Hello community, here is the log from the commit of package apache-commons-httpclient for openSUSE:Factory checked in at 2020-11-06 23:43:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache-commons-httpclient (Old) and /work/SRC/openSUSE:Factory/.apache-commons-httpclient.new.11331 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache-commons-httpclient"

Fri Nov 6 23:43:49 2020 rev:11 rq:845452 version:3.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache-commons-httpclient/apache-commons-httpclient.changes	2019-04-04 14:11:28.569270493 +0200
+++ /work/SRC/openSUSE:Factory/.apache-commons-httpclient.new.11331/apache-commons-httpclient.changes	2020-11-06 23:44:05.851379178 +0100
@@ -1,0 +2,22 @@
+Tue Oct 27 10:39:27 UTC 2020 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix [bsc#945190, CVE-2015-5262]
+  * http/conn/ssl/SSLConnectionSocketFactory.java ignores the
+    http.socket.timeout configuration setting during an SSL handshake,
+    which allows remote attackers to cause a denial of service (HTTPS
+    call hang) via unspecified vectors.
+- Add apache-commons-httpclient-CVE-2015-5262.patch
+
+-------------------------------------------------------------------
+Tue Oct 27 10:38:45 UTC 2020 - Pedro Monreal <pmonr...@suse.com>
+
+- Security fix [bsc#1178171, CVE-2014-3577]
+  * org.apache.http.conn.ssl.AbstractVerifier does not properly
+    verify that the server hostname matches a domain name in the
+    subject's Common Name (CN) or subjectAltName field of the X.509
+    certificate, which allows MITM attackers to spoof SSL servers
+    via a "CN=" string in a field in the distinguished name (DN)
+    of a certificate.
+- Add apache-commons-httpclient-CVE-2014-3577.patch
+
+-------------------------------------------------------------------

New:
----
  apache-commons-httpclient-CVE-2014-3577.patch
  apache-commons-httpclient-CVE-2015-5262.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache-commons-httpclient.spec ++++++
--- /var/tmp/diff_new_pack.kipWmL/_old	2020-11-06 23:44:06.535377863 +0100
+++ /var/tmp/diff_new_pack.kipWmL/_new	2020-11-06 23:44:06.535377863 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package apache-commons-httpclient
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,6 +33,10 @@
 #PATCH-FIX-UPSTREAM: bnc#803332
 #https://issues.apache.org/jira/secure/attachment/12560251/CVE-2012-5783-2.patch
 Patch3: %{short_name}-CVE-2012-5783-2.patch
+#PATCH-FIX-UPSTREAM bsc#1178171 CVE-2014-3577 MITM security vulnerability
+Patch4: apache-commons-httpclient-CVE-2014-3577.patch
+#PATCH-FIX-UPSTREAM bsc#945190 CVE-2015-5262 Missing HTTPS connection timeout
+Patch5: apache-commons-httpclient-CVE-2015-5262.patch
 BuildRequires: ant
 BuildRequires: ant-junit
 BuildRequires: commons-codec
@@ -108,6 +112,8 @@
 %patch2
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 # Use javax classes, not com.sun ones
 # assume no filename contains spaces

++++++ apache-commons-httpclient-CVE-2014-3577.patch ++++++
>From 1bef0d6f6e8f2f68e996737d7be598613e2060b2 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <decatho...@gmail.com>
Date: Sat, 18 Jul 2020 19:48:08 +0200
Subject: [PATCH 4/6] CVE-2014-3577

---
 .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++-------
 1 file changed, 37 insertions(+), 20 deletions(-)

diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
index fa0acc7..e6ce513 100644
--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
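Review bot: The Patch5 comment `#PATCH-FIX-UPSTREAM bsc#945190 CVE-2015-5262 Missing HTTPS connection timeout` names the wrong timeout: the patch applies `params.getSoTimeout()` (the socket read timeout, i.e. http.socket.timeout) to the SSL socket before the handshake, while the connection timeout is already consulted by the surrounding code; suggested wording `#PATCH-FIX-UPSTREAM bsc#945190 CVE-2015-5262 Apply socket timeout to the SSL handshake`. Both new patches carry Fabio Valentini as author and target the unmaintained commons-httpclient 3.x line, so they look like downstream backports rather than upstream commits; if so, the openSUSE tag convention would be PATCH-FIX-OPENSUSE, which is worth confirming before the tag is kept. The .changes entries also quote the HttpClient 4.x class names (SSLConnectionSocketFactory, AbstractVerifier) although the patches modify SSLProtocolSocketFactory; a one-line note that the 4.x advisories were backported to the 3.1 equivalent would avoid confusing a later reader.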
@@ -44,9 +44,15 @@
 import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
-import java.util.StringTokenizer;
+import java.util.NoSuchElementException;
 import java.util.regex.Pattern;
+import javax.naming.InvalidNameException;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
         return dots;
     }
-    private static String getCN(X509Certificate cert) {
-        // Note:  toString() seems to do a better job than getName()
-        //
-        // For example, getName() gives me this:
-        // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
-        //
-        // whereas toString() gives me this:
-        // EMAILADDRESS=juliusdav...@cucbc.com
-        String subjectPrincipal = cert.getSubjectX500Principal().toString();
-
-        return getCN(subjectPrincipal);
-
+    private static String getCN(final X509Certificate cert) {
+        final String subjectPrincipal = cert.getSubjectX500Principal().toString();
+        try {
+            return extractCN(subjectPrincipal);
+        } catch (SSLException ex) {
+            return null;
+        }
     }
 
-    private static String getCN(String subjectPrincipal) {
-        StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
-        while(st.hasMoreTokens()) {
-            String tok = st.nextToken().trim();
-            if (tok.length() > 3) {
-                if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
-                    return tok.substring(3);
+
+    private static String extractCN(final String subjectPrincipal) throws SSLException {
+        if (subjectPrincipal == null) {
+            return null;
+        }
+        try {
+            final LdapName subjectDN = new LdapName(subjectPrincipal);
+            final List<Rdn> rdns = subjectDN.getRdns();
+            for (int i = rdns.size() - 1; i >= 0; i--) {
+                final Rdn rds = rdns.get(i);
+                final Attributes attributes = rds.toAttributes();
+                final Attribute cn = attributes.get("cn");
+                if (cn != null) {
+                    try {
+                        final Object value = cn.get();
+                        if (value != null) {
+                            return value.toString();
+                        }
+                    } catch (NoSuchElementException ignore) {
+                    } catch (NamingException ignore) {
+                    }
                 }
             }
+        } catch (InvalidNameException e) {
+            throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
         }
         return null;
     }
-- 
2.26.2

++++++ apache-commons-httpclient-CVE-2015-5262.patch ++++++
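Review bot: The `catch (InvalidNameException e)` branch at the end of extractCN throws `new SSLException(subjectPrincipal + " is not a valid X500 distinguished name")` without the cause, so the parser's reason for rejecting the DN is lost from the stack trace; use the two-argument constructor, `throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name", e);`. getCN then maps that SSLException to a null return, which makes a malformed subject DN indistinguishable from a certificate with no CN; that is only safe if the caller, verifyHostName (outside this hunk), treats a null CN as a verification failure, which is worth confirming, and logging the swallowed exception at debug level there, if the class has a logger, would keep such failures diagnosable. A comment on the backwards loop, `// Walk RDNs from the leftmost (most specific) one; LdapName honours RDN quoting, so a "CN=" inside another attribute's value is not mistaken for the subject CN`, would record why the tokenizer was replaced and why the iteration order matters.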
>From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <decatho...@gmail.com>
Date: Sat, 18 Jul 2020 19:48:18 +0200
Subject: [PATCH 5/6] CVE-2015-5262

---
 .../httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
index e6ce513..b7550a2 100644
--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
         }
         int timeout = params.getConnectionTimeout();
         if (timeout == 0) {
-            Socket sslSocket = createSocket(host, port, localAddress, localPort);
+            Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
+                host, port, localAddress, localPort);
+            sslSocket.setSoTimeout(params.getSoTimeout());
             verifyHostName(host, (SSLSocket) sslSocket);
             return sslSocket;
         } else {
@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
             sslSocket = ControllerThreadSocketFactory.createSocket(
                 this, host, port, localAddress, localPort, timeout);
         }
+        sslSocket.setSoTimeout(params.getSoTimeout());
         verifyHostName(host, (SSLSocket) sslSocket);
         return sslSocket;
     }
-- 
2.26.2
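Review bot: The added `sslSocket.setSoTimeout(params.getSoTimeout());` in both hunks only bounds the handshake when http.socket.timeout has been configured: `Socket.setSoTimeout(0)` means no timeout, and 0 is what HttpConnectionParams.getSoTimeout() returns when the parameter is unset, so with default parameters the handshake that verifyHostName presumably triggers through getSession() can still hang; a comment such as `// Must precede verifyHostName(): it drives the handshake, and SO_TIMEOUT 0 (the default) leaves it unbounded` on the first added call would record the ordering constraint for the next maintainer. Replacing the `createSocket(host, port, localAddress, localPort)` call in the first hunk with a direct `SSLSocketFactory.getDefault().createSocket(...)` looks intended to keep any handshake from starting before the timeout is set, but it also means a subclass override of the four-argument createSocket is no longer used on this path; that side effect belongs in the patch description. The enclosing createSocket(..., HttpConnectionParams) method starts before the first hunk.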