diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2dca575
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/httpcomponents-client-4.2.5-src.tar.gz
diff --git a/.httpcomponents-client.metadata b/.httpcomponents-client.metadata
new file mode 100644
index 0000000..13f6dc5
--- /dev/null
+++ b/.httpcomponents-client.metadata
@@ -0,0 +1 @@
+038fdb0619a1f28a0ce504b9339c0f4e5e720934 SOURCES/httpcomponents-client-4.2.5-src.tar.gz
diff --git a/SOURCES/0001-Fix-CVE-2014-3577.patch b/SOURCES/0001-Fix-CVE-2014-3577.patch
new file mode 100644
index 0000000..6ed428a
--- /dev/null
+++ b/SOURCES/0001-Fix-CVE-2014-3577.patch
@@ -0,0 +1,140 @@
+From 3e3515b42a5c782219ba898f9cb79812c8895349 Mon Sep 17 00:00:00 2001
+From: Michal Srb
+Date: Tue, 12 Aug 2014 14:07:29 +0200
+Subject: [PATCH] Fix CVE-2014-3577
+
+---
+ .../org/apache/http/conn/ssl/AbstractVerifier.java | 87 +++++++++++-----------
+ 1 file changed, 44 insertions(+), 43 deletions(-)
+
+diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+index a7cad68..7245781 100644
+--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
++++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
+@@ -28,7 +28,6 @@
+ package org.apache.http.conn.ssl;
+ 
+ import org.apache.http.annotation.Immutable;
+-
+ import org.apache.http.conn.util.InetAddressUtils;
+ 
+ import java.io.IOException;
+@@ -36,14 +35,21 @@ import java.io.InputStream;
+ import java.security.cert.Certificate;
+ import java.security.cert.CertificateParsingException;
+ import java.security.cert.X509Certificate;
++import java.util.ArrayList;
+ import java.util.Arrays;
+ import java.util.Collection;
+ import java.util.Iterator;
+ import java.util.LinkedList;
+ import java.util.List;
+ import java.util.Locale;
+-import java.util.StringTokenizer;
+-
++import java.util.NoSuchElementException;
++
++import javax.naming.InvalidNameException;
++import javax.naming.NamingException;
++import javax.naming.directory.Attribute;
++import javax.naming.directory.Attributes;
++import javax.naming.ldap.LdapName;
++import javax.naming.ldap.Rdn;
+ import javax.net.ssl.SSLException;
+ import javax.net.ssl.SSLSession;
+ import javax.net.ssl.SSLSocket;
+@@ -142,7 +148,8 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ 
+ public final void verify(String host, X509Certificate cert)
+ throws SSLException {
+- String[] cns = getCNs(cert);
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ final String[] 
cns = extractCNs(subjectPrincipal);
+ String[] subjectAlts = getSubjectAlts(cert, host);
+ verify(host, cns, subjectAlts);
+ }
+@@ -236,48 +243,42 @@ public abstract class AbstractVerifier implements X509HostnameVerifier {
+ return Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) < 0;
+ }
+ 
+- public static String[] getCNs(X509Certificate cert) {
+- LinkedList cnList = new LinkedList();
+- /*
+- Sebastian Hauer's original StrictSSLProtocolSocketFactory used
+- getName() and had the following comment:
+-
+- Parses a X.500 distinguished name for the value of the
+- "Common Name" field. This is done a bit sloppy right
+- now and should probably be done a bit more according to
+- RFC 2253.
+-
+- I've noticed that toString() seems to do a better job than
+- getName() on these X500Principal objects, so I'm hoping that
+- addresses Sebastian's concern.
+-
+- For example, getName() gives me this:
+- 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d
+-
+- whereas toString() gives me this:
+- EMAILADDRESS=juliusdavies@cucbc.com
+-
+- Looks like toString() even works with non-ascii domain names!
+- I tested it with "花子.co.jp" and it worked fine. 
+- */
+-
+- String subjectPrincipal = cert.getSubjectX500Principal().toString();
+- StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
+- while(st.hasMoreTokens()) {
+- String tok = st.nextToken().trim();
+- if (tok.length() > 3) {
+- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
+- cnList.add(tok.substring(3));
+- }
+- }
++ public static String[] getCNs(final X509Certificate cert) {
++ final String subjectPrincipal = cert.getSubjectX500Principal().toString();
++ try {
++ return extractCNs(subjectPrincipal);
++ } catch (SSLException ex) {
++ return null;
+ }
+- if(!cnList.isEmpty()) {
+- String[] cns = new String[cnList.size()];
+- cnList.toArray(cns);
+- return cns;
+- } else {
++ }
++
++ static String[] extractCNs(final String subjectPrincipal) throws SSLException {
++ if (subjectPrincipal == null) {
+ return null;
+ }
++ final List cns = new ArrayList();
++ try {
++ final LdapName subjectDN = new LdapName(subjectPrincipal);
++ final List rdns = subjectDN.getRdns();
++ for (int i = rdns.size() - 1; i >= 0; i--) {
++ final Rdn rds = rdns.get(i);
++ final Attributes attributes = rds.toAttributes();
++ final Attribute cn = attributes.get("cn");
++ if (cn != null) {
++ try {
++ final Object value = cn.get();
++ if (value != null) {
++ cns.add(value.toString());
++ }
++ } catch (NoSuchElementException ignore) {
++ } catch (NamingException ignore) {
++ }
++ }
++ }
++ } catch (InvalidNameException e) {
++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name");
++ }
++ return cns.isEmpty() ? null : cns.toArray(new String[cns.size()]);
+ }
+ 
+ /**
+-- 
+1.9.3
+
diff --git a/SPECS/httpcomponents-client.spec b/SPECS/httpcomponents-client.spec
new file mode 100644
index 0000000..13d73cd
--- /dev/null
+++ b/SPECS/httpcomponents-client.spec
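Review bot: The `catch (InvalidNameException e)` at the end of `extractCNs` rethrows as `SSLException` without chaining `e`, so the reason `LdapName` rejected the subject DN is lost from the handshake failure; `throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name", e);` keeps it. A comment is worth adding in `verify(String, X509Certificate)`, whose new code calls `extractCNs` directly while `getCNs` still maps that same exception to `null`: an unparsable subject DN now fails the connection rather than being treated as a certificate with no CN, e.g. `// fail closed: an unparsable subject DN aborts verification instead of matching as "no CN"`. The two empty `catch (NoSuchElementException ignore)` / `catch (NamingException ignore)` blocks should state why skipping is safe (a CN value that cannot be read is simply never offered for matching). The DN text comes from `X500Principal.toString()`, whose format is documented only as user-friendly rather than RFC 2253, so how reliably `LdapName` parses it depends on the JDK; presumably this mirrors the upstream fix, but a comment recording that choice would help the next backport. The enclosing `AbstractVerifier` class begins before this hunk.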
@@ -0,0 +1,235 @@
+%global base_name httpcomponents
+
+Name: httpcomponents-client
+Summary: HTTP agent implementation based on httpcomponents HttpCore
+Version: 4.2.5
+Release: 5%{?dist}
+Group: Development/Libraries
+License: ASL 2.0
+URL: http://hc.apache.org/
+Source0: http://archive.apache.org/dist/httpcomponents/httpclient/source/%{name}-%{version}-src.tar.gz
+Patch0: 0001-Fix-CVE-2014-3577.patch
+
+BuildArch: noarch
+
+BuildRequires: maven-local
+BuildRequires: mvn(commons-codec:commons-codec)
+BuildRequires: mvn(commons-logging:commons-logging)
+BuildRequires: mvn(org.apache.httpcomponents:httpcore)
+BuildRequires: mvn(org.apache.httpcomponents:project)
+%if 0%{?fedora}
+# Test dependencies
+BuildRequires: mvn(org.mockito:mockito-core)
+BuildRequires: mvn(junit:junit)
+%endif
+
+%description
+HttpClient is a HTTP/1.1 compliant HTTP agent implementation based on
+httpcomponents HttpCore. It also provides reusable components for
+client-side authentication, HTTP state management, and HTTP connection
+management. HttpComponents Client is a successor of and replacement
+for Commons HttpClient 3.x. Users of Commons HttpClient are strongly
+encouraged to upgrade.
+
+%package javadoc
+Summary: API documentation for %{name}
+Group: Documentation
+
+%description javadoc
+%{summary}.
+
+
+%prep
+%setup -q
+
+%patch0 -p1
+
+# Remove optional build deps not available in Fedora
+%pom_disable_module httpclient-cache
+%pom_disable_module httpclient-osgi
+%pom_disable_module fluent-hc
+%pom_remove_plugin :maven-notice-plugin
+%pom_remove_plugin :docbkx-maven-plugin
+%pom_remove_plugin :clirr-maven-plugin
+%pom_remove_plugin :maven-clover2-plugin httpclient
+%if !0%{?fedora}
+%pom_remove_dep :mockito-core httpclient
+%endif
+
+# Add proper Apache felix bundle plugin instructions
+# so that we get a reasonable OSGi manifest. 
+for module in httpclient httpmime; do
+ %pom_xpath_remove "pom:project/pom:packaging" $module
+ %pom_xpath_inject "pom:project" "bundle" $module
+done
+
+# Make httpmime into bundle
+%pom_xpath_inject pom:build/pom:plugins "
+
+ org.apache.felix
+ maven-bundle-plugin
+ true
+ " httpmime
+
+# Make httpclient into bundle
+%pom_xpath_inject pom:reporting/pom:plugins "
+
+ org.apache.felix
+ maven-bundle-plugin
+
+
+ *
+
+ !org.apache.avalon.framework.logger,!org.apache.log,!org.apache.log4j,*
+
+
+ " httpclient
+%pom_xpath_inject pom:build/pom:plugins "
+
+ org.apache.felix
+ maven-bundle-plugin
+ true
+
+
+ org.apache.http.*,!org.apache.http.param
+
+ <_nouses>true
+ !org.apache.avalon.framework.logger,!org.apache.log,!org.apache.log4j,*
+
+ true
+
+ " httpclient
+
+
+
+%build
+%mvn_file ":{*}" httpcomponents/@1
+
+# Build with tests enabled on Fedora
+%if 0%{?fedora}
+%mvn_build
+%else
+%mvn_build -f
+%endif
+
+
+%install
+%mvn_install
+
+
+%files -f .mfiles
+%doc LICENSE.txt NOTICE.txt
+%doc README.txt RELEASE_NOTES.txt
+
+%files javadoc -f .mfiles-javadoc
+%doc LICENSE.txt NOTICE.txt
+
+%changelog
+* Tue Aug 12 2014 Michal Srb - 4.2.5-5
+- Fix MITM security vulnerability
+- Resolves: CVE-2014-3577
+
+* Fri Dec 27 2013 Daniel Mach - 4.2.5-4
+- Mass rebuild 2013-12-27
+
+* Fri Jun 28 2013 Mikolaj Izdebski - 4.2.5-3
+- Rebuild to regenerate API documentation
+- Resolves: CVE-2013-1571
+
+* Mon Jun 10 2013 Michal Srb - 4.2.5-2
+- Enable tests on Fedora
+
+* Thu Apr 25 2013 Michal Srb - 4.2.5-1
+- Update to upstream version 4.2.5
+
+* Thu Apr 11 2013 Michal Srb - 4.2.4-1
+- Update to upstream version 4.2.4
+
+* Wed Feb 06 2013 Java SIG - 4.2.3-3
+- Update for https://fedoraproject.org/wiki/Fedora_19_Maven_Rebuild
+- Replace maven BuildRequires with maven-local
+
+* Fri Jan 25 2013 Michal Srb - 4.2.3-2
+- Build with xmvn
+- Disable fluent-hc module
+
+* Thu Jan 24 2013 Mikolaj Izdebski - 4.2.3-1
+- Update to upstream version 4.2.3
+
+* Thu Oct 25 2012 Mikolaj Izdebski 
- 4.2.2-1
+- Update to upstream version 4.2.2
+
+* Wed Aug 1 2012 Mikolaj Izdebski - 4.2.1-3
+- Fix OSGi manifest in httpmime
+
+* Fri Jul 27 2012 Mikolaj Izdebski - 4.2.1-2
+- Install NOTICE.txt file
+- Fix javadir directory ownership
+- Fix directory permissions
+- Preserve timestamps
+- Replace add_to_maven_depmap with add_maven_depmap
+
+* Fri Jul 27 2012 Mikolaj Izdebski - 4.2.1-1
+- Update to upstream version 4.2.1
+- Convert patches to POM macros
+
+* Thu Jul 19 2012 Fedora Release Engineering - 4.1.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed May 2 2012 Alexander Kurtakov 4.1.3-3
+- Do not export org.apache.http.param in osgi.
+
+* Mon Mar 26 2012 Alexander Kurtakov 4.1.3-2
+- Do not export * but only org.apache.http.* .
+- Do not generate uses clauses in the manifest.
+
+* Thu Mar 1 2012 Stanislav Ochotnicky 4.1.3-1
+- Update to latest upstream bugfix
+
+* Fri Jan 13 2012 Fedora Release Engineering - 4.1.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Aug 16 2011 Stanislav Ochotnicky - 4.1.2-1
+- Update to latest upstream (4.1.2)
+- Minor tweaks according to guidelines
+
+* Fri Jul 15 2011 Severin Gehwolf 4.1.1-3
+- Fix for RH Bz#718830. Add instructions so as to not
+ Import-Package optional dependencies.
+
+* Thu Apr 7 2011 Severin Gehwolf 4.1.1-2
+- Add BR/R apache-commons-codec, since httpcomponents-client's
+ MANIFEST.MF has an Import-Package: org.apache.commons.codec
+ header.
+
+* Tue Mar 29 2011 Stanislav Ochotnicky - 4.1.1-1
+- New upstream bugfix version (4.1.1)
+
+* Tue Mar 15 2011 Severin Gehwolf 4.1-6
+- Explicitly set PrivatePackage to the empty set, so as to
+ export all packages.
+
+* Thu Mar 10 2011 Alexander Kurtakov 4.1-5
+- OSGi export more packages.
+
+* Fri Feb 25 2011 Alexander Kurtakov 4.1-4
+- Build httpmime module.
+
+* Fri Feb 18 2011 Alexander Kurtakov 4.1-3
+- Don't use basename as an identifier. 
+
+* Fri Feb 18 2011 Alexander Kurtakov 4.1-2
+- OSGify properly.
+- Install into %{_javadir}/%{basename}.
+
+* Thu Feb 17 2011 Alexander Kurtakov 4.1-1
+- Update to latest upstream version.
+
+* Wed Feb 09 2011 Fedora Release Engineering - 4.0.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Wed Dec 22 2010 Stanislav Ochotnicky - 4.0.3-2
+- Added license to javadoc subpackage
+
+* Mon Dec 20 2010 Stanislav Ochotnicky - 4.0.3-1
+- Initial version
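Review bot: `Source0` fetches the release tarball over plain `http://` and nothing in the spec checks it against the `.asc` signature Apache publishes next to it, so the only integrity pin visible for the source is the SHA-1 recorded in `.httpcomponents-client.metadata`; `Source0: https://archive.apache.org/dist/httpcomponents/httpclient/source/%{name}-%{version}-src.tar.gz` at least removes the cleartext fetch, and a comment above it noting that the tarball was verified against the upstream KEYS file before upload would document the check the lookaside hash cannot. In `%build` the non-Fedora branch runs `%mvn_build -f`, which, going by the `# Build with tests enabled on Fedora` comment, appears to skip the test suite, so the CVE-2014-3577 backport applied by `%patch0 -p1` is not exercised by upstream's tests on those builds; a comment such as `# -f skips the test suite; the CVE-2014-3577 hostname-verifier change is not test-covered on this branch` would make that visible to whoever next rebases the patch.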