Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

Alberto Fernández infjaf at gmail.com
Thu Dec 6 18:02:54 UTC 2012


Hi

I've uploaded new packages to mentors. I'll be out until Monday, so feel
free to review the patches and sponsor the new version if you are
confident it's all OK.

I think it's fine now, but if you find some other bug or improvement,
I'll be happy to correct it.

I'll press upstream next week to include the last fix.

On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
> Hi Alberto,
> 
> thanks for your continuous work on this.  As I said in my previous mail
> please remember to reopen the according bugs to make sure the previous
> solution will not migrate to testing.  I'll volunteer to sponsor your
> new version if you confirm that this is needed to finally fix the issue.
> 
> Kind regards
> 
>        Andreas.
> 
> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> > Hi All,
> > 
> > I've prepared the patch with the problem pointed by David fixed (thanks
> > David). It also fixes a bug related to wildcard certificates.
> > 
> > The first patch is backported from httpclient 4.0 and apache synapse. 
> > 
> > This second patch backports some fixes from httpclient 4.2
> > 
> > The patch differs a lot from the 4.x line for two reasons: first, the code
> > architecture changed; second, I want to maintain the 3.1 API unchanged,
> > so all methods are private and only apply to one class.
> > 
> > The patch for axis and commons-httpclient is the same. In the function
> > where they create an SSLSocket, I've put the same routine to validate the
> > hostname against the certificate's valid names.
> > 
> > I'll upload the new patches in their place.
> > Please review them and when ready I can upload a new package to mentors.
> > 
> > Thanks
> > 
> 
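As an added illustration of the check the quoted message describes (validating the host name against the names a server certificate carries, wildcard names included), here is a stand-alone Java routine. It is example code written for this page, not the patch from the Debian package or httpclient's own code; the class and method names are assumptions, and the sample names in main() are constructed.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example, not the Debian patch: check a host name against the names in a server certificate. */
public final class HostnameMatcher {
    /** dNSName subjectAltName entries (GeneralName type 2); the subject CN is used only when there are none. */
    static List<String> certificateNames(X509Certificate cert) throws CertificateParsingException, InvalidNameException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1));
            }
        }
        if (names.isEmpty()) {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) names.add(rdn.getValue().toString());
            }
        }
        return names;
    }
    /** True if host equals one of the certificate names or matches a "*." wildcard name; case-insensitive. */
    static boolean matches(String host, List<String> certNames) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String name : certNames) {
            String n = name.toLowerCase(Locale.ROOT);
            if (n.startsWith("*.") ? matchesWildcard(h, n) : h.equals(n)) return true;
        }
        return false;
    }
    // "*.example.com" matches "www.example.com" but not "example.com", "a.b.example.com" or anything under "*.com".
    private static boolean matchesWildcard(String host, String pattern) {
        String suffix = pattern.substring(1);                  // ".example.com"
        if (suffix.indexOf('.', 1) < 0 || !host.endsWith(suffix)) return false;
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;     // the wildcard replaces exactly one label
    }
    public static void main(String[] args) {
        List<String> names = java.util.Arrays.asList("*.example.com", "example.com"); // constructed sample names
        System.out.println(matches("www.example.com", names) + " " + matches("a.b.example.com", names));
    }
}
```

A verifier wired into the socket-creation path would obtain the peer certificate from the SSLSession, call certificateNames() on it, and reject the connection when matches() returns false.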