apache-commons-httpclient/apache-commons-httpclient-CVE-2015-5262.patch

From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <decathorpe@gmail.com>
Date: Sat, 18 Jul 2020 19:48:18 +0200
Subject: [PATCH 5/6] CVE-2015-5262

---
 .../httpclient/protocol/SSLProtocolSocketFactory.java        | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
index e6ce513..b7550a2 100644
--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
         }
         int timeout = params.getConnectionTimeout();
         if (timeout == 0) {
-            Socket sslSocket =  createSocket(host, port, localAddress, localPort);
+            Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
+                host, port, localAddress, localPort);
+            sslSocket.setSoTimeout(params.getSoTimeout());
             verifyHostName(host, (SSLSocket) sslSocket);
             return sslSocket;
         } else {
@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
             	sslSocket = ControllerThreadSocketFactory.createSocket(
                     this, host, port, localAddress, localPort, timeout);
             }
+            sslSocket.setSoTimeout(params.getSoTimeout());
             verifyHostName(host, (SSLSocket) sslSocket);
             return sslSocket;
         }
-- 
2.26.2
Accepting request 844266 from home:pmonrealgonzalez:branches:Java:packages - Security fix [bsc#945190, CVE-2015-5262] * http/conn/ssl/SSLConnectionSocketFactory.java ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. - Add apache-commons-httpclient-CVE-2015-5262.patch - Security fix [bsc#1178171, CVE-2014-3577] * org.apache.http.conn.ssl.AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows MITM attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate. - Add apache-commons-httpclient-CVE-2014-3577.patch OBS-URL: https://build.opensuse.org/request/show/844266 OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-commons-httpclient?expand=0&rev=25 2020-11-02 15:43:49 +01:00			`From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001`
			`From: Fabio Valentini <decathorpe@gmail.com>`
			`Date: Sat, 18 Jul 2020 19:48:18 +0200`
			`Subject: [PATCH 5/6] CVE-2015-5262`

			`---`
			`.../httpclient/protocol/SSLProtocolSocketFactory.java \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

			`diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java`
			`index e6ce513..b7550a2 100644`
			`--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java`
			`+++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java`
			`@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {`
			`}`
			`int timeout = params.getConnectionTimeout();`
			`if (timeout == 0) {`
			`- Socket sslSocket = createSocket(host, port, localAddress, localPort);`
			`+ Socket sslSocket = SSLSocketFactory.getDefault().createSocket(`
			`+ host, port, localAddress, localPort);`
			`+ sslSocket.setSoTimeout(params.getSoTimeout());`
			`verifyHostName(host, (SSLSocket) sslSocket);`
			`return sslSocket;`
			`} else {`
			`@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {`
			`sslSocket = ControllerThreadSocketFactory.createSocket(`
			`this, host, port, localAddress, localPort, timeout);`
			`}`
			`+ sslSocket.setSoTimeout(params.getSoTimeout());`
			`verifyHostName(host, (SSLSocket) sslSocket);`
			`return sslSocket;`
			`}`
			`--`
			`2.26.2`