Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-11 Thread Alberto Fernández
Hi.

Both patches attached at upstream JIRA and reopened HTTPCLIENT-1265.
Waiting for response.

Kind regards
 Alberto

__
This is the maintainer address of Debian's Java team
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. 
Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-09 Thread David Jorm
Thanks Alberto! Could I ask that to finalize this, you attach both 
revised patches to the upstream bugs (HTTPCLIENT-1265 and AXIS-2883) and 
ask upstream to commit them?


Thanks again
David

On 12/07/2012 04:02 AM, Alberto Fernández wrote:

Hi

I've uploaded new packages to mentors. I'll be out until Monday, so feel
free to review the patches and sponsor the new version if you are all
confident it's all ok.

I think now it's fine, but if you find some other bug or improvement,
I'll be happy to correct it.

I'll insist next week that upstream include the last fix.

On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:

Hi Alberto,

thanks for your continuous work on this.  As I said in my previous mail
please remember to reopen the according bugs to make sure the previous
solution will not migrate to testing.  I'll volunteer to sponsor your
new version if you confirm that this is needed to finally fix the issue.

Kind regards

Andreas.

On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:

Hi All,

I've prepared the patch with the problem pointed out by David fixed (thanks
David). It also fixes a bug related to wildcard certificates.

The first patch is backported from httpclient 4.0 and apache synapse.

This second patch backports some fixes from httpclient 4.2.

The patch differs a lot from the 4.x line for two reasons: first, the code
architecture changed; second, I want to maintain the 3.1 API unchanged,
so all methods are private and only apply to one class.

The patch for axis and commons-httpclient is the same. In the function
where they create an SSLSocket, I've put the same routine to validate the
hostname against the certificate's valid names.

I'll upload the new patches in their place.
Please review them and when ready I can upload a new package to mentors.

Thanks



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-06 Thread Alberto Fernández
Hi All,

I've prepared the patch with the problem pointed out by David fixed (thanks
David). It also fixes a bug related to wildcard certificates.

The first patch is backported from httpclient 4.0 and apache synapse. 

This second patch backports some fixes from httpclient 4.2.

The patch differs a lot from the 4.x line for two reasons: first, the code
architecture changed; second, I want to maintain the 3.1 API unchanged,
so all methods are private and only apply to one class.

The patch for axis and commons-httpclient is the same. In the function
where they create an SSLSocket, I've put the same routine to validate the
hostname against the certificate's valid names.

I'll upload the new patches in their place.
Please review them and when ready I can upload a new package to mentors.

Thanks



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-06 Thread Andreas Tille
Hi Alberto,

thanks for your continuous work on this.  As I said in my previous mail
please remember to reopen the according bugs to make sure the previous
solution will not migrate to testing.  I'll volunteer to sponsor your
new version if you confirm that this is needed to finally fix the issue.

Kind regards

   Andreas.

On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
 Hi All,
 
 I've prepared the patch with the problem pointed out by David fixed (thanks
 David). It also fixes a bug related to wildcard certificates.
 
 The first patch is backported from httpclient 4.0 and apache synapse. 
 
 This second patch backports some fixes from httpclient 4.2.
 
 The patch differs a lot from the 4.x line for two reasons: first, the code
 architecture changed; second, I want to maintain the 3.1 API unchanged,
 so all methods are private and only apply to one class.
 
 The patch for axis and commons-httpclient is the same. In the function
 where they create an SSLSocket, I've put the same routine to validate the
 hostname against the certificate's valid names.
 
 I'll upload the new patches in their place.
 Please review them and when ready I can upload a new package to mentors.
 
 Thanks

-- 
http://fam-tille.de



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-06 Thread Andreas Tille
Hi,

On Thu, Dec 06, 2012 at 07:02:54PM +0100, Alberto Fernández wrote:
 Hi
 
 I've uploaded new packages to mentors. I'll be out until Monday, so feel
 free to review the patches and sponsor the new version if you are all
 confident it's all ok.

I admit I'm no Java programmer and I do not feel competent to serve as a
reviewer for security relevant problems.  So again:  If the recently
uploaded packages

axis 1.4-16.1
commons-httpclient 3.1-10.1

remain a security risk we *definitely* need to reopen the bugs that were
closed with the upload.  This is needed for two reasons:

  1. Keep a record in BTS about the remaining problem
  2. Make sure release managers will accept only those packages that
     are closing RC bugs.

Can you please confirm whether the security risk remains or whether
there is just a bug that is not nice but no real security risk?

 I think now it's fine, but if you find some other bug or improvement,
 I'll be happy to correct it.
 
 I'll insist next week that upstream include the last fix.

It's a good thing to convince upstream, but for the moment, for the Debian
release, we need to decide which fix will make it into our release (the
one just uploaded or your newly prepared patch).

Thanks for your work on this

 Andreas.
 
 On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
  Hi Alberto,
  
  thanks for your continuous work on this.  As I said in my previous mail
  please remember to reopen the according bugs to make sure the previous
  solution will not migrate to testing.  I'll volunteer to sponsor your
  new version if you confirm that this is needed to finally fix the issue.
  
  Kind regards
  
 Andreas.
  
  On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
   Hi All,
   
   I've prepared the patch with the problem pointed out by David fixed (thanks
   David). It also fixes a bug related to wildcard certificates.
   
   The first patch is backported from httpclient 4.0 and apache synapse. 
   
   This second patch backports some fixes from httpclient 4.2.
   
   The patch differs a lot from the 4.x line for two reasons: first, the code
   architecture changed; second, I want to maintain the 3.1 API unchanged,
   so all methods are private and only apply to one class.
   
   The patch for axis and commons-httpclient is the same. In the function
   where they create an SSLSocket, I've put the same routine to validate the
   hostname against the certificate's valid names.
   
   I'll upload the new patches in their place.
   Please review them and when ready I can upload a new package to mentors.
   
   Thanks

-- 
http://fam-tille.de



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-05 Thread Andreas Tille
Hi Alberto,

On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
 I've uploaded the two packages to mentors.debian.net.
 
 We must solve the two bugs at the same time because axis uses
 commons-httpclient.

I guess you mean bug #692442, right?
 
 Upstream seems End-of-life and rejected the patches.

Did upstream actively *reject* the patch because of technical flaws, or
did they just ignore it because of the end-of-life status?  There is no
real need to have a patch accepted upstream if we as Debian maintainers
agree that the patch is technically solving the reported problem.  We
actually do *not* want new upstream versions.

So as far as I see we currently have the following situation:  A package
for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
volunteer to do this.  Did you upload commons-httpclient fixing
#692442 to mentors as well?  If not I could also apply the patch in BTS
and upload both to unstable.

Just tell me if there is any reason not to upload both of these packages.

Kind regards and thanks for providing the patches

Andreas.

-- 
http://fam-tille.de



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-05 Thread Alberto Fernández
Hi Andreas

I've uploaded both packages to mentors.

commons-httpclient - bug #692442 CVE-2012-5783
axis - bug #692650 CVE-2012-5784

Since axis uses commons-httpclient, we need to fix and upload both
packages.

Upstream has ignored the axis patch, and rejected the commons-httpclient patch.
Basically, they say commons-httpclient is EOL and they don't want to
spend time on it. They might apply the patch to SVN, but
without a revision and without releasing.

I've tested the patches and they work ok. So I think it's fine to
upload.

Kind regards

Alberto

El mié, 05-12-2012 a las 21:51 +0100, Andreas Tille escribió:
 Hi Alberto,
 
 On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
  I've uploaded the two packages to mentors.debian.net.
  
  We must solve the two bugs at the same time because axis uses
  commons-httpclient.
 
 I guess you mean bug #692442, right?
  
  Upstream seems End-of-life and rejected the patches.
 
 Did upstream actively *reject* the patch because of technical flaws, or
 did they just ignore it because of the end-of-life status?  There is no
 real need to have a patch accepted upstream if we as Debian maintainers
 agree that the patch is technically solving the reported problem.  We
 actually do *not* want new upstream versions.
 
 So as far as I see we currently have the following situation:  A package
 for axis that solves #692650 is waiting on mentors for sponsoring.  I'd
 volunteer to do this.  Did you upload commons-httpclient fixing
 #692442 to mentors as well?  If not I could also apply the patch in BTS
 and upload both to unstable.
 
 Just tell me if there is any reason not to upload both of these packages.
 
 Kind regards and thanks for providing the patches
 
 Andreas.
 



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-05 Thread Michael Gilbert
 Hi Andreas

 I've uploaded both packages to mentors.

 commons-httpclient - bug #692442 CVE-2012-5783
 axis - bug #692650 CVE-2012-5784

 Since axis uses commons-httpclient, we need to fix and upload both
 packages.

 Upstream has ignored the axis patch, and rejected the commons-httpclient patch.
 Basically, they say commons-httpclient is EOL and they don't want to
 spend time on it. They might apply the patch to SVN, but
 without a revision and without releasing.

According to redhat, there is already an upstream patch for
httpclient, and it differs from yours in some ways:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5783

Please coordinate with them on that fix.

 I've tested the patches and they work ok. So I think it's fine to
 upload.

Please coordinate the axis patch with redhat since they don't have a
solution in their bug tracker yet either.  They will review your work:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5784

Best wishes,
Mike



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-11-22 Thread Michael Gilbert
 I've backported the routine to validate the certificate name, and I've made
 a patch (attached).

 I'm not sure it's a good idea to apply the patch; it can break programs
 that connect with bad hostnames (IPs, hosts in /etc/hostname, etc.)

Would you mind getting your patches for these issues reviewed and
applied by the appropriate upstreams?

Thanks,
Mike
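The routine Alberto describes earlier in the thread (validate the hostname against the certificate's valid names, with wildcard handling) and the caveat quoted just above (such a check can break clients that connect by IP or with a name the certificate does not carry) both come down to one matching decision. The following is an added example in Python, not the Debian patch and not commons-httpclient or Axis code: `CertNames` and the sample certificates are constructed stand-ins for the identities a real X.509 leaf certificate carries, and the wildcard rules follow the RFC 6125 convention rather than any particular httpclient release. It goes slightly beyond the thread by modelling both the unpatched decision (any trusted chain accepted) and the patched one side by side.

```python
"""Hostname-vs-certificate-name check of the kind the thread describes.

Added example: not the Debian patch, commons-httpclient or Axis code. It
models the decision the backported routine makes after the SSLSocket
handshake: does the name the client dialled match one of the names the
server's certificate is valid for? CertNames and the sample certificates
below are constructed stand-ins for what a real leaf certificate carries.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Identities extracted from a leaf certificate (constructed stand-in)."""
    common_name: Optional[str]
    dns_sans: List[str] = field(default_factory=list)   # subjectAltName dNSName
    ip_sans: List[str] = field(default_factory=list)    # subjectAltName iPAddress


def _match_dns(pattern: str, host: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a hostname.

    Wildcard rules (RFC 6125 style): a single '*' must be the whole leftmost
    label, it matches exactly one label, and the pattern needs at least two
    more labels so that '*.com' cannot match every .com host.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if len(hlabels) != len(plabels):
        return False
    return hlabels[1:] == plabels[1:]


def hostname_matches(names: CertNames, host: str) -> bool:
    """Return True iff `host` is one of the identities in `names`.

    This is the check that was missing in the vulnerable client: without it,
    any certificate chaining to a trusted CA was accepted for any host.
    """
    host = host.rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress SAN; a CN or dNSName never
        # does. This is why such a patch breaks clients that dial by IP
        # against certificates that only name the host.
        return any(ipaddress.ip_address(s) == ip for s in names.ip_sans)
    if names.dns_sans:
        # When dNSName SANs are present the CN is ignored entirely.
        return any(_match_dns(p, host) for p in names.dns_sans)
    # Legacy fallback: no SANs, so the CN is the only name to compare.
    return names.common_name is not None and _match_dns(names.common_name, host)


def verify_after_handshake(names: CertNames, host: str, check_hostname: bool) -> bool:
    """Model the socket-factory decision: accept the connection or not.

    check_hostname=False reproduces the pre-patch behaviour (any valid chain
    is accepted for any host); check_hostname=True is the patched behaviour.
    """
    if not check_hostname:
        return True
    return hostname_matches(names, host)


# Constructed sample certificates for the demonstration (not real data).
SITE_CERT = CertNames("www.example.com", dns_sans=["www.example.com", "example.com"])
WILDCARD_CERT = CertNames("*.example.com", dns_sans=["*.example.com"])
LEGACY_CN_CERT = CertNames("legacy.example.net")          # no SAN at all
IP_CERT = CertNames("10.0.0.5", ip_sans=["10.0.0.5"])
OTHER_HOST_CERT = CertNames("other.example.org", dns_sans=["other.example.org"])


if __name__ == "__main__":
    for cert, host in [(SITE_CERT, "example.com"), (WILDCARD_CERT, "a.b.example.com"),
                       (LEGACY_CN_CERT, "10.0.0.5"), (OTHER_HOST_CERT, "www.example.com")]:
        print(f"{host:20s} unpatched={verify_after_handshake(cert, host, False)} "
              f"patched={verify_after_handshake(cert, host, True)}")
```

The `OTHER_HOST_CERT` row is the CVE in one line: a perfectly valid certificate for a different name passes the unpatched check and fails the patched one. The `LEGACY_CN_CERT` row with an IP literal shows the breakage the quoted warning anticipates, which is a reason to fix the certificates or the dialled names rather than to leave the check out.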



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-11-22 Thread Alberto Fernández
Hi Mike,

I don't understand what you expect from me.
I've uploaded the patches to the BTS, I don't know what the next step is.
I suppose a maintainer would pick it from there.

If there's something I can do let me know.

Thanks,
Alberto

On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
  I've backported the routine to validate the certificate name, and I've made
  a patch (attached).
 
  I'm not sure it's a good idea to apply the patch; it can break programs
  that connect with bad hostnames (IPs, hosts in /etc/hostname, etc.)
 
 Would you mind getting your patches for these issues reviewed and
 applied by the appropriate upstreams?
 
 Thanks,
 Mike



Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-11-22 Thread Alberto Fernández
On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
  I've backported the routine to validate the certificate name, and I've made
  a patch (attached).
 
  I'm not sure it's a good idea to apply the patch; it can break programs
  that connect with bad hostnames (IPs, hosts in /etc/hostname, etc.)
 
 Would you mind getting your patches for these issues reviewed and
 applied by the appropriate upstreams?
 
 Thanks,
 Mike

Hi Mike

I've read your tip again.  Sorry for not understanding in the first
time.

I'll prepare the patch again upstream, and post it on their BTS.
