Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: pu Hi folks, I have prepared an upload to fix #628727 / CVE-2011-1498. This bug affects httpcomponents-client 4.0.1-1 in stable. It also affected 4.0.3-2 in testing and unstable, but Tony Mancill kindly sponsored my upload for 4.1.1-1 that fixes this issue there. I'm attaching the backported patch that fixes this issue and the updated package meant for squeeze. Sadly, I can't provide a way to test exploits, but in a discussion at the LWN website ( http://lwn.net/Articles/447625/ ) the issue is described reasonably well. Are you OK with uploading a fix for this to s-p-u? If you need any more information about this, just let me know. Cheers, -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (800, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Miguel Landaeta, miguel at miguel.cc secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/ "Faith means not wanting to know what is true." -- Nietzsche
Format: 3.0 (quilt) Source: httpcomponents-client Binary: libhttpclient-java, libhttpmime-java Architecture: all Version: 4.0.1-1squeeze1 Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Uploaders: Miguel Landaeta <miguel@miguel.cc> Homepage: http://hc.apache.org/httpcomponents-client/index.html Standards-Version: 3.9.0 Vcs-Browser: http://git.debian.org/?p=collab-maint/httpcomponents-client.git;a=summary Vcs-Git: git://git.debian.org/collab-maint/httpcomponents-client.git Build-Depends: debhelper (>= 7.0.50~), openjdk-6-jdk | default-jdk, maven-debian-helper, maven-repo-helper Build-Depends-Indep: libmaven-antrun-plugin-java, libmaven-javadoc-plugin-java, libmaven-assembly-plugin-java, libhttpcore-java, libapache-mime4j-java, junit, libcommons-codec-java Checksums-Sha1: be8750a8ab1a2c244b329fdcab5f2c27a1ebe2a9 399134 httpcomponents-client_4.0.1.orig.tar.gz 0835e3061403cc32cbe6aa9381228439b62a418e 4484 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz Checksums-Sha256: d7b463a9f055933aae09fd6660bf8f300b96a21b6707c730375e5b63d8d7e26d 399134 httpcomponents-client_4.0.1.orig.tar.gz 213ece07b85ec1ddbba654ce56a8c07df7ba80d1beb98f26ce07a011f8341eca 4484 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz Files: cc3b533fb4296b60690dcce16bedf90e 399134 httpcomponents-client_4.0.1.orig.tar.gz c9614b082c5bf12e234b943032629b68 4484 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
Attachment:
httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
Description: Binary data
From: Oleg Kalnichevski <olegk@apache.org>
Subject: CVE-2011-1498
Forwarded: not-needed
--- httpcomponents-client-4.0.1.orig/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
+++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
@@ -41,6 +41,9 @@ import org.apache.http.auth.AuthScheme;
 import org.apache.http.auth.AuthState;
 import org.apache.http.auth.AuthenticationException;
 import org.apache.http.auth.Credentials;
+import org.apache.http.conn.HttpRoutedConnection;
+import org.apache.http.conn.routing.HttpRoute;
+import org.apache.http.protocol.ExecutionContext;
 import org.apache.http.protocol.HttpContext;
 
 /**
@@ -71,6 +74,13 @@ public class RequestProxyAuthentication
 return;
 }
 
+ HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(
+ ExecutionContext.HTTP_CONNECTION);
+ HttpRoute route = conn.getRoute();
+ if (route.isTunnelled()) {
+ return;
+ }
+
 // Obtain authentication state
 AuthState authState = (AuthState) context.getAttribute(
 ClientContext.PROXY_AUTH_STATE);
--- /dev/null
+++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/conn/HttpRoutedConnection.java
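Review bot: The new guard in RequestProxyAuthentication dereferences `conn` and `route` without a null check, although the `HttpRoutedConnection.getRoute()` Javadoc added later in this same patch documents a `null` return when the connection is not connected, and `context.getAttribute(ExecutionContext.HTTP_CONNECTION)` may also yield null if the interceptor runs outside the normal execution chain; in either case the CVE fix would surface as a NullPointerException thrown from a request interceptor. A form that still withholds the Proxy-Authorization header when the route cannot be determined is `if (conn == null) { return; }` directly after the cast, and `if (route == null || route.isTunnelled()) {` in place of the tunnel test. The unchecked cast additionally assumes every HTTP_CONNECTION attribute is an HttpRoutedConnection, which holds for ManagedClientConnection after this patch but may not for custom connection types, so an `instanceof` test would make that assumption explicit. The enclosing method begins and ends outside this hunk.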
@@ -0,0 +1,78 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.conn;
+
+import javax.net.ssl.SSLSession;
+
+import org.apache.http.HttpInetConnection;
+import org.apache.http.conn.routing.HttpRoute;
+
+/**
+ * Interface to access routing information of a client side connection.
+ *
+ * @since 4.1
+ */
+public interface HttpRoutedConnection extends HttpInetConnection {
+
+ /**
+ * Indicates whether this connection is secure.
+ * The return value is well-defined only while the connection is open.
+ * It may change even while the connection is open.
+ *
+ * @return <code>true</code> if this connection is secure,
+ * <code>false</code> otherwise
+ */
+ boolean isSecure();
+
+ /**
+ * Obtains the current route of this connection.
+ *
+ * @return the route established so far, or
+ * <code>null</code> if not connected
+ */
+ HttpRoute getRoute();
+
+ /**
+ * Obtains the SSL session of the underlying connection, if any.
+ * If this connection is open, and the underlying socket is an
+ * {@link javax.net.ssl.SSLSocket SSLSocket}, the SSL session of
+ * that socket is obtained. This is a potentially blocking operation.
+ * <br/>
+ * <b>Note:</b> Whether the underlying socket is an SSL socket
+ * can not necessarily be determined via {@link #isSecure}.
+ * Plain sockets may be considered secure, for example if they are
+ * connected to a known host in the same network segment.
+ * On the other hand, SSL sockets may be considered insecure,
+ * for example depending on the chosen cipher suite.
+ *
+ * @return the underlying SSL session if available,
+ * <code>null</code> otherwise
+ */
+ SSLSession getSSLSession();
+
+}
--- httpcomponents-client-4.0.1.orig/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java
+++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java
@@ -33,7 +33,6 @@ import java.util.concurrent.TimeUnit;
 import javax.net.ssl.SSLSession;
 
 import org.apache.http.HttpClientConnection;
-import org.apache.http.HttpInetConnection;
 import org.apache.http.HttpHost;
 import org.apache.http.params.HttpParams;
 import org.apache.http.protocol.HttpContext;
@@ -47,7 +46,7 @@ import org.apache.http.conn.routing.Http
 * @since 4.0
 */
 public interface ManagedClientConnection extends
- HttpClientConnection, HttpInetConnection, ConnectionReleaseTrigger {
+ HttpClientConnection, HttpRoutedConnection, ConnectionReleaseTrigger {
 
 /**
 * Indicates whether this connection is secure.
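Review bot: The new HttpRoutedConnection interface is tagged `@since 4.1` while this patch introduces it into the 4.0.1-1squeeze1 package, so the squeeze API docs would point readers at a release that package never had; a tag such as `@since 4.1 (backported to 4.0.1-1squeeze1 for CVE-2011-1498)` keeps the upstream origin visible without misleading stable users. The DEP-3 header at the top of the patch has only From/Subject/Forwarded; for a stable update it would help reviewers to add `Bug-Debian: http://bugs.debian.org/628727` and an `Origin: backport, <upstream commit URL>` line naming the upstream change this was taken from. This interface hunk begins on the previous line.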