java-packages/apache-commons-httpclient
SHA256
6
0
Fork 0
forked from pool/apache-commons-httpclient
Code Pull Requests Activity

Accepting request 844266 from home:pmonrealgonzalez:branches:Java:packages

Browse Source 
- Security fix [bsc#945190, CVE-2015-5262]
  * http/conn/ssl/SSLConnectionSocketFactory.java ignores the
    http.socket.timeout configuration setting during an SSL handshake,
    which allows remote attackers to cause a denial of service (HTTPS
    call hang) via unspecified vectors.
- Add apache-commons-httpclient-CVE-2015-5262.patch

- Security fix [bsc#1178171, CVE-2014-3577]
  * org.apache.http.conn.ssl.AbstractVerifier does not properly
    verify that the server hostname matches a domain name in the
    subject's Common Name (CN) or subjectAltName field of the X.509
    certificate, which allows MITM attackers to spoof SSL servers
    via a "CN=" string in a field in the distinguished name (DN)
    of a certificate.
- Add apache-commons-httpclient-CVE-2014-3577.patch

OBS-URL: https://build.opensuse.org/request/show/844266
OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-commons-httpclient?expand=0&rev=25
This commit is contained in:
Fridrich Strba
2020-11-02 14:43:49 +00:00
committed by Git OBS Bridge
parent bcbe0ca3bf
commit 6f51036dc3
4 changed files with 156 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
apache-commons-httpclient-CVE-2015-5262.patch Normal file
View File

@@ -0,0 +1,35 @@
From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <decathorpe@gmail.com>
Date: Sat, 18 Jul 2020 19:48:18 +0200
Subject: [PATCH 5/6] CVE-2015-5262
---
.../httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
index e6ce513..b7550a2 100644
--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
}
int timeout = params.getConnectionTimeout();
if (timeout == 0) {
- Socket sslSocket = createSocket(host, port, localAddress, localPort);
+ Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
+ host, port, localAddress, localPort);
+ sslSocket.setSoTimeout(params.getSoTimeout());
verifyHostName(host, (SSLSocket) sslSocket);
return sslSocket;
} else {
@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
sslSocket = ControllerThreadSocketFactory.createSocket(
this, host, port, localAddress, localPort, timeout);
}
+ sslSocket.setSoTimeout(params.getSoTimeout());
verifyHostName(host, (SSLSocket) sslSocket);
return sslSocket;
}
--
2.26.2