Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

Andreas Tille tille at debian.org
Thu Dec 6 12:58:08 UTC 2012


Hi Alberto,

thanks for your continuous work on this.  As I said in my previous mail,
please remember to reopen the corresponding bugs to make sure the previous
solution will not migrate to testing.  I'll volunteer to sponsor your
new version if you confirm that this is needed to finally fix the issue.

Kind regards

       Andreas.

On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> Hi All,
> 
> I've prepared the patch with the problem pointed out by David fixed (thanks
> David). It also fixes a bug related to wildcard certificates.
> 
> The first patch is backported from httpclient 4.0 and apache synapse.
> 
> This second patch backports some fixes from httpclient 4.2.
> 
> The patch differs a lot from the 4.x line for two reasons: first, the code
> architecture changes; second, I want to maintain the 3.1 API unchanged,
> so all methods are private and only apply to one class.
> 
> The patch for axis and commons-httpclient is the same. In the function
> where they create an SSLSocket, I've put the same routine to validate the
> hostname against the certificate's valid names.
> 
> I'll upload the new patches in their place.
> Please review them and when ready I can upload a new package to mentors.
> 
> Thanks
> 

-- 
http://fam-tille.de
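For readers following the thread: the routine Alberto describes, checking the hostname of the connection against the names a server certificate carries, with the wildcard rules that the second patch tightens, is what CVE-2012-5783 and CVE-2012-5784 come down to (httpclient 3.1 and axis performed no such check). The class below is an added illustration written for this archive page, not Alberto's patch nor code from commons-httpclient, axis or synapse. It collects dNSName SANs (falling back to the subject CN only when no SAN is present) and treats a wildcard as valid only in the leftmost label, covering exactly one label and leaving at least two labels in the rest of the name; those particular constraints are this example's assumptions about what a careful backport should enforce, not a statement of what the uploaded patch does.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Example hostname-vs-certificate check of the kind a fix for CVE-2012-5783 needs.
 * Illustrative code for this thread; not the commons-httpclient or axis implementation.
 */
public final class HostnameCheck {

    /** Names a server certificate claims: dNSName SANs first, subject CN only as a fallback. */
    static List<String> certificateNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                // GeneralName type 2 is dNSName (RFC 5280); IP and e-mail SANs are ignored here.
                if (((Integer) san.get(0)).intValue() == 2) {
                    names.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                }
            }
        }
        if (names.isEmpty()) {
            try {
                LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
                for (Rdn rdn : dn.getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) {
                        names.add(rdn.getValue().toString().toLowerCase(Locale.ROOT));
                    }
                }
            } catch (InvalidNameException e) {
                // Unparseable subject: return no names, so the caller fails closed.
            }
        }
        return names;
    }

    /** True if the connection hostname matches any certificate name. */
    static boolean matches(String hostname, List<String> certNames) {
        String host = hostname.toLowerCase(Locale.ROOT);
        for (String name : certNames) {
            if (matchesOne(host, name)) {
                return true;
            }
        }
        return false;
    }

    /** Exact match, or a constrained wildcard match (assumed rules, see lead-in). */
    static boolean matchesOne(String host, String name) {
        if (!name.startsWith("*.")) {
            return host.equals(name);
        }
        // "*.example.org" must match "www.example.org" but neither "example.org"
        // nor "a.b.example.org": the wildcard stands for exactly one non-empty label.
        String suffix = name.substring(1); // ".example.org"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String prefix = host.substring(0, host.length() - suffix.length());
        if (prefix.isEmpty() || prefix.indexOf('.') >= 0) {
            return false;
        }
        // Refuse wildcards such as "*.org" that would cover every name under a TLD.
        int remainingLabels = suffix.substring(1).split("\\.").length;
        return remainingLabels >= 2;
    }

    public static void main(String[] args) {
        // Constructed certificate names standing in for a parsed X509Certificate.
        List<String> names = Arrays.asList("*.example.org", "example.org");
        System.out.println("www.example.org  -> " + matches("www.example.org", names));
        System.out.println("example.org      -> " + matches("example.org", names));
        System.out.println("a.b.example.org  -> " + matches("a.b.example.org", names));
        System.out.println("evil.com         -> " + matches("evil.com", names));
        System.out.println("*.org wildcard   -> " + matches("www.example.org", Arrays.asList("*.org")));
    }
}
```

In a socket factory this would be called right after the SSL handshake, with `certificateNames()` applied to the first certificate of `session.getPeerCertificates()` and the connection closed when `matches()` returns false; the point of the backport Alberto describes is that 3.1 previously skipped this step entirely, so any certificate chaining to a trusted CA was accepted for any host.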
