commit jakarta-commons-httpclient.1340 for openSUSE:12.2:Update

Hello community, here is the log from the commit of package jakarta-commons-httpclient.1340 for openSUSE:12.2:Update checked in at 2013-02-27 17:05:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.2:Update/jakarta-commons-httpclient.1340 (Old) and /work/SRC/openSUSE:12.2:Update/.jakarta-commons-httpclient.1340.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "jakarta-commons-httpclient.1340", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-02-26 18:15:11.936010755 +0100 +++ /work/SRC/openSUSE:12.2:Update/.jakarta-commons-httpclient.1340.new/jakarta-commons-httpclient.changes 2013-02-27 17:05:03.000000000 +0100 @@ -0,0 +1,48 @@ +------------------------------------------------------------------- +Thu Feb 14 09:10:48 UTC 2013 - mvyskocil@suse.com + +- fix bnc#803332: no ssl certificate hostname checking (CVE-2012-5783) + * commons-httpclient-CVE-2012-5783.patch + +------------------------------------------------------------------- +Fri May 25 11:18:20 UTC 2012 - mvyskocil@suse.cz + +- update to 3.1 (bugfix release) +- make sure it works with jdk7 +- improve spec (ie non-versioned javadoc dir) +- rename to jakarta-commons-httpclient to remain compatible + +------------------------------------------------------------------- +Thu Jul 17 07:45:10 CEST 2008 - coolo@suse.de + +- avoid another build cycle + +------------------------------------------------------------------- +Mon Oct 2 15:47:26 CEST 2006 - dbornkessel@suse.de + +- update to v3.0.1 +- fixes necessary to compile with Java 1.5.0 (in 3.0.1 version) + - set source="1.4" and target="1.4" for ant "javac" tasks + - set source="1.4" for ant "javadoc" tasks + +------------------------------------------------------------------- +Mon Sep 25 12:47:02 CEST 2006 - skh@suse.de + +- don't use icecream +- use source="1.4" and target="1.4" for build with java 1.5 + +------------------------------------------------------------------- +Wed Jan 25 21:46:37 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Wed Jan 4 18:21:39 CET 2006 - dbornkessel@suse.de + +- disabled and 'test' target as that was specially written for sun JRE and hence fails with other JREs + +------------------------------------------------------------------- +Mon Dec 19 21:02:45 CET 2005 - dbornkessel@suse.de + +- Current version 3.0 from JPackage.org + New: ---- commons-httpclient-3.1-src.tar.gz commons-httpclient-CVE-2012-5783.patch jakarta-commons-httpclient-addosgimanifest.patch jakarta-commons-httpclient-disablecryptotests.patch jakarta-commons-httpclient-encoding.patch jakarta-commons-httpclient.changes jakarta-commons-httpclient.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jakarta-commons-httpclient.spec ++++++ # # spec file for package jakarta-commons-httpclient # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # icecream 0 %define short_name commons-httpclient Name: jakarta-commons-httpclient Version: 3.1 Release: 0 Summary: Feature rich package for accessing resources via HTTP License: Apache-2.0 Group: Development/Libraries/Java Url: http://jakarta.apache.org/commons/httpclient/ #Source0: http://archive.apache.org/dist/jakarta/commons/httpclient/source/commons-htt... Source0: commons-httpclient-%{version}-src.tar.gz Patch0: %{name}-disablecryptotests.patch # Add OSGi MANIFEST.MF bits Patch1: %{name}-addosgimanifest.patch Patch2: %{name}-encoding.patch #PATCH-FIX-UPSTREAM: bnc#803332 #http://svn.apache.org/viewvc?view=revision&revision=483925 Patch3: commons-httpclient-CVE-2012-5783.patch BuildArch: noarch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: ant BuildRequires: commons-codec BuildRequires: commons-logging >= 1.0.3 #BuildRequires: java-javadoc #BuildRequires: apache-commons-logging-javadoc BuildRequires: java-devel BuildRequires: junit Requires: commons-codec Requires: commons-logging >= 1.0.3 Provides: %{short_name} = %{version}-%{release} Provides: %{name}3 = %{version}-%{release} Obsoletes: %{name}3 < %{version}-%{release} %description Although the java.net package provides basic functionality for accessing resources via HTTP, it doesn't provide the full flexibility or functionality needed by many applications. The Jakarta Commons