Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: pu Hi folks, I have prepared an upload to fix #628727 / CVE-2011-1498. This bug affects httpcomponents-client 4.0.1-1 in stable. Version 4.0.3-2 in testing and unstable was also affected, but Tony Mancill kindly sponsored my upload of 4.1.1-1, which fixes this issue there. I'm attaching the backported patch that fixes this issue and the updated package meant for squeeze. Sadly, I can't provide a way to test exploits, but the issue is described reasonably well in a discussion on the LWN website ( http://lwn.net/Articles/447625/ ). Are you OK with uploading a fix for this to s-p-u? If you need any more information about this, just let me know. Cheers, -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (800, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- Miguel Landaeta, miguel at miguel.cc secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/ "Faith means not wanting to know what is true." -- Nietzsche
Format: 3.0 (quilt) Source: httpcomponents-client Binary: libhttpclient-java, libhttpmime-java Architecture: all Version: 4.0.1-1squeeze1 Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Uploaders: Miguel Landaeta <miguel@miguel.cc> Homepage: http://hc.apache.org/httpcomponents-client/index.html Standards-Version: 3.9.0 Vcs-Browser: http://git.debian.org/?p=collab-maint/httpcomponents-client.git;a=summary Vcs-Git: git://git.debian.org/collab-maint/httpcomponents-client.git Build-Depends: debhelper (>= 7.0.50~), openjdk-6-jdk | default-jdk, maven-debian-helper, maven-repo-helper Build-Depends-Indep: libmaven-antrun-plugin-java, libmaven-javadoc-plugin-java, libmaven-assembly-plugin-java, libhttpcore-java, libapache-mime4j-java, junit, libcommons-codec-java Checksums-Sha1: be8750a8ab1a2c244b329fdcab5f2c27a1ebe2a9 399134 httpcomponents-client_4.0.1.orig.tar.gz 0835e3061403cc32cbe6aa9381228439b62a418e 4484 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz Checksums-Sha256: d7b463a9f055933aae09fd6660bf8f300b96a21b6707c730375e5b63d8d7e26d 399134 httpcomponents-client_4.0.1.orig.tar.gz 213ece07b85ec1ddbba654ce56a8c07df7ba80d1beb98f26ce07a011f8341eca 4484 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz Files: cc3b533fb4296b60690dcce16bedf90e 399134 httpcomponents-client_4.0.1.orig.tar.gz c9614b082c5bf12e234b943032629b68 4484 httpcomponents-client_4.0.1-1squeeze1.debian.tar.gz
From: Oleg Kalnichevski <olegk@apache.org>
Subject: CVE-2011-1498
Forwarded: not-needed
--- httpcomponents-client-4.0.1.orig/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
+++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java
@@ -41,6 +41,9 @@ import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthState;
import org.apache.http.auth.AuthenticationException;
import org.apache.http.auth.Credentials;
+import org.apache.http.conn.HttpRoutedConnection;
+import org.apache.http.conn.routing.HttpRoute;
+import org.apache.http.protocol.ExecutionContext;
import org.apache.http.protocol.HttpContext;
/**
@@ -71,6 +74,13 @@ public class RequestProxyAuthentication
return;
}
+ HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute(
+ ExecutionContext.HTTP_CONNECTION);
+ HttpRoute route = conn.getRoute();
+ if (route.isTunnelled()) {
+ return;
+ }
+
// Obtain authentication state
AuthState authState = (AuthState) context.getAttribute(
ClientContext.PROXY_AUTH_STATE);
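Review bot: The new guard dereferences `conn` and `route` without a null check: the cast from `context.getAttribute(ExecutionContext.HTTP_CONNECTION)` yields null when no connection has been set in the context, and the backported `HttpRoutedConnection.getRoute()` is documented in this same patch to return null when not connected, so either case turns the interceptor into a NullPointerException rather than a decision about proxy credentials. The fail-safe direction for this fix is to skip the Proxy-Authorization header whenever the route cannot be determined, so I would add `if (conn == null) { return; }` after the cast and make the tunnel test `if (route == null || route.isTunnelled()) { return; }`. A why-comment above the block would also help the next maintainer, e.g. `// CVE-2011-1498: do not add proxy credentials to requests sent over a tunnelled route`. The enclosing process method starts and ends outside this hunk.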
--- /dev/null
+++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/conn/HttpRoutedConnection.java
@@ -0,0 +1,78 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+
+package org.apache.http.conn;
+
+import javax.net.ssl.SSLSession;
+
+import org.apache.http.HttpInetConnection;
+import org.apache.http.conn.routing.HttpRoute;
+
+/**
+ * Interface to access routing information of a client side connection.
+ *
+ * @since 4.1
+ */
+public interface HttpRoutedConnection extends HttpInetConnection {
+
+ /**
+ * Indicates whether this connection is secure.
+ * The return value is well-defined only while the connection is open.
+ * It may change even while the connection is open.
+ *
+ * @return <code>true</code> if this connection is secure,
+ * <code>false</code> otherwise
+ */
+ boolean isSecure();
+
+ /**
+ * Obtains the current route of this connection.
+ *
+ * @return the route established so far, or
+ * <code>null</code> if not connected
+ */
+ HttpRoute getRoute();
+
+ /**
+ * Obtains the SSL session of the underlying connection, if any.
+ * If this connection is open, and the underlying socket is an
+ * {@link javax.net.ssl.SSLSocket SSLSocket}, the SSL session of
+ * that socket is obtained. This is a potentially blocking operation.
+ * <br/>
+ * <b>Note:</b> Whether the underlying socket is an SSL socket
+ * can not necessarily be determined via {@link #isSecure}.
+ * Plain sockets may be considered secure, for example if they are
+ * connected to a known host in the same network segment.
+ * On the other hand, SSL sockets may be considered insecure,
+ * for example depending on the chosen cipher suite.
+ *
+ * @return the underlying SSL session if available,
+ * <code>null</code> otherwise
+ */
+ SSLSession getSSLSession();
+
+}
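Review bot: The backported interface carries `@since 4.1` in its class Javadoc while it is being introduced into a 4.0.1 source tree, and nothing in the file records that it is a security backport, so a reader of the squeeze package cannot tell why a 4.1 type appears here. I would keep the upstream tag and add one line to the class Javadoc such as `Backported to 4.0.1 as part of the fix for CVE-2011-1498.` so the origin sits next to the code. The `@return` wording on `getRoute()` (null if not connected) is a useful contract and should stay, since callers need to know the result may be absent.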
--- httpcomponents-client-4.0.1.orig/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java
+++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java
@@ -33,7 +33,6 @@ import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLSession;
import org.apache.http.HttpClientConnection;
-import org.apache.http.HttpInetConnection;
import org.apache.http.HttpHost;
import org.apache.http.params.HttpParams;
import org.apache.http.protocol.HttpContext;
@@ -47,7 +46,7 @@ import org.apache.http.conn.routing.Http
* @since 4.0
*/
public interface ManagedClientConnection extends
- HttpClientConnection, HttpInetConnection, ConnectionReleaseTrigger {
+ HttpClientConnection, HttpRoutedConnection, ConnectionReleaseTrigger {
/**
* Indicates whether this connection is secure.