Hello community,

here is the log from the commit of package jakarta-commons-httpclient.1351 for 
openSUSE:12.3:Update checked in at 2013-02-21 13:25:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/jakarta-commons-httpclient.1351 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.jakarta-commons-httpclient.1351.new 
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jakarta-commons-httpclient.1351", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null   2013-02-09 11:18:20.872010756 +0100
+++ 
/work/SRC/openSUSE:12.3:Update/.jakarta-commons-httpclient.1351.new/jakarta-commons-httpclient.changes
      2013-02-21 13:25:23.000000000 +0100
@@ -0,0 +1,48 @@
+-------------------------------------------------------------------
+Thu Feb 14 09:10:48 UTC 2013 - [email protected]
+
+- fix bnc#803332: no ssl certificate hostname checking (CVE-2012-5783)
+  * commons-httpclient-CVE-2012-5783.patch
+
+-------------------------------------------------------------------
+Fri May 25 11:18:20 UTC 2012 - [email protected]
+
+- update to 3.1 (bugfix release)
+- make sure it works with jdk7
+- improve spec (ie non-versioned javadoc dir)
+- rename to jakarta-commons-httpclient to remain compatible
+
+-------------------------------------------------------------------
+Thu Jul 17 07:45:10 CEST 2008 - [email protected]
+
+- avoid another build cycle
+
+-------------------------------------------------------------------
+Mon Oct  2 15:47:26 CEST 2006 - [email protected]
+
+- update to v3.0.1 
+- fixes necessary to compile with Java 1.5.0 (in 3.0.1 version)
+        - set source="1.4" and target="1.4" for ant "javac" tasks
+        - set source="1.4" for ant "javadoc" tasks
+
+-------------------------------------------------------------------
+Mon Sep 25 12:47:02 CEST 2006 - [email protected]
+
+- don't use icecream
+- use source="1.4" and target="1.4" for build with java 1.5
+
+-------------------------------------------------------------------
+Wed Jan 25 21:46:37 CET 2006 - [email protected]
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Wed Jan  4 18:21:39 CET 2006 - [email protected]
+
+- disabled and 'test' target as that was specially written for sun JRE and 
hence fails with other JREs
+
+-------------------------------------------------------------------
+Mon Dec 19 21:02:45 CET 2005 - [email protected]
+
+- Current version 3.0 from JPackage.org
+

New:
----
  commons-httpclient-3.1-src.tar.gz
  commons-httpclient-CVE-2012-5783.patch
  jakarta-commons-httpclient-addosgimanifest.patch
  jakarta-commons-httpclient-disablecryptotests.patch
  jakarta-commons-httpclient-encoding.patch
  jakarta-commons-httpclient.changes
  jakarta-commons-httpclient.spec

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ jakarta-commons-httpclient.spec ++++++
#
# spec file for package jakarta-commons-httpclient
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# icecream 0


# Upstream (short) name; used for the compatibility Provides further down
%define short_name commons-httpclient

Name:           jakarta-commons-httpclient
Version:        3.1
Release:        0
Summary:        Feature rich package for accessing resources via HTTP
License:        Apache-2.0
Group:          Development/Libraries/Java
Url:            http://jakarta.apache.org/commons/httpclient/
# Earlier upstream source URL, kept for reference only
#Source0:        http://archive.apache.org/dist/jakarta/commons/httpclient/source/commons-httpclient-3.0-rc4-src.tar.gz
Source0:        commons-httpclient-%{version}-src.tar.gz
# Removes the SSL-tunnel params and proxy suites from the test aggregates,
# so the in-build test run does not cover those paths
Patch0:         %{name}-disablecryptotests.patch
# Add OSGi MANIFEST.MF bits
Patch1:         %{name}-addosgimanifest.patch
# Hard-codes encoding="ISO-8859-1" in the <javac>/<javadoc> tasks of build.xml
Patch2:         %{name}-encoding.patch
#PATCH-FIX-UPSTREAM: bnc#803332
#http://svn.apache.org/viewvc?view=revision&revision=483925
# Adds verification of the server certificate's CN against the requested
# host name in SSLProtocolSocketFactory; applied with -p1 in %%prep
Patch3:         commons-httpclient-CVE-2012-5783.patch
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

BuildRequires:  ant
BuildRequires:  commons-codec
BuildRequires:  commons-logging >= 1.0.3
# The javadoc link targets passed in %%build are not pulled in at build time
#BuildRequires:  java-javadoc
#BuildRequires:  apache-commons-logging-javadoc
BuildRequires:  java-devel
BuildRequires:  junit

Requires:       commons-codec
Requires:       commons-logging >= 1.0.3

# Satisfy dependencies expressed against the upstream name
Provides:       %{short_name} = %{version}-%{release}

# Replace the earlier versioned package name (the matching jar symlinks are
# created in %%install)
Provides:       %{name}3 = %{version}-%{release}
Obsoletes:      %{name}3 < %{version}-%{release}

%description
Although the java.net  package provides basic functionality for
accessing resources via HTTP, it doesn't provide the full flexibility
or functionality needed by many applications. The Jakarta Commons
HttpClient component seeks to fill this void by providing an efficient,
up-to-date, and feature-rich package implementing the client side of
the most recent HTTP standards and recommendations.

Designed for extension while providing robust support for the base HTTP
protocol, the HttpClient component may be of interest to anyone
building HTTP-aware client applications such as web browsers, web
service clients, or systems that leverage or extend the HTTP protocol
for distributed communication.

# Subpackage: generated API documentation, installed under %%{_javadocdir}/%%{name}
%package        javadoc
PreReq:         coreutils
Summary:        Developer documentation for jakarta-commons-httpclient
Group:          Development/Libraries/Java

%description    javadoc
Developer documentation for jakarta-commons-httpclient in JavaDoc
format.

%{summary}.

# Subpackage: src/examples and src/contrib, installed under %%{_datadir}/%%{name}
%package        demo
Summary:        Demonstration files for  jakarta-commons-httpclient
Group:          Development/Libraries/Java
Requires:       %{name} = %{version}-%{release}

%description    demo
Demonstration files for jakarta-commons-httpclient. NOTE: It is
possible that some demonstration files are specially prepared for SUN
Java runtime environment. If they fail with IBM or BEA Java, the
package itself does not need to be broken.

%{summary}.

# Subpackage: the dist/docs tree (apidocs is a symlink into the javadoc subpackage)
%package        manual
Summary:        Manual for jakarta-commons-httpclient
Group:          Development/Libraries/Java

%description    manual
Manual for jakarta-commons-httpclient

%{summary}.

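%prep
%setup -q -n commons-httpclient-%{version}
# the ant build apparently wants a lib/ directory even though jars are taken
# from -Dlib.dir (see %%build) -- TODO confirm against build.xml
mkdir lib # duh
# drop prebuilt API docs and stray patch leftovers shipped in the tarball
rm -rf docs/apidocs docs/*.patch docs/*.orig docs/*.rej

# remove the SSL-tunnel params and proxy suites from the test aggregates
%patch0

# strip carriage returns from the manifest before adding the OSGi headers
pushd src/conf
%{__sed} -i 's/\r//' MANIFEST.MF
%patch1
popd

# pin the javac/javadoc source encoding in build.xml
%patch2
# host name verification in SSLProtocolSocketFactory (bnc#803332, CVE-2012-5783)
%patch3 -p1

# Use javax classes, not com.sun ones
# assume no filename contains spaces
pushd src
    for j in $(find . -name "*.java" -exec grep -l 'com\.sun\.net\.ssl' {} \;); do
        sed -e 's|com\.sun\.net\.ssl|javax.net.ssl|' $j > tempf
        cp tempf $j
    done
    # tempf only exists if at least one file matched; -f keeps an empty match
    # from aborting the scriptlet
    rm -f tempf
popd

# strip carriage returns from the text files packaged as %%doc
%{__sed} -i 's/\r//' RELEASE_NOTES.txt
%{__sed} -i 's/\r//' README.txt
%{__sed} -i 's/\r//' LICENSE.txt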

%build
# Run the dist and test targets.  Notes on the properties:
#  - build.sysclasspath=first and lib.dir point the build at the jars
#    installed in %%{_javadir}
#  - javadoc.*.link: cross-reference targets for the generated API docs
#  - test.failonerror=false: failing unit tests do not fail the package build,
#    and Patch0 removes the SSL-tunnel params and proxy suites, so the test run
#    does not exercise the TLS code touched by Patch3
#  - javac.encoding=UTF-8 only takes effect if build.xml consults it; Patch2
#    hard-codes ISO-8859-1 in the <javac>/<javadoc> tasks
ant \
  -Dbuild.sysclasspath=first \
  -Djavadoc.j2sdk.link=%{_javadocdir}/java \
  -Djavadoc.logging.link=%{_javadocdir}/apache-commons-logging \
  -Dtest.failonerror=false \
  -Dlib.dir=%{_javadir} \
  -Djavac.encoding=UTF-8 \
  dist test

%install
# Jar: installed under the package name; the historic names are provided as
# relative symlinks next to it
mkdir -p %{buildroot}%{_javadir}
cp -p dist/commons-httpclient.jar %{buildroot}%{_javadir}/%{name}.jar
for compat in jakarta-commons-httpclient3 commons-httpclient3 commons-httpclient; do
    ln -s jakarta-commons-httpclient.jar %{buildroot}%{_javadir}/$compat.jar
done

# Javadoc: generated API docs go to the unversioned %%{_javadocdir}/%%{name}
mkdir -p %{buildroot}%{_javadocdir}
mv dist/docs/api %{buildroot}%{_javadocdir}/%{name}

# Demo: examples and contrib sources, copied as-is
mkdir -p %{buildroot}%{_datadir}/%{name}
cp -pr src/examples src/contrib %{buildroot}%{_datadir}/%{name}

# Manual: drop the build-only notes and let apidocs point at the installed
# javadoc so that dist/docs/* can be packaged as %%doc
rm -f dist/docs/{BUILDING,TESTING}.txt
ln -s %{_javadocdir}/%{name} dist/docs/apidocs

%clean
# remove the staging tree once packaging is done
%{__rm} -rf %{buildroot}

%files
%defattr(0644,root,root,0755)
%doc LICENSE.txt README.txt RELEASE_NOTES.txt
%{_javadir}/%{name}.jar
# compatibility symlinks created in %%install; all point at %%{name}.jar
%{_javadir}/jakarta-commons-httpclient3.jar
%{_javadir}/commons-httpclient3.jar
%{_javadir}/commons-httpclient.jar

%files javadoc
%defattr(0644,root,root,0755)
%doc %{_javadocdir}/%{name}

%files demo
%defattr(0644,root,root,0755)
# src/examples and src/contrib, copied verbatim in %%install
%{_datadir}/%{name}

%files manual
%defattr(0644,root,root,0755)
# includes the apidocs symlink into %%{_javadocdir}/%%{name} (javadoc subpackage)
%doc dist/docs/*

%changelog
++++++ commons-httpclient-CVE-2012-5783.patch ++++++
Index: 
commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
===================================================================
--- 
commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ 
commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -31,10 +31,17 @@
 package org.apache.commons.httpclient.protocol;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.Socket;
 import java.net.UnknownHostException;
 
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
 
 import org.apache.commons.httpclient.ConnectTimeoutException;
@@ -79,12 +86,17 @@ public class SSLProtocolSocketFactory im
         InetAddress clientHost,
         int clientPort)
         throws IOException, UnknownHostException {
-        return SSLSocketFactory.getDefault().createSocket(
+        SSLSocket socket = (SSLSocket) 
SSLSocketFactory.getDefault().createSocket(
             host,
             port,
             clientHost,
             clientPort
         );
+
+        verifyHostName( host, (SSLSocket) socket );
+
+        // verifyHostName() didn't blowup - good!
+        return socket;
     }
 
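Review bot: The cast in `verifyHostName( host, (SSLSocket) socket );` is redundant, because `socket` is already declared as `SSLSocket` a few lines above; `verifyHostName( host, socket );` says the same thing. The same redundant cast recurs in the later hunks of this patch (the params overload, the two-argument overload and the socket-wrapping overload), so it is worth cleaning up in one pass. The enclosing method's signature begins above the hunk.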
     /**
@@ -124,15 +136,18 @@ public class SSLProtocolSocketFactory im
         }
         int timeout = params.getConnectionTimeout();
         if (timeout == 0) {
-            return createSocket(host, port, localAddress, localPort);
+            SSLSocket socket = (SSLSocket) createSocket(host, port, 
localAddress, localPort);
+            verifyHostName(host, (SSLSocket) socket);
+            return socket;
         } else {
             // To be eventually deprecated when migrated to Java 1.4 or above
-            Socket socket = ReflectionSocketFactory.createSocket(
+            SSLSocket socket =(SSLSocket) ReflectionSocketFactory.createSocket(
                 "javax.net.ssl.SSLSocketFactory", host, port, localAddress, 
localPort, timeout);
             if (socket == null) {
-                socket = ControllerThreadSocketFactory.createSocket(
+                socket = (SSLSocket) 
ControllerThreadSocketFactory.createSocket(
                     this, host, port, localAddress, localPort, timeout);
             }
+            verifyHostName(host, (SSLSocket) socket);
             return socket;
         }
     }
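Review bot: The `timeout == 0` branch verifies the host name twice: `createSocket(host, port, localAddress, localPort)` appears to be the four-argument overload that this same patch makes call verifyHostName before returning, so the added `verifyHostName(host, (SSLSocket) socket);` on the following line repeats a check that already passed. The ControllerThreadSocketFactory fallback is handed `this`, so if it delegates back to one of this factory's createSocket overloads (not visible here) that path is verified twice as well, leaving the ReflectionSocketFactory path as the only one that needs the explicit call. The duplication is harmless but obscures where the check actually lives; keeping the original `return createSocket(host, port, localAddress, localPort);` in the first branch would leave it in one place. The enclosing method begins above the hunk.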
@@ -142,10 +157,12 @@ public class SSLProtocolSocketFactory im
      */
     public Socket createSocket(String host, int port)
         throws IOException, UnknownHostException {
-        return SSLSocketFactory.getDefault().createSocket(
+        SSLSocket socket = (SSLSocket) 
SSLSocketFactory.getDefault().createSocket(
             host,
             port
         );
+        verifyHostName( host, (SSLSocket) socket );
+        return socket;
     }
 
     /**
@@ -157,14 +174,133 @@ public class SSLProtocolSocketFactory im
         int port,
         boolean autoClose)
         throws IOException, UnknownHostException {
-        return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket(
+        SSLSocket s = (SSLSocket) ((SSLSocketFactory) 
SSLSocketFactory.getDefault()).createSocket(
             socket,
             host,
             port,
             autoClose
         );
+        verifyHostName( host, (SSLSocket) socket );
+
+        // verifyHostName() didn't blowup - good!
+        return s;
+    }
+
+    private static void verifyHostName( String host, SSLSocket ssl )
+          throws IOException {
+        if ( host == null ) {
+            throw new NullPointerException( "host to verify was null" );
+        }
+
+        SSLSession session = ssl.getSession();
+        if ( session == null ) {
+            // In our experience this only happens under IBM 1.4.x when
+            // spurious (unrelated) certificates show up in the server's chain.
+            // Hopefully this will unearth the real problem:
+            InputStream in = ssl.getInputStream();
+            in.available();
+            /*
+               If you're looking at the 2 lines of code above because you're
+               running into a problem, you probably have two options:
+
+                  #1.  Clean up the certificate chain that your server
+                       is presenting (e.g. edit "/etc/apache2/server.crt" or
+                       wherever it is your server's certificate chain is
+                       defined).
+
+                                           OR
+
+                  #2.   Upgrade to an IBM 1.5.x or greater JVM, or switch to a
+                        non-IBM JVM.
+            */
+
+            // If ssl.getInputStream().available() didn't cause an exception,
+            // maybe at least now the session is available?
+            session = ssl.getSession();
+            if ( session == null ) {
+                // If it's still null, probably a startHandshake() will
+                // unearth the real problem.
+                ssl.startHandshake();
+
+                // Okay, if we still haven't managed to cause an exception,
+                // might as well go for the NPE.  Or maybe we're okay now?
+                session = ssl.getSession();
+            }
+        }
+
+        Certificate[] certs = session.getPeerCertificates();
+        X509Certificate x509 = (X509Certificate) certs[ 0 ];
+        String cn = getCN( x509 );
+        if ( cn == null ) {
+            String subject = x509.getSubjectX500Principal().toString();
+            String msg = "certificate doesn't contain CN: " + subject;
+            throw new SSLException( msg );
+        }
+        // I'm okay with being case-insensitive when comparing the host we used
+        // to establish the socket to the hostname in the certificate.
+        // Don't trim the CN, though.
+        cn = cn.toLowerCase();
+        host = host.trim().toLowerCase();
+        boolean doWildcard = false;
+        if ( cn.startsWith( "*." ) ) {
+            // The CN better have at least two dots if it wants wildcard 
action,
+            // but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc...
+            String withoutCountryCode = "";
+            if ( cn.length() >= 7 && cn.length() <= 9 ) {
+                withoutCountryCode = cn.substring( 2, cn.length() - 2 );
+            }
+            doWildcard = cn.lastIndexOf( '.' ) >= 0 &&
+                         !"ac.".equals( withoutCountryCode ) &&
+                         !"co.".equals( withoutCountryCode ) &&
+                         !"com.".equals( withoutCountryCode ) &&
+                         !"ed.".equals( withoutCountryCode ) &&
+                         !"edu.".equals( withoutCountryCode ) &&
+                         !"go.".equals( withoutCountryCode ) &&
+                         !"gouv.".equals( withoutCountryCode ) &&
+                         !"gov.".equals( withoutCountryCode ) &&
+                         !"info.".equals( withoutCountryCode ) &&
+                         !"lg.".equals( withoutCountryCode ) &&
+                         !"ne.".equals( withoutCountryCode ) &&
+                         !"net.".equals( withoutCountryCode ) &&
+                         !"or.".equals( withoutCountryCode ) &&
+                         !"org.".equals( withoutCountryCode );
+
+            // The [*.co.uk] problem is an interesting one.  Should we just
+            // hope that CA's would never foolishly allow such a
+            // certificate to happen?
+        }
+
+        boolean match;
+        if ( doWildcard ) {
+            match = host.endsWith( cn.substring( 1 ) );
+        } else {
+            match = host.equals( cn );
+        }
+        if ( !match ) {
+            throw new SSLException( "hostname in certificate didn't match: <" 
+ host + "> != <" + cn + ">" );
+        }
     }
 
+    private static String getCN( X509Certificate cert ) {
+        // Note:  toString() seems to do a better job than getName()
+        //
+        // For example, getName() gives me this:
+        // 
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+        //
+        // whereas toString() gives me this:
+        // [email protected]
+        String subjectPrincipal = cert.getSubjectX500Principal().toString();
+        int x = subjectPrincipal.indexOf( "CN=" );
+        if ( x >= 0 ) {
+            int y = subjectPrincipal.indexOf( ',', x );
+            // If there are no more commas, then CN= is the last entry.
+            y = ( y >= 0 ) ? y : subjectPrincipal.length();
+            return subjectPrincipal.substring( x + 3, y );
+        } else {
+            return null;
+        }
+     }
+
     /**
      * All instances of SSLProtocolSocketFactory are the same.
      */
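Review bot: `verifyHostName( host, (SSLSocket) socket );` in the socket-wrapping overload verifies the wrong object: `socket` is the parameter handed to `createSocket(socket, host, port, autoClose)`, while the SSL socket the method creates and returns is `s`, so the line should read `verifyHostName( host, s );` — as written the cast either fails with a ClassCastException or, if the wrapped socket happens to be an SSLSocket, checks a session other than the one being returned. The enclosing method (the overload that wraps an existing socket) begins above the hunk; verifyHostName and getCN are complete within it. Separately, verifyHostName only matches against the CN that getCN scrapes out of the subject DN string via `indexOf( "CN=" )`, so a certificate carrying the host name solely in subjectAltName is rejected and a CN containing a comma is cut off at `indexOf( ',', x )`; `X509Certificate.getSubjectAlternativeNames()` is the API for the first case, and an RDN-aware parser rather than a substring split for the second. The wildcard branch's `host.endsWith( cn.substring( 1 ) )` also lets `*.example.com` match a host with additional labels such as `a.b.example.com` (constructed example), which is looser than a single-label wildcard check and worth tightening alongside the fix.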
++++++ jakarta-commons-httpclient-addosgimanifest.patch ++++++
--- MANIFEST.MF 2007-09-06 12:31:02.000000000 -0400
+++ MANIFEST.MF 2007-09-06 12:30:45.000000000 -0400
@@ -3,4 +3,27 @@
 Specification-Version: 1.0
 Implementation-Vendor: Apache Software Foundation
 Implementation-Version: @version@
-
+Bundle-ManifestVersion: 2
+Bundle-Name: %bundleName
+Bundle-SymbolicName: org.apache.commons.httpclient
+Bundle-Version: 3.1.0.v20080605-1935
+Import-Package: javax.crypto;resolution:=optional,
+ javax.crypto.spec;resolution:=optional,
+ javax.net;resolution:=optional,
+ javax.net.ssl;resolution:=optional,
+ org.apache.commons.codec;version="[1.2.0,2.0.0)",
+ org.apache.commons.codec.binary;version="[1.2.0,2.0.0)",
+ org.apache.commons.codec.net;version="[1.2.0,2.0.0)",
+ org.apache.commons.logging;version="[1.0.4,2.0.0)"
+Export-Package: org.apache.commons.httpclient;version="3.1.0",
+ org.apache.commons.httpclient.auth;version="3.1.0",
+ org.apache.commons.httpclient.cookie;version="3.1.0",
+ org.apache.commons.httpclient.methods;version="3.1.0",
+ org.apache.commons.httpclient.methods.multipart;version="3.1.0",
+ org.apache.commons.httpclient.params;version="3.1.0",
+ org.apache.commons.httpclient.protocol;version="3.1.0",
+ org.apache.commons.httpclient.util;version="3.1.0"
+Bundle-Vendor: %bundleProvider
+Bundle-Localization: plugin
+Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0,
+ J2SE-1.2
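Review bot: `Bundle-Version: 3.1.0.v20080605-1935` is hard-coded while the `Implementation-Version: @version@` line just above it is filled in at build time, so the OSGi version will drift silently from the package version on the next update; a filtered value (if the build's token replacement also covers this header — not visible here) or at least a comment tying it to the spec's Version would keep the two aligned. `Bundle-Name: %bundleName` and `Bundle-Vendor: %bundleProvider` rely on `Bundle-Localization: plugin`, i.e. a plugin.properties resource that this patch does not add; if none ends up in the jar the raw placeholder strings are what consumers will see.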
++++++ jakarta-commons-httpclient-disablecryptotests.patch ++++++
--- ./src/test/org/apache/commons/httpclient/params/TestParamsAll.java.sav      
2006-07-20 18:42:17.000000000 -0400
+++ ./src/test/org/apache/commons/httpclient/params/TestParamsAll.java  
2006-07-20 18:42:26.000000000 -0400
@@ -43,7 +43,6 @@
     public static Test suite() {
         TestSuite suite = new TestSuite();
         suite.addTest(TestHttpParams.suite());
-        suite.addTest(TestSSLTunnelParams.suite());
         return suite;
     }
 
--- ./src/test/org/apache/commons/httpclient/TestAll.java.sav   2006-07-20 
18:42:56.000000000 -0400
+++ ./src/test/org/apache/commons/httpclient/TestAll.java       2006-07-20 
18:43:01.000000000 -0400
@@ -100,7 +100,6 @@
         // Non compliant behaviour
         suite.addTest(TestNoncompliant.suite());
         // Proxy
-        suite.addTest(TestProxy.suite());
         suite.addTest(TestProxyWithRedirect.suite());
         return suite;
     }
++++++ jakarta-commons-httpclient-encoding.patch ++++++
--- build.xml   2007-08-18 05:02:14.000000000 -0400
+++ build.xml   2012-01-23 09:52:50.405796336 -0500
@@ -179,6 +179,7 @@
           description="Compile shareable components">
     <javac srcdir      ="${source.home}/java"
            destdir     ="${build.home}/classes"
+           encoding    ="ISO-8859-1"
            debug       ="${compile.debug}"
            deprecation ="${compile.deprecation}"
            optimize    ="${compile.optimize}">
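Review bot: `encoding    ="ISO-8859-1"` is hard-coded into the <javac> task, while the spec invokes ant with `-Djavac.encoding=UTF-8`, so the command-line setting is not consulted by this task and the two disagree on the source encoding. Writing `encoding    ="${javac.encoding}"` and providing a default via `<property name="javac.encoding" value="ISO-8859-1"/>` (unless build.xml already defines one — not visible here) would let the spec's value take effect and keep a single source of truth. The same hard-coded attribute is added in the three following hunks (the examples and tests <javac> tasks and the <javadoc> task). Each hunk's enclosing target begins above it.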
@@ -186,6 +187,7 @@
     </javac>
     <javac srcdir      ="${source.home}/examples"
            destdir     ="${build.home}/examples"
+           encoding    ="ISO-8859-1"
            debug       ="${compile.debug}"
            deprecation ="${compile.deprecation}"
            optimize    ="${compile.optimize}">
@@ -197,6 +199,7 @@
           description="Compile unit test cases">
     <javac srcdir      ="${test.home}"
            destdir     ="${build.home}/tests"
+           encoding    ="ISO-8859-1"
            debug       ="${compile.debug}"
            deprecation ="${compile.deprecation}"
            optimize    ="${compile.optimize}">
@@ -244,6 +244,7 @@
     <mkdir dir="${dist.home}/docs/api"/>
     <javadoc sourcepath   ="${source.home}/java"
              destdir      ="${dist.home}/docs/api"
+             encoding     ="ISO-8859-1"
              packagenames ="org.apache.commons.*"
              author       ="true"
              protected    ="true"