Bug#1003403: maven: Warning running mvn about which being deprecated
Package: maven
Version: 3.6.3-5
Severity: normal
X-Debbugs-Cc: inf...@gmail.com

Dear Maintainer,

When running the mvn command, a warning message shows:

/usr/bin/which: this version of `which' is deprecated; use `command -v' in scripts instead.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages maven depends on:
ii  default-jre-headless [java7-runtime-headless]  2:1.11-72
ii  libjansi-java  1.18-1
ii  libmaven3-core-java  3.6.3-5
ii  libwagon-file-java  3.3.4-1
ii  libwagon-http-shaded-java  3.3.4-1
ii  openjdk-10-jre-headless [java7-runtime-headless]  10.0.2+13-2
ii  openjdk-11-jre-headless [java7-runtime-headless]  11.0.13+8-1
ii  openjdk-17-jre-headless [java7-runtime-headless]  17.0.1+12-1
ii  openjdk-7-jre-headless [java7-runtime-headless]  7u101-2.6.6-1
ii  openjdk-8-jre-headless [java7-runtime-headless]  8u312-b07-1
ii  openjdk-9-jre-headless [java7-runtime-headless]  9.0.4+12-4
ii  oracle-java8-jdk [java7-runtime-headless]  8u151

maven recommends no packages.
maven suggests no packages.

-- no debconf information
Bug#603284: Patch proposed
Hi

I've developed a patch to make iText not modify metadata on PdfStamperImp.java unless explicitly instructed. Patch attached.

--- a/core/com/lowagie/text/pdf/PdfStamperImp.java
+++ b/core/com/lowagie/text/pdf/PdfStamperImp.java
@@ -234,24 +234,9 @@ altMetadata = xmpMetadata; } // if there is XMP data to add: add it -PdfDate date = new PdfDate(); if (altMetadata != null) { PdfStream xmp; - try { - XmpReader xmpr = new XmpReader(altMetadata); - if (!xmpr.replace(http://ns.adobe.com/pdf/1.3/;, Producer, producer)) - xmpr.add(rdf:Description, http://ns.adobe.com/pdf/1.3/;, pdf:Producer, producer); - if (!xmpr.replace(http://ns.adobe.com/xap/1.0/;, ModifyDate, date.getW3CDate())) - xmpr.add(rdf:Description, http://ns.adobe.com/xap/1.0/;, xmp:ModifyDate, date.getW3CDate()); - xmpr.replace(http://ns.adobe.com/xap/1.0/;, MetadataDate, date.getW3CDate()); - xmp = new PdfStream(xmpr.serializeDoc()); - } - catch(SAXException e) { - xmp = new PdfStream(altMetadata); - } - catch(IOException e) { - xmp = new PdfStream(altMetadata); - } + xmp = new PdfStream(altMetadata); xmp.put(PdfName.TYPE, PdfName.METADATA); xmp.put(PdfName.SUBTYPE, PdfName.XML); if (crypto != null !crypto.isMetadataEncrypted()) { @@ -341,8 +326,6 @@ newInfo.put(keyName, new PdfString(value, PdfObject.TEXT_UNICODE)); } } -newInfo.put(PdfName.MODDATE, date); -newInfo.put(PdfName.PRODUCER, new PdfString(producer)); if (append) { if (iInfo == null) info = addToBody(newInfo, false).getIndirectReference();
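Review bot: the message says metadata is left alone "unless explicitly instructed", but neither hunk adds a way to instruct it: the first hunk removes the whole XmpReader update block and the `date` local unconditionally, and the second removes the MODDATE and PRODUCER entries from the Info dictionary, so any caller that relied on iText refreshing ModifyDate/Producer after stamping loses that behaviour with no opt-in. Keep the block behind a boolean (for instance a `setUpdateMetadata(boolean)` on PdfStamperImp, name hypothetical) instead of deleting it, and check whether the XmpReader and SAXException imports and the `producer` field are still referenced anywhere; if not, drop them in the same patch. The context line `if (crypto != null !crypto.isMetadataEncrypted())` has lost its `&&` in this copy; it is unchanged context, not part of the change.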
Bug#690256: uploaded to mentors
Hi

I've just reuploaded gpsbabel 1.4.4 to mentors. We may consider packaging 1.5.0.

On Tue, 06-05-2014 at 11:42 +0200, Florian Ernst wrote:
> Hello there,
>
> On Sat, Jun 22, 2013 at 01:24:31PM +0200, Alberto Fernández wrote:
>> I've packaged version 1.4.4 and uploaded to mentors if you're interested in reviewing and sponsoring it.
>
> There doesn't seem to be such a package on mentors anymore. Bernd, any news on a possible update?
>
> Cheers,
> Flo

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#740016: nvidia-driver: OpenGL image painted over other windows
It's still failing with 331.67-1.

The workaround of starting xcompmgr is working for me.
Bug#690256: uploaded to mentors
Hi!

I've packaged version 1.4.4 and uploaded to mentors if you're interested in reviewing and sponsoring it.
Bug#692442: patch applied to commons-httpclient upstream
Hi

The patch is applied upstream:
http://svn.apache.org/viewvc?view=revision&revision=1422573
http://svn.apache.org/repos/asf/httpcomponents/oac.hc3x/trunk

Kind Regards
Alberto
Bug#687486:
Hi

Oracle have fixed it in JDK 1.7.0_09:
http://www.oracle.com/technetwork/java/javase/7u9-relnotes-1863279.html
http://www.oracle.com/technetwork/topics/security/alerts-086861.html

I suppose it's fixed in the same version of OpenJDK. I've tested openjdk in experimental (7u9-2.3.3-1) and it seems to be fixed.
Bug#695992: openjdk-7-jre: error parsing drop files parameter from pcmanfm and maybe others
Package: openjdk-7-jre
Version: 7u9-2.3.3-1
Severity: minor

Hi

If you drop files onto a java app, the function that parses the parameters fails in some cases because some file managers send it as a null-terminated string. This is the case of the lxde file manager, pcmanfm, and maybe others. I've tested and it works fine with nautilus.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openjdk-7-jre depends on:
ii  libasound2  1.0.25-4
ii  libatk-wrapper-java-jni  0.30.4-2
ii  libatk1.0-0  2.4.0-2
ii  libc6  2.13-37
ii  libcairo2  1.12.2-2
ii  libcups2  1.5.3-2.9
ii  libfontconfig1  2.9.0-7
ii  libfreetype6  2.4.9-1
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libgif4  4.1.6-10
ii  libgl1-mesa-glx  8.0.5-3
ii  libglib2.0-0  2.33.12+really2.32.4-3
ii  libgtk2.0-0  2.24.10-2
ii  libjpeg8  8d-1
ii  libpango1.0-0  1.30.0-1
ii  libpng12-0  1.2.49-3
ii  libpulse0  2.0-6
ii  libx11-6  2:1.5.0-1
ii  libxext6  2:1.3.1-2
ii  libxi6  2:1.6.1-1
ii  libxinerama1  2:1.1.2-1
ii  libxrandr2  2:1.3.2-2
ii  libxrender1  1:0.9.7-1
ii  libxtst6  2:1.2.1-1
ii  openjdk-7-jre-headless  7u9-2.3.3-1
ii  zlib1g  1:1.2.7.dfsg-13

Versions of packages openjdk-7-jre recommends:
ii  libgconf2-4  3.2.5-1+build1
ii  libgnome2-0  2.32.1-2
ii  libgnomevfs2-0  1:2.24.4-1
ii  ttf-dejavu-extra  2.33-3

Versions of packages openjdk-7-jre suggests:
ii  icedtea-7-plugin  1.3.1-1

-- no debconf information
Bug#664205: bug entry created for openjdk
Hi

I've created http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695992 to address this bug. The patch I've provided here can be applied as a workaround for josm.

Kind Regards
Alberto
Bug#695992: testcase
Hi

I attach a testcase for the bug. It's a simple application that opens a window and writes the data dropped from a file manager. With nautilus it works OK, but if you drop files from pcmanfm it throws an exception at the console.

I also attach a patch to openjdk, to ignore lines with only the null character, and an isolated test of the fail point.

The function called to parse the drop data:

List<File> fileList = (List<File>) tr.getTransferData(DataFlavor.javaFileListFlavor);

Then, after some work, it goes to sun.awt.X11.XDataTransferer line ~287

while ((line = reader.readLine()) != null) {
    try {
        uri = new URI(line);  // <-- fails here
    } catch (URISyntaxException uriSyntaxException) {
        throw new IOException(uriSyntaxException);
    }
    uriList.add(uri);
}

and fails because it tries to make a URI from '\0'.

I've sent the patch upstream, but their bug tracking system is not public by default. I'll update this bug when I get notice.

FileDropTestCase.java:

import java.awt.BorderLayout;
import java.awt.datatransfer.DataFlavor;
import java.awt.datatransfer.UnsupportedFlavorException;
import java.awt.dnd.DropTargetDragEvent;
import java.awt.dnd.DropTargetDropEvent;
import java.awt.dnd.DropTargetEvent;
import java.awt.dnd.DropTargetListener;
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.TooManyListenersException;
import javax.swing.JFrame;
import javax.swing.JScrollPane;
import javax.swing.JTextArea;

public class FileDropTestCase extends JFrame implements DropTargetListener {

    private static final long serialVersionUID = 1L;
    private JTextArea text = null;

    public static void main(String[] args) throws TooManyListenersException {
        JFrame frame = new FileDropTestCase();
        frame.setVisible(true);
    }

    public FileDropTestCase() throws TooManyListenersException {
        super(FileDropTestCase.class.getName());
        text = new JTextArea();
        this.getContentPane().add(new JScrollPane(text), BorderLayout.CENTER);
        this.setBounds(100, 100, 300, 400);
        this.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        setUpDnd();
        this.setVisible(true);
    }

    private void setUpDnd() throws TooManyListenersException {
        final java.awt.dnd.DropTarget dt = new java.awt.dnd.DropTarget();
        dt.addDropTargetListener(this);
        // Register the text area as the drop target for this listener.
        new java.awt.dnd.DropTarget(text, this);
    }

    @Override public void dragEnter(DropTargetDragEvent dtde) {}
    @Override public void dragOver(DropTargetDragEvent dtde) {}
    @Override public void dropActionChanged(DropTargetDragEvent dtde) {}
    @Override public void dragExit(DropTargetEvent dte) {}

    @Override
    public void drop(DropTargetDropEvent evt) {
        java.awt.datatransfer.Transferable tr = evt.getTransferable();
        if (tr.isDataFlavorSupported(DataFlavor.javaFileListFlavor)) {
            evt.acceptDrop(java.awt.dnd.DnDConstants.ACTION_COPY);
            try {
                // This call fails dropping files from pcmanfm.
                // It works fine with nautilus and Windows Explorer.
                // Other environments not tested.
                List<File> fileList = (List<File>) tr.getTransferData(DataFlavor.javaFileListFlavor);
                for (File file : fileList) {
                    text.append(file.getCanonicalPath() + "\n");
                }
            } catch (UnsupportedFlavorException e1) {
                e1.printStackTrace();
            } catch (IOException e1) {
                e1.printStackTrace();
            }
            // Mark that drop is completed.
            evt.getDropTargetContext().dropComplete(true);
        }
    }
}

Test.java:

import java.io.*;
import java.net.*;
import java.util.ArrayList;

public class Test {

    public static void main(String[] args) throws IOException {
        /*
         * Real data from a debug session:
         *
         * file:///tmp/demo1.txt\nfile:///tmp/demo2.txt\n\0
         */
        byte[] bytes = { 102, 105, 108, 101, 58, 47, 47, 47, 116, 109, 112, 47, 100, 101, 109, 111, 49, 46, 116, 120, 116, 13, 10,
                         102, 105, 108, 101, 58, 47, 47, 47, 116, 109, 112, 47, 100, 101, 109, 111, 50, 46, 116, 120, 116, 13, 10, 0 };
        URI[] list = simpleTestCaseFixed(new ByteArrayInputStream(bytes), bytes, "UTF-8");
        for (URI uri : list) {
            System.out.println(uri);
        }
    }

    /*
     * This function corresponds with a fragment of sun.awt.X11.XDataTransferer.dragQueryURIs (~256).
     * It's modified to ignore lines containing only a string with the null terminator char.
     */
    private static URI[] simpleTestCaseFixed(InputStream stream, byte[] bytes, String charset)
            throws IOException {
        BufferedReader reader = new BufferedReader(new InputStreamReader(stream, charset));
        String line;
        ArrayList<URI> uriList = new ArrayList<URI>();
        while ((line = reader.readLine()) != null) {
            try {
                // Only take care of lines that are not the lone null terminator
                if (!"\0".equals(line)) {
                    uriList.add(new URI(line));
                }
            } catch (URISyntaxException uriSyntaxException) {
                throw new IOException(uriSyntaxException);
            }
        }
        return uriList.toArray(new URI[uriList.size()]);
    }
}
Bug#664205: researching
Hi

In short, I've attached a patch with a workaround. I have to test it in other environments (Windows) before sending it upstream. I also have to test the jdk7 / pcmanfm bug and open a new bug.

The root error is that pcmanfm sends a null-terminated string for the file list (nautilus doesn't send it).

When josm receives a drop, it parses the data calling:

tr.getTransferData(java.awt.datatransfer.DataFlavor.javaFileListFlavor);

Then, after some work, it goes to sun.awt.X11.XDataTransferer line ~287

while ((line = reader.readLine()) != null) {
    try {
        uri = new URI(line);  // <-- fails here
    } catch (URISyntaxException uriSyntaxException) {
        throw new IOException(uriSyntaxException);
    }
    uriList.add(uri);
}

and fails because it tries to make a URI with '\0'.

josm has two methods for processing drop data; the first is failing, the second works. The only thing the attached patch does is to remove the first method.

Description: Fix Drag and Drop
 Fix Drag and Drop from PCManFM (and maybe others)
Origin: other
Bug: url in upstream bugtracker
Bug-Debian: http://bugs.debian.org/664205
Forwarded: no
Last-Update: 2012-12-14

--- josm-0.0.svn5576+dfsg1.orig/src/org/openstreetmap/josm/gui/FileDrop.java
+++ josm-0.0.svn5576+dfsg1/src/org/openstreetmap/josm/gui/FileDrop.java
@@ -309,31 +309,7 @@ public class FileDrop { // Get whatever was dropped java.awt.datatransfer.Transferable tr = evt.getTransferable(); -// Is it a file list? -if (tr.isDataFlavorSupported (java.awt.datatransfer.DataFlavor.javaFileListFlavor)) -{ -// Say we'll take it. -//evt.acceptDrop ( java.awt.dnd.DnDConstants.ACTION_COPY_OR_MOVE ); -evt.acceptDrop ( java.awt.dnd.DnDConstants.ACTION_COPY ); -log( out, FileDrop: file list accepted. ); - -// Get a useful list -List? fileList = (List?)tr.getTransferData(java.awt.datatransfer.DataFlavor.javaFileListFlavor); - -// Convert list to array -final File[] files = fileList.toArray(new File[fileList.size()]); - -// Alert listener to drop. -if( listener != null ) { -listener.filesDropped( files ); -} -// Mark that drop is completed. -evt.getDropTargetContext().dropComplete(true); -log( out, FileDrop: drop complete. ); -} // end if: file list -else // this section will check for a reader flavor. -{ // Thanks, Nathan! // BEGIN 2007-09-12 Nathan Blomquist -- Linux (KDE/Gnome) support added. DataFlavor[] flavors = tr.getTransferDataFlavors(); @@ -365,7 +341,7 @@ public class FileDrop evt.rejectDrop(); } // END 2007-09-12 Nathan Blomquist -- Linux (KDE/Gnome) support added. -} // end else: not a file list + } // end try catch ( java.io.IOException io) { log( out, FileDrop: IOException - abort: );
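Review bot: the first hunk deletes the entire javaFileListFlavor branch instead of guarding it, so on every platform FileDrop now depends on the reader-flavor (text/uri-list) path, which the message says is still untested on Windows, where the file-list flavor was the route that worked. A narrower fix keeps the branch and falls through to the reader-flavor code when `getTransferData(javaFileListFlavor)` throws the IOException described above, so the pcmanfm case is handled without changing behaviour elsewhere. In the second hunk, `+ } // end try` replaces `-} // end else: not a file list` with different indentation and a comment naming a different block; after removing the `if (...) {` and `else {` openers in the first hunk, re-check that the brace pairing still compiles and that the comment names the brace it actually closes.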
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi.

Both patches are attached at the upstream JIRA and HTTPCLIENT-1265 is reopened. Waiting for response.

Kind regards
Alberto
Bug#687692: examples
Hi Tobias

Here's a testcase. In sid it works fine, but if I use the jars provided in testing it fails.

Important: the pdf file is protected, so bouncycastle is necessary to decrypt it. Normal pdf files don't fail because they don't need bouncycastle.

Attached: a sample pdf and a sample java program that counts the pages of a pdf.

Sid: it prints the expected output

pages = 1

In testing it throws this exception:

Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/asn1/ASN1ObjectIdentifier
	at com.lowagie.text.pdf.PdfEncryption.<init>(Unknown Source)
	at com.lowagie.text.pdf.PdfReader.readDecryptedDocObj(Unknown Source)
	at com.lowagie.text.pdf.PdfReader.readDocObj(Unknown Source)
	at com.lowagie.text.pdf.PdfReader.readPdf(Unknown Source)
	at com.lowagie.text.pdf.PdfReader.<init>(Unknown Source)
	at com.lowagie.text.pdf.PdfReader.<init>(Unknown Source)
	at Main.main(Main.java:17)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.asn1.ASN1ObjectIdentifier
	at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
	... 7 more

Attachment: example2.pdf (Adobe PDF document)

Main.java:

import java.io.IOException;
import com.lowagie.text.pdf.PdfReader;

public class Main {

    /**
     * Test http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687692
     * @throws IOException
     */
    public static void main(String[] args) throws IOException {
        String fileName = "example2.pdf";
        if (args != null && args.length > 0) {
            fileName = args[0];
        }
        // Opening a protected PDF needs bouncycastle on the classpath
        PdfReader reader = new PdfReader(fileName);
        System.out.println("pages = " + reader.getNumberOfPages());
        reader.close();
    }
}
Bug#687692: testcase bug 687692
Hi Tobias and Niels

I've uploaded to the BTS a testcase for the bug. It's a protected pdf sample file and a simple java program that counts the number of pages of a PDF. It works fine in sid and fails in testing.

Greetings
Alberto
Bug#689484: fixed in sid
fixed 689484 22.0.1229.94~r161065-1
thanks

Hi

This bug has been fixed upstream and the sid/testing version works fine (at least it works for me). They have recently applied the patch again to the M23 and M24 branches because they accidentally reverted it.

Michael, can you please confirm it works for you and close the bug?

Thanks
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi All,

I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.

The first patch is backported from httpclient 4.0 and apache synapse. This second patch backports some fixes from httpclient 4.2.

The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.

The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.

I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.

Thanks
Bug#692442: new patch for commons-httpclient CVE-2012-5783 (full patch)
Description: Fixed CN extraction from DN of X500 principal and wildcard validation commons-httpclient (3.1-10.2) unstable; urgency=low * Fixed CN extraction from DN of X500 principal and wildcard validation Author: Alberto Fernández MartÃnez inf...@gmail.com Origin: other Bug-Debian: http://bugs.debian.org/692442 Forwarded: https://issues.apache.org/jira/browse/HTTPCLIENT-1265 Last-Update: 2012-12-06 --- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -31,10 +31,25 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.regex.Pattern; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import org.apache.commons.httpclient.ConnectTimeoutException; @@ -55,6 +70,11 @@ public class SSLProtocolSocketFactory im */ private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory(); +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; + /** * Gets an singleton instance of the SSLProtocolSocketFactory. * @return a SSLProtocolSocketFactory 
@@ -79,12 +99,14 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -124,16 +146,19 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { -return createSocket(host, port, localAddress, localPort); +Socket sslSocket = createSocket(host, port, localAddress, localPort); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } else { // To be eventually deprecated when migrated to Java 1.4 or above -Socket socket = ReflectionSocketFactory.createSocket( +Socket sslSocket = ReflectionSocketFactory.createSocket( javax.net.ssl.SSLSocketFactory, host, port, localAddress, localPort, timeout); -if (socket == null) { -socket = ControllerThreadSocketFactory.createSocket( +if (sslSocket == null) { + sslSocket = ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } -return socket; +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } } @@ -142,10 +167,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** 
@@ -157,13 +184,271 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { -return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( +Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } + + + + +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new
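Review bot: in each createSocket hunk, `verifyHostName(host, (SSLSocket) sslSocket)` runs after the socket is connected and throws on mismatch, but nothing closes `sslSocket` on that path, so every rejected connection leaks an open socket (and, since verification needs the session, a completed handshake). Wrap the call in each of the four places: `try { verifyHostName(host, (SSLSocket) sslSocket); } catch (IOException e) { sslSocket.close(); throw e; }`. Also, in the params overload the `timeout == 0` branch now calls `createSocket(host, port, localAddress, localPort)`, which already verifies, and then verifies again; harmless but redundant.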
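Review bot: the verifyHostName hunk is truncated in this copy (it ends at `throw new`), so the name-matching logic itself cannot be reviewed from these lines. In what is visible: BAD_COUNTRY_2LDS has to stay sorted because it is meant for Arrays.binarySearch (the fourteen listed values are in order), so say that in the comment rather than "do it orderdered"; the javadoc reads "certicifate"; and the javadoc points at a cvedetails URL for CVE-2012-5783 while the DEP-3 header already carries the Debian bug and the JIRA issue, which are the references a maintainer will follow.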
Bug#692650: patch for axis CVE-2012-5784 (full patch)
Description: Fixed CN extraction from DN of X500 principal and wildcard validation axis (1.4-16.2) unstable; urgency=low * Fixed CN extraction from DN of X500 principal and wildcard validation Author: Alberto Fernández MartÃnez inf...@gmail.com Origin: other Bug-Debian: http://bugs.debian.org/692650 Forwarded: https://issues.apache.org/jira/browse/AXIS-2883 Last-Update: 2012-12-06 --- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java +++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java @@ -15,12 +15,6 @@ */ package org.apache.axis.components.net; -import org.apache.axis.utils.Messages; -import org.apache.axis.utils.XMLUtils; -import org.apache.axis.utils.StringUtils; - -import javax.net.ssl.SSLSocket; -import javax.net.ssl.SSLSocketFactory; import java.io.BufferedWriter; import java.io.IOException; import java.io.InputStream; @@ -28,7 +22,27 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.net.Socket; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; import java.util.Hashtable; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.regex.Pattern; + +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; + +import org.apache.axis.utils.Messages; +import org.apache.axis.utils.StringUtils; +import org.apache.axis.utils.XMLUtils; /** 
@@ -41,6 +55,10 @@ import java.util.Hashtable; */ public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory { +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; /** Field sslFactory */ protected SSLSocketFactory sslFactory = null; 
@@ -187,6 +205,260 @@ public class JSSESocketFactory extends D if (log.isDebugEnabled()) { log.debug(Messages.getMessage(createdSSL00)); } +verifyHostName(host, (SSLSocket) sslSocket); return sslSocket; } +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new IllegalArgumentException(host to verify was null); + } + + SSLSession session = ssl.getSession(); + if (session == null) { +// In our experience this only happens under IBM 1.4.x when +// spurious (unrelated) certificates show up in the server's chain. +// Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); +/* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + +#1. Clean up the certificate chain that your server + is presenting (e.g. edit /etc/apache2/server.crt or + wherever it is your server's certificate chain is + defined). + + OR + +#2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + +// If ssl.getInputStream().available() didn't cause an exception, +// maybe at least now the session is available? + session = ssl.getSession(); + if (session == null) { +// If it's still null, probably a startHandshake() will +// unearth the real problem. +ssl.startHandshake(); + +// Okay, if we still haven't managed to cause an exception, +// might as well go for the NPE. Or maybe we're okay now? 
+session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + verifyHostName(host.trim().toLowerCase(Locale.US), (X509Certificate) certs[0]); + } + /** + * Extract the names from the certificate and tests host matches one of them + * @param host + * @param cert + * @throws SSLException + */ + + private static void verifyHostName(final String host, X509Certificate cert) + throws SSLException { +// I'm okay with being case-insensitive when comparing the host we used +// to establish the socket to the hostname in the certificate. +// Don't trim the CN, though. + +
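Review bot: the verifyHostName javadoc in this axis patch links CVE-2012-5783, the commons-httpclient CVE; the DEP-3 header and this bug are for CVE-2012-5784, so fix the reference. In the `session == null` fallback, `in.available()` and `ssl.startHandshake()` can throw IOException, and as in the createSocket change the caller leaves sslSocket open when verification fails; close it before rethrowing. `certs[0]` from getPeerCertificates() is the peer's own certificate, which is the right one to check. The overload verifyHostName(String, X509Certificate) is cut off in this copy, so the matching rules are not reviewable here. Same comment typos as the httpclient patch ("certicifate", "orderdered", "tests host matches").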
Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784
Hi

I've uploaded new packages to mentors. I'll be out until Monday, so feel free to review the patches and sponsor the new version if you are all confident it's all OK.

I think now it's fine, but if you find some other bug or improvement, I'll be happy to correct it.

I'll insist next week upstream to include the last fix.

On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
> Hi Alberto,
>
> thanks for your continuous work on this. As I said in my previous mail please remember to reopen the according bugs to make sure the previous solution will not migrate to testing.
>
> I'll volunteer to sponsor your new version if you confirm that this is needed to finally fix the issue.
>
> Kind regards
>
> Andreas.
>
> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
>> Hi All,
>>
>> I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.
>>
>> The first patch is backported from httpclient 4.0 and apache synapse. This second patch backports some fixes from httpclient 4.2.
>>
>> The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.
>>
>> The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.
>>
>> I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.
>>
>> Thanks
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi

I've reopened the two bugs.

The first patch was incomplete, as pointed out by David and by another bug I've found reviewing the code.

The bug pointed out by David can occur in some rare cases where the CA issues malformed certificates. It's rare, but there are many CAs...

The other bug is about wildcard certificate validation. The first patch incorrectly validates some cases. They're also rare cases of certificates of type *.xxx.com.

Both are very rare cases, but I think they must be fixed before release.

In outline, host names correctly validated:

original - 0% (no validation at all)
first patch - ¿99%? Never fails with valid certificates, blocks the majority of invalid requests, allows a few rare cases which should be blocked
second patch - 100%. I hope.

Thanks for your patience
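As an added example, not code from the Debian patches or from httpclient itself: the host-name matching rules a backported verifier has to apply, written as a stand-alone Java class. The class and method names (HostnameMatchExample, certificateNames, hostMatches, verifyHostName) are mine; the BAD_COUNTRY_2LDS values are the ones listed in the commons-httpclient patch earlier in this thread. It goes a little beyond the message: it also refuses wildcards against IP-literal hosts and against one-label names such as *.com, and it reads names from subjectAltName before falling back to the CN, which is where the malformed-DN problem David pointed out lives.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;

// Added example (hypothetical class and method names): host name verification
// in the style of the browser-compatible verifier the Debian patches backport.
public final class HostnameMatchExample {

    // Second-level domains under which a wildcard is never accepted.
    // Values copied from the patch; Arrays.binarySearch needs them sorted.
    private static final String[] BAD_COUNTRY_2LDS = {
        "ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
        "lg", "ne", "net", "or", "org"
    };

    // Names the certificate was issued for: every subjectAltName dNSName,
    // or the CN(s) of the subject DN when the certificate has no dNSName.
    // LdapName parses the RFC 2253 form, so odd but legal DNs do not break it.
    static List<String> certificateNames(X509Certificate cert) throws SSLException {
        List<String> names = new ArrayList<String>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (Integer.valueOf(2).equals(san.get(0))) {   // 2 = dNSName
                        names.add(String.valueOf(san.get(1)));
                    }
                }
            }
            if (names.isEmpty()) {
                LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
                for (Rdn rdn : dn.getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) {
                        names.add(String.valueOf(rdn.getValue()));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            throw new SSLException("cannot parse subjectAltName", e);
        } catch (InvalidNameException e) {
            throw new SSLException("cannot parse subject DN", e);
        }
        return names;
    }

    // True if host matches one of the names: exact (case-insensitive) match,
    // or a leftmost-label wildcard that stands for exactly one label.
    static boolean hostMatches(String host, List<String> names) {
        String h = host.trim().toLowerCase(Locale.US);
        boolean ipLiteral = h.indexOf(':') >= 0 || h.matches("[0-9.]+");
        for (String raw : names) {
            String name = raw.trim().toLowerCase(Locale.US);
            if (name.equals(h)) {
                return true;
            }
            if (ipLiteral || !name.startsWith("*.") || name.indexOf('*', 1) >= 0) {
                continue;   // IP literals and names with wildcards elsewhere never match
            }
            String[] labels = name.split("\\.");
            if (labels.length < 3) {
                continue;   // "*.com" style names are not acceptable wildcards
            }
            if (labels.length == 3 && labels[2].length() == 2
                    && Arrays.binarySearch(BAD_COUNTRY_2LDS, labels[1]) >= 0) {
                continue;   // "*.co.uk" would cover every site in that registry
            }
            String suffix = name.substring(1);             // ".example.com"
            if (h.endsWith(suffix)) {
                String prefix = h.substring(0, h.length() - suffix.length());
                if (!prefix.isEmpty() && prefix.indexOf('.') < 0) {
                    return true;                           // wildcard covers one label
                }
            }
        }
        return false;
    }

    // What a socket factory would call right after the handshake.
    static void verifyHostName(String host, X509Certificate cert) throws SSLException {
        List<String> names = certificateNames(cert);
        if (!hostMatches(host, names)) {
            throw new SSLException("hostname in certificate didn't match: <" + host + "> != " + names);
        }
    }

    public static void main(String[] args) {
        // Constructed samples: certificate names given as strings, no real certificate needed.
        List<String> wildcard = Arrays.asList("*.example.com");
        System.out.println(hostMatches("www.example.com", wildcard));          // one label under the wildcard
        System.out.println(hostMatches("a.b.example.com", wildcard));          // two labels under the wildcard
        System.out.println(hostMatches("example.com", wildcard));              // nothing under the wildcard
        System.out.println(hostMatches("foo.co.uk", Arrays.asList("*.co.uk")));   // wildcard under a country 2LD
        System.out.println(hostMatches("Example.COM", Arrays.asList("example.com"))); // exact, case-insensitive
    }
}
```

The *.xxx.com cases the message mentions are the wildcard branch: the wildcard stands for exactly one label, so a host with two labels in front of the suffix is not covered, and a wildcard directly under a country-code registry's second-level domain is refused because it would cover every site there. certificateNames() uses only the standard X509Certificate and LdapName APIs, so verifyHostName() can be called with the first element of SSLSession.getPeerCertificates() once the handshake has completed; on failure the caller should close the socket before propagating the exception.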
Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784
Hi,

I've uploaded the two packages to mentors.debian.net. We must solve the two bugs at the same time because axis uses commons-httpclient.

Upstream seems End-of-life and rejected the patches.

On Wed, 05-12-2012 at 16:43 +0100, Andreas Tille wrote:
> Hi,
>
> seems the package is ready for an upload. Any reason why this is not done? I could sponsor an upload or NMU if this would help.
>
> Kind regards
>
> Andreas.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Andreas

I've uploaded both packages to mentors.

commons-httpclient - bug #692442 CVE-2012-5783
axis - bug #692650 CVE-2012-5784

Since axis uses commons-httpclient, we need to fix and upload both packages.

Upstream has ignored the axis patch, and rejected the commons-httpclient patch. Basically, they say commons-httpclient is EOL and they don't want to spend time on it. They might apply the patch to the SVN, but without revision and without releasing.

I've tested the patches and they work OK. So I think it's fine to upload.

Kind regards
Alberto

On Wed, 05-12-2012 at 21:51 +0100, Andreas Tille wrote:
> Hi Alberto,
>
> On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
>> I've uploaded the two packages to mentors.debian.net. We must solve the two bugs at the same time because axis uses commons-httpclient.
>
> I guess you mean bug #692442, right?
>
>> Upstream seems End-of-life and rejected the patches.
>
> Did upstream actively *reject* the patch because of technical flaws or did they just ignore it because of the end-of-life status? There is no real need to have a patch accepted upstream if we as Debian maintainers agree that the patch is technically solving the reported problem. We actually do *not* want new upstream versions.
>
> So as far as I see we currently have the following situation: A package for axis that solves #692650 is waiting on mentors for sponsoring. I'd volunteer to do this. Did you upload commons-httpclient fixing #692442 to mentors as well? If not I could also apply the patch in BTS and upload both to unstable.
>
> Just tell me if there is any reason to not upload these both packages?
>
> Kind regards and thanks for providing the patches
>
> Andreas.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Mike,

I don't understand what you expect from me. I've uploaded the patches to the BTS, I don't know what the next step is. I suppose a maintainer would pick it from there. If there's something I can do let me know.

Thanks,

Alberto

On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
> > I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch, it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
> > I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch, it can break programs that connect with bad hostnames (IPs, host in /etc/hostname, etc.)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike

Hi Mike

I've read your tip again. Sorry for not understanding the first time. I'll prepare the patch again upstream, and post it on their BTS.
Bug#692442: patch upstream
Here is the patch posted to upstream: https://issues.apache.org/jira/browse/HTTPCLIENT-1265
Bug#692650: patch
Patch posted upstream: https://issues.apache.org/jira/browse/AXIS-2883
Bug#692442: patch
Hi I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea apply the patch, it can break programs that connect with bad hostnames (ips, host in /etc/hostname, etc) Description: Validates the hostname requested is the same in the certificate in ssl-connections Fixes CVE-2012-5783, validates hostname certificate in SSL connections. Backported from http-client 4, and from Apache Synapse (plus some bugfixes). Author: Alberto Fernandez inf...@gmail.com Bug-Debian: http://bugs.debian.org/692442 Forwarded: no --- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -31,11 +31,23 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; import org.apache.commons.httpclient.ConnectTimeoutException; import org.apache.commons.httpclient.params.HttpConnectionParams; 
@@ -55,6 +67,11 @@ public class SSLProtocolSocketFactory im */ private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory(); +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; + /** * Gets an singleton instance of the SSLProtocolSocketFactory. * @return a SSLProtocolSocketFactory @@ -79,12 +96,14 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -124,16 +143,19 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { -return createSocket(host, port, localAddress, localPort); +Socket sslSocket = createSocket(host, port, localAddress, localPort); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } else { // To be eventually deprecated when migrated to Java 1.4 or above -Socket socket = ReflectionSocketFactory.createSocket( +Socket sslSocket = ReflectionSocketFactory.createSocket( javax.net.ssl.SSLSocketFactory, host, port, localAddress, localPort, timeout); -if (socket == null) { -socket = ControllerThreadSocketFactory.createSocket( +if (sslSocket == null) { + sslSocket = ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } -return socket; +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } } 
@@ -142,10 +164,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -157,14 +181,267 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { -return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( +Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; +} + + + + +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */
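Review bot: the comment on BAD_COUNTRY_2LDS in the hunk at @@ -55,6 +67,11 @@ reads "This is a a sorted list, if you insert new elements do it orderdered"; fix the doubled word and the typo, and state why order matters (java.util.Arrays is imported, which suggests Arrays.binarySearch, and that returns arbitrary results on an unsorted array instead of failing). The Javadoc added at the end of the patch also has "certicifate" for "certificate".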
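Review bot: the timeout == 0 branch in the hunk at @@ -124,16 +143,19 @@ now verifies the hostname twice: it delegates to createSocket(host, port, localAddress, localPort), which this same patch makes call verifyHostName, and then calls verifyHostName(host, (SSLSocket) sslSocket) again on the socket it got back. The ControllerThreadSocketFactory.createSocket(this, ...) fallback is handed this factory, so it likely ends up in the same already-verifying overload too. Harmless, but drop the redundant call here, or better, route every public createSocket overload through one private helper that does the verification once.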
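Review bot: in the hunk at @@ -157,14 +181,267 @@ (and in the other three createSocket overloads) the pair `verifyHostName(host, (SSLSocket) sslSocket); return sslSocket;` leaks the freshly opened TLS connection when verifyHostName throws, because nothing closes sslSocket on the failure path. Wrap the call in try/catch, close the socket, and rethrow the SSLException, so a hostname mismatch does not leave a half-open connection behind on every failed attempt.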
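The concern raised above about hosts given as IP addresses, as an added example that is not the patch's code nor Apache's: a hypothetical HostnameCheck class that checks dNSName and iPAddress subjectAltNames first, falls back to the CN only for DNS hostnames with no SANs, matches a wildcard against a single label, and never matches an IP literal against a CN.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;

public final class HostnameCheck { // hypothetical class for this example, not code from the patch
    private static final int DNS_NAME = 2, IP_ADDRESS = 7; // GeneralName tags from getSubjectAlternativeNames()

    public static void verify(String host, X509Certificate cert) throws SSLException {
        String h = host.trim().toLowerCase(Locale.ROOT);
        List<String> dns = new ArrayList<>(), ips = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type == DNS_NAME) dns.add(((String) san.get(1)).toLowerCase(Locale.ROOT));
                else if (type == IP_ADDRESS) ips.add((String) san.get(1));
            }
        } catch (CertificateParsingException e) { throw new SSLException("cannot parse subjectAltName", e); }
        if (h.contains(":") || h.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            // Connecting by IP literal: only an iPAddress SAN counts, the CN is never consulted.
            if (ips.contains(h)) return;
            throw new SSLException("IP " + host + " is not listed in the certificate");
        }
        // dNSName SANs take precedence; the CN is only a fallback when there are none.
        List<String> candidates = dns.isEmpty() ? commonNames(cert) : dns;
        for (String c : candidates) if (matches(c, h)) return;
        throw new SSLException("hostname " + host + " does not match " + candidates);
    }

    // "*.example.com" matches exactly one label; "*" alone or "*.com" never matches.
    static boolean matches(String pattern, String host) {
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);             // ".example.com"
        if (suffix.indexOf('.', 1) < 0) return false;     // refuse a wildcard covering a whole TLD
        return host.indexOf('.') > 0 && host.endsWith(suffix) && host.indexOf('.') == host.length() - suffix.length();
    }

    static List<String> commonNames(X509Certificate cert) {
        List<String> cns = new ArrayList<>();
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if ("CN".equalsIgnoreCase(rdn.getType())) cns.add(String.valueOf(rdn.getValue()).toLowerCase(Locale.ROOT));
        } catch (InvalidNameException e) { } // unparsable subject: treat as having no CN
        return cns;
    }
}
```

A client that connects to a bare IP therefore fails unless the server certificate carries an iPAddress SAN, which is the breakage the message above anticipates; the fix on the deployment side is a certificate with the right SAN, not a weaker check.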
Bug#692650: patch
Hi I've made a patch (attached) It's basically the same patch i've submitted to commons-httpclient (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442 ), This patch is tested in commons-httpclient but untested in axis (sorry) Description: Validates the hostname requested is the same in the certificate in ssl-connections Fixes CVE-2012-5784, validates hostname certificate in SSL connections. Backported from http-client 4, and from Apache Synapse (plus some bugfixes). Author: Alberto Fernandez inf...@gmail.com Bug-Debian: http://bugs.debian.org/692650 Forwarded: no --- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java +++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java @@ -19,6 +19,8 @@ import org.apache.axis.utils.Messages; import org.apache.axis.utils.XMLUtils; import org.apache.axis.utils.StringUtils; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import java.io.BufferedWriter; @@ -28,7 +30,15 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.net.Socket; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; import java.util.Hashtable; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; /** @@ -41,6 +51,10 @@ import java.util.Hashtable; */ public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory { +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; /** Field sslFactory */ protected SSLSocketFactory sslFactory = null; 
@@ -187,6 +201,255 @@ public class JSSESocketFactory extends D if (log.isDebugEnabled()) { log.debug(Messages.getMessage(createdSSL00)); } +verifyHostName(host, (SSLSocket) sslSocket); return sslSocket; } +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new IllegalArgumentException(host to verify was null); + } + + SSLSession session = ssl.getSession(); + if (session == null) { +// In our experience this only happens under IBM 1.4.x when +// spurious (unrelated) certificates show up in the server's chain. +// Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); +/* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + +#1. Clean up the certificate chain that your server + is presenting (e.g. edit /etc/apache2/server.crt or + wherever it is your server's certificate chain is + defined). + + OR + +#2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + +// If ssl.getInputStream().available() didn't cause an exception, +// maybe at least now the session is available? + session = ssl.getSession(); + if (session == null) { +// If it's still null, probably a startHandshake() will +// unearth the real problem. +ssl.startHandshake(); + +// Okay, if we still haven't managed to cause an exception, +// might as well go for the NPE. Or maybe we're okay now? 
+session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + verifyHostName(host.trim().toLowerCase(), (X509Certificate) certs[0]); + } + /** + * Extract the names from the certificate and tests host matches one of them + * @param host + * @param cert + * @throws SSLException + */ + + private static void verifyHostName(final String host, X509Certificate cert) + throws SSLException { +// I'm okay with being case-insensitive when comparing the host we used +// to establish the socket to the hostname in the certificate. +// Don't trim the CN, though. + + String cn = getCN(cert); + String[] subjectAlts = getDNSSubjectAlts(cert); + verifyHostName(host, cn.toLowerCase(), subjectAlts); + + } + + /** + * Extract all alternative names from a certificate. + * @param cert + *
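Review bot: the Javadoc in the hunk at @@ -187,6 +201,255 @@ links http://www.cvedetails.com/cve/CVE-2012-5783/, but this patch is for CVE-2012-5784 (axis, #692650), as the DEP-3 header above it says; CVE-2012-5783 is the commons-httpclient issue, so the reference was copied over unchanged. In the same hunk verifyHostName(String, X509Certificate) calls cn.toLowerCase() unconditionally, so if getCN(cert) returns null for a subject with no CN (a SAN-only certificate) the result is a NullPointerException rather than a clean SSLException; guard the null case or let the three-argument verifyHostName treat a null CN as no match. The header also says the patch is untested in axis: at least compile it, since verifyHostName uses InputStream and none of the import hunks in this patch add java.io.InputStream (the commons-httpclient version does). Same remark as on that patch: verifyHostName(host, (SSLSocket) sslSocket) before `return sslSocket;` does not close the socket when verification fails.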
Bug#689484: chromium blocks icedtea saying it is outdated
The upstream bug is at: http://code.google.com/p/chromium/issues/detail?id=138386

It's marked as Fixed, but I think it needs some more work (last comment says it's undone).
Bug#630914: wrong searchpath for default.style
I've tried putting a new rule in debian/rules and it works:

    override_dh_auto_configure:
    	dh_auto_configure -- --datarootdir=/usr/share/osm2pgsql
Bug#630895: Incorrect postgres port
Hi

Default postgresql port is 5432. If you try to install two different postgresql versions on Debian, it assigns the next port to the new database. I guess you have (at least at 8.4 install time) postgresql 8.3 installed too.

I think it's not a bug (default port is ok) and you can always use the --port parameter.
Bug#578624: josm does not start via josm exit
It's the launcher script, not josm. The echo command is failing if no console is available (or it is redirected somewhere). If you put the echo commands this way

    echo "message" || true

all works fine.

    if [ $JAVACMD ]; then
        echo "Using $JAVACMD to execute josm." || true
        exec $JAVACMD $JAVA_OPTS -jar /usr/share/josm/josm.jar "$@"
    else
        echo "No valid JVM found to run JOSM." || true
        exit 1
    fi
Bug#608258: JOSM doesn't follow 301 HTTP response (Moved Permanently)
Seems to be fixed upstream in version 4262. I've tested on debian sid (4487) and it seems to be ok.
Bug#579206: osmosis doesn't have initialized log4j appenders after upgrade
Hi,

I've solved that on my machine. You can try the following:

Create the file /etc/osmosis/log4j.properties with a simple line (file attached):

    log4j.logger.org.java.plugin=WARN

I've tried an empty file, because log4j is configured by osmosis (or a library osmosis uses), but it doesn't work.

To tell log4j/osmosis to use that file, edit /usr/bin/osmosis and put an option to the launcher:

    -Dlog4j.configuration=file:/etc/osmosis/log4j.properties

    # Only show WARN or higher messages for org.java.plugin package
    log4j.logger.org.java.plugin=WARN
Bug#529294: josm: Can't load library: /usr/lib/jvm/java-6-openjdk/jre/lib/ext/libjava-access-bridge-jni.so
In debian sid (amd64) you can solve it by installing libaccess-bridge-java-jni. Maybe it can be a 'required' by josm.

This package installs libjava-access-bridge-jni.so to /usr/lib/jni/libjava-access-bridge-jni.so, so you need to create a symlink in /usr/lib/jvm/java-6-openjdk/jre/lib/ext/libjava-access-bridge-jni.so:

    ln -s /usr/lib/jni/libjava-access-bridge-jni.so /usr/lib/jvm/java-6-openjdk/jre/lib/ext/libjava-access-bridge-jni.so