Package: commons-httpclient / 3.1-12

Metadata

Package: commons-httpclient
Version: 3.1-12
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
00_build_xml_no_external_links.patch

build.xml | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

---
01_build_xml_version_jar.patch

build.xml | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
02_upstream_disable_examples_classes.patch

build.xml | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

---
03_upstream_qualify_ConnectionPool_declaration.patch

src/java/org/apache/commons/httpclient/MultiThreadedHttpConnectionManager.java | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
04_fix_classpath.patch

src/conf/MANIFEST.MF | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
05_osgi_metadata

src/conf/MANIFEST.MF | 20 20 + 0 - 0 !
1 file changed, 20 insertions(+)

---
06_fix_CVE-2012-5783.patch

src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 301 293 + 8 - 0 !
1 file changed, 293 insertions(+), 8 deletions(-)

 fixed cn extraction from dn of x500 principal and wildcard validation

 commons-httpclient (3.1-10.2) unstable; urgency=low

   * Fixed CN extraction from DN of X500 principal and wildcard validation

---
CVE-2014-3577.patch

src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 57 37 + 20 - 0 !
1 file changed, 37 insertions(+), 20 deletions(-)

 cve-2014-3577

It was found that the fix for CVE-2012-6153 was incomplete: the code added to
check that the server hostname matches the domain name in a subject's Common
Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker
could use this flaw to spoof an SSL server using a specially crafted X.509
certificate.
The fix for CVE-2012-6153 was intended to address the incomplete patch for
CVE-2012-5783. This means the issue is now completely resolved by applying
this patch and the 06_fix_CVE-2012-5783.patch.

References:

upstream announcement:
https://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

Fedora-Fix:
http://pkgs.fedoraproject.org/cgit/jakarta-commons-httpclient.git/tree/jakarta-commons-httpclient-CVE-2014-3577.patch

CentOS-Fix:
https://git.centos.org/blob/rpms!jakarta-commons-httpclient/SOURCES!jakarta-commons-httpclient-CVE-2014-3577.patch

Debian-Bug: https://bugs.debian.org/758086

---
CVE-2015-5262.patch

src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 cve-2015-5262

Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore http.socket.timeout during SSL Handshake
See also https://bugzilla.redhat.com/show_bug.cgi?id=1259892
Thanks to Mikolaj Izdebski for the patch.

Bug: https://bugs.debian.org/798650