Hello community,
here is the log from the commit of package apache-commons-httpclient for
openSUSE:Factory checked in at 2020-11-06 23:43:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache-commons-httpclient (Old)
and /work/SRC/openSUSE:Factory/.apache-commons-httpclient.new.11331 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache-commons-httpclient"
Fri Nov 6 23:43:49 2020 rev:11 rq:845452 version:3.1
Changes:
--------
---
/work/SRC/openSUSE:Factory/apache-commons-httpclient/apache-commons-httpclient.changes
2019-04-04 14:11:28.569270493 +0200
+++
/work/SRC/openSUSE:Factory/.apache-commons-httpclient.new.11331/apache-commons-httpclient.changes
2020-11-06 23:44:05.851379178 +0100
@@ -1,0 +2,22 @@
+Tue Oct 27 10:39:27 UTC 2020 - Pedro Monreal <[email protected]>
+
+- Security fix [bsc#945190, CVE-2015-5262]
+ * http/conn/ssl/SSLConnectionSocketFactory.java ignores the
+ http.socket.timeout configuration setting during an SSL handshake,
+ which allows remote attackers to cause a denial of service (HTTPS
+ call hang) via unspecified vectors.
+- Add apache-commons-httpclient-CVE-2015-5262.patch
+
+-------------------------------------------------------------------
+Tue Oct 27 10:38:45 UTC 2020 - Pedro Monreal <[email protected]>
+
+- Security fix [bsc#1178171, CVE-2014-3577]
+ * org.apache.http.conn.ssl.AbstractVerifier does not properly
+ verify that the server hostname matches a domain name in the
+ subject's Common Name (CN) or subjectAltName field of the X.509
+ certificate, which allows MITM attackers to spoof SSL servers
+ via a "CN=" string in a field in the distinguished name (DN)
+ of a certificate.
+- Add apache-commons-httpclient-CVE-2014-3577.patch
+
+-------------------------------------------------------------------
New:
----
apache-commons-httpclient-CVE-2014-3577.patch
apache-commons-httpclient-CVE-2015-5262.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache-commons-httpclient.spec ++++++
--- /var/tmp/diff_new_pack.kipWmL/_old 2020-11-06 23:44:06.535377863 +0100
+++ /var/tmp/diff_new_pack.kipWmL/_new 2020-11-06 23:44:06.535377863 +0100
@@ -1,7 +1,7 @@
#
# spec file for package apache-commons-httpclient
#
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -33,6 +33,10 @@
#PATCH-FIX-UPSTREAM: bnc#803332
#https://issues.apache.org/jira/secure/attachment/12560251/CVE-2012-5783-2.patch
Patch3: %{short_name}-CVE-2012-5783-2.patch
+#PATCH-FIX-UPSTREAM bsc#1178171 CVE-2014-3577 MITM security vulnerability
+Patch4: apache-commons-httpclient-CVE-2014-3577.patch
+#PATCH-FIX-UPSTREAM bsc#945190 CVE-2015-5262 Missing HTTPS connection timeout
+Patch5: apache-commons-httpclient-CVE-2015-5262.patch
BuildRequires: ant
BuildRequires: ant-junit
BuildRequires: commons-codec
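Review bot: The new `#PATCH-FIX-UPSTREAM` comments for Patch4 and Patch5 give the bug and CVE ids but, unlike the Patch3 comment directly above them, no pointer to where the patch comes from; both patch headers name an external author (Fabio Valentini, 2020-07-18) and are labelled parts 4 and 5 of a six-patch series, so record that origin, e.g. `#PATCH-FIX-UPSTREAM bsc#1178171 CVE-2014-3577 MITM security vulnerability (backport by Fabio Valentini, 2020-07-18, part 4/6 of <SERIES-URL placeholder>)`. That lets a later maintainer check whether the other parts of the series matter for this package and whether upstream ever carried the change. If the change was never merged upstream, `PATCH-FIX-OPENSUSE` rather than `PATCH-FIX-UPSTREAM` would be the conventional tag, which cannot be decided from this page.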
@@ -108,6 +112,8 @@
%patch2
%patch3 -p1
+%patch4 -p1
+%patch5 -p1
# Use javax classes, not com.sun ones
# assume no filename contains spaces
++++++ apache-commons-httpclient-CVE-2014-3577.patch ++++++
>From 1bef0d6f6e8f2f68e996737d7be598613e2060b2 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <[email protected]>
Date: Sat, 18 Jul 2020 19:48:08 +0200
Subject: [PATCH 4/6] CVE-2014-3577
---
.../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++-------
1 file changed, 37 insertions(+), 20 deletions(-)
diff --git
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
index fa0acc7..e6ce513 100644
---
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -44,9 +44,15 @@ import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
-import java.util.StringTokenizer;
+import java.util.NoSuchElementException;
import java.util.regex.Pattern;
+import javax.naming.InvalidNameException;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements
SecureProtocolSocketFactory {
return dots;
}
- private static String getCN(X509Certificate cert) {
- // Note: toString() seems to do a better job than getName()
- //
- // For example, getName() gives me this:
- //
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
- //
- // whereas toString() gives me this:
- // [email protected]
- String subjectPrincipal =
cert.getSubjectX500Principal().toString();
-
- return getCN(subjectPrincipal);
-
+ private static String getCN(final X509Certificate cert) {
+ final String subjectPrincipal =
cert.getSubjectX500Principal().toString();
+ try {
+ return extractCN(subjectPrincipal);
+ } catch (SSLException ex) {
+ return null;
+ }
}
- private static String getCN(String subjectPrincipal) {
- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
- while(st.hasMoreTokens()) {
- String tok = st.nextToken().trim();
- if (tok.length() > 3) {
- if (tok.substring(0,
3).equalsIgnoreCase("CN=")) {
- return tok.substring(3);
+
+ private static String extractCN(final String subjectPrincipal) throws
SSLException {
+ if (subjectPrincipal == null) {
+ return null;
+ }
+ try {
+ final LdapName subjectDN = new
LdapName(subjectPrincipal);
+ final List<Rdn> rdns = subjectDN.getRdns();
+ for (int i = rdns.size() - 1; i >= 0; i--) {
+ final Rdn rds = rdns.get(i);
+ final Attributes attributes =
rds.toAttributes();
+ final Attribute cn = attributes.get("cn");
+ if (cn != null) {
+ try {
+ final Object value = cn.get();
+ if (value != null) {
+ return value.toString();
+ }
+ } catch (NoSuchElementException ignore)
{
+ } catch (NamingException ignore) {
+ }
}
}
+ } catch (InvalidNameException e) {
+ throw new SSLException(subjectPrincipal + " is not a
valid X500 distinguished name");
}
return null;
}
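Review bot: The two empty catch blocks in extractCN (`catch (NoSuchElementException ignore) {}` and `catch (NamingException ignore) {}`) leave a reader guessing whether skipping an RDN is intentional; add `// an RDN whose cn value cannot be read is skipped and the next RDN is tried` in each. extractCN also deserves a Javadoc stating why it exists: it replaces the comma-tokenizing parser so that a "CN=" sequence embedded in another attribute's value (the CVE-2014-3577 vector) is no longer taken for the subject CN, that the DN is parsed with LdapName, and that RDNs are scanned from the last one towards the first. In getCN(X509Certificate) the `catch (SSLException ex) { return null; }` silently turns an unparseable subject DN into "no CN"; whether that is safe depends on the caller outside this hunk treating a null CN as a verification failure rather than a skip, which is worth confirming and recording with `// unparseable subject DN: report no CN so the caller rejects the certificate`. `attributes.get("cn")` presumably relies on Rdn.toAttributes() returning a case-insensitive Attributes, since the type may appear as "CN"; verify and note it.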
--
2.26.2
++++++ apache-commons-httpclient-CVE-2015-5262.patch ++++++
>From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <[email protected]>
Date: Sat, 18 Jul 2020 19:48:18 +0200
Subject: [PATCH 5/6] CVE-2015-5262
---
.../httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
index e6ce513..b7550a2 100644
---
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements
SecureProtocolSocketFactory {
}
int timeout = params.getConnectionTimeout();
if (timeout == 0) {
- Socket sslSocket = createSocket(host, port, localAddress,
localPort);
+ Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
+ host, port, localAddress, localPort);
+ sslSocket.setSoTimeout(params.getSoTimeout());
verifyHostName(host, (SSLSocket) sslSocket);
return sslSocket;
} else {
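Review bot: The new `sslSocket.setSoTimeout(params.getSoTimeout())` lines are placed ahead of `verifyHostName(host, (SSLSocket) sslSocket)`, which is the order that matters if verifyHostName forces the TLS handshake, but nothing says so; add `// apply the read timeout before verifyHostName() presumably triggers the handshake (CVE-2015-5262)` above each call, here and in the hunk at `@@ -163,6 +165,7 @@`. This hunk also switches from this class's own four-argument createSocket to `SSLSocketFactory.getDefault().createSocket(...)`; if the replaced overload did more than open the socket (for example its own hostname verification), that behaviour now happens only through the explicit verifyHostName call, which deserves a sentence in the commit message or a comment. The enclosing createSocket method starts and ends outside the hunk, so whether SSLSocketFactory is already imported cannot be seen here.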
@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements
SecureProtocolSocketFactory {
sslSocket = ControllerThreadSocketFactory.createSocket(
this, host, port, localAddress, localPort, timeout);
}
+ sslSocket.setSoTimeout(params.getSoTimeout());
verifyHostName(host, (SSLSocket) sslSocket);
return sslSocket;
}
--
2.26.2