This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository commons-httpclient.
commit 724f010e4e1fc950b3608bdccafa8500b2be6e2a
Author: Markus Koschany <[email protected]>
Date: Mon Nov 2 14:41:40 2015 +0000

Release 3.1-12. Fix CVE-2015-5262
---
 debian/changelog | 15 +++++++++---
 debian/control | 38 +++++++++++++++++++++---------
 debian/libcommons-httpclient-java-doc.docs | 2 +-
 debian/patches/CVE-2015-5262.patch | 38 ++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 5 files changed, 79 insertions(+), 15 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 5a72d00..6ae69de 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,16 @@
-commons-httpclient (3.1-12) UNRELEASED; urgency=medium
+commons-httpclient (3.1-12) unstable; urgency=high
+
+ * Team upload.
 
 [ Kumar Appaiah ]
 * debian/control:
 + Remove Kumar Appaiah from uploaders
 
 [ Emmanuel Bourg ]
+ * Add myself to Uploaders.
 * Switch to debhelper level 9
 * debian/control:
 - Use canonical URLs for the Vcs-* fields
- - Standards-Version updated to 3.9.5 (no changes)
 - Improved the package description
 - Removed Michael Koch from the uploaders (Closes: #654007)
 * debian/rules: Improved the clean target
@@ -17,7 +19,14 @@ commons-httpclient (3.1-12) UNRELEASED; urgency=medium
 * Remove trailing spaces from package description of libcommons-httpclient-java-doc in debian/control. (Closes: #783931)
 
- -- Kumar Appaiah <[email protected]> Sat, 29 Mar 2014 15:40:00 -0400
+ [ Markus Koschany ]
+ * wrap-and-sort -sa.
+ * Declare compliance with Debian Policy 3.9.6.
+ * Add CVE-2015-5262.patch.
+ Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore
+ http.socket.timeout during SSL Handshake. (Closes: #798650)
+
+ -- Markus Koschany <[email protected]> Mon, 02 Nov 2015 15:32:33 +0100
 
 commons-httpclient (3.1-11) unstable; urgency=high
 
diff --git a/debian/control b/debian/control
index b263d08..07231dd 100644
--- a/debian/control
+++ b/debian/control
@@ -2,20 +2,34 @@ Source: commons-httpclient
 Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <[email protected]>
-Uploaders: Emmanuel Bourg <[email protected]>,
- Varun Hiremath <[email protected]>, Torsten Werner <[email protected]>,
+Uploaders:
+ Emmanuel Bourg <[email protected]>,
+ Varun Hiremath <[email protected]>,
+ Torsten Werner <[email protected]>,
 Damien Raude-Morvan <[email protected]>
-Build-Depends: debhelper (>= 9), cdbs
-Build-Depends-Indep: maven-repo-helper, ant, default-jdk, libcommons-codec-java, libcommons-logging-java, junit
-Standards-Version: 3.9.5
+Build-Depends:
+ cdbs,
+ debhelper (>= 9)
+Build-Depends-Indep:
+ ant,
+ default-jdk,
+ junit,
+ libcommons-codec-java,
+ libcommons-logging-java,
+ maven-repo-helper
+Standards-Version: 3.9.6
 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/commons-httpclient
-Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/commons-httpclient
+Vcs-Browser: https://anonscm.debian.org/viewvc/pkg-java/trunk/commons-httpclient
 Homepage: http://hc.apache.org/httpclient-3.x
 
 Package: libcommons-httpclient-java
 Architecture: all
-Suggests: libcommons-httpclient-java-doc
-Depends: libcommons-logging-java, libcommons-codec-java, ${misc:Depends}
+Suggests:
+ libcommons-httpclient-java-doc
+Depends:
+ libcommons-codec-java,
+ libcommons-logging-java,
+ ${misc:Depends}
 Description: Commons HTTPClient - Java library for creating HTTP clients
 The Jakarta Commons HTTPClient library provides an efficient, up-to-date, and feature-rich package implementing the client side of
@@ -24,12 +38,14 @@ Description: Commons HTTPClient - Java library for creating HTTP clients
 Package: libcommons-httpclient-java-doc
 Section: doc
 Architecture: all
-Depends: ${misc:Depends}
-Suggests: libcommons-httpclient-java
+Depends:
+ ${misc:Depends}
+Suggests:
+ libcommons-httpclient-java
 Description: Documentation for libcommons-httpclient-java
 The Jakarta Commons HTTPClient library provides an efficient, up-to-date, and feature-rich package implementing the client side of the most recent HTTP standards and recommendations.
 .
- This package contains the documentation for the Jakarta Commons
+ This package contains the documentation for the Jakarta Commons
 HTTPClient library.
diff --git a/debian/libcommons-httpclient-java-doc.docs b/debian/libcommons-httpclient-java-doc.docs
index 657b577..d60fe81 100644
--- a/debian/libcommons-httpclient-java-doc.docs
+++ b/debian/libcommons-httpclient-java-doc.docs
@@ -1,2 +1,2 @@
-docs
 README
+docs
diff --git a/debian/patches/CVE-2015-5262.patch b/debian/patches/CVE-2015-5262.patch
new file mode 100644
index 0000000..a807546
--- /dev/null
+++ b/debian/patches/CVE-2015-5262.patch
@@ -0,0 +1,38 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 2 Nov 2015 15:15:37 +0100
+Subject: CVE-2015-5262
+
+Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during
+SSL Handshake
+See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892
+Thanks to Mikolaj Izdebski for the patch.
+
+Bug: https://bugs.debian.org/798650
+Forwarded: no
+---
+ .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ }
+ int timeout = params.getConnectionTimeout();
+ if (timeout == 0) {
+- Socket sslSocket = createSocket(host, port, localAddress, localPort);
++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++ host, port, localAddress, localPort);
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ sslSocket = ControllerThreadSocketFactory.createSocket(
+ this, host, port, localAddress, localPort, timeout);
+ }
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 959af1a..82e5c72 100644
--- a/debian/patches/series
+++ b/debian/patches/series
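Review bot: In the `timeout == 0` branch the new code calls `SSLSocketFactory.getDefault().createSocket(...)` directly instead of this factory's own four-argument `createSocket`, and nothing in the patch header says why; presumably that overload already runs `verifyHostName` (and with it the TLS handshake) before a read timeout could be installed, but the substitution also means a subclass overriding that overload is no longer honoured on this path. If that is the reason, a comment above the new call such as `// Do not delegate to createSocket(host, port, localAddress, localPort): it verifies the host name, completing the handshake before SO_TIMEOUT is set` would keep the next maintainer from folding it back. Calling `setSoTimeout(params.getSoTimeout())` before `verifyHostName` in both branches is the right order, but a value of 0 still means no timeout, so connections whose `http.socket.timeout` was never set remain unbounded during the handshake — that is the parameter's documented meaning, and worth stating in the patch header so the fix is not read as unconditional. Other `createSocket` overloads in this class (outside this hunk) that also call `verifyHostName` would have no `params` to read and so would still handshake without a read timeout; worth checking. The enclosing five-argument `createSocket` begins before and continues after both quoted hunks, and neither a `verifyHostName` failure nor a `setSoTimeout` exception closes `sslSocket`, a pre-existing leak that these new lines are the natural place to fix with a try/catch that closes the socket and rethrows.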
@@ -6,3 +6,4 @@
 05_osgi_metadata
 06_fix_CVE-2012-5783.patch
 CVE-2014-3577.patch
+CVE-2015-5262.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/commons-httpclient.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

