Package: release.debian.org
Severity: normal
Tags: wheezy
User: [email protected]
Usertags: pu
Hi,

similar to https://bugs.debian.org/804157, the Debian Java Team would like to update commons-httpclient in Wheezy. The same information applies here too. Please find attached the debdiff against the version in Wheezy.

Regards,
Markus
diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog --- commons-httpclient-3.1/debian/changelog 2015-05-14 21:18:25.000000000 +0200 +++ commons-httpclient-3.1/debian/changelog 2015-11-05 15:55:53.000000000 +0100 @@ -1,3 +1,12 @@ +commons-httpclient (3.1-10.2+deb7u2) wheezy; urgency=high + + * Team upload. + * Add CVE-2015-5262.patch. + Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore + http.socket.timeout during SSL Handshake. (Closes: #798650) + + -- Markus Koschany <[email protected]> Thu, 05 Nov 2015 15:54:22 +0100 + commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high * Team upload. diff -Nru commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch --- commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 1970-01-01 01:00:00.000000000 +0100 +++ commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 2015-11-05 15:55:53.000000000 +0100 
@@ -0,0 +1,38 @@ +From: Markus Koschany <[email protected]> +Date: Mon, 2 Nov 2015 15:15:37 +0100 +Subject: CVE-2015-5262 + +Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during +SSL Handshake +See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892 +Thanks to Mikolaj Izdebski for the patch. + +Bug: https://bugs.debian.org/798650 +Forwarded: no +--- + .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +index e6ce513..b7550a2 100644 +--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + } + int timeout = params.getConnectionTimeout(); + if (timeout == 0) { +- Socket sslSocket = createSocket(host, port, localAddress, localPort); ++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket( ++ host, port, localAddress, localPort); ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } else { +@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + sslSocket = ControllerThreadSocketFactory.createSocket( + this, host, port, localAddress, localPort, timeout); + } ++ sslSocket.setSoTimeout(params.getSoTimeout()); + verifyHostName(host, (SSLSocket) sslSocket); + return sslSocket; + } diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series --- commons-httpclient-3.1/debian/patches/series 2015-05-14 21:18:25.000000000 +0200 +++ commons-httpclient-3.1/debian/patches/series 2015-11-05 15:55:53.000000000 +0100 
@@ -6,3 +6,4 @@ 05_osgi_metadata 06_fix_CVE-2012-5783.patch CVE-2014-3577.patch +CVE-2015-5262.patch
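Review bot: the DEP-3 header of the new debian/patches/CVE-2015-5262.patch says `Forwarded: no`, yet the description credits Mikolaj Izdebski and points at https://bugzilla.redhat.com/show_bug.cgi?id=1259892, so the fix did not originate in Debian and there is nothing left to forward. Suggest adding an `Origin:` line with that bugzilla URL and changing the field to `Forwarded: not-needed`, so the next maintainer can see at a glance where the change came from and that upstream contact is not pending.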
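Review bot: in the `@@ -152,7 +152,9 @@` hunk of SSLProtocolSocketFactory.java the ordering is the whole fix but is left undocumented: `sslSocket.setSoTimeout(params.getSoTimeout());` is now placed before `verifyHostName(host, (SSLSocket) sslSocket);`, and the class's own four-argument `createSocket` overload is swapped for a direct `SSLSocketFactory.getDefault().createSocket(...)` with no explanation of why the overload cannot stay. Since the patch description says the SSL handshake is the phase that ignored http.socket.timeout, a one-line comment above the new lines stating that the read timeout must be on the socket before any call that can start the handshake would stop a later cleanup from reinstating the overload and reopening the bug. The diffstat shows no import added, so please confirm that `javax.net.ssl.SSLSocketFactory` is already imported in this file.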
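Review bot: in the `@@ -163,6 +165,7 @@` hunk the new `sslSocket.setSoTimeout(params.getSoTimeout());` is placed after the `if (sslSocket == null)` fallback to `ControllerThreadSocketFactory.createSocket(this, ...)`, so it covers whichever of the two creation paths produced the socket, consistent with the first hunk. It would be worth saying in the changelog entry that http.socket.timeout still has to be configured by the application: the value of `params.getSoTimeout()` is handed straight to `Socket.setSoTimeout`, where 0 means no timeout, so a deployment that never set the parameter gets the same unbounded handshake wait as before.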

