Accepting request 1170965 from Java:packages

Clean the spec: remove old macros and change to working urls

OBS-URL: https://build.opensuse.org/request/show/1170965
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache-commons-httpclient?expand=0&rev=13

apache-commons-httpclient-CVE-2014-3577.patch

@@ -0,0 +1,92 @@
+From 1bef0d6f6e8f2f68e996737d7be598613e2060b2 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:48:08 +0200
+Subject: [PATCH 4/6] CVE-2014-3577
+
+---
+ .../protocol/SSLProtocolSocketFactory.java    | 57 ++++++++++++-------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+ 
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ 		return dots;
+ 	}
+ 
+-	private static String getCN(X509Certificate cert) {
+-        // Note:  toString() seems to do a better job than getName()
+-        //
+-        // For example, getName() gives me this:
+-        // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-        //
+-        // whereas toString() gives me this:
+-        // EMAILADDRESS=juliusdavies@cucbc.com        
+-		String subjectPrincipal = cert.getSubjectX500Principal().toString();
+-		
+-		return getCN(subjectPrincipal);
+-
++	private static String getCN(final X509Certificate cert) {
++		final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++		try {
++			return extractCN(subjectPrincipal);
++		} catch (SSLException ex) {
++			return null;
++		}
+ 	}
+-	private static String getCN(String subjectPrincipal) {
+-		StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+-		while(st.hasMoreTokens()) {
+-			String tok = st.nextToken().trim();
+-			if (tok.length() > 3) {
+-				if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+-					return tok.substring(3);
++
++	private static String extractCN(final String subjectPrincipal) throws SSLException {
++		if (subjectPrincipal == null) {
++			return null;
++		}
++		try {
++			final LdapName subjectDN = new LdapName(subjectPrincipal);
++			final List<Rdn> rdns = subjectDN.getRdns();
++			for (int i = rdns.size() - 1; i >= 0; i--) {
++				final Rdn rds = rdns.get(i);
++				final Attributes attributes = rds.toAttributes();
++				final Attribute cn = attributes.get("cn");
++				if (cn != null) {
++					try {
++						final Object value = cn.get();
++						if (value != null) {
++							return value.toString();
++						}
++					} catch (NoSuchElementException ignore) {
++					} catch (NamingException ignore) {
++					}
+ 				}
+ 			}
++		} catch (InvalidNameException e) {
++			throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
+ 		}
+ 		return null;
+ 	}
+-- 
+2.26.2
+

apache-commons-httpclient-CVE-2015-5262.patch

@@ -0,0 +1,35 @@
+From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini <decathorpe@gmail.com>
+Date: Sat, 18 Jul 2020 19:48:18 +0200
+Subject: [PATCH 5/6] CVE-2015-5262
+
+---
+ .../httpclient/protocol/SSLProtocolSocketFactory.java        | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+         }
+         int timeout = params.getConnectionTimeout();
+         if (timeout == 0) {
+-            Socket sslSocket =  createSocket(host, port, localAddress, localPort);
++            Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++                host, port, localAddress, localPort);
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+             	sslSocket = ControllerThreadSocketFactory.createSocket(
+                     this, host, port, localAddress, localPort, timeout);
+             }
++            sslSocket.setSoTimeout(params.getSoTimeout());
+             verifyHostName(host, (SSLSocket) sslSocket);
+             return sslSocket;
+         }
+-- 
+2.26.2
+

apache-commons-httpclient.changes

@@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Tue Apr 30 11:15:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Clean the spec: remove old macros and change to working urls
+
+-------------------------------------------------------------------
+Tue Feb 20 10:19:53 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Use %patch -P N instead of deprecated %patchN.
+
+-------------------------------------------------------------------
+Tue Oct 27 10:39:27 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix [bsc#945190, CVE-2015-5262]
+  * http/conn/ssl/SSLConnectionSocketFactory.java ignores the
+    http.socket.timeout configuration setting during an SSL handshake,
+    which allows remote attackers to cause a denial of service (HTTPS
+    call hang) via unspecified vectors.
+- Add apache-commons-httpclient-CVE-2015-5262.patch
+
+-------------------------------------------------------------------
+Tue Oct 27 10:38:45 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
+
+- Security fix [bsc#1178171, CVE-2014-3577]
+  * org.apache.http.conn.ssl.AbstractVerifier does not properly
+    verify that the server hostname matches a domain name in the
+    subject's Common Name (CN) or subjectAltName field of the X.509
+    certificate, which allows MITM attackers to spoof SSL servers
+    via a "CN=" string in a field in the distinguished name (DN)
+    of a certificate.
+- Add apache-commons-httpclient-CVE-2014-3577.patch
+
+-------------------------------------------------------------------
+Mon Apr  1 23:15:55 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
+
+- Trim conjecture from description.
+
+-------------------------------------------------------------------
+Mon Jan 21 15:28:32 UTC 2019 - Fridrich Strba <fstrba@suse.com>
+
+- Add maven pom file and clean-up the spec file
+
 -------------------------------------------------------------------
 Tue May 15 10:34:34 UTC 2018 - fstrba@suse.com
 

