
Bug#773933: marked as done (unblock: async-http-client/1.6.5-3)



Your message dated Fri, 26 Dec 2014 11:53:22 +0100
with message-id <20141226105322.GC20702@ugent.be>
and subject line Re: Bug#773933: unblock: async-http-client/1.6.5-3
has caused the Debian Bug report #773933,
regarding unblock: async-http-client/1.6.5-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773933: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773933
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package async-http-client. It fixes CVE-2013-7397.

unblock async-http-client/1.6.5-3

Debdiff:

diff -Nru async-http-client-1.6.5/debian/changelog async-http-client-1.6.5/debian/changelog
--- async-http-client-1.6.5/debian/changelog	2014-02-13 07:21:48.000000000 +0100
+++ async-http-client-1.6.5/debian/changelog	2014-12-17 19:15:20.000000000 +0100
@@ -1,3 +1,22 @@
+async-http-client (1.6.5-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Emmanuel Bourg ]
+  * Fixed CVE-2013-7397: SSL/TLS certificate verification is disabled
+    under certain conditions (Closes: #773364)
+  * Fixed a compilation error with Java 8 (Closes: #773372)
+  * debian/control:
+    - Standards-Version updated to 3.9.6 (no changes)
+    - Removed the unnecessary build dependency on libclirr-maven-plugin-java
+    - Use canonical URLs for the Vcs-* fields
+  * debian/rules: Improved the clean target
+
+  [ Tony Mancill ]
+  * Update debian/watch
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Wed, 17 Dec 2014 19:14:38 +0100
+
 async-http-client (1.6.5-2) unstable; urgency=medium
 
   * Team upload.
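Review bot: the CVE-2013-7397 entry should also record the behaviour change the fix introduces. 02-CVE-2013-7397.patch makes getSSLContext() call getStrictSSLContext(config) unconditionally, so deployments that never configured a key store or trust store, which previously got the loose context, now get strict validation. A sentence in the changelog (or a NEWS entry) along the lines of "HTTPS connections now always validate the server certificate; configure a trust store if a private CA is in use" tells administrators what to expect after the upgrade. It is also worth saying that the fix covers two code paths, SslUtils and the Apache provider, since the one-line summary reads as if only one place was involved.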
diff -Nru async-http-client-1.6.5/debian/control async-http-client-1.6.5/debian/control
--- async-http-client-1.6.5/debian/control	2014-02-13 07:21:48.000000000 +0100
+++ async-http-client-1.6.5/debian/control	2014-12-17 16:50:25.000000000 +0100
@@ -6,7 +6,6 @@
 Build-Depends: cdbs, debhelper (>= 9), default-jdk, maven-debian-helper (>= 1.4)
 Build-Depends-Indep: default-jdk-doc,
                      libanimal-sniffer-java,
-                     libclirr-maven-plugin-java,
                      libcommons-logging-java-doc,
                      libmaven-bundle-plugin-java,
                      libmaven-enforcer-plugin-java,
@@ -14,10 +13,10 @@
                      libmaven-shade-plugin-java,
                      libnetty-java (>= 1:3.2.5),
                      libslf4j-java
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
+Vcs-Git: git://anonscm.debian.org/pkg-java/async-http-client.git
+Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/async-http-client.git
 Homepage: https://github.com/AsyncHttpClient/async-http-client
-Vcs-Git: git://git.debian.org/git/pkg-java/async-http-client.git
-Vcs-Browser: http://git.debian.org/?p=pkg-java/async-http-client.git
 
 Package: libasync-http-client-java
 Architecture: all
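Review bot: the new Vcs-Git line uses an unauthenticated git:// URL and Vcs-Browser uses plain http://. Moving to the canonical anonscm.debian.org host is right; where the host offers it, an https:// URL for both fields gives anyone cloning the packaging repository transport integrity as well. Minor and not a blocker for the unblock.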
diff -Nru async-http-client-1.6.5/debian/maven.ignoreRules async-http-client-1.6.5/debian/maven.ignoreRules
--- async-http-client-1.6.5/debian/maven.ignoreRules	2014-02-13 07:21:48.000000000 +0100
+++ async-http-client-1.6.5/debian/maven.ignoreRules	2014-12-17 19:21:45.000000000 +0100
@@ -29,3 +29,4 @@
 org.eclipse.jetty jetty-servlet * * * *
 org.eclipse.jetty jetty-servlets * * * *
 org.testng testng * * * *
+org.codehaus.mojo clirr-maven-plugin * * * *
diff -Nru async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch
--- async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch	1970-01-01 01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch	2014-12-17 17:22:29.000000000 +0100
@@ -0,0 +1,27 @@
+Description: Fix a compilation error with Java 8. This has been fixed upstream
+ in the version 1.9 by renaming the replace() method to replaceWith().
+Author: Emmanuel Bourg <ebourg@apache.org>
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/773372
+--- a/src/main/java/com/ning/http/client/FluentStringsMap.java
++++ b/src/main/java/com/ning/http/client/FluentStringsMap.java
+@@ -148,7 +148,7 @@
+      * @return This object
+      */
+     public FluentStringsMap replace(final String key, final String... values) {
+-        return replace(key, Arrays.asList(values));
++        return replace(key, (Collection<String>) Arrays.asList(values));
+     }
+ 
+     /**
+--- a/src/main/java/com/ning/http/client/FluentCaseInsensitiveStringsMap.java
++++ b/src/main/java/com/ning/http/client/FluentCaseInsensitiveStringsMap.java
+@@ -162,7 +162,7 @@
+      * @return This object
+      */
+     public FluentCaseInsensitiveStringsMap replace(final String key, final String... values) {
+-        return replace(key, Arrays.asList(values));
++        return replace(key, (Collection<String>) Arrays.asList(values));
+     }
+ 
+     /**
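Review bot: the (Collection<String>) cast in both files pins the argument type so that overload resolution selects the Collection overload of replace() instead of failing under Java 8; the hunk does not touch the import block, so confirm that java.util.Collection is already imported in FluentStringsMap and FluentCaseInsensitiveStringsMap, since the unchanged context shown here does not include it. The DEP-3 header is complete (Description, Author, Forwarded, Bug-Debian), and the pointer to the upstream 1.9 rename to replaceWith() is useful for whoever rebases this later.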
diff -Nru async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch
--- async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch	1970-01-01 01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch	2014-12-17 19:09:54.000000000 +0100
@@ -0,0 +1,148 @@
+Description: Remove the code disabling the SSL certificate validation
+Author: Emmanuel Bourg <ebourg@apache.org>
+Forwarded: not-needed
+--- a/src/main/java/com/ning/http/util/SslUtils.java
++++ b/src/main/java/com/ning/http/util/SslUtils.java
+@@ -51,11 +51,7 @@
+     public static SSLContext getSSLContext()
+             throws GeneralSecurityException, IOException {
+         SSLConfig config = new SSLConfig();
+-        if (config.keyStoreLocation == null || config.trustStoreLocation == null) {
+-            return getLooseSSLContext();
+-        } else {
+-            return getStrictSSLContext(config);
+-        }
++        return getStrictSSLContext(config);
+     }
+ 
+     static SSLContext getStrictSSLContext(SSLConfig config)
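Review bot: after this hunk getSSLContext() calls getStrictSSLContext(config) even when config.keyStoreLocation or config.trustStoreLocation is null, which is exactly the case the deleted branch routed to the loose context. The body of getStrictSSLContext is not in the diff, so confirm that it tolerates null locations (for example by initialising the context with the JVM's default trust managers) rather than throwing; otherwise every HTTPS client that never configured a store stops working at runtime instead of gaining validation. Two tests would cover both halves of the fix: building the context with nothing configured must succeed, and a connection to a server presenting a self-signed certificate must now be rejected. The DEP-3 header would also benefit from a Bug-Debian: http://bugs.debian.org/773364 line and an explicit CVE-2013-7397 reference, matching 01-java8-compatibility.patch.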
+@@ -95,29 +91,6 @@
+         return context;
+     }
+ 
+-    static SSLContext getLooseSSLContext()
+-            throws GeneralSecurityException {
+-        SSLContext sslContext = SSLContext.getInstance("TLS");
+-        sslContext.init(null, new TrustManager[]{LooseTrustManager.INSTANCE}, new SecureRandom());
+-        return sslContext;
+-    }
+-
+-    static class LooseTrustManager
+-            implements X509TrustManager {
+-
+-        public static final LooseTrustManager INSTANCE = new LooseTrustManager();
+-
+-        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+-            return null;
+-        }
+-
+-        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+-        }
+-
+-        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+-        }
+-    }
+-
+     private final static class SSLConfig {
+ 
+         public String keyStoreLocation;
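Review bot: deleting LooseTrustManager outright rather than keeping it behind an option is the right call: checkClientTrusted and checkServerTrusted are empty and getAcceptedIssuers() returns null, so any remaining reference to INSTANCE would reopen the bypass. With getLooseSSLContext gone, check whether the imports for TrustManager, X509TrustManager and SecureRandom in SslUtils are still used by getStrictSSLContext; unused imports are only a javac warning, but the patch is cleaner if it trims them.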
+--- a/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
++++ b/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
+@@ -130,24 +130,6 @@
+     private final MultiThreadedHttpConnectionManager connectionManager;
+     private final HttpClientParams params;
+ 
+-    static {
+-        final SocketFactory factory = new TrustingSSLSocketFactory();
+-        Protocol.registerProtocol("https", new Protocol("https", new ProtocolSocketFactory() {
+-            public Socket createSocket(String string, int i, InetAddress inetAddress, int i1) throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i, InetAddress inetAddress, int i1, HttpConnectionParams httpConnectionParams)
+-                    throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i) throws IOException {
+-                return factory.createSocket(string, i);
+-            }
+-        }, 443));
+-    }
+-
+     public ApacheAsyncHttpProvider(AsyncHttpClientConfig config) {
+         this.config = config;
+         connectionManager = new MultiThreadedHttpConnectionManager();
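Review bot: the deleted static block called Protocol.registerProtocol("https", ...), which is a process-wide registration in commons-httpclient 3, so the trusting socket factory applied to every HttpClient 3 user in the same JVM, not only to this provider; that makes removal, rather than a per-client switch, the correct fix. With the registration gone the library's default https protocol handler takes over; confirm that it validates the chain against the default trust store and also checks the hostname against the certificate, because the removed factory did neither and this patch only restores the former.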
+@@ -732,72 +714,6 @@
+         }
+     }
+ 
+-    private static class TrustingSSLSocketFactory extends SSLSocketFactory {
+-        private SSLSocketFactory delegate;
+-
+-        private TrustingSSLSocketFactory() {
+-            try {
+-                SSLContext sslcontext = SSLContext.getInstance("SSL");
+-
+-                sslcontext.init(null, new TrustManager[]{new TrustEveryoneTrustManager()}, new SecureRandom());
+-                delegate = sslcontext.getSocketFactory();
+-            } catch (KeyManagementException e) {
+-                throw new IllegalStateException();
+-            } catch (NoSuchAlgorithmException e) {
+-                throw new IllegalStateException();
+-            }
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i) throws IOException, UnknownHostException {
+-            return delegate.createSocket(s, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws IOException, UnknownHostException {
+-            return delegate.createSocket(s, i, inetAddress, i1);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
+-            return delegate.createSocket(inetAddress, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int i1) throws IOException {
+-            return delegate.createSocket(inetAddress, i, inetAddress1, i1);
+-        }
+-
+-        @Override
+-        public String[] getDefaultCipherSuites() {
+-            return delegate.getDefaultCipherSuites();
+-        }
+-
+-        @Override
+-        public String[] getSupportedCipherSuites() {
+-            return delegate.getSupportedCipherSuites();
+-        }
+-
+-        @Override
+-        public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException {
+-            return delegate.createSocket(socket, s, i, b);
+-        }
+-    }
+-
+-    private static class TrustEveryoneTrustManager implements X509TrustManager {
+-        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public X509Certificate[] getAcceptedIssuers() {
+-            return new X509Certificate[0];
+-        }
+-    }
+-
+     private final class ReaperFuture implements Future, Runnable {
+         private Future scheduledFuture;
+         private ApacheResponseFuture<?> apacheResponseFuture;
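Review bot: with TrustingSSLSocketFactory and TrustEveryoneTrustManager removed, ApacheAsyncHttpProvider is likely left with unused imports (SSLContext, SSLSocketFactory, TrustManager, X509TrustManager, SecureRandom, X509Certificate, CertificateException, KeyManagementException, NoSuchAlgorithmException, UnknownHostException); none of them break the build, but trimming them keeps the patch self-contained. Nothing of value is lost here: the removed factory requested SSLContext.getInstance("SSL") and threw a message-less IllegalStateException that dropped the cause on failure.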
diff -Nru async-http-client-1.6.5/debian/patches/series async-http-client-1.6.5/debian/patches/series
--- async-http-client-1.6.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/series	2014-12-17 18:13:01.000000000 +0100
@@ -0,0 +1,2 @@
+01-java8-compatibility.patch
+02-CVE-2013-7397.patch
diff -Nru async-http-client-1.6.5/debian/rules async-http-client-1.6.5/debian/rules
--- async-http-client-1.6.5/debian/rules	2014-02-13 07:21:48.000000000 +0100
+++ async-http-client-1.6.5/debian/rules	2014-12-17 17:28:37.000000000 +0100
@@ -7,3 +7,6 @@
 
 get-orig-source:
 	uscan --download-version $(DEB_UPSTREAM_VERSION) --force-download --rename
+
+clean::
+	rm -Rf META-INF/MANIFEST.MF
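Review bot: rm -Rf META-INF/MANIFEST.MF removes a single file, so rm -f is sufficient; if the build also creates the META-INF directory itself in the source tree, rm -rf META-INF would leave the tree cleaner after debian/rules clean. Either way the double-colon clean:: target is the right hook for a cdbs build.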
diff -Nru async-http-client-1.6.5/debian/watch async-http-client-1.6.5/debian/watch
--- async-http-client-1.6.5/debian/watch	2014-02-13 07:21:48.000000000 +0100
+++ async-http-client-1.6.5/debian/watch	2014-12-17 16:03:19.000000000 +0100
@@ -1,3 +1,3 @@
 version=3
-http://githubredir.debian.net/github/sonatype/async-http-client/async-http-client-(.*).tar.gz \
- debian debian/orig-tar.sh
\ No newline at end of file
+https://github.com/AsyncHttpClient/async-http-client/tags .*/async-http-client-(.*).tar.gz \
+ debian debian/orig-tar.sh
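Review bot: moving from the plain-http githubredir.debian.net redirector to GitHub's https tags page means uscan now fetches over an authenticated channel, which matters for a tool that downloads the tarball the package is built from. The old line also lacked a trailing newline, which the rewrite fixes.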

--- End Message ---
--- Begin Message ---
Hi,

On Fri, Dec 26, 2014 at 12:54:55AM +0100, Moritz Muehlenhoff wrote:
> unblock async-http-client/1.6.5-3

Unblocked.

Cheers,

Ivo

--- End Message ---
