This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository commons-httpclient.

commit 8c2492d17d7b7df6cc00dd21939ff2e80b0e7b17
Author: Markus Koschany <[email protected]>
Date:   Thu Apr 16 10:00:06 2015 +0000

    Add CVE-2014-3577.patch
---
 debian/patches/CVE-2014-3577.patch | 110 +++++++++++++++++++++++++++++++++++++
 1 file changed, 110 insertions(+)

diff --git a/debian/patches/CVE-2014-3577.patch 
b/debian/patches/CVE-2014-3577.patch
new file mode 100644
index 0000000..0e44c07
--- /dev/null
+++ b/debian/patches/CVE-2014-3577.patch
@@ -0,0 +1,110 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 23 Mar 2015 22:45:14 +0100
+Subject: CVE-2014-3577
+
+It was found that the fix for CVE-2012-6153 was incomplete: the code added to
+check that the server hostname matches the domain name in a subject's Common
+Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
+could use this flaw to spoof an SSL server using a specially crafted X.509
+certificate.
+The fix for CVE-2012-6153 was intended to address the incomplete patch for
+CVE-2012-5783. This means the issue is now completely resolved by applying
+this patch and the 06_fix_CVE-2012-5783.patch.
+
+References:
+
+upstream announcement:
+https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577
+
+Fedora-Fix:
+http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch
+
+CentOS-Fix:
+https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch
+
+Debian-Bug: https://bugs.debian.org/758086
+Forwarded: not-needed, already fixed
+---
+ .../protocol/SSLProtocolSocketFactory.java         | 57 ++++++++++++++--------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- 
a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ 
b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+ 
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements 
SecureProtocolSocketFactory {
+               return dots;
+       }
+ 
+-      private static String getCN(X509Certificate cert) {
+-        // Note:  toString() seems to do a better job than getName()
+-        //
+-        // For example, getName() gives me this:
+-        // 
1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-        //
+-        // whereas toString() gives me this:
+-        // [email protected]        
+-              String subjectPrincipal = 
cert.getSubjectX500Principal().toString();
+-              
+-              return getCN(subjectPrincipal);
+-
++      private static String getCN(final X509Certificate cert) {
++              final String subjectPrincipal = 
cert.getSubjectX500Principal().toString();
++              try {
++                      return extractCN(subjectPrincipal);
++              } catch (SSLException ex) {
++                      return null;
++              }
+       }
+-      private static String getCN(String subjectPrincipal) {
+-              StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+-              while(st.hasMoreTokens()) {
+-                      String tok = st.nextToken().trim();
+-                      if (tok.length() > 3) {
+-                              if (tok.substring(0, 
3).equalsIgnoreCase("CN=")) {
+-                                      return tok.substring(3);
++
++      private static String extractCN(final String subjectPrincipal) throws 
SSLException {
++              if (subjectPrincipal == null) {
++                      return null;
++              }
++              try {
++                      final LdapName subjectDN = new 
LdapName(subjectPrincipal);
++                      final List<Rdn> rdns = subjectDN.getRdns();
++                      for (int i = rdns.size() - 1; i >= 0; i--) {
++                              final Rdn rds = rdns.get(i);
++                              final Attributes attributes = 
rds.toAttributes();
++                              final Attribute cn = attributes.get("cn");
++                              if (cn != null) {
++                                      try {
++                                              final Object value = cn.get();
++                                              if (value != null) {
++                                                      return value.toString();
++                                              }
++                                      } catch (NoSuchElementException ignore) 
{
++                                      } catch (NamingException ignore) {
++                                      }
+                               }
+                       }
++              } catch (InvalidNameException e) {
++                      throw new SSLException(subjectPrincipal + " is not a 
valid X500 distinguished name");
+               }
+               return null;
+       }
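Review bot: The SSLException raised after the InvalidNameException catch near the end of extractCN drops its cause; `throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name", e);` keeps it, and since getCN maps that exception to a null CN, the caller of getCN (outside this hunk) must treat a null CN as "no match" rather than "skip the check" — a comment on getCN such as `// Unparseable subject DN: report no CN so the hostname check fails closed` would make that contract explicit. The two empty catches around `cn.get()` are deliberately ignored but unexplained; a one-liner like `// RDN carries a cn attribute with no value; keep scanning the remaining RDNs` would help. Note also that `cn.get()` returns only one value of a multi-valued RDN attribute (`CN=a+CN=b`), so a second CN inside the same RDN is never compared; whether that matters depends on the caller's policy, which this hunk does not show. The loop walks RDNs from the last index down, which for an LdapName built from the principal string means the most specific component first — a short comment stating that ordering assumption would spare the next reader a trip to the javadoc.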