HttpClient component seeks to fill this void by providing an efficient, up-to-date, and feature-rich package implementing the client side of the most recent HTTP standards and recommendations. Designed for extension while providing robust support for the base HTTP protocol, the HttpClient component may be of interest to anyone building HTTP-aware client applications such as web browsers, web service clients, or systems that leverage or extend the HTTP protocol for distributed communication. %package javadoc PreReq: coreutils Summary: Developer documentation for jakarta-commons-httpclient Group: Development/Libraries/Java %description javadoc Developer documentation for jakarta-commons-httpclient in JavaDoc format. %{summary}. %package demo Summary: Demonstration files for jakarta-commons-httpclient Group: Development/Libraries/Java Requires: %{name} = %{version}-%{release} %description demo Demonstration files for jakarta-commons-httpclient. NOTE: It is possible that some demonstration files are specially prepared for SUN Java runtime environment. If they fail with IBM or BEA Java, the package itself does not need to be broken. %{summary}. %package manual Summary: Manual for jakarta-commons-httpclient Group: Development/Libraries/Java %description manual Manual for jakarta-commons-httpclient %{summary}. %prep %setup -q -n commons-httpclient-%{version} mkdir lib # duh rm -rf docs/apidocs docs/*.patch docs/*.orig docs/*.rej %patch0 pushd src/conf %{__sed} -i 's/\r//' MANIFEST.MF %patch1 popd %patch02 %patch03 -p1 # Use javax classes, not com.sun ones # assume no filename contains spaces pushd src for j in $(find . -name "*.java" -exec grep -l 'com\.sun\.net\.ssl' {} \;); do sed -e 's|com\.sun\.net\.ssl|javax.net.ssl|' $j > tempf cp tempf $j done rm tempf popd %{__sed} -i 's/\r//' RELEASE_NOTES.txt %{__sed} -i 's/\r//' README.txt %{__sed} -i 's/\r//' LICENSE.txt %build ant \ -Dbuild.sysclasspath=first \ -Djavadoc.j2sdk.link=%{_javadocdir}/java \ -Djavadoc.logging.link=%{_javadocdir}/apache-commons-logging \ -Dtest.failonerror=false \ -Dlib.dir=%{_javadir} \ -Djavac.encoding=UTF-8 \ dist test %install # jars mkdir -p $RPM_BUILD_ROOT%{_javadir} cp -p dist/commons-httpclient.jar \ $RPM_BUILD_ROOT%{_javadir}/%{name}.jar # compat symlink pushd $RPM_BUILD_ROOT%{_javadir} ln -s jakarta-commons-httpclient.jar jakarta-commons-httpclient3.jar ln -s jakarta-commons-httpclient.jar commons-httpclient3.jar ln -s jakarta-commons-httpclient.jar commons-httpclient.jar popd # javadoc mkdir -p $RPM_BUILD_ROOT%{_javadocdir} mv dist/docs/api $RPM_BUILD_ROOT%{_javadocdir}/%{name} # demo mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name} cp -pr src/examples src/contrib $RPM_BUILD_ROOT%{_datadir}/%{name} # manual and docs rm -f dist/docs/{BUILDING,TESTING}.txt ln -s %{_javadocdir}/%{name} dist/docs/apidocs %clean rm -rf $RPM_BUILD_ROOT %files %defattr(0644,root,root,0755) %doc LICENSE.txt README.txt RELEASE_NOTES.txt %{_javadir}/%{name}.jar %{_javadir}/jakarta-commons-httpclient3.jar %{_javadir}/commons-httpclient3.jar %{_javadir}/commons-httpclient.jar %files javadoc %defattr(0644,root,root,0755) %doc %{_javadocdir}/%{name} %files demo %defattr(0644,root,root,0755) %{_datadir}/%{name} %files manual %defattr(0644,root,root,0755) %doc dist/docs/* %changelog ++++++ commons-httpclient-CVE-2012-5783.patch ++++++ Index: commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java =================================================================== --- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -31,10 +31,17 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; + +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import org.apache.commons.httpclient.ConnectTimeoutException; @@ -79,12 +86,17 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { - return SSLSocketFactory.getDefault().createSocket( + SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); + + verifyHostName( host, (SSLSocket) socket ); + + // verifyHostName() didn't blowup - good! + return socket; } /** @@ -124,15 +136,18 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { - return createSocket(host, port, localAddress, localPort); + SSLSocket socket = (SSLSocket) createSocket(host, port, localAddress, localPort); + verifyHostName(host, (SSLSocket) socket); + return socket; } else { // To be eventually deprecated when migrated to Java 1.4 or above - Socket socket = ReflectionSocketFactory.createSocket( + SSLSocket socket =(SSLSocket) ReflectionSocketFactory.createSocket( "javax.net.ssl.SSLSocketFactory", host, port, localAddress, localPort, timeout); if (socket == null) { - socket = ControllerThreadSocketFactory.createSocket( + socket = (SSLSocket) ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } + verifyHostName(host, (SSLSocket) socket); return socket; } } @@ -142,10 +157,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { - return SSLSocketFactory.getDefault().createSocket( + SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket( host, port ); + verifyHostName( host, (SSLSocket) socket ); + return socket; } /** @@ -157,14 +174,133 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { - return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( + SSLSocket s = (SSLSocket) ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); + verifyHostName( host, (SSLSocket) socket ); + + // verifyHostName() didn't blowup - good! + return s; + } + + private static void verifyHostName( String host, SSLSocket ssl ) + throws IOException { + if ( host == null ) { + throw new NullPointerException( "host to verify was null" ); + } + + SSLSession session = ssl.getSession(); + if ( session == null ) { + // In our experience this only happens under IBM 1.4.x when + // spurious (unrelated) certificates show up in the server's chain. + // Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); + /* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + + #1. Clean up the certificate chain that your server + is presenting (e.g. edit "/etc/apache2/server.crt" or + wherever it is your server's certificate chain is + defined). + + OR + + #2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + + // If ssl.getInputStream().available() didn't cause an exception, + // maybe at least now the session is available? + session = ssl.getSession(); + if ( session == null ) { + // If it's still null, probably a startHandshake() will + // unearth the real problem. + ssl.startHandshake(); + + // Okay, if we still haven't managed to cause an exception, + // might as well go for the NPE. Or maybe we're okay now? + session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + X509Certificate x509 = (X509Certificate) certs[ 0 ]; + String cn = getCN( x509 ); + if ( cn == null ) { + String subject = x509.getSubjectX500Principal().toString(); + String msg = "certificate doesn't contain CN: " + subject; + throw new SSLException( msg ); + } + // I'm okay with being case-insensitive when comparing the host we used + // to establish the socket to the hostname in the certificate. + // Don't trim the CN, though. + cn = cn.toLowerCase(); + host = host.trim().toLowerCase(); + boolean doWildcard = false; + if ( cn.startsWith( "*." ) ) { + // The CN better have at least two dots if it wants wildcard action, + // but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc... + String withoutCountryCode = ""; + if ( cn.length() >= 7 && cn.length() <= 9 ) { + withoutCountryCode = cn.substring( 2, cn.length() - 2 ); + } + doWildcard = cn.lastIndexOf( '.' ) >= 0 && + !"ac.".equals( withoutCountryCode ) && + !"co.".equals( withoutCountryCode ) && + !"com.".equals( withoutCountryCode ) && + !"ed.".equals( withoutCountryCode ) && + !"edu.".equals( withoutCountryCode ) && + !"go.".equals( withoutCountryCode ) && + !"gouv.".equals( withoutCountryCode ) && + !"gov.".equals( withoutCountryCode ) && + !"info.".equals( withoutCountryCode ) && + !"lg.".equals( withoutCountryCode ) && + !"ne.".equals( withoutCountryCode ) && + !"net.".equals( withoutCountryCode ) && + !"or.".equals( withoutCountryCode ) && + !"org.".equals( withoutCountryCode ); + + // The [*.co.uk] problem is an interesting one. Should we just + // hope that CA's would never foolishly allow such a + // certificate to happen? + } + + boolean match; + if ( doWildcard ) { + match = host.endsWith( cn.substring( 1 ) ); + } else { + match = host.equals( cn ); + } + if ( !match ) { + throw new SSLException( "hostname in certificate didn't match: <" + host + "> != <" + cn + ">" ); + } } + private static String getCN( X509Certificate cert ) { + // Note: toString() seems to do a better job than getName() + // + // For example, getName() gives me this: + // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d + // + // whereas toString() gives me this: + // EMAILADDRESS=juliusdavies@cucbc.com + String subjectPrincipal = cert.getSubjectX500Principal().toString(); + int x = subjectPrincipal.indexOf( "CN=" ); + if ( x >= 0 ) { + int y = subjectPrincipal.indexOf( ',', x ); + // If there are no more commas, then CN= is the last entry. + y = ( y >= 0 ) ? y : subjectPrincipal.length(); + return subjectPrincipal.substring( x + 3, y ); + } else { + return null; + } + } + /** * All instances of SSLProtocolSocketFactory are the same. */ ++++++ jakarta-commons-httpclient-addosgimanifest.patch ++++++ --- MANIFEST.MF 2007-09-06 12:31:02.000000000 -0400 +++ MANIFEST.MF 2007-09-06 12:30:45.000000000 -0400 @@ -3,4 +3,27 @@ Specification-Version: 1.0 Implementation-Vendor: Apache Software Foundation Implementation-Version: @version@ - +Bundle-ManifestVersion: 2 +Bundle-Name: %bundleName +Bundle-SymbolicName: org.apache.commons.httpclient +Bundle-Version: 3.1.0.v20080605-1935 +Import-Package: javax.crypto;resolution:=optional, + javax.crypto.spec;resolution:=optional, + javax.net;resolution:=optional, + javax.net.ssl;resolution:=optional, + org.apache.commons.codec;version="[1.2.0,2.0.0)", + org.apache.commons.codec.binary;version="[1.2.0,2.0.0)", + org.apache.commons.codec.net;version="[1.2.0,2.0.0)", + org.apache.commons.logging;version="[1.0.4,2.0.0)" +Export-Package: org.apache.commons.httpclient;version="3.1.0", + org.apache.commons.httpclient.auth;version="3.1.0", + org.apache.commons.httpclient.cookie;version="3.1.0", + org.apache.commons.httpclient.methods;version="3.1.0", + org.apache.commons.httpclient.methods.multipart;version="3.1.0", + org.apache.commons.httpclient.params;version="3.1.0", + org.apache.commons.httpclient.protocol;version="3.1.0", + org.apache.commons.httpclient.util;version="3.1.0" +Bundle-Vendor: %bundleProvider +Bundle-Localization: plugin +Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0, + J2SE-1.2 ++++++ jakarta-commons-httpclient-disablecryptotests.patch ++++++ --- ./src/test/org/apache/commons/httpclient/params/TestParamsAll.java.sav 2006-07-20 18:42:17.000000000 -0400 +++ ./src/test/org/apache/commons/httpclient/params/TestParamsAll.java 2006-07-20 18:42:26.000000000 -0400 @@ -43,7 +43,6 @@ public static Test suite() { TestSuite suite = new TestSuite(); suite.addTest(TestHttpParams.suite()); - suite.addTest(TestSSLTunnelParams.suite()); return suite; } --- ./src/test/org/apache/commons/httpclient/TestAll.java.sav 2006-07-20 18:42:56.000000000 -0400 +++ ./src/test/org/apache/commons/httpclient/TestAll.java 2006-07-20 18:43:01.000000000 -0400 @@ -100,7 +100,6 @@ // Non compliant behaviour suite.addTest(TestNoncompliant.suite()); // Proxy - suite.addTest(TestProxy.suite()); suite.addTest(TestProxyWithRedirect.suite()); return suite; } ++++++ jakarta-commons-httpclient-encoding.patch ++++++ --- build.xml 2007-08-18 05:02:14.000000000 -0400 +++ build.xml 2012-01-23 09:52:50.405796336 -0500 @@ -179,6 +179,7 @@ description="Compile shareable components"> <javac srcdir ="${source.home}/java" destdir ="${build.home}/classes" + encoding ="ISO-8859-1" debug ="${compile.debug}" deprecation ="${compile.deprecation}" optimize ="${compile.optimize}"> @@ -186,6 +187,7 @@ </javac> <javac srcdir ="${source.home}/examples" destdir ="${build.home}/examples" + encoding ="ISO-8859-1" debug ="${compile.debug}" deprecation ="${compile.deprecation}" optimize ="${compile.optimize}"> @@ -197,6 +199,7 @@ description="Compile unit test cases"> <javac srcdir ="${test.home}" destdir ="${build.home}/tests" + encoding ="ISO-8859-1" debug ="${compile.debug}" deprecation ="${compile.deprecation}" optimize ="${compile.optimize}"> @@ -244,6 +244,7 @@ <mkdir dir="${dist.home}/docs/api"/> <javadoc sourcepath ="${source.home}/java" destdir ="${dist.home}/docs/api" + encoding ="ISO-8859-1" packagenames ="org.apache.commons.*" author ="true" protected ="true" -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org