debian/0000775000000000000000000000000013333370527007176 5ustar debian/libhttpclient-java.poms0000664000000000000000000000007112272230466013656 0ustar pom.xml --no-parent httpclient/pom.xml fluent-hc/pom.xml debian/maven.ignoreRules0000664000000000000000000000171512272231511012516 0ustar # Maven ignore rules - ignore some Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., this dependency is then removed # from the POM # junit junit jar s/3\..*/3.x/ org.apache.httpcomponents httpclient jar * tests * * maven-checkstyle-plugin * maven-clover2-plugin * maven-source-plugin * maven-release-plugin * docbkx-maven-plugin * maven-notice-plugin * clirr-maven-plugin debian/patches/0000775000000000000000000000000013333374120010616 5ustar debian/patches/01-generate_osgi_metadata.patch0000664000000000000000000000350412306610342016530 0ustar From: Jakub Adam Date: Wed, 28 Mar 2012 22:20:33 +0200 Subject: generate-osgi-metadata --- httpclient/pom.xml | 39 ++++++++++++++++++++++++++++++++------- 1 file changed, 32 insertions(+), 7 deletions(-) --- a/httpclient/pom.xml +++ b/httpclient/pom.xml 
@@ -98,13 +98,38 @@ maven-jar-plugin + + + ${project.build.outputDirectory}/META-INF/MANIFEST.MF + + + + + org.apache.felix + maven-bundle-plugin + 2.3.5 + true + bundle-manifest + process-classes - test-jar + manifest + + + Apache ${project.name} + ${project.groupId}.httpclient + ${debian.originalVersion} + org.apache.http.auth.*,org.apache.http.client.*,org.apache.http.conn.*,org.apache.http.cookie.*,org.apache.http.impl.* + + <_nouses>true + + <_removeheaders>JAVA_1_3_HOME,JAVA_1_4_HOME + + debian/patches/00-fix_build.patch0000664000000000000000000000053512306611104014017 0ustar Description: Disable build of httpclient-osgi Author: David Paleino Forwarded: no --- a/pom.xml +++ b/pom.xml @@ -163,8 +163,6 @@ httpclient httpmime fluent-hc - httpclient-cache - httpclient-osgi debian/patches/CVE-2014-3577.patch0000664000000000000000000002040713333374365013261 0ustar From: Markus Koschany Date: Sat, 18 Apr 2015 00:42:07 +0200 Subject: CVE-2014-3577 It was found that the fix for CVE-2012-6153 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject. This patch was taken from http://pkgs.fedoraproject.org/cgit/httpcomponents-client.git/diff/0001-Fix-CVE-2014-3577.patch?h=f20 More information: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3577 Links to upstream commits: https://bugzilla.redhat.com/show_bug.cgi?id=1129074#c4 --- .../http/conn/ssl/AbstractVerifier.java | 75 +++++++++---------- .../http/conn/ssl/TestHostnameVerifier.java | 32 +++++--- 2 files changed, 57 insertions(+), 50 deletions(-) diff --git a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java index e717ebb..589308a 100644 
--- a/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java +++ b/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java @@ -34,14 +34,20 @@ import java.net.UnknownHostException; import java.security.cert.Certificate; import java.security.cert.CertificateParsingException; import java.security.cert.X509Certificate; +import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Locale; -import java.util.StringTokenizer; +import javax.naming.InvalidNameException; +import javax.naming.NamingException; +import javax.naming.directory.Attribute; +import javax.naming.directory.Attributes; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; import javax.net.ssl.SSLException; import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; 
@@ -253,47 +259,40 @@ public abstract class AbstractVerifier implements X509HostnameVerifier { } public static String[] getCNs(final X509Certificate cert) { - final LinkedList cnList = new LinkedList(); - /* - Sebastian Hauer's original StrictSSLProtocolSocketFactory used - getName() and had the following comment: - - Parses a X.500 distinguished name for the value of the - "Common Name" field. This is done a bit sloppy right - now and should probably be done a bit more according to - RFC 2253. - - I've noticed that toString() seems to do a better job than - getName() on these X500Principal objects, so I'm hoping that - addresses Sebastian's concern. - - For example, getName() gives me this: - 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d - - whereas toString() gives me this: - EMAILADDRESS=juliusdavies@cucbc.com - - Looks like toString() even works with non-ascii domain names! - I tested it with "花子.co.jp" and it worked fine. - */ - final String subjectPrincipal = cert.getSubjectX500Principal().toString(); - final StringTokenizer st = new StringTokenizer(subjectPrincipal, ",+"); - while(st.hasMoreTokens()) { - final String tok = st.nextToken().trim(); - if (tok.length() > 3) { - if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { - cnList.add(tok.substring(3)); - } - } + try { + return extractCNs(subjectPrincipal); + } catch (SSLException ex) { + return null; } - if(!cnList.isEmpty()) { - final String[] cns = new String[cnList.size()]; - cnList.toArray(cns); - return cns; - } else { + } + + static String[] extractCNs(final String subjectPrincipal) throws SSLException { + if (subjectPrincipal == null) { return null; } + final List cns = new ArrayList(); + try { + final LdapName subjectDN = new LdapName(subjectPrincipal); + final List rdns = subjectDN.getRdns(); + for (int i = rdns.size() - 1; i >= 0; i--) { + final Rdn rds = rdns.get(i); + final Attributes attributes = rds.toAttributes(); + final Attribute cn = attributes.get("cn"); + if (cn 
!= null) { + try { + final Object value = cn.get(); + if (value != null) { + cns.add(value.toString()); + } + } catch (NamingException ignore) { + } + } + } + } catch (InvalidNameException e) { + throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name"); + } + return cns.isEmpty() ? null : cns.toArray(new String[ cns.size() ]); } /** diff --git a/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java b/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java index d3c37aa..0c0ccb6 100644 --- a/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java +++ b/httpclient/src/test/java/org/apache/http/conn/ssl/TestHostnameVerifier.java @@ -29,7 +29,6 @@ package org.apache.http.conn.ssl; import java.io.ByteArrayInputStream; import java.io.InputStream; -import java.security.Principal; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Arrays; @@ -38,7 +37,6 @@ import javax.net.ssl.SSLException; import org.junit.Assert; import org.junit.Test; -import org.mockito.Mockito; /** * Unit tests for {@link X509HostnameVerifier}. 
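Review bot: The `catch (InvalidNameException e)` branch at the end of `extractCNs` rethrows as `new SSLException(subjectPrincipal + " is not a valid X500 distinguished name")` and drops `e`, so the parser's reason for rejecting the DN is lost to anyone diagnosing a failed verification; use the two-argument form, `throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name", e);`. The empty `catch (NamingException ignore) {}` under `cn.get()` needs a one-line why-comment, e.g. `// CN whose value cannot be read is skipped; fewer CNs can only make matching stricter`. Because the message embeds the subject DN verbatim, it is worth remembering that this string comes from the peer certificate when it is later logged. `Attribute.get()` retrieves only one value, so a multi-valued RDN such as `cn=a+cn=b` appears to contribute a single CN here — fail-closed rather than fail-open, but if that is intended a short comment on the `cn.get()` line would document it.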
@@ -349,16 +347,26 @@ public class TestHostnameVerifier { checkMatching(shv, "mail.a.b.c.com", cns, alt, false); // OK } - public void testGetCNs() { - final Principal principal = Mockito.mock(Principal.class); - final X509Certificate cert = Mockito.mock(X509Certificate.class); - Mockito.when(cert.getSubjectDN()).thenReturn(principal); - Mockito.when(principal.toString()).thenReturn("bla, bla, blah"); - Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert)); - Mockito.when(principal.toString()).thenReturn("Cn=, Cn= , CN, OU=CN="); - Assert.assertArrayEquals(new String[] {}, AbstractVerifier.getCNs(cert)); - Mockito.when(principal.toString()).thenReturn(" Cn=blah, CN= blah , OU=CN=yada"); - Assert.assertArrayEquals(new String[] {"blah", " blah"}, AbstractVerifier.getCNs(cert)); + @Test + public void testExtractCN() throws Exception { + Assert.assertArrayEquals(new String[] {"blah"}, AbstractVerifier.extractCNs("cn=blah, ou=blah, o=blah")); + Assert.assertArrayEquals(new String[] {"blah", "yada", "booh"}, AbstractVerifier.extractCNs("cn=blah, cn=yada, cn=booh")); + Assert.assertArrayEquals(new String[] {"blah"}, AbstractVerifier.extractCNs("c = pampa , cn = blah , ou = blah , o = blah")); + Assert.assertArrayEquals(new String[] {"blah"}, AbstractVerifier.extractCNs("cn=\"blah\", ou=blah, o=blah")); + Assert.assertArrayEquals(new String[] {"blah blah"}, AbstractVerifier.extractCNs("cn=\"blah blah\", ou=blah, o=blah")); + Assert.assertArrayEquals(new String[] {"blah, blah"}, AbstractVerifier.extractCNs("cn=\"blah, blah\", ou=blah, o=blah")); + Assert.assertArrayEquals(new String[] {"blah, blah"}, AbstractVerifier.extractCNs("cn=blah\\, blah, ou=blah, o=blah")); + Assert.assertArrayEquals(new String[] {"blah"}, AbstractVerifier.extractCNs("c = cn=uuh, cn=blah, ou=blah, o=blah")); + Assert.assertArrayEquals(new String[] {""}, AbstractVerifier.extractCNs("cn= , ou=blah, o=blah")); + } + + @Test(expected = SSLException.class) + public void 
testExtractCNInvalid1() throws Exception { + AbstractVerifier.extractCNs("blah,blah"); } + @Test(expected = SSLException.class) + public void testExtractCNInvalid2() throws Exception { + AbstractVerifier.extractCNs("cn,o=blah"); + } } -- 2.17.1 debian/patches/series0000664000000000000000000000010713333374365012044 0ustar 00-fix_build.patch 01-generate_osgi_metadata.patch CVE-2014-3577.patch debian/copyright0000664000000000000000000000202012272230466011121 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: HttpComponents Client Files: * Copyright: © 1999-2011, The Apache Software Foundation License: Apache-2.0 Files: debian/* Copyright: © 2010, David Paleino © 2011, Miguel Landaeta License: Apache-2.0 License: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. X-Comment: on Debian systems, the complete text of the Apache version 2.0 license can be found in "/usr/share/common-licenses/Apache-2.0". 
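Review bot: `testExtractCN` pins escaping and quoting but not a multi-valued RDN such as `cn=blah+cn=yada`, where `Rdn.toAttributes()` appears to fold both values into one `cn` attribute and `extractCNs` reads only `cn.get()`; one assertion, `Assert.assertArrayEquals(new String[] {"blah"}, AbstractVerifier.extractCNs("cn=blah+cn=yada, o=blah"));` (with whichever result is intended), would make that choice explicit. The null guard at the top of `extractCNs` is also uncovered; `Assert.assertNull(AbstractVerifier.extractCNs(null));` closes that gap. The enclosing class `TestHostnameVerifier` begins before this hunk.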
debian/maven.rules0000664000000000000000000000007712272230466011362 0ustar * junit * s/.*/3.x/ * maven-assembly-plugin * s/.*/2.2-beta-5/ debian/libhttpmime-java.classpath0000664000000000000000000000013012272230466014327 0ustar usr/share/java/httpmime.jar /usr/share/java/httpcore.jar /usr/share/java/httpclient.jar debian/source/0000775000000000000000000000000012272230466010474 5ustar debian/source/format0000664000000000000000000000001412272230466011702 0ustar 3.0 (quilt) debian/changelog0000664000000000000000000001067213333370527011056 0ustar httpcomponents-client (4.3.3-1ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: It was found that the fix for CVE-2012-5783 and CVE-2012-6153 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject. - debian/patches/CVE-2014-3577.patch: fix in AbstractVerifier.java - CVE-2014-3577 -- Eduardo Barretto Fri, 10 Aug 2018 17:06:26 -0300 httpcomponents-client (4.3.3-1) unstable; urgency=medium * New upstream release - Refreshed the patches * Removed the unused build dependency on libmaven-assembly-plugin-java [ Jakub Adam ] * Fix OSGi metadata - prevent org.apache.http.impl.execchain to appear in package imports. -- Emmanuel Bourg Sat, 08 Mar 2014 11:38:26 +0100 httpcomponents-client (4.3.2-1) unstable; urgency=low * New upstream release - Refreshed the patches - New build dependency on libbuild-helper-maven-plugin-java * Removed the unused dependency on libapache-mime4j-java * Switch to debhelper level 9 * Standards-Version updated to 3.9.5 (no changes) -- Emmanuel Bourg Wed, 29 Jan 2014 18:47:37 +0100 httpcomponents-client (4.2.5-2) unstable; urgency=low [ Jakub Adam ] * Fix OSGi metadata generation. [ Niels Thykier ] * Fix problem with the clean target. 
-- Jakub Adam Mon, 08 Jul 2013 21:48:32 +0200 httpcomponents-client (4.2.5-1) unstable; urgency=low * New upstream release. * d/rules: Add get-orig-source target. * d/patches/02-700268.patch: Drop, included in upstream release. * d/control: Update Homepage field. * d/control: Use canonical URL for Vcs-* fields. -- Damien Raude-Morvan Tue, 07 May 2013 23:58:33 +0200 httpcomponents-client (4.2.1-2) experimental; urgency=low * Team upload. * Apply upstream patch for wildcard certificate match security bug. (Closes: #700268) * Remove duplicate Copyright: in d/copyright (lintian warning). * Bump Standards-Version to 3.9.4 (no changes). * Update Vcs-Git field to be "/git/pkg-java" -- tony mancill Sun, 10 Feb 2013 16:28:27 -0800 httpcomponents-client (4.2.1-1) experimental; urgency=low [ James Page ] * Transition package to default java implementation: - d/control: Drop preferred BD on openjdk-6-jdk. (Closes: #683534) [ Damien Raude-Morvan ] * New upstream release. * Add myself as Uploaders. * Refresh all patches. * Depends and B-D on libhttpcore-java (>= 4.2.1). * Also install fluent-hc API. -- Damien Raude-Morvan Sun, 19 Aug 2012 15:39:42 +0200 httpcomponents-client (4.1.1-2) unstable; urgency=low * Add OSGi metadata to JAR manifest. * Add Jakub Adam to Uploaders. * Bump Standards-Version to 3.9.3. No changes were required. * Updated copyright file format. * Add httpcore.jar and httpclient.jar to httpmime.jar Class-Path. -- Jakub Adam Tue, 27 Mar 2012 21:33:50 +0200 httpcomponents-client (4.1.1-1) unstable; urgency=high * New upstream release: Fixed critical bug causing Proxy-Authorization header to be sent to the target host when tunneling requests through a proxy server that requires authentication: CVE-2011-1498. (Closes: #628727). * New maintainer. (Closes: #628731). * Bump Standards-Version to 3.9.2. No changes were required. * Add Build-Depends on libmockito-java. * Update Vcs-* fields. 
-- Miguel Landaeta Wed, 29 Jun 2011 00:13:18 -0430 httpcomponents-client (4.0.3-2) unstable; urgency=low * Upload to unstable * Package orphaned * Tests disabled, they make the package FTBFS -- David Paleino Tue, 31 May 2011 21:56:38 +0200 httpcomponents-client (4.0.3-1) experimental; urgency=low * New upstream version -- David Paleino Wed, 22 Sep 2010 08:50:04 +0200 httpcomponents-client (4.0.2-1) experimental; urgency=low * New upstream version * debian/control: - Standards-Version bumped to 3.9.1, no changes needed -- David Paleino Thu, 16 Sep 2010 11:52:49 +0200 httpcomponents-client (4.0.1-1) unstable; urgency=low * Initial release (Closes: #575327) -- David Paleino Wed, 14 Jul 2010 17:57:40 +0200 debian/control0000664000000000000000000000457313333370533010607 0ustar Source: httpcomponents-client Section: java Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: Miguel Landaeta , Jakub Adam , Damien Raude-Morvan , Emmanuel Bourg Build-Depends: debhelper (>= 9), default-jdk, javahelper, maven-debian-helper Build-Depends-Indep: junit, libbuild-helper-maven-plugin-java (>= 1.8), libcommons-codec-java, libhttpcore-java (>= 4.3.1), libmaven-antrun-plugin-java, libmaven-bundle-plugin-java, libmaven-javadoc-plugin-java, libmockito-java Standards-Version: 3.9.5 Vcs-Git: git://anonscm.debian.org/pkg-java/httpcomponents-client.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/httpcomponents-client.git Homepage: http://hc.apache.org/httpcomponents-client-ga/index.html Package: libhttpclient-java Architecture: all Depends: libcommons-codec-java, libcommons-logging-java, libhttpcore-java (>= 4.3.1), ${misc:Depends} Description: HTTP/1.1 compliant HTTP agent implementation HttpClient is a HTTP/1.1 compliant HTTP agent implementation based on HttpCore. It also provides reusable components for client-side authentication, HTTP state management, and HTTP connection management. . 
HttpComponents Client is a successor of and replacement for Commons HttpClient 3.x. Users of Commons HttpClient are strongly encouraged to upgrade. Package: libhttpmime-java Architecture: all Depends: libhttpclient-java (= ${source:Version}), ${misc:Depends} Description: HTTP/1.1 compliant HTTP agent implementation - MIME extension HttpClient is a HTTP/1.1 compliant HTTP agent implementation based on HttpCore. It also provides reusable components for client-side authentication, HTTP state management, and HTTP connection management. . HttpComponents Client is a successor of and replacement for Commons HttpClient 3.x. Users of Commons HttpClient are strongly encouraged to upgrade. . This package provides support for MIME multipart encoded entities to be used with HttpComponents Client. debian/rules0000775000000000000000000000270012306571426010255 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 M2_HOME=/usr/share/maven2 UPVER=$(shell dpkg-parsechangelog | grep ^Version | cut -d' ' -f2 | cut -d- -f1) # let's skip tests, they FTBFS. 
#SKIPTEST=false SKIPTEST=true ifneq ($(filter nocheck,$(DEB_BUILD_OPTIONS)),) SKIPTEST=true endif %: dh $@ override_dh_installchangelogs: dh_installchangelogs RELEASE_NOTES.txt override_dh_auto_build: for pkg in libhttpclient-java libhttpmime-java; do \ mh_patchpoms -p$$pkg --debian-build --keep-pom-version ; \ done $(M2_HOME)/bin/mvn -o -s /etc/maven2/settings-debian.xml \ -Dmaven.test.skip=$(SKIPTEST) -Dmaven.javadoc.skip=true package override_dh_auto_install: dh_auto_install for pkg in libhttpclient-java libhttpmime-java; do \ mh_installpoms -p$$pkg -e$(UPVER); \ done mh_installjar -plibhttpclient-java -l httpclient/pom.xml -j$(UPVER) -e$(UPVER) \ httpclient/target/httpclient-*.jar mh_installjar -plibhttpmime-java -l httpmime/pom.xml -j$(UPVER) -e$(UPVER)\ httpmime/target/httpmime-*.jar mh_installjar -plibhttpmime-java -l fluent-hc/pom.xml -j$(UPVER) -e$(UPVER)\ fluent-hc/target/fluent-hc-*.jar jh_classpath -plibhttpmime-java override_dh_clean: dh_clean for pkg in libhttpclient-java libhttpmime-java; do \ mh_unpatchpoms -p$$pkg ; \ done mh_clean rm -rf http*/target/ fluent-hc/target/ get-orig-source: uscan --download-version $(UPVER) --force-download --rename debian/libhttpmime-java.poms0000664000000000000000000000002112272230466013322 0ustar httpmime/pom.xml debian/watch0000664000000000000000000000017112272230466010224 0ustar version=3 http://www.apache.org/dist/httpcomponents/httpclient/source/httpcomponents-client-(\d+[^a-zA-Z]*)-src\.tar\.gz debian/compat0000664000000000000000000000000212272230466010372 0ustar 9