Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package async-http-client. It fixes CVE-2013-7397.

unblock async-http-client/1.6.5-3

Debdiff:

diff -Nru async-http-client-1.6.5/debian/changelog 
async-http-client-1.6.5/debian/changelog
--- async-http-client-1.6.5/debian/changelog    2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/changelog    2014-12-17 19:15:20.000000000 
+0100
@@ -1,3 +1,22 @@
+async-http-client (1.6.5-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Emmanuel Bourg ]
+  * Fixed CVE-2013-7397: SSL/TLS certificate verification is disabled
+    under certain conditions (Closes: #773364)
+  * Fixed a compilation error with Java 8 (Closes: #773372)
+  * debian/control:
+    - Standards-Version updated to 3.9.6 (no changes)
+    - Removed the unnecessary build dependency on libclirr-maven-plugin-java
+    - Use canonical URLs for the Vcs-* fields
+  * debian/rules: Improved the clean target
+
+  [ Tony Mancill ]
+  * Update debian/watch
+
+ -- Emmanuel Bourg <ebo...@apache.org>  Wed, 17 Dec 2014 19:14:38 +0100
+
 async-http-client (1.6.5-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru async-http-client-1.6.5/debian/control 
async-http-client-1.6.5/debian/control
--- async-http-client-1.6.5/debian/control      2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/control      2014-12-17 16:50:25.000000000 
+0100
@@ -6,7 +6,6 @@
 Build-Depends: cdbs, debhelper (>= 9), default-jdk, maven-debian-helper (>= 
1.4)
 Build-Depends-Indep: default-jdk-doc,
                      libanimal-sniffer-java,
-                     libclirr-maven-plugin-java,
                      libcommons-logging-java-doc,
                      libmaven-bundle-plugin-java,
                      libmaven-enforcer-plugin-java,
@@ -14,10 +13,10 @@
                      libmaven-shade-plugin-java,
                      libnetty-java (>= 1:3.2.5),
                      libslf4j-java
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
+Vcs-Git: git://anonscm.debian.org/pkg-java/async-http-client.git
+Vcs-Browser: http://anonscm.debian.org/cgit/pkg-java/async-http-client.git
 Homepage: https://github.com/AsyncHttpClient/async-http-client
-Vcs-Git: git://git.debian.org/git/pkg-java/async-http-client.git
-Vcs-Browser: http://git.debian.org/?p=pkg-java/async-http-client.git
 
 Package: libasync-http-client-java
 Architecture: all
diff -Nru async-http-client-1.6.5/debian/maven.ignoreRules 
async-http-client-1.6.5/debian/maven.ignoreRules
--- async-http-client-1.6.5/debian/maven.ignoreRules    2014-02-13 
07:21:48.000000000 +0100
+++ async-http-client-1.6.5/debian/maven.ignoreRules    2014-12-17 
19:21:45.000000000 +0100
@@ -29,3 +29,4 @@
 org.eclipse.jetty jetty-servlet * * * *
 org.eclipse.jetty jetty-servlets * * * *
 org.testng testng * * * *
+org.codehaus.mojo clirr-maven-plugin * * * *
diff -Nru async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch 
async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch
--- async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch 
1970-01-01 01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/01-java8-compatibility.patch 
2014-12-17 17:22:29.000000000 +0100
@@ -0,0 +1,27 @@
+Description: Fix a compilation error with Java 8. This has been fixed upstream
+ in the version 1.9 by renaming the replace() method to replaceWith().
+Author: Emmanuel Bourg <ebo...@apache.org>
+Forwarded: not-needed
+Bug-Debian: http://bugs.debian.org/773372
+--- a/src/main/java/com/ning/http/client/FluentStringsMap.java
++++ b/src/main/java/com/ning/http/client/FluentStringsMap.java
+@@ -148,7 +148,7 @@
+      * @return This object
+      */
+     public FluentStringsMap replace(final String key, final String... values) 
{
+-        return replace(key, Arrays.asList(values));
++        return replace(key, (Collection<String>) Arrays.asList(values));
+     }
+ 
+     /**
+--- a/src/main/java/com/ning/http/client/FluentCaseInsensitiveStringsMap.java
++++ b/src/main/java/com/ning/http/client/FluentCaseInsensitiveStringsMap.java
+@@ -162,7 +162,7 @@
+      * @return This object
+      */
+     public FluentCaseInsensitiveStringsMap replace(final String key, final 
String... values) {
+-        return replace(key, Arrays.asList(values));
++        return replace(key, (Collection<String>) Arrays.asList(values));
+     }
+ 
+     /**
diff -Nru async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch 
async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch
--- async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch       
1970-01-01 01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/02-CVE-2013-7397.patch       
2014-12-17 19:09:54.000000000 +0100
@@ -0,0 +1,148 @@
+Description: Remove the code disabling the SSL certificate validation
+Author: Emmanuel Bourg <ebo...@apache.org>
+Forwarded: not-needed
+--- a/src/main/java/com/ning/http/util/SslUtils.java
++++ b/src/main/java/com/ning/http/util/SslUtils.java
+@@ -51,11 +51,7 @@
+     public static SSLContext getSSLContext()
+             throws GeneralSecurityException, IOException {
+         SSLConfig config = new SSLConfig();
+-        if (config.keyStoreLocation == null || config.trustStoreLocation == 
null) {
+-            return getLooseSSLContext();
+-        } else {
+-            return getStrictSSLContext(config);
+-        }
++        return getStrictSSLContext(config);
+     }
+ 
+     static SSLContext getStrictSSLContext(SSLConfig config)
+@@ -95,29 +91,6 @@
+         return context;
+     }
+ 
+-    static SSLContext getLooseSSLContext()
+-            throws GeneralSecurityException {
+-        SSLContext sslContext = SSLContext.getInstance("TLS");
+-        sslContext.init(null, new TrustManager[]{LooseTrustManager.INSTANCE}, 
new SecureRandom());
+-        return sslContext;
+-    }
+-
+-    static class LooseTrustManager
+-            implements X509TrustManager {
+-
+-        public static final LooseTrustManager INSTANCE = new 
LooseTrustManager();
+-
+-        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+-            return null;
+-        }
+-
+-        public void checkClientTrusted(java.security.cert.X509Certificate[] 
certs, String authType) {
+-        }
+-
+-        public void checkServerTrusted(java.security.cert.X509Certificate[] 
certs, String authType) {
+-        }
+-    }
+-
+     private final static class SSLConfig {
+ 
+         public String keyStoreLocation;
+--- 
a/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
++++ 
b/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
+@@ -130,24 +130,6 @@
+     private final MultiThreadedHttpConnectionManager connectionManager;
+     private final HttpClientParams params;
+ 
+-    static {
+-        final SocketFactory factory = new TrustingSSLSocketFactory();
+-        Protocol.registerProtocol("https", new Protocol("https", new 
ProtocolSocketFactory() {
+-            public Socket createSocket(String string, int i, InetAddress 
inetAddress, int i1) throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i, InetAddress 
inetAddress, int i1, HttpConnectionParams httpConnectionParams)
+-                    throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i) throws 
IOException {
+-                return factory.createSocket(string, i);
+-            }
+-        }, 443));
+-    }
+-
+     public ApacheAsyncHttpProvider(AsyncHttpClientConfig config) {
+         this.config = config;
+         connectionManager = new MultiThreadedHttpConnectionManager();
+@@ -732,72 +714,6 @@
+         }
+     }
+ 
+-    private static class TrustingSSLSocketFactory extends SSLSocketFactory {
+-        private SSLSocketFactory delegate;
+-
+-        private TrustingSSLSocketFactory() {
+-            try {
+-                SSLContext sslcontext = SSLContext.getInstance("SSL");
+-
+-                sslcontext.init(null, new TrustManager[]{new 
TrustEveryoneTrustManager()}, new SecureRandom());
+-                delegate = sslcontext.getSocketFactory();
+-            } catch (KeyManagementException e) {
+-                throw new IllegalStateException();
+-            } catch (NoSuchAlgorithmException e) {
+-                throw new IllegalStateException();
+-            }
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i) throws IOException, 
UnknownHostException {
+-            return delegate.createSocket(s, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i, InetAddress inetAddress, 
int i1) throws IOException, UnknownHostException {
+-            return delegate.createSocket(s, i, inetAddress, i1);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i) throws 
IOException {
+-            return delegate.createSocket(inetAddress, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i, 
InetAddress inetAddress1, int i1) throws IOException {
+-            return delegate.createSocket(inetAddress, i, inetAddress1, i1);
+-        }
+-
+-        @Override
+-        public String[] getDefaultCipherSuites() {
+-            return delegate.getDefaultCipherSuites();
+-        }
+-
+-        @Override
+-        public String[] getSupportedCipherSuites() {
+-            return delegate.getSupportedCipherSuites();
+-        }
+-
+-        @Override
+-        public Socket createSocket(Socket socket, String s, int i, boolean b) 
throws IOException {
+-            return delegate.createSocket(socket, s, i, b);
+-        }
+-    }
+-
+-    private static class TrustEveryoneTrustManager implements 
X509TrustManager {
+-        public void checkClientTrusted(X509Certificate[] x509Certificates, 
String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public void checkServerTrusted(X509Certificate[] x509Certificates, 
String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public X509Certificate[] getAcceptedIssuers() {
+-            return new X509Certificate[0];
+-        }
+-    }
+-
+     private final class ReaperFuture implements Future, Runnable {
+         private Future scheduledFuture;
+         private ApacheResponseFuture<?> apacheResponseFuture;
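Review bot: With the `config.keyStoreLocation == null || config.trustStoreLocation == null` branch removed from getSSLContext(), every caller that has not configured both store locations now reaches getStrictSSLContext(config) with null locations, and the hunk does not show how that method treats them (its body lies between the two SslUtils hunks). If it requires both stores, such callers will now fail at connect time instead of getting the JVM's default trust store; the usual replacement for the removed accept-all path is `if (config.keyStoreLocation == null || config.trustStoreLocation == null) { return SSLContext.getDefault(); }` ahead of the strict call, which still verifies the peer against the platform CA bundle. Both patched files presumably keep now-unused imports (TrustManager, X509TrustManager, SecureRandom in SslUtils; SocketFactory, Protocol, ProtocolSocketFactory and the certificate types in ApacheAsyncHttpProvider); they sit outside the hunk but are worth trimming. Dropping the static Protocol.registerProtocol("https", ...) block hands https back to the HTTP client library's default socket factory, which is the intended effect but is only implied, so a sentence saying so in the DEP-3 Description would help the next maintainer.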
diff -Nru async-http-client-1.6.5/debian/patches/series 
async-http-client-1.6.5/debian/patches/series
--- async-http-client-1.6.5/debian/patches/series       1970-01-01 
01:00:00.000000000 +0100
+++ async-http-client-1.6.5/debian/patches/series       2014-12-17 
18:13:01.000000000 +0100
@@ -0,0 +1,2 @@
+01-java8-compatibility.patch
+02-CVE-2013-7397.patch
diff -Nru async-http-client-1.6.5/debian/rules 
async-http-client-1.6.5/debian/rules
--- async-http-client-1.6.5/debian/rules        2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/rules        2014-12-17 17:28:37.000000000 
+0100
@@ -7,3 +7,6 @@
 
 get-orig-source:
        uscan --download-version $(DEB_UPSTREAM_VERSION) --force-download 
--rename
+
+clean::
+       rm -Rf META-INF/MANIFEST.MF
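Review bot: `rm -Rf META-INF/MANIFEST.MF` applies a recursive flag to what is a single file; `$(RM) META-INF/MANIFEST.MF` (rm -f) states the intent precisely and uses the conventional variable. If the build also creates the `META-INF` directory itself rather than only the manifest inside it, the hook should remove the directory so clean leaves nothing behind, but that cannot be confirmed from this hunk. The recipe line's leading whitespace renders as spaces in this mail; in the file it must be a tab or make reports a missing separator (the existing uscan recipe renders the same way, so this is most likely the mail client's doing).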
diff -Nru async-http-client-1.6.5/debian/watch 
async-http-client-1.6.5/debian/watch
--- async-http-client-1.6.5/debian/watch        2014-02-13 07:21:48.000000000 
+0100
+++ async-http-client-1.6.5/debian/watch        2014-12-17 16:03:19.000000000 
+0100
@@ -1,3 +1,3 @@
 version=3
-http://githubredir.debian.net/github/sonatype/async-http-client/async-http-client-(.*).tar.gz
 \
- debian debian/orig-tar.sh
\ Kein Zeilenumbruch am Dateiende.
+https://github.com/AsyncHttpClient/async-http-client/tags 
.*/async-http-client-(.*).tar.gz \
+ debian debian/orig-tar.sh

