/RELEASE_NOTES.txt	(.../RELEASE_NOTES.txt)	(revision 1406213)
+@@ -1,3 +1,11 @@
++Changes since 4.2.1
++-------------------
++
++* [HTTPCLIENT-1255] AbstractVerifier incorrectly parses certificate CN containing wildcard
++  Contributed by Oleg Kalnichevski <olegk at apache.org>
++
++
++
+ Release 4.2.1 
+ -------------------
+ 
+Index: libhttpclient-java/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+===================================================================
+diff -u -N -r1356672 -r1406213
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java	(.../AbstractVerifier.java)	(revision 1356672)
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java	(.../AbstractVerifier.java)	(revision 1406213)
+@@ -43,8 +43,6 @@
+ import java.util.List;
+ import java.util.Locale;
+ import java.util.StringTokenizer;
+-import java.util.logging.Logger;
+-import java.util.logging.Level;
+ 
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+@@ -204,9 +202,10 @@
+                                  !isIPAddress(host);
+ 
+             if(doWildcard) {
+-                if (parts[0].length() > 1) { // e.g. server*
+-                    String prefix = parts[0].substring(0, parts.length-2); // e.g. server
+-                    String suffix = cn.substring(parts[0].length()); // skip wildcard part from cn
++                String firstpart = parts[0];
++                if (firstpart.length() > 1) { // e.g. server*
++                    String prefix = firstpart.substring(0, firstpart.length() - 1); // e.g. server
++                    String suffix = cn.substring(firstpart.length()); // skip wildcard part from cn
+                     String hostSuffix = hostName.substring(prefix.length()); // skip wildcard part from host
+                     match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
+                 } else {
+@@ -302,8 +301,6 @@
+             c = cert.getSubjectAlternativeNames();
+         }
+         catch(CertificateParsingException cpe) {
+-            Logger.getLogger(AbstractVerifier.class.getName())
+-                    .log(Level.FINE, "Error parsing certificate.", cpe);
+         }
+         if(c != null) {
+             for (List<?> aC : c) {
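Review bot: In the AbstractVerifier hunk, `String hostSuffix = hostName.substring(prefix.length());` on the line after the corrected `suffix` assignment is still evaluated before `hostName.startsWith(prefix)` is checked, so a host name shorter than the wildcard prefix throws StringIndexOutOfBoundsException instead of producing a non-match; because the CN comes from the peer certificate, a malformed certificate can turn a verification failure into an unchecked exception at the caller. Folding the substring into the short-circuit removes the ordering problem: `match = hostName.startsWith(prefix) && hostName.substring(prefix.length()).endsWith(suffix);` (and drop the `hostSuffix` local). Removing the Logger import together with the two `log(Level.FINE, ...)` lines leaves `catch(CertificateParsingException cpe) { }` empty, silently discarding the parse failure; a comment such as `// unparsable SANs are treated as absent — CN matching below still applies` would at least record the intent. The enclosing method starts and ends outside this hunk, and the meaning of the new test's last `checkMatching` argument (`false`) is not visible here, so its expectation is inferred from the surrounding tests.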
diff --git a/debian/patches/series b/debian/patches/series
index d39b602..44d53ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 00-fix_build.patch
 01-generate_osgi_metadata.patch
+02-700268.patch



