Package: release.debian.org
Severity: normal
Tags: jessie
User: [email protected]
Usertags: pu
Dear release team,

the Debian Java Team would like to update commons-httpclient in Jessie to fix CVE-2015-5262. We don't think that this issue warrants a DSA from the security team, but nevertheless it is important enough that it should be fixed in an upcoming point release.

This is Debian bug: https://bugs.debian.org/798650

I am attaching the proposed debdiff against the current version in Jessie. I will also file another bug report for a wheezy-pu soon.

Regards,

Markus
diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog --- commons-httpclient-3.1/debian/changelog 2015-04-13 18:15:49.000000000 +0200 +++ commons-httpclient-3.1/debian/changelog 2015-11-05 15:37:42.000000000 +0100 @@ -1,3 +1,12 @@ +commons-httpclient (3.1-11+deb8u1) jessie; urgency=high + + * Team upload. + * Add CVE-2015-5262.patch. + Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore + http.socket.timeout during SSL Handshake. (Closes: #798650) + + -- Markus Koschany <[email protected]> Thu, 05 Nov 2015 15:31:50 +0100 + commons-httpclient (3.1-11) unstable; urgency=high * Team upload. diff -Nru commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch --- commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 1970-01-01 01:00:00.000000000 +0100 +++ commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 2015-11-05 15:37:42.000000000 +0100 
@@ -0,0 +1,38 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 2 Nov 2015 15:15:37 +0100 +Subject: CVE-2015-5262 + +Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during +SSL Handshake +See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892 +Thanks to Mikolaj Izdebski for the patch. + +Bug: https://bugs.debian.org/798650 +Forwarded: no +--- + .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +index e6ce513..b7550a2 100644 +--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + } + int timeout = params.getConnectionTimeout(); + if (timeout == 0) { +- Socket sslSocket = createSocket(host, port, localAddress, localPort); ++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket( ++ host, port, localAddress, localPort); ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } else { +@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + sslSocket = ControllerThreadSocketFactory.createSocket( + this, host, port, localAddress, localPort, timeout); + } ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series --- commons-httpclient-3.1/debian/patches/series 2015-04-13 18:15:49.000000000 +0200 +++ commons-httpclient-3.1/debian/patches/series 2015-11-05 15:37:42.000000000 +0100 
@@ -6,3 +6,4 @@ 05_osgi_metadata 06_fix_CVE-2012-5783.patch CVE-2014-3577.patch +CVE-2015-5262.patch
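Review bot: the DEP-3 header of CVE-2015-5262.patch says "Forwarded: no" although the description credits Mikolaj Izdebski and points at https://bugzilla.redhat.com/show_bug.cgi?id=1259892 as the source of the fix; add an "Origin:" line referencing that bug (or the Red Hat patch it came from) so the provenance is machine-readable and a later maintainer can tell this is a backport rather than a Debian-only change.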
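Review bot: in the first hunk of SSLProtocolSocketFactory.java (the timeout == 0 branch) the call to this class's own four-argument createSocket is replaced by SSLSocketFactory.getDefault().createSocket(...) and sslSocket.setSoTimeout(params.getSoTimeout()) is placed before verifyHostName(host, (SSLSocket) sslSocket); that ordering is the substance of the fix, because verifyHostName needs the server certificate and therefore drives the TLS handshake, and a read timeout applied only after it would not bound the handshake. Two things to confirm before upload: that javax.net.ssl.SSLSocketFactory is imported in this file (the import section is not in the diff), and that the local four-argument overload which is no longer called did nothing besides creating the socket and verifying the host name, since otherwise that behaviour is silently dropped here.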
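Review bot: in the second hunk (the else branch, where the socket comes from ControllerThreadSocketFactory.createSocket with a connection timeout) only the one line sslSocket.setSoTimeout(params.getSoTimeout()) is added before verifyHostName, which is correct and mirrors the first branch; note that a getSoTimeout() of 0 still means an unbounded read, so callers who never set http.socket.timeout gain nothing from this update, which is worth a sentence in the changelog entry. The same setSoTimeout line now appears in both branches immediately before an identical verifyHostName/return pair; for a stable point release the duplication is preferable to restructuring the method, so no change requested there.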

