[SCM] httpcomponents-client: HTTP/1.1 compliant HTTP agent Java implementation branch, master, updated. debian/4.2.1-1-7-g26be4ba
tony mancill
tmancill at debian.org
Mon Feb 11 01:16:19 UTC 2013
The following commit has been merged in the master branch:
commit ec5d458b768b782f3e713e688547d0f9e0df9773
Author: tony mancill <tmancill at debian.org>
Date: Sun Feb 10 16:50:06 2013 -0800
apply upstream patch for 700268
diff --git a/debian/patches/02-700268.patch b/debian/patches/02-700268.patch
new file mode 100644
index 0000000..7627e31
--- /dev/null
+++ b/debian/patches/02-700268.patch
@@ -0,0 +1,91 @@
+Description: Corrects security defect:
+ Wildcard matching in hostname verifier incorrect
+Source: https://fisheye6.atlassian.com/rdiff/httpcomponents?csid=1406213&u&N
+Forwarded: not-needed
+
+Index: httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java
+===================================================================
+diff -u -N -r1356672 -r1406213
+--- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java (.../TestHostnameVerifier.java) (revision 1356672)
++++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java (.../TestHostnameVerifier.java) (revision 1406213)
+@@ -300,7 +300,7 @@
+ }
+
+ @Test
+- public void HTTPCLIENT_1097() {
++ public void testHTTPCLIENT_1097() {
+ String cns[];
+ String alt[] = {};
+ X509HostnameVerifier bhv = new BrowserCompatHostnameVerifier();
+@@ -318,6 +318,17 @@
+ checkWildcard("s*.gouv.uk", false); // 2 character TLD, invalid 2TLD
+ }
+
++ @Test
++ public void testHTTPCLIENT_1255() {
++ X509HostnameVerifier bhv = new BrowserCompatHostnameVerifier();
++ X509HostnameVerifier shv = new StrictHostnameVerifier();
++
++ String cns[] = new String []{"m*.a.b.c.com"}; // component part
++ String alt[] = {};
++ checkMatching(bhv, "mail.a.b.c.com", cns, alt, false); // OK
++ checkMatching(shv, "mail.a.b.c.com", cns, alt, false); // OK
++ }
++
+ // Helper
+ private void checkWildcard(String host, boolean isOK) {
+ Assert.assertTrue(host+" should be "+isOK, isOK==AbstractVerifier.acceptableCountryWildcard(host));
+Index: libhttpclient-java/RELEASE_NOTES.txt
+===================================================================
+diff -u -N -r1400612 -r1406213
+--- a/RELEASE_NOTES.txt (.../RELEASE_NOTES.txt) (revision 1400612)
++++ b/RELEASE_NOTES.txt (.../RELEASE_NOTES.txt) (revision 1406213)
+@@ -1,3 +1,11 @@
++Changes since 4.2.1
++-------------------
++
++* [HTTPCLIENT-1255] AbstractVerifier incorrectly parses certificate CN containing wildcard
++ Contributed by Oleg Kalnichevski <olegk at apache.org>
++
++
++
+ Release 4.2.1
+ -------------------
+
+Index: libhttpclient-java/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+===================================================================
+diff -u -N -r1356672 -r1406213
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java (.../AbstractVerifier.java) (revision 1356672)
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java (.../AbstractVerifier.java) (revision 1406213)
+@@ -43,8 +43,6 @@
+ import java.util.List;
+ import java.util.Locale;
+ import java.util.StringTokenizer;
+-import java.util.logging.Logger;
+-import java.util.logging.Level;
+
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+@@ -204,9 +202,10 @@
+ !isIPAddress(host);
+
+ if(doWildcard) {
+- if (parts[0].length() > 1) { // e.g. server*
+- String prefix = parts[0].substring(0, parts.length-2); // e.g. server
+- String suffix = cn.substring(parts[0].length()); // skip wildcard part from cn
++ String firstpart = parts[0];
++ if (firstpart.length() > 1) { // e.g. server*
++ String prefix = firstpart.substring(0, firstpart.length() - 1); // e.g. server
++ String suffix = cn.substring(firstpart.length()); // skip wildcard part from cn
+ String hostSuffix = hostName.substring(prefix.length()); // skip wildcard part from host
+ match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
+ } else {
+@@ -302,8 +301,6 @@
+ c = cert.getSubjectAlternativeNames();
+ }
+ catch(CertificateParsingException cpe) {
+- Logger.getLogger(AbstractVerifier.class.getName())
+- .log(Level.FINE, "Error parsing certificate.", cpe);
+ }
+ if(c != null) {
+ for (List<?> aC : c) {
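Review bot: In the AbstractVerifier wildcard branch, `hostName.substring(prefix.length())` is still evaluated before `hostName.startsWith(prefix)`, so a host name shorter than the certificate's wildcard prefix raises StringIndexOutOfBoundsException instead of producing a plain non-match. Folding the substring into the guarded expression avoids that: `match = hostName.startsWith(prefix) && hostName.substring(prefix.length()).endsWith(suffix);`. Judging by its `// OK` comments, the added testHTTPCLIENT_1255 covers only a host that should be accepted; a companion case where the host differs from the CN's literal prefix and must be rejected would pin the property this fix is meant to restore. The last hunk leaves `catch(CertificateParsingException cpe)` empty, so a short comment such as `// subjectAltName parsing failed; verification continues without alternative names` would make the silent fallback explicit. The enclosing methods start and end outside the quoted hunks, so any checks made earlier in them are not visible here.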
diff --git a/debian/patches/series b/debian/patches/series
index d39b602..44d53ad 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
00-fix_build.patch
01-generate_osgi_metadata.patch
+02-700268.patch
--
httpcomponents-client: HTTP/1.1 compliant HTTP agent Java implementation