Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi.

Both patches are attached to the upstream JIRA and HTTPCLIENT-1265 has been reopened. Waiting for a response.

Kind regards,
Alberto

--
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Thanks Alberto!

Could I ask that, to finalize this, you attach both revised patches to the upstream bugs (HTTPCLIENT-1265 and AXIS-2883) and ask upstream to commit them?

Thanks again,
David

On 12/07/2012 04:02 AM, Alberto Fernández wrote:
> Hi
>
> I've uploaded new packages to mentors. I'll be out until Monday, so feel free to review the patches and sponsor the new version if you are all confident it's all ok.
>
> I think now it's fine, but if you find some other bug or improvement, I'll be happy to correct it. I'll insist next week that upstream include the last fix.
>
> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
>> Hi Alberto,
>>
>> thanks for your continuous work on this. As I said in my previous mail, please remember to reopen the according bugs to make sure the previous solution will not migrate to testing. I'll volunteer to sponsor your new version if you confirm that this is needed to finally fix the issue.
>>
>> Kind regards
>> Andreas.
>>
>> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
>>> Hi All,
>>>
>>> I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.
>>>
>>> The first patch is backported from httpclient 4.0 and Apache Synapse. This second patch backports some fixes from httpclient 4.2. The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.
>>>
>>> The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.
>>>
>>> I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.
>>>
>>> Thanks
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi All,

I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.

The first patch is backported from httpclient 4.0 and Apache Synapse. This second patch backports some fixes from httpclient 4.2. The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.

The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.

I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.

Thanks
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Alberto,

thanks for your continuous work on this. As I said in my previous mail, please remember to reopen the according bugs to make sure the previous solution will not migrate to testing. I'll volunteer to sponsor your new version if you confirm that this is needed to finally fix the issue.

Kind regards
Andreas.

On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> Hi All,
>
> I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.
>
> The first patch is backported from httpclient 4.0 and Apache Synapse. This second patch backports some fixes from httpclient 4.2. The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.
>
> The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.
>
> I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.
>
> Thanks

--
http://fam-tille.de
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi,

On Thu, Dec 06, 2012 at 07:02:54PM +0100, Alberto Fernández wrote:
> Hi
>
> I've uploaded new packages to mentors. I'll be out until Monday, so feel free to review the patches and sponsor the new version if you are all confident it's all ok.

I admit I'm no Java programmer and I do not feel competent to serve as a reviewer for security relevant problems. So again: if the recently uploaded packages

  axis 1.4-16.1
  commons-httpclient 3.1-10.1

remain a security risk we *definitely* need to reopen the bugs that were closed with the upload. This is needed for two reasons:

1. Keep a record in BTS about the remaining problem
2. Make sure release managers will accept only those packages that are closing RC bugs.

Can you please confirm whether the security risk remains or whether there is just a bug that is not nice but no real security risk.

> I think now it's fine, but if you find some other bug or improvement, I'll be happy to correct it. I'll insist next week that upstream include the last fix.

It's a good thing to convince upstream, but for the moment, for the Debian release, we need to decide what fix will make it into our release (the one just uploaded or your newly prepared patch).

Thanks for your work on this

Andreas.

> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
>> Hi Alberto,
>>
>> thanks for your continuous work on this. As I said in my previous mail, please remember to reopen the according bugs to make sure the previous solution will not migrate to testing. I'll volunteer to sponsor your new version if you confirm that this is needed to finally fix the issue.
>>
>> Kind regards
>> Andreas.
>>
>> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
>>> Hi All,
>>>
>>> I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.
>>>
>>> The first patch is backported from httpclient 4.0 and Apache Synapse. This second patch backports some fixes from httpclient 4.2. The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.
>>>
>>> The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.
>>>
>>> I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.
>>>
>>> Thanks

--
http://fam-tille.de
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Alberto,

On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> I've uploaded the two packages to mentors.debian.net. We must solve the two bugs at the same time because axis uses commons-httpclient.

I guess you mean bug #692442, right?

> Upstream seems End-of-life and rejected the patches.

Did upstream actively *reject* the patch because of technical flaws, or did they just ignore it because of the end-of-life status? There is no real need to have a patch accepted upstream if we as Debian maintainers agree that the patch is technically solving the reported problem. We actually do *not* want new upstream versions.

So as far as I see we currently have the following situation: a package for axis that solves #692650 is waiting on mentors for sponsoring. I'd volunteer to do this. Did you upload commons-httpclient fixing #692442 to mentors as well? If not, I could also apply the patch in BTS and upload both to unstable. Just tell me if there is any reason not to upload both of these packages.

Kind regards and thanks for providing the patches

Andreas.

--
http://fam-tille.de
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Andreas

I've uploaded both packages to mentors.

  commons-httpclient - bug #692442 CVE-2012-5783
  axis - bug #692650 CVE-2012-5784

Since axis uses commons-httpclient, we need to fix and upload both packages.

Upstream has ignored the axis patch, and rejected the commons-httpclient patch. Basically, they say commons-httpclient is EOL and they don't want to spend time on it. They maybe would apply the patch to the SVN, but without revision and without releasing.

I've tested the patches and they work ok. So I think it's fine to upload.

Kind regards
Alberto

On Wed, 05-12-2012 at 21:51 +0100, Andreas Tille wrote:
> Hi Alberto,
>
> On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
>> I've uploaded the two packages to mentors.debian.net. We must solve the two bugs at the same time because axis uses commons-httpclient.
>
> I guess you mean bug #692442, right?
>
>> Upstream seems End-of-life and rejected the patches.
>
> Did upstream actively *reject* the patch because of technical flaws, or did they just ignore it because of the end-of-life status? There is no real need to have a patch accepted upstream if we as Debian maintainers agree that the patch is technically solving the reported problem. We actually do *not* want new upstream versions.
>
> So as far as I see we currently have the following situation: a package for axis that solves #692650 is waiting on mentors for sponsoring. I'd volunteer to do this. Did you upload commons-httpclient fixing #692442 to mentors as well? If not, I could also apply the patch in BTS and upload both to unstable. Just tell me if there is any reason not to upload both of these packages.
>
> Kind regards and thanks for providing the patches
>
> Andreas.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
> Hi Andreas
>
> I've uploaded both packages to mentors.
>
>   commons-httpclient - bug #692442 CVE-2012-5783
>   axis - bug #692650 CVE-2012-5784
>
> Since axis uses commons-httpclient, we need to fix and upload both packages.
>
> Upstream has ignored the axis patch, and rejected the commons-httpclient patch. Basically, they say commons-httpclient is EOL and they don't want to spend time on it. They maybe would apply the patch to the SVN, but without revision and without releasing.

According to Red Hat, there is already an upstream patch for httpclient, and it differs from yours in some ways:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5783

Please coordinate with them on that fix.

> I've tested the patches and they work ok. So I think it's fine to upload.

Please coordinate the axis patch with Red Hat since they don't have a solution in their bug tracker yet either. They will review your work:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5784

Best wishes,
Mike
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
> I've backported the routine to validate the certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch; it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)

Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?

Thanks,
Mike
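The routine described earlier in the thread (validating the connected hostname against the certificate's valid names, with wildcard handling) and the breakage the quoted message anticipates (clients that connect by IP literal) can both be shown with an added Java example. This is illustrative code written for this note, not the Debian, Axis or upstream HttpClient patch; the class and method names are assumed, and the subject-CN fallback splits the RFC 2253 name on commas, which is an assumption that ignores escaped commas.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public final class HostnameMatcher {
    private static final int SAN_DNS = 2;  // GeneralName dNSName, RFC 5280
    private static final int SAN_IP = 7;   // GeneralName iPAddress

    /** dNSName or iPAddress SANs; the subject CN is only a fallback when no dNSName SAN exists. */
    static List<String> certNames(X509Certificate cert, boolean wantIp)
            throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                if ((Integer) san.get(0) == (wantIp ? SAN_IP : SAN_DNS)) names.add((String) san.get(1));
            }
        }
        if (!wantIp && names.isEmpty()) {
            // RFC 2253 form "CN=host,O=org"; a CN containing an escaped comma is not handled here
            for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
                if (rdn.trim().startsWith("CN=")) names.add(rdn.trim().substring(3));
            }
        }
        return names;
    }
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.indexOf(':') >= 0;
    }
    /** '*' stands for exactly one leftmost label: never across a dot, and never the whole "*.com". */
    static boolean matchesName(String host, String certName) {
        String h = host.toLowerCase(Locale.ROOT), c = certName.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) return h.equals(c);
        String suffix = c.substring(1);                // "*.example.com" -> ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false;  // rejects "*.com"
        if (!h.endsWith(suffix)) return false;
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }
    /** An IP literal matches only an iPAddress SAN exactly; a CN-only certificate fails for it. */
    static boolean verify(String host, X509Certificate cert) throws CertificateParsingException {
        boolean ip = isIpLiteral(host);
        for (String name : certNames(cert, ip)) {
            if (ip ? host.equals(name) : matchesName(host, name)) return true;
        }
        return false;
    }
}
```

Calling verify() before handing a freshly created SSLSocket to the caller, and closing the socket when it returns false, is the shape of check the thread describes; a client that connects to 10.0.0.1 against a certificate carrying only a CN will now be refused, which is exactly the compatibility break the quoted message warns about.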
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Mike,

I don't understand what you expect from me. I've uploaded the patches to the BTS; I don't know what the next step is. I suppose a maintainer would pick it from there. If there's something I can do let me know.

Thanks,
Alberto

On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
>> I've backported the routine to validate the certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch; it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
>> I've backported the routine to validate the certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch; it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike

Hi Mike

I've read your tip again. Sorry for not understanding the first time. I'll prepare the patch again upstream, and post it on their BTS.