Bug#692650: Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

David Jorm djorm at redhat.com
Mon Dec 10 03:08:15 UTC 2012


Thanks Alberto! Could I ask that to finalize this, you attach both 
revised patches to the upstream bugs (HTTPCLIENT-1265 and AXIS-2883) and 
ask upstream to commit them?

Thanks again
David

On 12/07/2012 04:02 AM, Alberto Fernández wrote:
> Hi
>
> I've uploaded new packages to mentors. I'll be out until Monday, so feel
> free to review the patches and sponsor the new version if you are all
> confident it's ok.
>
> I think now it's fine, but if you find some other bug or improvement,
> I'll be happy to correct it.
>
> I'll insist next week upstream to include the last fix.
>
> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
>> Hi Alberto,
>>
>> thanks for your continuous work on this.  As I said in my previous mail
>> please remember to reopen the according bugs to make sure the previous
>> solution will not migrate to testing.  I'll volunteer to sponsor your
>> new version if you confirm that this is needed to finally fix the issue.
>>
>> Kind regards
>>
>>         Andreas.
>>
>> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
>>> Hi All,
>>>
>>> I've prepared the patch with the problem pointed by David fixed (thanks
>>> David). It also fixes a bug related to wildcard certificates.
>>>
>>> The first patch is backported from httpclient 4.0 and apache synapse.
>>>
>>> This second patch backports some fixes from httpclient 4.2
>>>
>>> The patches differ a lot from the 4.x line for two reasons: first, the code
>>> architecture changes; second, I want to maintain the 3.1 API unchanged,
>>> so all methods are private and only apply to one class.
>>>
>>> The patch for axis and commons-httpclient is the same. In the function
>>> where they create an SSLSocket, I've put the same routine to validate the
>>> hostname against the certificate's valid names.
>>>
>>> I'll upload the new patches in their place.
>>> Please review them and when ready I can upload a new package to mentors.
>>>
>>> Thanks
>>>