Hello community,

here is the log from the commit of package jakarta-commons-httpclient3.1340 for openSUSE:12.1:Update checked in at 2013-02-27 17:05:04

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/jakarta-commons-httpclient3.1340 (Old)
 and      /work/SRC/openSUSE:12.1:Update/.jakarta-commons-httpclient3.1340.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "jakarta-commons-httpclient3.1340", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null	2013-02-26 18:15:11.936010755 +0100
+++ /work/SRC/openSUSE:12.1:Update/.jakarta-commons-httpclient3.1340.new/jakarta-commons-httpclient3.changes	2013-02-27 17:05:06.000000000 +0100
@@ -0,0 +1,41 @@ +------------------------------------------------------------------- +Thu Feb 14 08:47:07 UTC 2013 - mvyskocil@suse.com + +- fix bnc#803332: no ssl certificate hostname checking (CVE-2012-5783) + * commons-httpclient-CVE-2012-5783.patch +- use versioned provides/obsoletes + +------------------------------------------------------------------- +Thu Jul 17 07:45:10 CEST 2008 - coolo@suse.de + +- avoid another build cycle + +------------------------------------------------------------------- +Mon Oct 2 15:47:26 CEST 2006 - dbornkessel@suse.de + +- update to v3.0.1 +- fixes necessary to compile with Java 1.5.0 (in 3.0.1 version) + - set source="1.4" and target="1.4" for ant "javac" tasks + - set source="1.4" for ant "javadoc" tasks + +------------------------------------------------------------------- +Mon Sep 25 12:47:02 CEST 2006 - skh@suse.de + +- don't use icecream +- use source="1.4" and target="1.4" for build with java 1.5 + +------------------------------------------------------------------- +Wed Jan 25 21:46:37 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Wed Jan 4 18:21:39 CET 2006 - dbornkessel@suse.de + +- disabled and 'test' target as that was specially written for sun JRE and hence fails with other JREs + +------------------------------------------------------------------- +Mon Dec 19 21:02:45 CET 2005 - dbornkessel@suse.de + +- Current version 3.0 from JPackage.org + New: ---- commons-httpclient-3.0.1-src.tar.bz2 commons-httpclient-CVE-2012-5783.patch jakarta-commons-httpclient3.changes jakarta-commons-httpclient3.spec java150_build.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jakarta-commons-httpclient3.spec ++++++ # # spec file for package jakarta-commons-httpclient3 # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. 
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

# icecream 0

Name:           jakarta-commons-httpclient3
BuildRequires:  ant-junit
BuildRequires:  jaf
BuildRequires:  jakarta-commons-codec
BuildRequires:  jakarta-commons-discovery
BuildRequires:  java2-devel-packages
BuildRequires:  javamail
BuildRequires:  log4j-mini
BuildRequires:  servletapi5
BuildRequires:  wsdl4j
%define short_name httpclient3
%define name jakarta-commons-%{short_name}
%define version 3.0.1
%define release 0.rc4.1jpp
%define section free
Version:        3.0.1
Release:        0
Summary:        Feature rich package for accessing resources via HTTP
License:        Apache-2.0
Group:          Development/Libraries/Java
#Source0: http://archive.apache.org/dist/jakarta/commons/httpclient/source/commons-htt...
Source0:        commons-httpclient-%{version}-src.tar.bz2
#PATCH-FIX-UPSTREAM: bnc#803332
#http://svn.apache.org/viewvc?view=revision&revision=483925
Patch0:         commons-httpclient-CVE-2012-5783.patch
Patch150:       java150_build.patch
Url:            http://jakarta.apache.org/commons/httpclient/
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
Requires:       jakarta-commons-logging >= 1.0.3
Provides:       commons-%{short_name} = %{version}-%{release}
Obsoletes:      commons-%{short_name} < %{version}-%{release}

%description
Although the java.net package provides basic functionality for accessing
resources via HTTP, it doesn't provide the full flexibility or
functionality needed by many applications.

The Jakarta Commons HttpClient component seeks to fill this void by
providing an efficient, up-to-date, and feature-rich package implementing
the client side of the most recent HTTP standards and recommendations.

Designed for extension while providing robust support for the base HTTP
protocol, the HttpClient component may be of interest to anyone building
HTTP-aware client applications such as web browsers, web service clients,
or systems that leverage or extend the HTTP protocol for distributed
communication.

Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%package javadoc
PreReq:         coreutils
Summary:        Developer documentation for jakarta-commons-httpclient3
Group:          Development/Libraries/Java

%description javadoc
Developer documentation for jakarta-commons-httpclient3 in JavaDoc format.

Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%{summary}.

%package demo
Summary:        Demonstration files for jakarta-commons-httpclient3
Group:          Development/Libraries/Java
Requires:       %{name} = %{version}-%{release}

%description demo
Demonstration files for jakarta-commons-httpclient3.

NOTE: It is possible that some demonstration files are specially prepared
for the SUN Java runtime environment. If they fail with IBM or BEA Java,
the package itself does not need to be broken.

Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%{summary}.

%package manual
Summary:        Manual for jakarta-commons-httpclient3
Group:          Development/Libraries/Java

%description manual
Manual for jakarta-commons-httpclient3

Authors:
--------
    Adrian Sutton
    Alex Chaffee
    Arun Mammen Thomas
    Juozas Baliuka
    Henri Yandell
    Jeff Brekke
    Bruno D'Avanzo
    Costin Manolache
    Craig R. McClanahan
    Daniel F. Savarese
    David Graham
    Davanum Srinivas
    Dion Gillard
    Dirk Verbeeck
    Daniel Rall
    Dmitri Plotnikov
    Eric Pugh
    Fredrik Westermarck
    Geir Magnusson Jr.
    Gary Gregory
    Glenn Nielsen
    Henning P. Schmiedehausen
    Ted Husted
    Mario Ivankovits
    James Carman
    Sung-Gu Park
    Jean-Frederic Clere
    John Keyes
    John McNally
    Jon Stevens
    Jeff Dever
    James Strachan
    Jason van Zyl
    Jan Luehe
    Martin Cooper
    Matthew Hawthorne
    Michael Becke
    Mark R. Diggory
    Morgan Delagrange
    Martin Poeschl
    Mladen Turk
    Martin van den Bemt
    Noel J. Bergman
    Ortwin Gluck
    Oleg Kalnichevski
    Patrick Luby
    Peter Royal
    Phil Steitz
    Robert Burrell Donkin
    Remy Maucherat
    Robert Leland
    Richard Sitze
    Rodney Waldhoff
    Scott Sanders
    Serge Knystautas
    Steve Cohen
    Stephen Colebourne
    Shawn Bayern
    Simon Kitching
    Steven Caswell
    Sean Sullivan
    Tim O'Brien
    James Turner
    Bob McWhirter
    Yoav Shapira

%{summary}.

%prep
%setup -q -n commons-httpclient-%{version}
# Patch0 (the CVE-2012-5783 hostname verification fix) is declared above
# but was not applied here; without this line the fix never reaches the jar.
%patch0 -p1
%patch150 -p1
mkdir lib # duh
rm -rf docs/apidocs docs/*.patch docs/*.orig docs/*.rej

%build
export CLASSPATH=%(build-classpath jsse jce junit jakarta-commons-codec jakarta-commons-logging)
ant \
    -Dbuild.sysclasspath=first \
    -Djavadoc.j2sdk.link=%{_javadocdir}/java \
    -Djavadoc.logging.link=%{_javadocdir}/jakarta-commons-logging \
    dist

%install
# jars
mkdir -p $RPM_BUILD_ROOT%{_javadir}
cp -p dist/commons-httpclient.jar \
    $RPM_BUILD_ROOT%{_javadir}/%{name}-%{version}.jar
(cd $RPM_BUILD_ROOT%{_javadir} && for jar in *-%{version}.jar; do ln -sf ${jar} `echo $jar| sed "s|jakarta-||g"`; done)
(cd $RPM_BUILD_ROOT%{_javadir} && for jar in *-%{version}.jar; do ln -sf ${jar} `echo $jar| sed "s|-%{version}||g"`; done)
# javadoc
mkdir -p $RPM_BUILD_ROOT%{_javadocdir}
mv dist/docs/api $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
ln -s %{name}-%{version} $RPM_BUILD_ROOT%{_javadocdir}/%{name} # ghost symlink
# demo
mkdir -p $RPM_BUILD_ROOT%{_datadir}/%{name}
cp -pr src/examples src/contrib $RPM_BUILD_ROOT%{_datadir}/%{name}
# manual and docs
rm -f dist/docs/{BUILDING,TESTING}.txt
ln -s %{_javadocdir}/%{name} dist/docs/apidocs

%clean
rm -rf $RPM_BUILD_ROOT

%post javadoc
rm -f %{_javadocdir}/%{name}
ln -s %{name}-%{version} %{_javadocdir}/%{name}

%files
%defattr(0644,root,root,0755)
%doc LICENSE.txt README.txt RELEASE_NOTES.txt
%{_javadir}/*

%files javadoc
%defattr(0644,root,root,0755)
%doc %{_javadocdir}/%{name}-%{version}
%ghost %doc %{_javadocdir}/%{name}

%files demo
%defattr(0644,root,root,0755)
%{_datadir}/%{name}

%files manual
%defattr(0644,root,root,0755)
%doc dist/docs/*

%changelog

++++++ commons-httpclient-CVE-2012-5783.patch ++++++
Index: commons-httpclient-3.0.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
===================================================================
--- commons-httpclient-3.0.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ commons-httpclient-3.0.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -30,10 +30,17 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; + +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import org.apache.commons.httpclient.ConnectTimeoutException; @@ -78,12 +85,17 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { - return SSLSocketFactory.getDefault().createSocket( + SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); + + verifyHostName( host, (SSLSocket) socket ); + + // verifyHostName() didn't blowup - good! + return socket; } /** @@ -123,15 +135,18 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { - return createSocket(host, port, localAddress, localPort); + SSLSocket socket = (SSLSocket) createSocket(host, port, localAddress, localPort); + verifyHostName(host, (SSLSocket) socket); + return socket; } else { // To be eventually deprecated when migrated to Java 1.4 or above - Socket socket = ReflectionSocketFactory.createSocket( + SSLSocket socket =(SSLSocket) ReflectionSocketFactory.createSocket( "javax.net.ssl.SSLSocketFactory", host, port, localAddress, localPort, timeout); if (socket == null) { - socket = ControllerThreadSocketFactory.createSocket( + socket = (SSLSocket) ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } + verifyHostName(host, (SSLSocket) socket); return socket; } } 
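Review bot: in the `@@ -123,15 +135,18 @@` hunk the `timeout == 0` branch verifies the hostname twice: `createSocket(host, port, localAddress, localPort)` already calls `verifyHostName()` after the change in the preceding hunk, so the `verifyHostName(host, (SSLSocket) socket);` that follows it is redundant (harmless, but it performs a second `getSession()`/certificate walk on every connection and suggests the two paths were not reviewed together). Either drop the second call or, better, make the four-argument `createSocket` the only place that verifies and document that contract. The `(SSLSocket) socket` casts on variables already declared as `SSLSocket` can also go; they hide the one cast that matters, the one applied to the `ReflectionSocketFactory`/`ControllerThreadSocketFactory` return values.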
@@ -141,10 +156,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { - return SSLSocketFactory.getDefault().createSocket( + SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket( host, port ); + verifyHostName( host, (SSLSocket) socket ); + return socket; } /** 
@@ -156,14 +173,133 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { - return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( + SSLSocket s = (SSLSocket) ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); + verifyHostName( host, (SSLSocket) socket ); + + // verifyHostName() didn't blowup - good! + return s; + } + + private static void verifyHostName( String host, SSLSocket ssl ) + throws IOException { + if ( host == null ) { + throw new NullPointerException( "host to verify was null" ); + } + + SSLSession session = ssl.getSession(); + if ( session == null ) { + // In our experience this only happens under IBM 1.4.x when + // spurious (unrelated) certificates show up in the server's chain. + // Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); + /* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + + #1. Clean up the certificate chain that your server + is presenting (e.g. edit "/etc/apache2/server.crt" or + wherever it is your server's certificate chain is + defined). + + OR + + #2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + + // If ssl.getInputStream().available() didn't cause an exception, + // maybe at least now the session is available? + session = ssl.getSession(); + if ( session == null ) { + // If it's still null, probably a startHandshake() will + // unearth the real problem. + ssl.startHandshake(); + + // Okay, if we still haven't managed to cause an exception, + // might as well go for the NPE. Or maybe we're okay now? 
+ session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + X509Certificate x509 = (X509Certificate) certs[ 0 ]; + String cn = getCN( x509 ); + if ( cn == null ) { + String subject = x509.getSubjectX500Principal().toString(); + String msg = "certificate doesn't contain CN: " + subject; + throw new SSLException( msg ); + } + // I'm okay with being case-insensitive when comparing the host we used + // to establish the socket to the hostname in the certificate. + // Don't trim the CN, though. + cn = cn.toLowerCase(); + host = host.trim().toLowerCase(); + boolean doWildcard = false; + if ( cn.startsWith( "*." ) ) { + // The CN better have at least two dots if it wants wildcard action, + // but can't be [*.co.uk] or [*.co.jp] or [*.org.uk], etc... + String withoutCountryCode = ""; + if ( cn.length() >= 7 && cn.length() <= 9 ) { + withoutCountryCode = cn.substring( 2, cn.length() - 2 ); + } + doWildcard = cn.lastIndexOf( '.' ) >= 0 && + !"ac.".equals( withoutCountryCode ) && + !"co.".equals( withoutCountryCode ) && + !"com.".equals( withoutCountryCode ) && + !"ed.".equals( withoutCountryCode ) && + !"edu.".equals( withoutCountryCode ) && + !"go.".equals( withoutCountryCode ) && + !"gouv.".equals( withoutCountryCode ) && + !"gov.".equals( withoutCountryCode ) && + !"info.".equals( withoutCountryCode ) && + !"lg.".equals( withoutCountryCode ) && + !"ne.".equals( withoutCountryCode ) && + !"net.".equals( withoutCountryCode ) && + !"or.".equals( withoutCountryCode ) && + !"org.".equals( withoutCountryCode ); + + // The [*.co.uk] problem is an interesting one. Should we just + // hope that CA's would never foolishly allow such a + // certificate to happen? 
+ } + + boolean match; + if ( doWildcard ) { + match = host.endsWith( cn.substring( 1 ) ); + } else { + match = host.equals( cn ); + } + if ( !match ) { + throw new SSLException( "hostname in certificate didn't match: <" + host + "> != <" + cn + ">" ); + } } + private static String getCN( X509Certificate cert ) { + // Note: toString() seems to do a better job than getName() + // + // For example, getName() gives me this: + // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d + // + // whereas toString() gives me this: + // EMAILADDRESS=juliusdavies@cucbc.com + String subjectPrincipal = cert.getSubjectX500Principal().toString(); + int x = subjectPrincipal.indexOf( "CN=" ); + if ( x >= 0 ) { + int y = subjectPrincipal.indexOf( ',', x ); + // If there are no more commas, then CN= is the last entry. + y = ( y >= 0 ) ? y : subjectPrincipal.length(); + return subjectPrincipal.substring( x + 3, y ); + } else { + return null; + } + } + /** * All instances of SSLProtocolSocketFactory are the same. */ ++++++ java150_build.patch ++++++ Index: commons-httpclient-3.0.1/build.xml =================================================================== --- commons-httpclient-3.0.1.orig/build.xml +++ commons-httpclient-3.0.1/build.xml @@ -180,6 +180,7 @@ <target name="compile" depends="static" description="Compile shareable components"> <javac srcdir ="${source.home}/java" + source="1.4" target="1.4" destdir ="${build.home}/classes" debug ="${compile.debug}" deprecation ="${compile.deprecation}" @@ -187,6 +188,7 @@ <classpath refid="compile.classpath"/> </javac> <javac srcdir ="${source.home}/examples" + source="1.4" target="1.4" destdir ="${build.home}/examples" debug ="${compile.debug}" deprecation ="${compile.deprecation}" 
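Review bot: in the `@@ -156,14 +173,133 @@` hunk the `createSocket(Socket socket, String host, int port, boolean autoClose)` overload verifies the wrong object: `verifyHostName( host, (SSLSocket) socket );` passes the caller's existing plain `Socket` instead of the freshly created `SSLSocket s`, so for a plain socket this throws `ClassCastException` before any hostname check runs, and the certificate actually negotiated on `s` is never inspected. It should read `verifyHostName( host, s );`. Within `verifyHostName()` itself, the wildcard guard does not do what its comment says: `cn.lastIndexOf( '.' ) >= 0` is always true once `cn.startsWith( "*." )`, so a CN such as `*.com` (length 5, outside the 7..9 window the `withoutCountryCode` check covers) is accepted as a wildcard; and `host.endsWith( cn.substring( 1 ) )` lets `*.example.com` match `a.b.example.com`, whereas a wildcard should match exactly one label. Consider requiring at least two dots after the `*.` and comparing the remaining labels one-to-one. Note also that only the subject CN is consulted; certificates that carry the hostname in `subjectAltName` dNSName entries will be rejected even when valid (fail-closed, but worth stating in the changes entry). Finally, `getCN()` scans the display string for the first `"CN="` and stops at the next `','`, so a `CN=` that appears inside another attribute value, or a CN containing an escaped or quoted comma, yields a wrong value; at minimum anchor the search to the start of the string or to a preceding `", "`/`","` separator.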
@@ -198,6 +200,7 @@ <target name="compile.tests" depends="compile" description="Compile unit test cases"> <javac srcdir ="${test.home}" + source="1.4" target="1.4" destdir ="${build.home}/tests" debug ="${compile.debug}" deprecation ="${compile.deprecation}" @@ -240,6 +243,7 @@ <mkdir dir="${dist.home}/docs"/> <mkdir dir="${dist.home}/docs/api"/> <javadoc sourcepath ="${source.home}/java" + source="1.4" destdir ="${dist.home}/docs/api" packagenames ="org.apache.commons.*" author ="true" -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org