Bug#804159: wheezy-pu: package commons-httpclient/3.1-10.2+deb7u2
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
similar to https://bugs.debian.org/804157, the Debian Java Team would
like to update commons-httpclient in Wheezy. The same information
applies here too. Please find attached the debdiff against the
version in Wheezy.
Regards,
Markus
diff -Nru commons-httpclient-3.1/debian/changelog commons-httpclient-3.1/debian/changelog
--- commons-httpclient-3.1/debian/changelog 2015-05-14 21:18:25.000000000 +0200
+++ commons-httpclient-3.1/debian/changelog 2015-11-05 15:55:53.000000000 +0100
@@ -1,3 +1,12 @@
+commons-httpclient (3.1-10.2+deb7u2) wheezy; urgency=high
+
+ * Team upload.
+ * Add CVE-2015-5262.patch.
+ Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore
+ http.socket.timeout during SSL Handshake. (Closes: #798650)
+
+ -- Markus Koschany <apo@debian.org> Thu, 05 Nov 2015 15:54:22 +0100
+
commons-httpclient (3.1-10.2+deb7u1) wheezy; urgency=high
* Team upload.
diff -Nru commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch
--- commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 1970-01-01 01:00:00.000000000 +0100
+++ commons-httpclient-3.1/debian/patches/CVE-2015-5262.patch 2015-11-05 15:55:53.000000000 +0100
@@ -0,0 +1,38 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 2 Nov 2015 15:15:37 +0100
+Subject: CVE-2015-5262
+
+Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during
+SSL Handshake
+See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892
+Thanks to Mikolaj Izdebski for the patch.
+
+Bug: https://bugs.debian.org/798650
+Forwarded: no
+---
+ .../apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ }
+ int timeout = params.getConnectionTimeout();
+ if (timeout == 0) {
+- Socket sslSocket = createSocket(host, port, localAddress, localPort);
++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++ host, port, localAddress, localPort);
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ sslSocket = ControllerThreadSocketFactory.createSocket(
+ this, host, port, localAddress, localPort, timeout);
+ }
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ }
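Review bot: In both branches of the nested patch the newly created socket is never closed when `sslSocket.setSoTimeout(params.getSoTimeout())` or the `verifyHostName(host, (SSLSocket) sslSocket)` that follows it throws, so a failed or timed-out handshake and a hostname-verification failure both leak the connected socket; this applies to the `timeout == 0` branch in the first hunk and to the identical new line in the second hunk. Setting the read timeout before `verifyHostName` is presumably what makes the handshake honor http.socket.timeout, which is the CVE-2015-5262 fix, but `setSoTimeout` can itself throw `SocketException`, so the added line is one more exit path that abandons the socket and its file descriptor. Moving the two calls into a small helper that closes the socket on `IOException` and rethrows keeps the fix while making sure that a peer that stalls or fails verification cannot leave descriptors open per attempt, and both branches can share it. The enclosing `createSocket` method starts and ends outside the hunk, and the Java lines appear to have lost their leading indentation in the mailed debdiff — presumably a display artifact, but it is worth confirming that the patch still applies cleanly.
```java
// … unchanged: timeout == 0 branch up to socket creation …
Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
    host, port, localAddress, localPort);
applyTimeoutAndVerify(host, sslSocket, params);
return sslSocket;
// … unchanged: else branch up to socket creation, then the same helper call before its return …

/**
 * Applies the configured read timeout and verifies the host name,
 * closing the socket if either step fails so the descriptor is not leaked.
 */
private void applyTimeoutAndVerify(String host, Socket sslSocket,
        HttpConnectionParams params) throws IOException {
    try {
        sslSocket.setSoTimeout(params.getSoTimeout());
        verifyHostName(host, (SSLSocket) sslSocket);
    } catch (IOException e) {
        try {
            sslSocket.close();
        } catch (IOException ignored) {
            // the original failure is the one worth reporting
        }
        throw e;
    }
}
```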
diff -Nru commons-httpclient-3.1/debian/patches/series commons-httpclient-3.1/debian/patches/series
--- commons-httpclient-3.1/debian/patches/series 2015-05-14 21:18:25.000000000 +0200
+++ commons-httpclient-3.1/debian/patches/series 2015-11-05 15:55:53.000000000 +0100
@@ -6,3 +6,4 @@
05_osgi_metadata
06_fix_CVE-2012-5783.patch
CVE-2014-3577.patch
+CVE-2015-5262.patch