CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake


Debian Bug report logs - #798650

Reported by: Guido Günther <agx@sigxcpu.org>

Date: Fri, 11 Sep 2015 13:15:02 UTC

Severity: important

Tags: patch, security

Found in versions commons-httpclient/3.1-11, commons-httpclient/3.1-10.2

Fixed in versions commons-httpclient/3.1-9+deb6u2, commons-httpclient/3.1-12

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#798650; Package src:commons-httpclient. (Fri, 11 Sep 2015 13:15:05 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 11 Sep 2015 13:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake
Date: Fri, 11 Sep 2015 15:12:37 +0200
Source: commons-httpclient
Version: 3.1-11
Severity: important

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892

Cheers,
 -- Guido

-- System Information:
Debian Release: 8.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#798650; Package src:commons-httpclient. (Fri, 11 Sep 2015 14:24:06 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 11 Sep 2015 14:24:06 GMT)


Message #10 received at 798650@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Guido Günther <agx@sigxcpu.org>, 798650@bugs.debian.org
Subject: Re: Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake
Date: Fri, 11 Sep 2015 16:20:42 +0200
On 11/09/2015 15:12, Guido Günther wrote:

> Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892

Thank you for the report Guido. A hanging connection is certainly
annoying but I fail to understand why it's flagged as a security
vulnerability.

Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
the version 4.3.6. So if this is really a security issue the
httpcomponents-client package in stable and oldstable is also affected.

[1] https://issues.apache.org/jira/browse/HTTPCLIENT-1478




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#798650; Package src:commons-httpclient. (Fri, 11 Sep 2015 14:48:13 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 11 Sep 2015 14:48:13 GMT)


Message #15 received at 798650@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 798650@bugs.debian.org
Subject: Re: Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake
Date: Fri, 11 Sep 2015 16:47:22 +0200
Hi,
On Fri, Sep 11, 2015 at 04:20:42PM +0200, Emmanuel Bourg wrote:
> On 11/09/2015 15:12, Guido Günther wrote:
> 
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=1259892
> 
> Thank you for the report Guido. A hanging connection is certainly
> annoying but I fail to understand why it's flagged as a security
> vulnerability.

Since a malicious server can starve client connections _although_ the
client took countermeasures to prevent this (by setting a timeout).

> Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> the version 4.3.6. So if this is really a security issue the
> httpcomponents-client package in stable and oldstable is also affected.

I do think so but I haven't checked yet and

https://bugzilla.redhat.com/show_bug.cgi?id=1261538

as well as

https://issues.apache.org/jira/browse/HTTPCLIENT-1478?focusedCommentId=13926162&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13926162

claim that it's not yet reproduced for httpcomponents-client 4.2.x;
that's why I didn't file a bug for httpcomponents-client yet until
this is investigated further.

Cheers,
 -- Guido
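The point Guido makes above (a peer that accepts the TCP connection but never completes the TLS handshake leaves the client thread blocked even though the client configured a timeout) can be shown with plain JSSE. The following is an added example written for this page; it is not code from commons-httpclient, from the Red Hat patch, or from any message in this thread. It assumes only the standard `javax.net.ssl` and `java.net` APIs; the class and method names (`HandshakeTimeoutDemo`, `connectWithoutHandshakeTimeout`, `connectWithHandshakeTimeout`) are invented here, and the silent loopback listener in `main()` is a constructed test fixture standing in for a server that never sends its ServerHello.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not project code): a connect timeout alone does not protect
 * against a peer that accepts the TCP connection and then never finishes the
 * TLS handshake; SO_TIMEOUT must be applied before startHandshake() to bound it.
 */
public class HandshakeTimeoutDemo {

    /**
     * Vulnerable ordering (shown for contrast; NOT called below because it would
     * hang): the read timeout is applied only after startHandshake(), so every
     * blocking read inside the handshake is unbounded.
     */
    static SSLSocket connectWithoutHandshakeTimeout(String host, int port,
            int connectTimeoutMs, int soTimeoutMs) throws IOException {
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, port), connectTimeoutMs); // bounded
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true);
        ssl.startHandshake();          // unbounded: waits for ServerHello for ever
        ssl.setSoTimeout(soTimeoutMs); // too late to matter for the handshake
        return ssl;
    }

    /**
     * Hardened ordering: SO_TIMEOUT is set on the socket before the handshake
     * starts, so a silent peer yields a SocketTimeoutException, not a stuck thread.
     */
    static SSLSocket connectWithHandshakeTimeout(String host, int port,
            int connectTimeoutMs, int soTimeoutMs) throws IOException {
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, port), connectTimeoutMs);
        plain.setSoTimeout(soTimeoutMs); // bounds the reads performed by the handshake
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, host, port, true);
        try {
            ssl.startHandshake();
        } catch (IOException e) {
            try { ssl.close(); } catch (IOException ignored) { } // never leak a half-open socket
            throw e;
        }
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        // Constructed test fixture: a loopback listener that accepts the TCP
        // connection and then stays silent, i.e. never sends a ServerHello.
        InetAddress loopback = InetAddress.getByName("127.0.0.1");
        try (ServerSocket silent = new ServerSocket(0, 1, loopback)) {
            Thread acceptor = new Thread(() -> {
                try (Socket s = silent.accept()) {
                    Thread.sleep(30_000); // hold the connection open without writing
                } catch (Exception ignored) {
                }
            });
            acceptor.setDaemon(true);
            acceptor.start();

            long start = System.nanoTime();
            try {
                connectWithHandshakeTimeout("127.0.0.1", silent.getLocalPort(), 1_000, 2_000);
                System.out.println("unexpected: handshake completed");
            } catch (SocketTimeoutException e) {
                long elapsedMs = (System.nanoTime() - start) / 1_000_000;
                System.out.println("handshake aborted after ~" + elapsedMs
                        + " ms: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac HandshakeTimeoutDemo.java && java HandshakeTimeoutDemo`; the hardened variant gives up after roughly the 2 s read timeout, whereas the vulnerable variant would sit in `startHandshake()` until the fixture closes the connection. In commons-httpclient 3.1 the corresponding values are the `http.socket.timeout` parameter (`HttpConnectionParams.getSoTimeout()`) and the connection timeout (`HttpConnectionParams.getConnectionTimeout()`); the fix described in the changelog below, "Respect configured SO_TIMEOUT during SSL handshake", is the same ordering change applied inside the library's SSL socket factory.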



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#798650; Package src:commons-httpclient. (Mon, 28 Sep 2015 14:30:03 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 28 Sep 2015 14:30:03 GMT)


Message #20 received at 798650@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Guido Günther <agx@sigxcpu.org>
Cc: Emmanuel Bourg <ebourg@apache.org>, 798650@bugs.debian.org
Subject: Re: Bug#798650: CVE-2015-5262: https calls ignore http.socket.timeout during SSL Handshake
Date: Mon, 28 Sep 2015 16:27:41 +0200
Control: tag -1 + security patch

(this is not about commons-httpclient but about httpcomponents-client)

On Fri, 11 Sep 2015, Guido Günther wrote:
> > Note that according to HTTPCLIENT-1478 [1] this was completely fixed in
> > the version 4.3.6. So if this is really a security issue the
> > httpcomponents-client package in stable and oldstable is also affected.
> 
> I do think so but I haven't checked yet and
[...]
> claim that it's not yet reproduced for httpcomponents-client 4.2.x;
> that's why I didn't file a bug for httpcomponents-client yet until
> this is investigated further.

I did look into the source code and it looks like this was a
regression in 4.3.x. So only jessie is affected. squeeze, wheezy (and
likely sid) seem to be fine.

Coming back to commons-httpclient:

RedHat produced a patch here:
https://bugzilla.redhat.com/attachment.cgi?id=1072467&action=diff
Part of https://bugzilla.redhat.com/show_bug.cgi?id=1259892

BTW, would it not be possible to get rid of commons-httpclient
if it has been obsoleted by httpcomponents-client?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/



Added tag(s) patch and security. Request was from Raphael Hertzog <hertzog@debian.org> to 798650-submit@bugs.debian.org. (Mon, 28 Sep 2015 14:30:03 GMT)


Reply sent to Mike Gabriel <sunweaver@debian.org>:
You have taken responsibility. (Wed, 30 Sep 2015 15:39:12 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Wed, 30 Sep 2015 15:39:12 GMT)


Message #27 received at 798650-close@bugs.debian.org:

From: Mike Gabriel <sunweaver@debian.org>
To: 798650-close@bugs.debian.org
Subject: Bug#798650: fixed in commons-httpclient 3.1-9+deb6u2
Date: Wed, 30 Sep 2015 15:35:04 +0000
Source: commons-httpclient
Source-Version: 3.1-9+deb6u2

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 30 Sep 2015 16:10:18 +0200
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source all
Version: 3.1-9+deb6u2
Distribution: squeeze-lts
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Description: 
 libcommons-httpclient-java - A Java(TM) library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 798650
Changes: 
 commons-httpclient (3.1-9+deb6u2) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Debian LTS Team.
   * debian/patches:
     + CVE-2015-5262.patch. Respect configured SO_TIMEOUT during SSL handshake.
       (CVE-2015-5262). (Closes: #798650).
Checksums-Sha1: 
 c17f62809423ae857db62a14a6c50be4cb5ddef6 2433 commons-httpclient_3.1-9+deb6u2.dsc
 6aa4a05e47d5b953196e38ed60396ba3c21be6d8 13340 commons-httpclient_3.1-9+deb6u2.diff.gz
 aeacbe1f03aa60dec7119844d0aea8322d29be50 299660 libcommons-httpclient-java_3.1-9+deb6u2_all.deb
 6f86b61b348fe41fade11b8c726ee1b30163c135 1548082 libcommons-httpclient-java-doc_3.1-9+deb6u2_all.deb
Checksums-Sha256: 
 6cfdc1b50cc92a6cdf28851b6787013f7fc98fee933462f92f91c9e4da5694dc 2433 commons-httpclient_3.1-9+deb6u2.dsc
 d9761a0a93cf117a4986f5d2553364eb55d9e78ca11147e2da5fb86be571536c 13340 commons-httpclient_3.1-9+deb6u2.diff.gz
 2dc95b882c3d7784a5ed4ccecdc78a80ae3fcee0969f88f077a6ffdf932a2ea5 299660 libcommons-httpclient-java_3.1-9+deb6u2_all.deb
 078bae7d2c0b4ee0016330a9200890f1a75bda6c797f45858a2a34260773fdd7 1548082 libcommons-httpclient-java-doc_3.1-9+deb6u2_all.deb
Files: 
 cae20482aacfa17a4beb089492a4427f 2433 java optional commons-httpclient_3.1-9+deb6u2.dsc
 2a0b3f191dd4a211a1b97fdcc2575751 13340 java optional commons-httpclient_3.1-9+deb6u2.diff.gz
 348dec40ce6d4a1ae66dbed9c19bea7a 299660 java optional libcommons-httpclient-java_3.1-9+deb6u2_all.deb
 1f5b21892a3ab06bf2eb5c82c75e7e73 1548082 doc optional libcommons-httpclient-java-doc_3.1-9+deb6u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWC/EAAAoJEJr0azAldxsxtesP/0JnEkU+OHgLLb+GFlq2a0lw
K7jaNNdfkU7KCbyDbGF5ELf5dfevOso6xjuHRQ/VkuiBnzXdC+HJ5bJAa43Mm21L
TgF/HOJ/TgmYIfJ0+nJ8kx6MzSujJYSM7gPF9PBivCaha+6dXBqRds2sEytGVaa7
Lv9nH9UMGFJIvaouO/o2rOHiNcojlBzS4lW80Q9VjqKfpYjNHzsWPEpcTe39eiNc
UKeyIkIL+uBaMNDCBLa/WgGu7pjTT/piSZNbuBd2IKlqb7eLTgmBfY8gUYQCoJtx
RX3XqbLiv9n+JpYpUEEtx8uwuen3ZnGGGUXIfu82nmC22a+sWAiNJ+NJ6VBYv4ai
Xb2Roc7QIhuRr1hF4lSnLSuresPCUQn8GvGlUDkMOcLq5cbbvU/H4Y56hx8v8F44
EZrzfcJo2Fpjy+fx9PSLw9I92thazUelaFO82E72YdKZx6phb0u07r3NcJpAxNJ2
mCRqTBsniO9gMMmcOyKix92c3CwuBwntbg1np3PDCJJVUCiSmww0hko1gfEsHZx2
noLTXARE5XPmcr3/C3MJQVrDoXfW9BkjXN+hmSTMoTLBX+hVe/Wvq5ERkF5n8S20
VHDsO16U2JvMajzAsp4OCN2AcuQknFwBWoKjwtn4vcoMw5LlQb9SwTadtPvrm0eq
gnev/jOhImY+9GucoLh4
=2waL
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#798650; Package src:commons-httpclient. (Wed, 07 Oct 2015 17:27:03 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 07 Oct 2015 17:27:03 GMT)


Message #32 received at 798650@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 798650@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#798650: fixed in commons-httpclient 3.1-9+deb6u2
Date: Wed, 07 Oct 2015 19:23:22 +0200
reopen 798650
notfixed 798650 3.1-10.2+deb7u1
notfixed 798650 3.1-11
clone 798650 -1
reassign -1 src:httpcomponents-client
found -1 4.0.1-1squeeze1
notfound -1 4.4.1-1
thanks

On Wed, 30 Sep 2015 15:35:04 +0000 Mike Gabriel <sunweaver@debian.org>
wrote:
> Source: commons-httpclient
> Source-Version: 3.1-9+deb6u2
> 
> We believe that the bug you reported is fixed in the latest version of
> commons-httpclient, which is due to be installed in the Debian FTP archive.

Hi,

this bug is still not fixed in oldstable, stable, testing and unstable.
Moreover it is also present in httpcomponents-client in oldstable and
stable but was fixed in testing and unstable.

According to https://issues.apache.org/jira/browse/HTTPCLIENT-1478
this issue was fixed in httpcomponents-client >= 4.3.6.

Reopening

Markus



Bug reopened. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Wed, 07 Oct 2015 17:27:09 GMT)


No longer marked as fixed in versions commons-httpclient/3.1-9+deb6u2. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Wed, 07 Oct 2015 17:27:10 GMT)


Bug 798650 cloned as bug 801236. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Wed, 07 Oct 2015 17:27:10 GMT)


Marked as fixed in versions commons-httpclient/3.1-9+deb6u2. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Wed, 07 Oct 2015 17:33:09 GMT)


Marked as found in versions commons-httpclient/3.1-10.2. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 02 Nov 2015 14:39:03 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Mon, 02 Nov 2015 15:51:18 GMT)


Notification sent to Guido Günther <agx@sigxcpu.org>:
Bug acknowledged by developer. (Mon, 02 Nov 2015 15:51:18 GMT)


Message #47 received at 798650-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 798650-close@bugs.debian.org
Subject: Bug#798650: fixed in commons-httpclient 3.1-12
Date: Mon, 02 Nov 2015 15:50:42 +0000
Source: commons-httpclient
Source-Version: 3.1-12

We believe that the bug you reported is fixed in the latest version of
commons-httpclient, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 798650@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated commons-httpclient package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 02 Nov 2015 15:32:33 +0100
Source: commons-httpclient
Binary: libcommons-httpclient-java libcommons-httpclient-java-doc
Architecture: source
Version: 3.1-12
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libcommons-httpclient-java - Commons HTTPClient - Java library for creating HTTP clients
 libcommons-httpclient-java-doc - Documentation for libcommons-httpclient-java
Closes: 654007 783931 798650
Changes:
 commons-httpclient (3.1-12) unstable; urgency=high
 .
   * Team upload.
 .
   [ Kumar Appaiah ]
   * debian/control:
     + Remove Kumar Appaiah from uploaders
 .
   [ Emmanuel Bourg ]
   * Add myself to Uploaders.
   * Switch to debhelper level 9
   * debian/control:
     - Use canonical URLs for the Vcs-* fields
     - Improved the package description
     - Removed Michael Koch from the uploaders (Closes: #654007)
   * debian/rules: Improved the clean target
 .
   [ tony mancill ]
   * Remove trailing spaces from package description of
     libcommons-httpclient-java-doc in debian/control. (Closes: #783931)
 .
   [ Markus Koschany ]
   * wrap-and-sort -sa.
   * Declare compliance with Debian Policy 3.9.6.
   * Add CVE-2015-5262.patch.
     Fix CVE-2015-5262 jakarta-commons-httpclient: https calls ignore
     http.socket.timeout during SSL Handshake. (Closes: #798650)
Checksums-Sha1:
 7f6e4219895a5d60a829f4c6e2bd036901167de5 2480 commons-httpclient_3.1-12.dsc
 50654599f42d71e9430cf6a1a7d55c533c9c9697 12888 commons-httpclient_3.1-12.debian.tar.xz
Checksums-Sha256:
 42b996fd84d32166e2c1a3bd2cacc787dd52bb873538c2c92d48f3ffeeaeba88 2480 commons-httpclient_3.1-12.dsc
 b7ee9e0d81f90d7cbe2a03dc5828ab63411778b6c42de2952fd4c27b42402e3d 12888 commons-httpclient_3.1-12.debian.tar.xz
Files:
 016ef22b50d13d5acddc115f9e244bb3 2480 java optional commons-httpclient_3.1-12.dsc
 6eeda411cfcf9dc046204f4f8d47ec0c 12888 java optional commons-httpclient_3.1-12.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 03 Dec 2015 07:28:54 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:38:22 2019; Machine Name: beach
