[commons-httpclient] 59/66: Release 3.1-12. Fix CVE-2015-5262
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Tue Jul 4 08:04:06 UTC 2017
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository commons-httpclient.
commit 724f010e4e1fc950b3608bdccafa8500b2be6e2a
Author: Markus Koschany <apo at debian.org>
Date: Mon Nov 2 14:41:40 2015 +0000
Release 3.1-12. Fix CVE-2015-5262
---
debian/changelog | 15 +++++++++---
debian/control | 38 +++++++++++++++++++++---------
debian/libcommons-httpclient-java-doc.docs | 2 +-
debian/patches/CVE-2015-5262.patch | 38 ++++++++++++++++++++++++++++++
debian/patches/series | 1 +
5 files changed, 79 insertions(+), 15 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 5a72d00..6ae69de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,16 @@
-commons-httpclient (3.1-12) UNRELEASED; urgency=medium
+commons-httpclient (3.1-12) unstable; urgency=high
+
+ * Team upload.
[ Kumar Appaiah ]
* debian/control:
+ Remove Kumar Appaiah from uploaders
[ Emmanuel Bourg ]
+ * Add myself to Uploaders.
* Switch to debhelper level 9
* debian/control:
- Use canonical URLs for the Vcs-* fields
- - Standards-Version updated to 3.9.5 (no changes)
- Improved the package description
- Removed Michael Koch from the uploaders (Closes: #654007)
* debian/rules: Improved the clean target
@@ -17,7 +19,14 @@ commons-httpclient (3.1-12) UNRELEASED; urgency=medium
* Remove trailing spaces from package description of
libcommons-httpclient-java-doc in debian/control. (Closes: #783931)
- -- Kumar Appaiah <akumar at debian.org> Sat, 29 Mar 2014 15:40:00 -0400
+ [ Markus Koschany ]
+ * wrap-and-sort -sa.
+ * Declare compliance with Debian Policy 3.9.6.
+ * Add CVE-2015-5262.patch.
+ Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore
+ http.socket.timeout during SSL Handshake. (Closes: #798650)
+
+ -- Markus Koschany <apo at debian.org> Mon, 02 Nov 2015 15:32:33 +0100
commons-httpclient (3.1-11) unstable; urgency=high
diff --git a/debian/control b/debian/control
index b263d08..07231dd 100644
--- a/debian/control
+++ b/debian/control
@@ -2,20 +2,34 @@ Source: commons-httpclient
Section: java
Priority: optional
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
-Uploaders: Emmanuel Bourg <ebourg at apache.org>,
- Varun Hiremath <varun at debian.org>, Torsten Werner <twerner at debian.org>,
+Uploaders:
+ Emmanuel Bourg <ebourg at apache.org>,
+ Varun Hiremath <varun at debian.org>,
+ Torsten Werner <twerner at debian.org>,
Damien Raude-Morvan <drazzib at debian.org>
-Build-Depends: debhelper (>= 9), cdbs
-Build-Depends-Indep: maven-repo-helper, ant, default-jdk, libcommons-codec-java, libcommons-logging-java, junit
-Standards-Version: 3.9.5
+Build-Depends:
+ cdbs,
+ debhelper (>= 9)
+Build-Depends-Indep:
+ ant,
+ default-jdk,
+ junit,
+ libcommons-codec-java,
+ libcommons-logging-java,
+ maven-repo-helper
+Standards-Version: 3.9.6
Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/commons-httpclient
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/commons-httpclient
+Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/commons-httpclient
Homepage: http://hc.apache.org/httpclient-3.x
Package: libcommons-httpclient-java
Architecture: all
-Suggests: libcommons-httpclient-java-doc
-Depends: libcommons-logging-java, libcommons-codec-java, ${misc:Depends}
+Suggests:
+ libcommons-httpclient-java-doc
+Depends:
+ libcommons-codec-java,
+ libcommons-logging-java,
+ ${misc:Depends}
Description: Commons HTTPClient - Java library for creating HTTP clients
The Jakarta Commons HTTPClient library provides an efficient,
up-to-date, and feature-rich package implementing the client side of
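Review bot: Vcs-Svn still points at svn://anonscm.debian.org/pkg-java/trunk/commons-httpclient while only Vcs-Browser was switched to https in this hunk; if the packaging now lives in the git repository this commit was pushed to (pkg-java/commons-httpclient.git), both fields should be replaced by Vcs-Git and a matching Vcs-Browser URL so that `debcheckout` and the tracker find the right history. The Homepage field could be switched to https at the same time, as was done for Vcs-Browser.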
@@ -24,12 +38,14 @@ Description: Commons HTTPClient - Java library for creating HTTP clients
Package: libcommons-httpclient-java-doc
Section: doc
Architecture: all
-Depends: ${misc:Depends}
-Suggests: libcommons-httpclient-java
+Depends:
+ ${misc:Depends}
+Suggests:
+ libcommons-httpclient-java
Description: Documentation for libcommons-httpclient-java
The Jakarta Commons HTTPClient library provides an efficient,
up-to-date, and feature-rich package implementing the client side of
the most recent HTTP standards and recommendations.
.
- This package contains the documentation for the Jakarta Commons
+ This package contains the documentation for the Jakarta Commons
HTTPClient library.
diff --git a/debian/libcommons-httpclient-java-doc.docs b/debian/libcommons-httpclient-java-doc.docs
index 657b577..d60fe81 100644
--- a/debian/libcommons-httpclient-java-doc.docs
+++ b/debian/libcommons-httpclient-java-doc.docs
@@ -1,2 +1,2 @@
-docs
README
+docs
diff --git a/debian/patches/CVE-2015-5262.patch b/debian/patches/CVE-2015-5262.patch
new file mode 100644
index 0000000..a807546
--- /dev/null
+++ b/debian/patches/CVE-2015-5262.patch
@@ -0,0 +1,38 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 2 Nov 2015 15:15:37 +0100
+Subject: CVE-2015-5262
+
+Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during
+SSL Handshake
+See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892
+Thanks to Mikolaj Izdebski for the patch.
+
+Bug: https://bugs.debian.org/798650
+Forwarded: no
+---
+ .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ }
+ int timeout = params.getConnectionTimeout();
+ if (timeout == 0) {
+- Socket sslSocket = createSocket(host, port, localAddress, localPort);
++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++ host, port, localAddress, localPort);
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ sslSocket = ControllerThreadSocketFactory.createSocket(
+ this, host, port, localAddress, localPort, timeout);
+ }
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ }
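Review bot: the replacement of `createSocket(host, port, localAddress, localPort)` with a direct `SSLSocketFactory.getDefault().createSocket(...)` in the `timeout == 0` branch deserves a code comment: the point of the change is that `sslSocket.setSoTimeout(params.getSoTimeout())` must run before `verifyHostName(host, (SSLSocket) sslSocket)`, because hostname verification forces the TLS handshake, and the handshake is exactly the phase that previously ran with no read timeout. Without the comment a later cleanup could fold the call back into the four-argument overload and silently reintroduce the unbounded handshake. The same ordering is respected in the second hunk (setSoTimeout before verifyHostName in the `else` path), which is correct. Two smaller points on the patch header: `Forwarded: no` should say why (the 3.x branch is no longer developed upstream), and the `Bug:` and bugzilla references are good but a `Bug-RedHat:` or `Origin:` line pointing at Mikolaj Izdebski's patch would make the provenance machine-readable.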
diff --git a/debian/patches/series b/debian/patches/series
index 959af1a..82e5c72 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@
05_osgi_metadata
06_fix_CVE-2012-5783.patch
CVE-2014-3577.patch
+CVE-2015-5262.patch
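Review bot: appending CVE-2015-5262.patch at the end of series is the right position and should stay that way, since its context lines depend on the `verifyHostName(...)` calls introduced by 06_fix_CVE-2012-5783.patch and touched by CVE-2014-3577.patch in the same SSLProtocolSocketFactory.java; reordering it before either of those would make the hunk fail to apply.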
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/commons-httpclient.git