Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

Andreas Tille tille at debian.org
Thu Dec 6 19:40:12 UTC 2012


Hi,

On Thu, Dec 06, 2012 at 07:02:54PM +0100, Alberto Fernández wrote:
> Hi
> 
> I've uploaded new packages to mentors. I'll be out until Monday, so feel
> free to review the patches and sponsor the new version if you are
> confident it's all ok.

I admit I'm no Java programmer and I do not feel competent to serve as a
reviewer for security relevant problems.  So again:  If the recently
uploaded packages

    axis 1.4-16.1
    commons-httpclient 3.1-10.1

remain a security risk we *definitely* need to reopen the bugs that were
closed with the upload.  This is needed for two reasons:

  1. Keep a record in BTS about the remaining problem
  2. Make sure release managers will accept only those packages that
     are closing RC bugs.

Can you please confirm whether the security risk remains or whether
there is just a bug that is not nice but no real security risk.

> I think now it's fine, but if you find some other bug or improvement,
> I'll be happy to correct it.
> 
> I'll insist next week upstream to include the last fix.

It's a good thing to convince upstream, but for the moment, for the Debian
release, we need to decide what fix will make it into our release (the
one just uploaded or your newly prepared patch).

Thanks for your work on this

     Andreas.

> On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
> > Hi Alberto,
> > 
> > thanks for your continuous work on this.  As I said in my previous mail
> > please remember to reopen the according bugs to make sure the previous
> > solution will not migrate to testing.  I'll volunteer to sponsor your
> > new version if you confirm that this is needed to finally fix the issue.
> > 
> > Kind regards
> > 
> >        Andreas.
> > 
> > On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> > > Hi All,
> > > 
> > > I've prepared the patch with the problem pointed by David fixed (thanks
> > > David). It also fixes a bug related to wildcard certificates.
> > > 
> > > The first patch is backported from httpclient 4.0 and apache synapse. 
> > > 
> > > This second patch backports some fixes from httpclient 4.2
> > > 
> > > The patch differs a lot from the 4.x line for two reasons: first, the code
> > > architecture changed; second, I want to maintain the 3.1 API unchanged,
> > > so all methods are private and only apply to one class.
> > > 
> > > The patch for axis and commons-httpclient is the same. In the function
> > > where they create an SSLSocket, I've put the same routine to validate the
> > > hostname against the certificate's valid names.
> > > 
> > > I'll upload the new patches in their place.
> > > Please review them and when ready I can upload a new package to mentors.
> > > 
> > > Thanks

-- 
http://fam-tille.de
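The routine Alberto describes above, a hostname check run in the place where the SSLSocket is created, is the core of the CVE-2012-5783 fix: the JSSE handshake only verifies that the chain is trusted, not that the certificate was issued for the host the client meant to reach. The following Java class is an added illustration written for this thread; it is not Alberto's patch and not code from commons-httpclient or axis. It assumes it is called right after `startHandshake()`, checks dNSName subject alternative names first and falls back to the subject CN only when no SAN is present, and applies the usual wildcard rule (a leading `*.` covers exactly one label and may not cover a whole top-level domain), which is the wildcard-certificate behaviour the second patch is said to correct. It is deliberately simpler than RFC 6125: literal IP-address hosts, which should be matched against iPAddress SANs rather than dNSName entries, are not handled.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/** Illustrative post-handshake hostname check (not the patch from this thread). */
public final class HostnameCheck {

    private HostnameCheck() {}

    /** Assumed hook point: call immediately after socket.startHandshake(). */
    public static void verify(String host, SSLSocket socket)
            throws IOException, CertificateParsingException {
        SSLSession session = socket.getSession();
        // getPeerCertificates() throws SSLPeerUnverifiedException if the peer sent no chain
        java.security.cert.Certificate[] chain = session.getPeerCertificates();
        X509Certificate leaf = (X509Certificate) chain[0];
        if (!matches(host, leaf)) {
            throw new SSLPeerUnverifiedException("certificate does not match host " + host);
        }
    }

    /** True if host matches a dNSName SAN or, when the cert has no SANs, the subject CN. */
    public static boolean matches(String host, X509Certificate cert)
            throws CertificateParsingException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)).intValue() == 2) { // GeneralName type 2 = dNSName
                    names.add((String) san.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            String cn = subjectCn(cert.getSubjectX500Principal().getName());
            if (cn != null) {
                names.add(cn);
            }
        }
        for (String name : names) {
            if (matchesPattern(host, name)) {
                return true;
            }
        }
        return false;
    }

    /** First CN attribute of an RFC 2253 distinguished name, or null if there is none. */
    static String subjectCn(String dn) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // unparsable DN: treat as having no CN
        }
        return null;
    }

    /**
     * Exact, case-insensitive match, or a single leading "*." wildcard covering exactly
     * one label: "*.example.com" matches "www.example.com" but neither "example.com"
     * nor "a.b.example.com"; a pattern like "*.com" never matches anything.
     */
    static boolean matchesPattern(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1);            // ".example.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false;                          // wildcard would cover a whole TLD
        }
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return label.length() > 0 && label.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        // constructed sample inputs exercising the wildcard rule
        System.out.println(matchesPattern("www.example.com", "*.example.com"));
        System.out.println(matchesPattern("example.com", "*.example.com"));
        System.out.println(matchesPattern("a.b.example.com", "*.example.com"));
        System.out.println(matchesPattern("example.com", "*.com"));
    }
}
```

The defensive point is that `verify` must run before the socket is handed back to the HTTP layer; a client that only configures trust anchors still accepts any valid certificate from any host, which is exactly the gap the CVEs describe. The CN fallback is kept only for legacy certificates without a SAN extension; when SANs are present they are authoritative and the CN is ignored.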