Your message dated Fri, 26 Dec 2014 11:53:22 +0100
with message-id <[email protected]>
and subject line Re: Bug#773933: unblock: async-http-client/1.6.5-3
has caused the Debian Bug report #773933,
regarding unblock: async-http-client/1.6.5-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
773933: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773933
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package async-http-client. It fixes CVE-2013-7397.

unblock async-http-client/1.6.5-3

Debdiff:

diff -Nru async-http-client-1.6.5/debian/changelog 
async-http-client-1.6.5/debian/changelog
--- async-http-client-1.6.5/debian/changelog    2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/changelog    2014-12-17 19:15:20.000000000 
+0100
@@ -1,3 +1,22 @@
+async-http-client (1.6.5-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Emmanuel Bourg ]
+  * Fixed CVE-2013-7397: SSL/TLS certificate verification is disabled
+    under certain conditions (Closes: #773364)
+  * Fixed a compilation error with Java 8 (Closes: #773372)
+  * debian/control:
+    - Standards-Version updated to 3.9.6 (no changes)
+    - Removed the unnecessary build dependency on libclirr-maven-plugin-java
+    - Use canonical URLs for the Vcs-* fields
+  * debian/rules: Improved the clean target
+
+  [ Tony Mancill ]
+  * Update debian/watch
+
+ -- Emmanuel Bourg <[email protected]>  Wed, 17 Dec 2014 19:14:38 +0100
+
 async-http-client (1.6.5-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru async-http-client-1.6.5/debian/control 
async-http-client-1.6.5/debian/control
--- async-http-client-1.6.5/debian/control      2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/control      2014-12-17 16:50:25.000000000 
+0100
@@ -6,7 +6,6 @@
 Build-Depends: cdbs, debhelper (>= 9), default-jdk, maven-debian-helper (>= 
1.4)
 Build-Depends-Indep: default-jdk-doc,
                      libanimal-sniffer-java,
-                     libclirr-maven-plugin-java,
                      libcommons-logging-java-doc,
                      libmaven-bundle-plugin-java,
                      libmaven-enforcer-plugin-java,
@@ -14,10 +13,10 @@
                      libmaven-shade-plugin-java,
                      libnetty-java (>= 1:3.2.5),
                      libslf4j-java
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
+Vcs-Git: git://anonscm.debian.org/pkg-java/async-http-client.git
+Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/async-http-client.git
 Homepage: https://github.com/AsyncHttpClient/async-http-client
-Vcs-Git: git://git.debian.org/git/pkg-java/async-http-client.git
-Vcs-Browser: http://git.debian.org/?p=pkg-java/async-http-client.git
 
 Package: libasync-http-client-java
 Architecture: all
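Review bot: The new Vcs-Git value uses the git:// transport and the new Vcs-Browser value uses http://, neither of which authenticates the server or protects the data in transit. If anonscm.debian.org serves these repositories over https, use the https URLs in both fields.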
diff -Nru async-http-client-1.6.5/debian/maven.ignoreRules 
async-http-client-1.6.5/debian/maven.ignoreRules
--- async-http-client-1.6.5/debian/maven.ignoreRules    2014-02-13 
07:21:48.000000000 +0100
+++ async-http-client-1.6.5/debian/maven.ignoreRules    2014-12-17 
19:21:45.000000000 +0100
@@ -29,3 +29,4 @@
 org.eclipse.jetty jetty-servlet * * * *
 org.eclipse.jetty jetty-servlets * * * *
 org.testng testng * * * *
+org.codehaus.mojo clirr-maven-plugin * * * *
diff -Nru async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch 
async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch
--- async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch 
1970-01-01 01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch 
2014-12-17 17:22:29.000000000 +0100
@@ -0,0 +1,27 @@
+Description: Fix a compilation error with Java 8. This has been fixed upstream
+ in the version 1.9 by renaming the replace() method to replaceWith().
+Author: Emmanuel Bourg <[email protected]>
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/773372
+--- a/src/main/java/com/ning/http/client/FluentStringsMap.java
++++ b/src/main/java/com/ning/http/client/FluentStringsMap.java
+@@ -148,7 +148,7 @@
+      * @return This object
+      */
+     public FluentStringsMap replace(final String key, final String... values) 
{
+-        return replace(key, Arrays.asList(values));
++        return replace(key, (Collection<String>) Arrays.asList(values));
+     }
+ 
+     /**
+--- a/src/main/java/com/ning/http/client/FluentCaseInsensitiveStringsMap.java
++++ b/src/main/java/com/ning/http/client/FluentCaseInsensitiveStringsMap.java
+@@ -162,7 +162,7 @@
+      * @return This object
+      */
+     public FluentCaseInsensitiveStringsMap replace(final String key, final 
String... values) {
+-        return replace(key, Arrays.asList(values));
++        return replace(key, (Collection<String>) Arrays.asList(values));
+     }
+ 
+     /**
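Review bot: The (Collection<String>) cast added in both replace(String, String...) methods reads as redundant, since Arrays.asList(values) already yields a collection of strings, so a later cleanup could remove it and bring the Java 8 compilation error back. A one-line code comment saying the cast is there to pick the intended replace overload would prevent that. No import change is shown, so also check that java.util.Collection is imported in both FluentStringsMap.java and FluentCaseInsensitiveStringsMap.java.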
diff -Nru async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch 
async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch
--- async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch       
1970-01-01 01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch       
2014-12-17 19:09:54.000000000 +0100
@@ -0,0 +1,148 @@
+Description: Remove the code disabling the SSL certificate validation
+Author: Emmanuel Bourg <[email protected]>
+Forwarded: not-needed
+--- a/src/main/java/com/ning/http/util/SslUtils.java
++++ b/src/main/java/com/ning/http/util/SslUtils.java
+@@ -51,11 +51,7 @@
+     public static SSLContext getSSLContext()
+             throws GeneralSecurityException, IOException {
+         SSLConfig config = new SSLConfig();
+-        if (config.keyStoreLocation == null || config.trustStoreLocation == 
null) {
+-            return getLooseSSLContext();
+-        } else {
+-            return getStrictSSLContext(config);
+-        }
++        return getStrictSSLContext(config);
+     }
+ 
+     static SSLContext getStrictSSLContext(SSLConfig config)
+@@ -95,29 +91,6 @@
+         return context;
+     }
+ 
+-    static SSLContext getLooseSSLContext()
+-            throws GeneralSecurityException {
+-        SSLContext sslContext = SSLContext.getInstance("TLS");
+-        sslContext.init(null, new TrustManager[]{LooseTrustManager.INSTANCE}, 
new SecureRandom());
+-        return sslContext;
+-    }
+-
+-    static class LooseTrustManager
+-            implements X509TrustManager {
+-
+-        public static final LooseTrustManager INSTANCE = new 
LooseTrustManager();
+-
+-        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+-            return null;
+-        }
+-
+-        public void checkClientTrusted(java.security.cert.X509Certificate[] 
certs, String authType) {
+-        }
+-
+-        public void checkServerTrusted(java.security.cert.X509Certificate[] 
certs, String authType) {
+-        }
+-    }
+-
+     private final static class SSLConfig {
+ 
+         public String keyStoreLocation;
+--- 
a/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
++++ 
b/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
+@@ -130,24 +130,6 @@
+     private final MultiThreadedHttpConnectionManager connectionManager;
+     private final HttpClientParams params;
+ 
+-    static {
+-        final SocketFactory factory = new TrustingSSLSocketFactory();
+-        Protocol.registerProtocol("https", new Protocol("https", new 
ProtocolSocketFactory() {
+-            public Socket createSocket(String string, int i, InetAddress 
inetAddress, int i1) throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i, InetAddress 
inetAddress, int i1, HttpConnectionParams httpConnectionParams)
+-                    throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i) throws 
IOException {
+-                return factory.createSocket(string, i);
+-            }
+-        }, 443));
+-    }
+-
+     public ApacheAsyncHttpProvider(AsyncHttpClientConfig config) {
+         this.config = config;
+         connectionManager = new MultiThreadedHttpConnectionManager();
+@@ -732,72 +714,6 @@
+         }
+     }
+ 
+-    private static class TrustingSSLSocketFactory extends SSLSocketFactory {
+-        private SSLSocketFactory delegate;
+-
+-        private TrustingSSLSocketFactory() {
+-            try {
+-                SSLContext sslcontext = SSLContext.getInstance("SSL");
+-
+-                sslcontext.init(null, new TrustManager[]{new 
TrustEveryoneTrustManager()}, new SecureRandom());
+-                delegate = sslcontext.getSocketFactory();
+-            } catch (KeyManagementException e) {
+-                throw new IllegalStateException();
+-            } catch (NoSuchAlgorithmException e) {
+-                throw new IllegalStateException();
+-            }
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i) throws IOException, 
UnknownHostException {
+-            return delegate.createSocket(s, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i, InetAddress inetAddress, 
int i1) throws IOException, UnknownHostException {
+-            return delegate.createSocket(s, i, inetAddress, i1);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i) throws 
IOException {
+-            return delegate.createSocket(inetAddress, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i, 
InetAddress inetAddress1, int i1) throws IOException {
+-            return delegate.createSocket(inetAddress, i, inetAddress1, i1);
+-        }
+-
+-        @Override
+-        public String[] getDefaultCipherSuites() {
+-            return delegate.getDefaultCipherSuites();
+-        }
+-
+-        @Override
+-        public String[] getSupportedCipherSuites() {
+-            return delegate.getSupportedCipherSuites();
+-        }
+-
+-        @Override
+-        public Socket createSocket(Socket socket, String s, int i, boolean b) 
throws IOException {
+-            return delegate.createSocket(socket, s, i, b);
+-        }
+-    }
+-
+-    private static class TrustEveryoneTrustManager implements 
X509TrustManager {
+-        public void checkClientTrusted(X509Certificate[] x509Certificates, 
String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public void checkServerTrusted(X509Certificate[] x509Certificates, 
String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public X509Certificate[] getAcceptedIssuers() {
+-            return new X509Certificate[0];
+-        }
+-    }
+-
+     private final class ReaperFuture implements Future, Runnable {
+         private Future scheduledFuture;
+         private ApacheResponseFuture<?> apacheResponseFuture;
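Review bot: In the SslUtils.java part, getSSLContext() now calls getStrictSSLContext(config) unconditionally, including the case the removed check used to divert (config.keyStoreLocation or config.trustStoreLocation being null). The body of getStrictSSLContext is not part of this diff, so please confirm it handles null locations by falling back to the JVM default key and trust stores; if it opens those paths directly, clients without explicit store settings will fail on every HTTPS request instead of gaining verification. The patch header would also benefit from a Bug-Debian line for #773364, as 01-java8-compatibility.patch has for its bug. Finally, removing LooseTrustManager, TrustingSSLSocketFactory and TrustEveryoneTrustManager may leave unused imports (SecureRandom, TrustManager, X509TrustManager and others) that no hunk here cleans up.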
diff -Nru async-http-client-1.6.5/debian/patches/series 
async-http-client-1.6.5/debian/patches/series
--- async-http-client-1.6.5/debian/patches/series       1970-01-01 
01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/series       2014-12-17 
18:13:01.000000000 +0100
@@ -0,0 +1,2 @@
+01-java8-compatibility.patch
+02-CVE-2013-7397.patch
diff -Nru async-http-client-1.6.5/debian/rules 
async-http-client-1.6.5/debian/rules
--- async-http-client-1.6.5/debian/rules        2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/rules        2014-12-17 17:28:37.000000000 
+0100
@@ -7,3 +7,6 @@
 
 get-orig-source:
        uscan --download-version $(DEB_UPSTREAM_VERSION) --force-download 
--rename
+
+clean::
+       rm -Rf META-INF/MANIFEST.MF
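Review bot: In the new clean:: rule, rm -Rf is applied to a single file path. rm -f META-INF/MANIFEST.MF is sufficient and avoids a recursive delete should that path ever turn out to be a directory.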
diff -Nru async-http-client-1.6.5/debian/watch 
async-http-client-1.6.5/debian/watch
--- async-http-client-1.6.5/debian/watch        2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/watch        2014-12-17 16:03:19.000000000 
+0100
@@ -1,3 +1,3 @@
 version=3
-http://githubredir.debian.net/github/sonatype/async-http-client/async-http-client-(.*).tar.gz
 \
- debian debian/orig-tar.sh
\ Kein Zeilenumbruch am Dateiende.
+https://github.com/AsyncHttpClient/async-http-client/tags 
.*/async-http-client-(.*).tar.gz \
+ debian debian/orig-tar.sh

--- End Message ---
--- Begin Message ---
Hi,

On Fri, Dec 26, 2014 at 12:54:55AM +0100, Moritz Muehlenhoff wrote:
> unblock async-http-client/1.6.5-3

Unblocked.

Cheers,

Ivo

--- End Message ---
