On Fri, Jul 01, 2011 at 06:47:18PM +0100, Adam D. Barratt wrote: > Please could you provide a debdiff between the current stable source > package and your proposed update? (i.e. debdiff $stable.dsc $new.dsc)
Yes, sure. Please see it attached. > Has the package been tested on stable to ensure that the changes do not > introduce any functionality regressions? I adopted this package recently because it is a dependency of another package that I'm interested in maintaining. That said, with this patch applied, the package continues to pass all its unit tests at build time (the patched method is well covered by unit tests). Its only reverse Build-Depends on stable (oauth-signpost) also builds without issues, passing all its tests. That's the level of testing that I have done and I didn't observe any regressions. Cheers, -- Miguel Landaeta, miguel at miguel.cc secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/ "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru httpcomponents-client-4.0.1/debian/changelog httpcomponents-client-4.0.1/debian/changelog --- httpcomponents-client-4.0.1/debian/changelog 2010-07-14 11:27:42.000000000 -0430 +++ httpcomponents-client-4.0.1/debian/changelog 2011-07-01 10:09:49.000000000 -0430 @@ -1,3 +1,12 @@ +httpcomponents-client (4.0.1-1squeeze1) stable-security; urgency=high + + * Fixed critical bug causing Proxy-Authorization header to be + sent to the target host when tunneling requests through a proxy + server that requires authentication: CVE-2011-1498. (Closes: #628727). + * Set Debian Java Team as Maintainer and add myself to Uploaders. + + -- Miguel Landaeta <mig...@miguel.cc> Wed, 29 Jun 2011 20:32:56 -0430 + httpcomponents-client (4.0.1-1) unstable; urgency=low * Initial release (Closes: #575327) diff -Nru httpcomponents-client-4.0.1/debian/control httpcomponents-client-4.0.1/debian/control --- httpcomponents-client-4.0.1/debian/control 2010-07-14 11:27:31.000000000 -0430 +++ httpcomponents-client-4.0.1/debian/control 2011-07-01 10:01:14.000000000 -0430 @@ -1,7 +1,8 @@ Source: httpcomponents-client Section: java Priority: optional -Maintainer: David Paleino <da...@debian.org> +Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org> +Uploaders: Miguel Landaeta <mig...@miguel.cc> Build-Depends: debhelper (>= 7.0.50~) , openjdk-6-jdk | default-jdk diff -Nru httpcomponents-client-4.0.1/debian/patches/01-CVE-2011-1498.patch httpcomponents-client-4.0.1/debian/patches/01-CVE-2011-1498.patch --- httpcomponents-client-4.0.1/debian/patches/01-CVE-2011-1498.patch 1969-12-31 20:00:00.000000000 -0400 +++ httpcomponents-client-4.0.1/debian/patches/01-CVE-2011-1498.patch 2011-07-01 10:01:14.000000000 -0430 
@@ -0,0 +1,130 @@ +From: Oleg Kalnichevski <ol...@apache.org> +Subject: CVE-2011-1498 +Forwarded: not-needed + +--- httpcomponents-client-4.0.1.orig/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java ++++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/client/protocol/RequestProxyAuthentication.java +@@ -41,6 +41,9 @@ import org.apache.http.auth.AuthScheme; + import org.apache.http.auth.AuthState; + import org.apache.http.auth.AuthenticationException; + import org.apache.http.auth.Credentials; ++import org.apache.http.conn.HttpRoutedConnection; ++import org.apache.http.conn.routing.HttpRoute; ++import org.apache.http.protocol.ExecutionContext; + import org.apache.http.protocol.HttpContext; + + /** +@@ -71,6 +74,13 @@ public class RequestProxyAuthentication + return; + } + ++ HttpRoutedConnection conn = (HttpRoutedConnection) context.getAttribute( ++ ExecutionContext.HTTP_CONNECTION); ++ HttpRoute route = conn.getRoute(); ++ if (route.isTunnelled()) { ++ return; ++ } ++ + // Obtain authentication state + AuthState authState = (AuthState) context.getAttribute( + ClientContext.PROXY_AUTH_STATE); +--- /dev/null ++++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/conn/HttpRoutedConnection.java +@@ -0,0 +1,78 @@ ++/* ++ * ==================================================================== ++ * Licensed to the Apache Software Foundation (ASF) under one ++ * or more contributor license agreements. See the NOTICE file ++ * distributed with this work for additional information ++ * regarding copyright ownership. The ASF licenses this file ++ * to you under the Apache License, Version 2.0 (the ++ * "License"); you may not use this file except in compliance ++ * with the License. 
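Review bot: The new guard in RequestProxyAuthentication dereferences two values it never checks: the `HTTP_CONNECTION` context attribute is cast to `HttpRoutedConnection` unchecked, and `conn.getRoute()` is then called although the `HttpRoutedConnection.getRoute()` Javadoc introduced by this same patch states it returns null when the connection is not connected. If the attribute is absent or not a routed connection (e.g. the interceptor run under a custom HttpContext or in a test harness — inferred, not visible here), the result is a ClassCastException or NullPointerException instead of a decision about the header. Since the purpose of the fix is to never emit `Proxy-Authorization` towards the target, the safe default when the route cannot be determined is to skip adding the header rather than fall through to the credential path below. The enclosing `process()` method begins and ends outside this hunk.
```java
        // … unchanged: CONNECT short-circuit above …
        Object connAttr = context.getAttribute(ExecutionContext.HTTP_CONNECTION);
        if (!(connAttr instanceof HttpRoutedConnection)) {
            // Route unknown: fail closed rather than risk leaking proxy credentials.
            return;
        }
        HttpRoute route = ((HttpRoutedConnection) connAttr).getRoute();
        if (route == null || route.isTunnelled()) {
            return;
        }
        // … unchanged: obtain authentication state …
```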
You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, ++ * software distributed under the License is distributed on an ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ++ * KIND, either express or implied. See the License for the ++ * specific language governing permissions and limitations ++ * under the License. ++ * ==================================================================== ++ * ++ * This software consists of voluntary contributions made by many ++ * individuals on behalf of the Apache Software Foundation. For more ++ * information on the Apache Software Foundation, please see ++ * <http://www.apache.org/>. ++ * ++ */ ++ ++package org.apache.http.conn; ++ ++import javax.net.ssl.SSLSession; ++ ++import org.apache.http.HttpInetConnection; ++import org.apache.http.conn.routing.HttpRoute; ++ ++/** ++ * Interface to access routing information of a client side connection. ++ * ++ * @since 4.1 ++ */ ++public interface HttpRoutedConnection extends HttpInetConnection { ++ ++ /** ++ * Indicates whether this connection is secure. ++ * The return value is well-defined only while the connection is open. ++ * It may change even while the connection is open. ++ * ++ * @return <code>true</code> if this connection is secure, ++ * <code>false</code> otherwise ++ */ ++ boolean isSecure(); ++ ++ /** ++ * Obtains the current route of this connection. ++ * ++ * @return the route established so far, or ++ * <code>null</code> if not connected ++ */ ++ HttpRoute getRoute(); ++ ++ /** ++ * Obtains the SSL session of the underlying connection, if any. ++ * If this connection is open, and the underlying socket is an ++ * {@link javax.net.ssl.SSLSocket SSLSocket}, the SSL session of ++ * that socket is obtained. This is a potentially blocking operation. 
++ * <br/> ++ * <b>Note:</b> Whether the underlying socket is an SSL socket ++ * can not necessarily be determined via {@link #isSecure}. ++ * Plain sockets may be considered secure, for example if they are ++ * connected to a known host in the same network segment. ++ * On the other hand, SSL sockets may be considered insecure, ++ * for example depending on the chosen cipher suite. ++ * ++ * @return the underlying SSL session if available, ++ * <code>null</code> otherwise ++ */ ++ SSLSession getSSLSession(); ++ ++} +--- httpcomponents-client-4.0.1.orig/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java ++++ httpcomponents-client-4.0.1/httpclient/src/main/java/org/apache/http/conn/ManagedClientConnection.java +@@ -33,7 +33,6 @@ import java.util.concurrent.TimeUnit; + import javax.net.ssl.SSLSession; + + import org.apache.http.HttpClientConnection; +-import org.apache.http.HttpInetConnection; + import org.apache.http.HttpHost; + import org.apache.http.params.HttpParams; + import org.apache.http.protocol.HttpContext; +@@ -47,7 +46,7 @@ import org.apache.http.conn.routing.Http + * @since 4.0 + */ + public interface ManagedClientConnection extends +- HttpClientConnection, HttpInetConnection, ConnectionReleaseTrigger { ++ HttpClientConnection, HttpRoutedConnection, ConnectionReleaseTrigger { + + /** + * Indicates whether this connection is secure. diff -Nru httpcomponents-client-4.0.1/debian/patches/series httpcomponents-client-4.0.1/debian/patches/series --- httpcomponents-client-4.0.1/debian/patches/series 2010-07-12 18:38:16.000000000 -0430 +++ httpcomponents-client-4.0.1/debian/patches/series 2011-07-01 10:01:07.000000000 -0430 @@ -1 +1,2 @@ 00-fix_build.patch +01-CVE-2011-1498.patch