Your message dated Sat, 05 Sep 2015 14:33:54 +0100
with message-id <[email protected]>
and subject line Closing bugs for 7.9
has caused the Debian Bug report #782663,
regarding wheezy-pu: package commons-httpclient/3.1-10.2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
782663: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782663
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hello release team,
the Debian Java team would like to fix commons-httpclient in wheezy,
which is currently affected by CVE-2014-3577. The vulnerability is
marked "no-dsa" by the security team. [1] I am attaching the
debdiff against the version in wheezy. The fix is identical to the one
for Jessie / Sid.
Regards,
Markus
[1] https://security-tracker.debian.org/tracker/CVE-2014-3577
diff -Nru commons-httpclient-3.1/debian/ant.properties commons-httpclient-3.1/debian/ant.properties
--- commons-httpclient-3.1/debian/ant.properties 2011-08-30 11:42:03.000000000 +0200
+++ commons-httpclient-3.1/debian/ant.properties 2015-04-15 21:48:49.000000000 +0200
@@ -1,5 +1,5 @@
# JSSE stub classes required for build
lib.dir=/usr/share/java
#jsse.jar=/usr/share/java/jsse.jar
-ant.build.javac.source=1.4
-ant.build.javac.target=1.4
+ant.build.javac.source=1.5
+ant.build.javac.target=1.5
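Review bot: the source/target bump to 1.5 is required by the new patch (it uses generics in `List<Rdn>` and the javax.naming.ldap classes, both Java 5 additions), but it also raises the class-file version of the jar this package ships, so the changelog should say that the built commons-httpclient.jar now needs a Java 5 or later runtime. ant.properties alone does not guarantee a Java 5 compiler is used; confirm that the build-dependency in debian/control (not part of this debdiff) already provides one.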
diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog
--- commons-httpclient-3.1/debian/changelog 2012-12-06 14:41:48.000000000 +0100
+++ commons-httpclient-3.1/debian/changelog 2015-04-15 21:48:49.000000000 +0200
@@ -1,3 +1,20 @@
+commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high
+
+ * Team upload.
+ * Add CVE-2014-3577.patch. (Closes: #758086)
+ It was found that the fix for CVE-2012-6153 was incomplete: the code added
+ to check that the server hostname matches the domain name in a subject's
+ Common Name (CN) field in X.509 certificates was flawed. A
+ man-in-the-middle attacker could use this flaw to spoof an SSL server using
+ a specially crafted X.509 certificate. The fix for CVE-2012-6153 was
+ intended to address the incomplete patch for CVE-2012-5783. The issue is
+ now completely resolved by applying this patch and the
+ 06_fix_CVE-2012-5783.patch.
+ * Change java.source and java.target ant properties to 1.5, otherwise
+ commons-httpclient will not compile with this patch.
+
+ -- Markus Koschany <[email protected]> Wed, 15 Apr 2015 21:24:48 +0200
+
commons-httpclient (3.1-10.2) unstable; urgency=low
* Non-maintainer upload.
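Review bot: the justification for the ant property change ("otherwise commons-httpclient will not compile with this patch") should name the cause so the next uploader does not revert it: the new extractCN() uses generics (`List<Rdn>`) and javax.naming.ldap.LdapName/Rdn, none of which -source 1.4 accepts. The rest of the entry repeats the patch header almost verbatim, which is fine for a security upload, but the sentence "The issue is now completely resolved by applying this patch and the 06_fix_CVE-2012-5783.patch" is more useful in the patch header than in the changelog; the changelog only needs to state what this upload changes.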
diff -Nru commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch
--- commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch 1970-01-01 01:00:00.000000000 +0100
+++ commons-httpclient-3.1/debian/patches/CVE-2014-3577.patch 2015-04-15 21:48:49.000000000 +0200
@@ -0,0 +1,110 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 23 Mar 2015 22:45:14 +0100
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete: the code added to
+check that the server hostname matches the domain name in a subject's Common
+Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
+could use this flaw to spoof an SSL server using a specially crafted X.509
+certificate.
+The fix for CVE-2012-6153 was intended to address the incomplete patch for
+CVE-2012-5783. This means the issue is now completely resolved by applying
+this patch and the 06_fix_CVE-2012-5783.patch.
+
+References:
+
+upstream announcement:
+https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
+
+Fedora-Fix:
+http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch
+
+CentOS-Fix:
+https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
+
+Debian-Bug: https://bugs.debian.org/758086
+Forwarded: not-needed, already fixed
+---
+ .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++++--------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
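Review bot: the DEP-3 header lists the Fedora and CentOS patches only under free-form "References" and uses "Forwarded: not-needed, already fixed" to carry the provenance. Since the change is taken from those distribution patches, add a machine-readable `Origin: backport, <url of the Fedora patch>` line and keep Forwarded to one of the values DEP-3 defines (here `not-needed`). The Subject is just the CVE identifier; a one-line summary such as "Parse the subject DN into RDNs before extracting the CN" makes the patch self-describing in the series.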
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
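Review bot: this hunk pulls JNDI's javax.naming.ldap (LdapName, Rdn) and javax.naming.directory into the TLS hostname verifier. These classes ship with the JRE since Java 5, so no new build-dependency is needed, but together with the generics in the next hunk they are the reason ant.properties has to move to source/target 1.5. `java.util.StringTokenizer` is removed here while its only visible user, getCN(String), is removed in the second hunk; confirm nothing else in SSLProtocolSocketFactory.java still references StringTokenizer, otherwise the build breaks on an unused-import-turned-missing-import only after the full patch is applied.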
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ return dots;
+ }
+
+- private static String getCN(X509Certificate cert) {
+- // Note: toString() seems to do a better job than getName()
+- //
+- // For example, getName() gives me this:
+- // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+- //
+- // whereas toString() gives me this:
+- // [email protected]
+- String subjectPrincipal = cert.getSubjectX500Principal().toString();
+-
+- return getCN(subjectPrincipal);
+-
++ private static String getCN(final X509Certificate cert) {
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ try {
++ return extractCN(subjectPrincipal);
++ } catch (SSLException ex) {
++ return null;
++ }
+ }
+- private static String getCN(String subjectPrincipal) {
+- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+- while(st.hasMoreTokens()) {
+- String tok = st.nextToken().trim();
+- if (tok.length() > 3) {
+- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+- return tok.substring(3);
++
++ private static String extractCN(final String subjectPrincipal) throws SSLException {
++ if (subjectPrincipal == null) {
++ return null;
++ }
++ try {
++ final LdapName subjectDN = new LdapName(subjectPrincipal);
++ final List<Rdn> rdns = subjectDN.getRdns();
++ for (int i = rdns.size() - 1; i >= 0; i--) {
++ final Rdn rds = rdns.get(i);
++ final Attributes attributes = rds.toAttributes();
++ final Attribute cn = attributes.get("cn");
++ if (cn != null) {
++ try {
++ final Object value = cn.get();
++ if (value != null) {
++ return value.toString();
++ }
++ } catch (NoSuchElementException ignore) {
++ } catch (NamingException ignore) {
++ }
+ }
+ }
++ } catch (InvalidNameException e) {
++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
+ }
+ return null;
+ }
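Review bot: getCN(X509Certificate) catches the SSLException thrown by extractCN and returns null, so a subject that is not a valid distinguished name becomes indistinguishable from a subject that simply has no CN. The caller (verifyHostName) is not in this hunk; check that a null CN makes it reject the connection, or at most fall through to the subjectAltName check, and never dereference the value. Letting the SSLException propagate would also give the user the message this hunk already builds ("... is not a valid X500 distinguished name") instead of a generic mismatch. On the fix itself: walking `rdns` from `size() - 1` down to 0 visits the RDNs from the most specific (leftmost in the printed DN) to the least, which matches what the old first-token loop returned for well-formed names, and `Rdn.toAttributes().get("cn")` is a case-insensitive lookup, so a CN can no longer be faked by an attribute value that contains an escaped `, CN=` sequence, which the old StringTokenizer split on as if it were an RDN boundary. The two empty catch blocks for NoSuchElementException and NamingException silently skip a CN whose value cannot be read; a short comment on why skipping (rather than failing) is acceptable there would help the next reader.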
diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series
--- commons-httpclient-3.1/debian/patches/series 2012-12-05 17:34:20.000000000 +0100
+++ commons-httpclient-3.1/debian/patches/series 2015-04-15 21:48:49.000000000 +0200
@@ -5,3 +5,4 @@
04_fix_classpath.patch
05_osgi_metadata
06_fix_CVE-2012-5783.patch
+CVE-2014-3577.patch
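Review bot: the new patch is appended unnumbered as CVE-2014-3577.patch while the existing entries use a numbered prefix (04_fix_classpath.patch, 05_osgi_metadata, 06_fix_CVE-2012-5783.patch). Naming it 07_fix_CVE-2014-3577.patch keeps the convention and makes the ordering explicit; it must stay after 06_fix_CVE-2012-5783.patch, which it modifies and depends on, as both the changelog and the patch header state.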
--- End Message ---
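The two CN-extraction strategies in the debdiff above, side by side, as an added example that is not part of the bug report or of commons-httpclient. It is written in Python rather than Java so it runs without a build: extract_cn_naive mirrors the removed getCN(String) (split the printed subject on ',' and take the first 'CN=' token), and extract_cn_rdn mirrors the new extractCN (parse into RDNs first, then take the most specific CN). The subject strings are constructed for the demonstration and are assumptions, not material from any real certificate or from this report; the crafted one hides an escaped ", CN=" inside an O value.

```python
"""CN extraction from a printed X.500 subject: naive comma splitting vs. RDN-aware parsing.

Added example; not code from the bug report or from commons-httpclient.  The subject
strings below are constructed for the demonstration and come from no real certificate.
"""

# Characters that RFC 4514 allows to be escaped with a single backslash.
_ESCAPABLE = set(' #,+"\\<>;=')


def extract_cn_naive(subject):
    """Old behaviour (the removed getCN(String)): split on ',' and return the first
    token starting with 'CN=' (case-insensitive).  Escaping is ignored, so an
    escaped comma inside an attribute value is treated as an RDN boundary."""
    for tok in subject.split(","):
        tok = tok.strip()
        if len(tok) > 3 and tok[:3].upper() == "CN=":
            return tok[3:]
    return None


def _split_ava(text):
    """Split one 'type=value' pair.  Types are lower-cased so lookups are
    case-insensitive, like Rdn.toAttributes().get("cn") in the patch."""
    if "=" not in text:
        raise ValueError("not a type=value pair: %r" % text)
    attr_type, value = text.split("=", 1)
    return attr_type.strip().lower(), value.strip()


def parse_rdns(subject):
    """Minimal RFC 4514 parser.  Returns the RDNs in string order (leftmost first,
    i.e. most specific first); each RDN is a list of (type, value) pairs, so
    'CN=a+OU=b' is one RDN with two pairs.  Only single-character backslash
    escapes are supported; hex escapes and quoted values raise ValueError, which
    is the safe direction for a verifier (reject what you cannot parse)."""
    rdns, current, buf = [], [], []
    i, n = 0, len(subject)
    while i < n:
        c = subject[i]
        if c == "\\":
            if i + 1 >= n or subject[i + 1] not in _ESCAPABLE:
                raise ValueError("unsupported or dangling escape at offset %d" % i)
            buf.append(subject[i + 1])   # escaped char is part of the value
            i += 2
            continue
        if c == '"':
            raise ValueError("quoted values are not supported (offset %d)" % i)
        if c in ",;":                    # end of this RDN
            current.append(_split_ava("".join(buf)))
            rdns.append(current)
            current, buf = [], []
        elif c == "+":                   # another attribute in the same RDN
            current.append(_split_ava("".join(buf)))
            buf = []
        else:
            buf.append(c)
        i += 1
    current.append(_split_ava("".join(buf)))
    rdns.append(current)
    return rdns


def extract_cn_rdn(subject):
    """New behaviour (extractCN): parse first, then return the value of the most
    specific CN attribute, or None if the subject has no CN.  Malformed input
    raises ValueError, the counterpart of the SSLException in the Java code."""
    for rdn in parse_rdns(subject):
        for attr_type, value in rdn:
            if attr_type == "cn":
                return value
    return None


# Constructed subjects (assumptions for the demo, not from any real certificate).
BENIGN_SUBJECT = "CN=www.example.com,O=Example Inc,C=US"
# The O value contains an escaped ", CN=www.example.com"; the only real CN is
# attacker.test.  The naive splitter is fooled, the RDN parser is not.
CRAFTED_SUBJECT = "O=Example\\, CN=www.example.com,CN=attacker.test"


if __name__ == "__main__":
    for subj in (BENIGN_SUBJECT, CRAFTED_SUBJECT):
        print("subject:", subj)
        print("  naive:", extract_cn_naive(subj))
        print("  rdns :", extract_cn_rdn(subj))
```

For the benign subject both functions agree; for the crafted one the naive splitter reports www.example.com while the RDN parser reports attacker.test, which is the behaviour difference the patch introduces. The parser deliberately raises on anything it does not understand instead of guessing, matching the patch's choice to throw SSLException for an unparseable subject.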
--- Begin Message ---
Version: 7.9
Hi,
These bugs relate to updates which were included in the 7.9 point
release.
Regards,
Adam
--- End Message ---