Author: apo-guest
Date: 2015-11-02 14:41:40 +0000 (Mon, 02 Nov 2015)
New Revision: 18884

Added:
   trunk/commons-httpclient/debian/patches/CVE-2015-5262.patch
Modified:
   trunk/commons-httpclient/debian/changelog
   trunk/commons-httpclient/debian/control
   trunk/commons-httpclient/debian/libcommons-httpclient-java-doc.docs
   trunk/commons-httpclient/debian/patches/series
Log:
Release 3.1-12. Fix CVE-2015-5262


Modified: trunk/commons-httpclient/debian/changelog
===================================================================
--- trunk/commons-httpclient/debian/changelog   2015-11-02 13:46:22 UTC (rev 
18883)
+++ trunk/commons-httpclient/debian/changelog   2015-11-02 14:41:40 UTC (rev 
18884)
@@ -1,14 +1,16 @@
-commons-httpclient (3.1-12) UNRELEASED; urgency=medium
+commons-httpclient (3.1-12) unstable; urgency=high
 
+  * Team upload.
+
   [ Kumar Appaiah ]
   * debian/control:
     + Remove Kumar Appaiah from uploaders
 
   [ Emmanuel Bourg ]
+  * Add myself to Uploaders.
   * Switch to debhelper level 9
   * debian/control:
     - Use canonical URLs for the Vcs-* fields
-    - Standards-Version updated to 3.9.5 (no changes)
     - Improved the package description
     - Removed Michael Koch from the uploaders (Closes: #654007)
   * debian/rules: Improved the clean target
@@ -17,8 +19,15 @@
   * Remove trailing spaces from package description of
     libcommons-httpclient-java-doc in debian/control. (Closes: #783931)
 
- -- Kumar Appaiah <[email protected]>  Sat, 29 Mar 2014 15:40:00 -0400
+  [ Markus Koschany ]
+  * wrap-and-sort -sa.
+  * Declare compliance with Debian Policy 3.9.6.
+  * Add CVE-2015-5262.patch.
+    Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore
+    http.socket.timeout during SSL Handshake. (Closes: #798650)
 
+ -- Markus Koschany <[email protected]>  Mon, 02 Nov 2015 15:32:33 +0100
+
 commons-httpclient (3.1-11) unstable; urgency=high
 
   * Team upload.

Modified: trunk/commons-httpclient/debian/control
===================================================================
--- trunk/commons-httpclient/debian/control     2015-11-02 13:46:22 UTC (rev 
18883)
+++ trunk/commons-httpclient/debian/control     2015-11-02 14:41:40 UTC (rev 
18884)
@@ -2,20 +2,34 @@
 Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers 
<[email protected]>
-Uploaders: Emmanuel Bourg <[email protected]>,
- Varun Hiremath <[email protected]>, Torsten Werner <[email protected]>,
+Uploaders:
+ Emmanuel Bourg <[email protected]>,
+ Varun Hiremath <[email protected]>,
+ Torsten Werner <[email protected]>,
  Damien Raude-Morvan <[email protected]>
-Build-Depends: debhelper (>= 9), cdbs
-Build-Depends-Indep: maven-repo-helper, ant, default-jdk, 
libcommons-codec-java, libcommons-logging-java, junit
-Standards-Version: 3.9.5
+Build-Depends:
+ cdbs,
+ debhelper (>= 9)
+Build-Depends-Indep:
+ ant,
+ default-jdk,
+ junit,
+ libcommons-codec-java,
+ libcommons-logging-java,
+ maven-repo-helper
+Standards-Version: 3.9.6
 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/commons-httpclient
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/commons-httpclient
+Vcs-Browser: 
https://anonscm.debian.org/viewvc/pkg-java/trunk/commons-httpclient
 Homepage: http://hc.apache.org/httpclient-3.x
 
 Package: libcommons-httpclient-java
 Architecture: all
-Suggests: libcommons-httpclient-java-doc
-Depends: libcommons-logging-java, libcommons-codec-java, ${misc:Depends}
+Suggests:
+ libcommons-httpclient-java-doc
+Depends:
+ libcommons-codec-java,
+ libcommons-logging-java,
+ ${misc:Depends}
 Description: Commons HTTPClient - Java library for creating HTTP clients
  The Jakarta Commons HTTPClient library provides an efficient,
  up-to-date, and feature-rich package implementing the client side of
@@ -24,12 +38,14 @@
 Package: libcommons-httpclient-java-doc
 Section: doc
 Architecture: all
-Depends: ${misc:Depends}
-Suggests: libcommons-httpclient-java
+Depends:
+ ${misc:Depends}
+Suggests:
+ libcommons-httpclient-java
 Description: Documentation for libcommons-httpclient-java
  The Jakarta Commons HTTPClient library provides an efficient,
  up-to-date, and feature-rich package implementing the client side of
  the most recent HTTP standards and recommendations.
  .
- This package contains the documentation for the Jakarta Commons 
+ This package contains the documentation for the Jakarta Commons
  HTTPClient library.

Modified: trunk/commons-httpclient/debian/libcommons-httpclient-java-doc.docs
===================================================================
--- trunk/commons-httpclient/debian/libcommons-httpclient-java-doc.docs 
2015-11-02 13:46:22 UTC (rev 18883)
+++ trunk/commons-httpclient/debian/libcommons-httpclient-java-doc.docs 
2015-11-02 14:41:40 UTC (rev 18884)
@@ -1,2 +1,2 @@
+README
 docs
-README

Added: trunk/commons-httpclient/debian/patches/CVE-2015-5262.patch
===================================================================
--- trunk/commons-httpclient/debian/patches/CVE-2015-5262.patch                 
        (rev 0)
+++ trunk/commons-httpclient/debian/patches/CVE-2015-5262.patch 2015-11-02 
14:41:40 UTC (rev 18884)
@@ -0,0 +1,38 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 2 Nov 2015 15:15:37 +0100
+Subject: CVE-2015-5262
+
+Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore 
http.socket.timeout during
+SSL Handshake
+See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892
+Thanks to Mikolaj Izdebski for the patch.
+
+Bug: https://bugs.debian.org/798650
+Forwarded: no
+---
+ .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements 
SecureProtocolSocketFactory {
+         }
+         int timeout = params.getConnectionTimeout();
+         if (timeout == 0) {
+-            Socket sslSocket =  createSocket(host, port, localAddress, 
localPort);
++            Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++                host, port, localAddress, localPort);
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements 
SecureProtocolSocketFactory {
+               sslSocket = ControllerThreadSocketFactory.createSocket(
+                     this, host, port, localAddress, localPort, timeout);
+             }
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         }
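Review bot: Both new `setSoTimeout` calls land before `verifyHostName`, which is where the handshake is driven, but only the two paths in this hunk are covered; the four-argument `createSocket` overload that the replaced line used to delegate to (not shown, presumably in the same class) would still hand back a socket with no SO_TIMEOUT if callers reach it directly, so it is worth checking in the full file whether it needs the same `sslSocket.setSoTimeout(params.getSoTimeout());`. Switching the `timeout == 0` branch to `SSLSocketFactory.getDefault().createSocket(...)` also bypasses whatever that overload did beyond creating the socket, so any hostname verification it performed now happens only through the `verifyHostName` call that follows. A `getSoTimeout()` of 0 still means an unbounded handshake, so the fix only takes effect when http.socket.timeout is actually configured, which the changelog entry could say. The enclosing method starts and ends outside the hunk. The DEP-3 header would be more complete with an `Origin:` field for the source already cited on the `See also` line, e.g. `Origin: other, https://bugzilla.redhat.com/show_bug.cgi?id=1259892`.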

Modified: trunk/commons-httpclient/debian/patches/series
===================================================================
--- trunk/commons-httpclient/debian/patches/series      2015-11-02 13:46:22 UTC 
(rev 18883)
+++ trunk/commons-httpclient/debian/patches/series      2015-11-02 14:41:40 UTC 
(rev 18884)
@@ -6,3 +6,4 @@
 05_osgi_metadata
 06_fix_CVE-2012-5783.patch
 CVE-2014-3577.patch
+CVE-2015-5262.patch

