
Bug#804157: jessie-pu: package commons-httpclient/3.1-11
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

The Debian Java Team would like to update commons-httpclient in Jessie
to fix CVE-2015-5262. We don't think that this issue warrants a DSA
from the security team but nevertheless it is important enough that it
should be fixed in an upcoming point release.

This is Debian bug:
https://bugs.debian.org/798650

I am attaching the proposed debdiff against the current version in
Jessie. I will also file another bug report for a wheezy-pu soon.

Regards,

Markus
diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog
--- commons-httpclient-3.1/debian/changelog	2015-04-13 18:15:49.000000000 +0200
+++ commons-httpclient-3.1/debian/changelog	2015-11-05 15:37:42.000000000 +0100
@@ -1,3 +1,12 @@
+commons-httpclient (3.1-11+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Add CVE-2015-5262.patch.
+    Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore
+    http.socket.timeout during SSL Handshake. (Closes: #798650)
+
+ -- Markus Koschany <apo@debian.org>  Thu, 05 Nov 2015 15:31:50 +0100
+
 commons-httpclient (3.1-11) unstable; urgency=high
 
   * Team upload.
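Review bot: the new changelog entry describes only the timeout symptom, but the patch it adds also changes which socket factory is used in the timeout == 0 path (the factory's own createSocket(host, port, localAddress, localPort) is replaced by SSLSocketFactory.getDefault().createSocket(...)); a short mention of that, plus the Red Hat reference the patch header cites (https://bugzilla.redhat.com/show_bug.cgi?id=1259892), would let stable users judge the behavioural change from the changelog alone.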
diff -Nru commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch
--- commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch	1970-01-01 01:00:00.000000000 +0100
+++ commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch	2015-11-05 15:37:42.000000000 +0100
@@ -0,0 +1,38 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 2 Nov 2015 15:15:37 +0100
+Subject: CVE-2015-5262
+
+Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during
+SSL Handshake
+See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892
+Thanks to Mikolaj Izdebski for the patch.
+
+Bug: https://bugs.debian.org/798650
+Forwarded: no
+---
+ .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+         }
+         int timeout = params.getConnectionTimeout();
+         if (timeout == 0) {
+-            Socket sslSocket =  createSocket(host, port, localAddress, localPort);
++            Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++                host, port, localAddress, localPort);
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+             	sslSocket = ControllerThreadSocketFactory.createSocket(
+                     this, host, port, localAddress, localPort, timeout);
+             }
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         }
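Review bot: the patch header should state why the timeout == 0 branch stops calling the factory's own four-argument createSocket() and calls SSLSocketFactory.getDefault().createSocket() directly; that replacement is a wider change than "set the SO_TIMEOUT", since any subclass overriding that createSocket() overload no longer takes part in this path. It is also worth noting in the header that sslSocket.setSoTimeout(params.getSoTimeout()) is deliberately placed before verifyHostName(host, (SSLSocket) sslSocket) in both branches, as the hostname check is where the handshake is driven and a later rebase that reorders the two lines would silently reintroduce the unbounded wait. Finally, "Forwarded: no" sits oddly next to the Red Hat bugzilla link and credit to Mikolaj Izdebski; if the change originates there, "Forwarded: not-needed" with that URL is the more accurate DEP-3 value.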
diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series
--- commons-httpclient-3.1/debian/patches/series	2015-04-13 18:15:49.000000000 +0200
+++ commons-httpclient-3.1/debian/patches/series	2015-11-05 15:37:42.000000000 +0100
@@ -6,3 +6,4 @@
 05_osgi_metadata
 06_fix_CVE-2012-5783.patch
 CVE-2014-3577.patch
+CVE-2015-5262.patch