apache-commons-httpclient.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package apache-commons-httpclient
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,9 +23,9 @@ Release:        0
 Summary:        Feature rich package for accessing resources via HTTP
 License:        Apache-2.0
 Group:          Development/Libraries/Java
-URL:            http://hc.apache.org/httpclient-3.x/
-Source0:        http://www.apache.org/dist/httpcomponents/commons-httpclient/source/%{short_name}-%{version}-src.tar.gz
-Source1:        http://repo.maven.apache.org/maven2/%{short_name}/%{short_name}/%{version}/%{short_name}-%{version}.pom
+URL:            https://hc.apache.org/httpclient-3.x/
+Source0:        https://archive.apache.org/dist/httpcomponents/%{short_name}/source/%{short_name}-%{version}-src.tar.gz
+Source1:        https://repo1.maven.org/maven2/%{short_name}/%{short_name}/%{version}/%{short_name}-%{version}.pom
 Patch0:         %{name}-disablecryptotests.patch
 # Add OSGi MANIFEST.MF bits
 Patch1:         %{name}-addosgimanifest.patch
@@ -33,16 +33,18 @@ Patch2:         %{name}-encoding.patch
 #PATCH-FIX-UPSTREAM: bnc#803332
 #https://issues.apache.org/jira/secure/attachment/12560251/CVE-2012-5783-2.patch
 Patch3:         %{short_name}-CVE-2012-5783-2.patch
+#PATCH-FIX-UPSTREAM bsc#1178171 CVE-2014-3577 MITM security vulnerability
+Patch4:         apache-commons-httpclient-CVE-2014-3577.patch
+#PATCH-FIX-UPSTREAM bsc#945190 CVE-2015-5262 Missing HTTPS connection timeout
+Patch5:         apache-commons-httpclient-CVE-2015-5262.patch
 BuildRequires:  ant
 BuildRequires:  ant-junit
 BuildRequires:  commons-codec
 BuildRequires:  commons-logging >= 1.0.3
 BuildRequires:  fdupes
 BuildRequires:  java-devel >= 1.8
-BuildRequires:  javapackages-local
+BuildRequires:  javapackages-local >= 6
 BuildRequires:  junit
-Requires:       commons-codec
-Requires:       commons-logging >= 1.0.3
 Provides:       %{short_name} = %{version}
 Provides:       jakarta-%{short_name} = %{version}
 Obsoletes:      jakarta-%{short_name} < %{version}
@@ -54,15 +56,13 @@ BuildArch:      noarch
 Although the java.net  package provides basic functionality for
 accessing resources via HTTP, it doesn't provide the full flexibility
 or functionality needed by many applications. The Apache Commons
-HttpClient component seeks to fill this void by providing an efficient,
-up-to-date, and feature-rich package implementing the client side of
-the most recent HTTP standards and recommendations.
+HttpClient component provides a package implementing the client side
+of the most recent HTTP standards and recommendations.
 
-Designed for extension while providing robust support for the base HTTP
-protocol, the HttpClient component may be of interest to anyone
-building HTTP-aware client applications such as web browsers, web
-service clients, or systems that leverage or extend the HTTP protocol
-for distributed communication.
+The HttpClient component may be of interest to anyone building
+HTTP-aware client applications such as web browsers, web service
+clients, or systems that leverage or extend the HTTP protocol for
+distributed communication.
 
 %package        javadoc
 Summary:        Developer documentation for %{name}
@@ -101,15 +101,17 @@ Manual for %{name}
 mkdir lib # duh
 rm -rf docs/apidocs docs/*.patch docs/*.orig docs/*.rej
 
-%patch0
+%patch -P 0
 
 pushd src/conf
 sed -i 's/\r//' MANIFEST.MF
-%patch1
+%patch -P 1
 popd
 
-%patch2
-%patch3 -p1
+%patch -P 2
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
 
 # Use javax classes, not com.sun ones
 # assume no filename contains spaces
@@ -151,17 +153,17 @@ ln -s %{name}.jar jakarta-%{short_name}3.jar
 popd
 
 # pom
-mkdir -p %{buildroot}%{_mavenpomdir}
-cp -p %{SOURCE1} %{buildroot}%{_mavenpomdir}/%{name}.pom
+install -d -m 0755 %{buildroot}%{_mavenpomdir}
+%{mvn_install_pom} %{SOURCE1} %{buildroot}%{_mavenpomdir}/%{name}.pom
 %add_maven_depmap %{name}.pom %{name}.jar -a apache:commons-httpclient
 
 # javadoc
-mkdir -p %{buildroot}%{_javadocdir}
+install -d -m 0755 %{buildroot}%{_javadocdir}
 mv dist/docs/api %{buildroot}%{_javadocdir}/%{name}
 %fdupes -s %{buildroot}%{_javadocdir}/%{name}
 
 # demo
-mkdir -p %{buildroot}%{_datadir}/%{name}
+install -d -m 0755 %{buildroot}%{_datadir}/%{name}
 cp -pr src/examples src/contrib %{buildroot}%{_datadir}/%{name}
 %fdupes -s %{buildroot}%{_datadir}/%{name}
 
@@ -170,22 +172,15 @@ rm -f dist/docs/{BUILDING,TESTING}.txt
 ln -s %{_javadocdir}/%{name} dist/docs/apidocs
 %fdupes -s dist/docs
 
-%files
+%files -f .mfiles
 %defattr(0644,root,root,0755)
 %license LICENSE.txt
 %doc README.txt RELEASE_NOTES.txt
-%{_javadir}/%{name}.jar
 %{_javadir}/%{name}3.jar
 %{_javadir}/%{short_name}3.jar
 %{_javadir}/%{short_name}.jar
 %{_javadir}/jakarta-%{short_name}3.jar
 %{_javadir}/jakarta-%{short_name}.jar
-%{_mavenpomdir}/*
-%if %{defined _maven_repository}
-%{_mavendepmapfragdir}/%{name}
-%else
-%{_datadir}/maven-metadata/%{name}.xml*
-%endif
 
 %files javadoc
 %defattr(0644,root,root,0755)