	- Security fix [bsc#945190, CVE-2015-5262]
  * http/conn/ssl/SSLConnectionSocketFactory.java ignores the
    http.socket.timeout configuration setting during an SSL handshake,
    which allows remote attackers to cause a denial of service (HTTPS
    call hang) via unspecified vectors.
- Add apache-commons-httpclient-CVE-2015-5262.patch
- Security fix [bsc#1178171, CVE-2014-3577]
  * org.apache.http.conn.ssl.AbstractVerifier does not properly
    verify that the server hostname matches a domain name in the
    subject's Common Name (CN) or subjectAltName field of the X.509
    certificate, which allows MITM attackers to spoof SSL servers
    via a "CN=" string in a field in the distinguished name (DN)
    of a certificate.
- Add apache-commons-httpclient-CVE-2014-3577.patch
OBS-URL: https://build.opensuse.org/request/show/844266
OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-commons-httpclient?expand=0&rev=25
		
	
		
			
				
	
	
		
| From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
 | |
| From: Fabio Valentini <decathorpe@gmail.com>
 | |
| Date: Sat, 18 Jul 2020 19:48:18 +0200
 | |
| Subject: [PATCH 5/6] CVE-2015-5262
 | |
| 
 | |
| ---
 | |
|  .../httpclient/protocol/SSLProtocolSocketFactory.java        | 5 ++++-
 | |
|  1 file changed, 4 insertions(+), 1 deletion(-)
 | |
| 
 | |
| diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
 | |
| index e6ce513..b7550a2 100644
 | |
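--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
         }
         int timeout = params.getConnectionTimeout();
         if (timeout == 0) {
-            Socket sslSocket =  createSocket(host, port, localAddress, localPort);
+            Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
+                host, port, localAddress, localPort);
+            sslSocket.setSoTimeout(params.getSoTimeout());
             verifyHostName(host, (SSLSocket) sslSocket);
             return sslSocket;
         } else {
@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
             	sslSocket = ControllerThreadSocketFactory.createSocket(
                     this, host, port, localAddress, localPort, timeout);
             }
+            sslSocket.setSoTimeout(params.getSoTimeout());
             verifyHostName(host, (SSLSocket) sslSocket);
             return sslSocket;
         }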
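Review bot: In both branches the connected socket is never closed if `sslSocket.setSoTimeout(...)` or `verifyHostName(...)` throws, and with SO_TIMEOUT now applied before verification a stalled handshake is expected to surface as an exception at exactly that point. Unless `verifyHostName` closes the socket itself (its body is not visible here), each timed-out or rejected handshake leaves a descriptor open until garbage collection, which matters for a fix whose purpose is to stop a slow peer from tying up the client. Wrapping the two calls in a try/catch that closes `sslSocket` before rethrowing would cover the `timeout == 0` branch and the path after `ControllerThreadSocketFactory.createSocket`; the enclosing method starts and ends outside both hunks, so the catch type below assumes it already declares `IOException`. It is also worth a comment that `params.getSoTimeout()` returning 0 means no limit, so the handshake stays unbounded when http.socket.timeout is not configured.

```java
            // … unchanged: socket creation in each branch …
            try {
                sslSocket.setSoTimeout(params.getSoTimeout());
                verifyHostName(host, (SSLSocket) sslSocket);
            } catch (IOException e) {
                // Release the connected socket when the handshake times out
                // or the hostname check rejects the peer.
                sslSocket.close();
                throw e;
            }
            return sslSocket;
```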
 | |
| -- 
 | |
| 2.26.2
 | |
| 
 |