From 6f51036dc3ebb873d046160e2d06a122c0b87fe062d0fab70412d46b51a21529 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Mon, 2 Nov 2020 14:43:49 +0000 Subject: [PATCH] Accepting request 844266 from home:pmonrealgonzalez:branches:Java:packages - Security fix [bsc#945190, CVE-2015-5262] * http/conn/ssl/SSLConnectionSocketFactory.java ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. - Add apache-commons-httpclient-CVE-2015-5262.patch - Security fix [bsc#1178171, CVE-2014-3577] * org.apache.http.conn.ssl.AbstractVerifier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows MITM attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate. - Add apache-commons-httpclient-CVE-2014-3577.patch OBS-URL: https://build.opensuse.org/request/show/844266 OBS-URL: https://build.opensuse.org/package/show/Java:packages/apache-commons-httpclient?expand=0&rev=25 --- apache-commons-httpclient-CVE-2014-3577.patch | 92 +++++++++++++++++++ apache-commons-httpclient-CVE-2015-5262.patch | 35 +++++++ apache-commons-httpclient.changes | 22 +++++ apache-commons-httpclient.spec | 8 +- 4 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 apache-commons-httpclient-CVE-2014-3577.patch create mode 100644 apache-commons-httpclient-CVE-2015-5262.patch diff --git a/apache-commons-httpclient-CVE-2014-3577.patch b/apache-commons-httpclient-CVE-2014-3577.patch new file mode 100644 index 0000000..00811cf --- /dev/null +++ b/apache-commons-httpclient-CVE-2014-3577.patch 
@@ -0,0 +1,92 @@
+From 1bef0d6f6e8f2f68e996737d7be598613e2060b2 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini
+Date: Sat, 18 Jul 2020 19:48:08 +0200
+Subject: [PATCH 4/6] CVE-2014-3577
+
+---
+ .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++-------
+ 1 file changed, 37 insertions(+), 20 deletions(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index fa0acc7..e6ce513 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -44,9 +44,15 @@ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
++import java.util.NoSuchElementException;
+ import java.util.regex.Pattern;
+
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ return dots;
+ }
+
+- private static String getCN(X509Certificate cert) {
+- // Note: toString() seems to do a better job than getName()
+- //
+- // For example, getName() gives me this:
+- // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+- //
+- // whereas toString() gives me this:
+- // EMAILADDRESS=juliusdavies@cucbc.com
+- String subjectPrincipal = cert.getSubjectX500Principal().toString();
+-
+- return getCN(subjectPrincipal);
+-
++ private static String getCN(final X509Certificate cert) {
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ try {
++ return extractCN(subjectPrincipal); ++ } catch (SSLException ex) { ++ return null; ++ } + } +- private static String getCN(String subjectPrincipal) { +- StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); +- while(st.hasMoreTokens()) { +- String tok = st.nextToken().trim(); +- if (tok.length() > 3) { +- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { +- return tok.substring(3); ++ ++ private static String extractCN(final String subjectPrincipal) throws SSLException { ++ if (subjectPrincipal == null) { ++ return null; ++ } ++ try { ++ final LdapName subjectDN = new LdapName(subjectPrincipal); ++ final List rdns = subjectDN.getRdns(); ++ for (int i = rdns.size() - 1; i >= 0; i--) { ++ final Rdn rds = rdns.get(i); ++ final Attributes attributes = rds.toAttributes(); ++ final Attribute cn = attributes.get("cn"); ++ if (cn != null) { ++ try { ++ final Object value = cn.get(); ++ if (value != null) { ++ return value.toString(); ++ } ++ } catch (NoSuchElementException ignore) { ++ } catch (NamingException ignore) { ++ } + } + } ++ } catch (InvalidNameException e) { ++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name"); + } + return null; + } +-- +2.26.2 + diff --git a/apache-commons-httpclient-CVE-2015-5262.patch b/apache-commons-httpclient-CVE-2015-5262.patch new file mode 100644 index 0000000..56a42e6 --- /dev/null +++ b/apache-commons-httpclient-CVE-2015-5262.patch 
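Review bot: The `catch (InvalidNameException e)` branch in `extractCN` throws a new `SSLException` built from the message alone and drops `e`, so the reason `LdapName` rejected the subject DN disappears from any stack trace; since the patch already depends on Java 5's `javax.naming.ldap`, the cause-preserving constructor is available: `throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name", e);`. `getCN(X509Certificate)` then turns that exception into `null`, which its caller (`verifyHostName`, outside this hunk) has to treat as "no CN present" rather than as a match — that handling cannot be confirmed from the hunk. The backwards iteration over `rdns` and the two empty `ignore` catches deserve a why-comment such as `// LdapName indexes the rightmost RDN as 0, so walk backwards to reach the leftmost CN first; RDNs without a readable cn value are skipped`, so the loop is not "simplified" into a forward scan later. The enclosing class continues outside the hunk.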
@@ -0,0 +1,35 @@
+From a42239d4dbf88dc577061203c234a91d847a8615 Mon Sep 17 00:00:00 2001
+From: Fabio Valentini
+Date: Sat, 18 Jul 2020 19:48:18 +0200
+Subject: [PATCH 5/6] CVE-2015-5262
+
+---
+ .../httpclient/protocol/SSLProtocolSocketFactory.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+index e6ce513..b7550a2 100644
+--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java
+@@ -152,7 +152,9 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ }
+ int timeout = params.getConnectionTimeout();
+ if (timeout == 0) {
+- Socket sslSocket = createSocket(host, port, localAddress, localPort);
++ Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
++ host, port, localAddress, localPort);
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ } else {
+@@ -163,6 +165,7 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory {
+ sslSocket = ControllerThreadSocketFactory.createSocket(
+ this, host, port, localAddress, localPort, timeout);
+ }
++ sslSocket.setSoTimeout(params.getSoTimeout());
+ verifyHostName(host, (SSLSocket) sslSocket);
+ return sslSocket;
+ }
+--
+2.26.2
+
diff --git a/apache-commons-httpclient.changes b/apache-commons-httpclient.changes
index 7319e7f..e40299d 100644
--- a/apache-commons-httpclient.changes
+++ b/apache-commons-httpclient.changes
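Review bot: The new `sslSocket.setSoTimeout(params.getSoTimeout())` lines (in both inner hunks) can throw `SocketException`, and like the `verifyHostName` call after them they leave the freshly created socket open on failure, so a failing handshake leaks one descriptor per attempt; closing the socket before rethrowing avoids that. The `timeout == 0` branch also replaces the call to this class's own four-argument `createSocket` with a direct `SSLSocketFactory.getDefault().createSocket(...)`, presumably because that overload verifies the hostname before any timeout can be applied; that reasoning belongs in a comment such as `// set SO_TIMEOUT before verifyHostName(), which triggers the TLS handshake (CVE-2015-5262)` so the delegation is not reinstated later. The enclosing method starts and ends outside both hunks.
```java
// … unchanged: connection-timeout lookup …
if (timeout == 0) {
    Socket sslSocket = SSLSocketFactory.getDefault().createSocket(
        host, port, localAddress, localPort);
    try {
        // SO_TIMEOUT must be in place before verifyHostName() triggers the
        // TLS handshake, otherwise the handshake can hang (CVE-2015-5262).
        sslSocket.setSoTimeout(params.getSoTimeout());
        verifyHostName(host, (SSLSocket) sslSocket);
    } catch (IOException e) {
        sslSocket.close();
        throw e;
    }
    return sslSocket;
} else {
    // … unchanged: ControllerThreadSocketFactory path, with the same
    // try/close/rethrow around setSoTimeout() and verifyHostName() …
```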
@@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Tue Oct 27 10:39:27 UTC 2020 - Pedro Monreal
+
+- Security fix [bsc#945190, CVE-2015-5262]
+ * http/conn/ssl/SSLConnectionSocketFactory.java ignores the
+ http.socket.timeout configuration setting during an SSL handshake,
+ which allows remote attackers to cause a denial of service (HTTPS
+ call hang) via unspecified vectors.
+- Add apache-commons-httpclient-CVE-2015-5262.patch
+
+-------------------------------------------------------------------
+Tue Oct 27 10:38:45 UTC 2020 - Pedro Monreal
+
+- Security fix [bsc#1178171, CVE-2014-3577]
+ * org.apache.http.conn.ssl.AbstractVerifier does not properly
+ verify that the server hostname matches a domain name in the
+ subject's Common Name (CN) or subjectAltName field of the X.509
+ certificate, which allows MITM attackers to spoof SSL servers
+ via a "CN=" string in a field in the distinguished name (DN)
+ of a certificate.
+- Add apache-commons-httpclient-CVE-2014-3577.patch
+
 -------------------------------------------------------------------
 Mon Apr 1 23:15:55 UTC 2019 - Jan Engelhardt
 
diff --git a/apache-commons-httpclient.spec b/apache-commons-httpclient.spec
index f2b0b90..ae174ff 100644
--- a/apache-commons-httpclient.spec
+++ b/apache-commons-httpclient.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apache-commons-httpclient
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,6 +33,10 @@ Patch2: %{name}-encoding.patch #PATCH-FIX-UPSTREAM: bnc#803332 #https://issues.apache.org/jira/secure/attachment/12560251/CVE-2012-5783-2.patch Patch3: %{short_name}-CVE-2012-5783-2.patch +#PATCH-FIX-UPSTREAM bsc#1178171 CVE-2014-3577 MITM security vulnerability +Patch4: apache-commons-httpclient-CVE-2014-3577.patch +#PATCH-FIX-UPSTREAM bsc#945190 CVE-2015-5262 Missing HTTPS connection timeout +Patch5: apache-commons-httpclient-CVE-2015-5262.patch BuildRequires: ant BuildRequires: ant-junit BuildRequires: commons-codec @@ -108,6 +112,8 @@ popd %patch2 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 # Use javax classes, not com.sun ones # assume no filename contains spaces