Bug#603284: Patch proposed

2015-01-25 Thread Alberto Fernández
Hi I've developped a patch to make iText not modify metadata on PdfStamperImp.java unless explicitily instructed. Patch attached --- a/core/com/lowagie/text/pdf/PdfStamperImp.java +++ b/core/com/lowagie/text/pdf/PdfStamperImp.java @@ -234,24 +234,9 @@ altMetadata = xmpMetadata;

Bug#692442: patch applied to commons-httpclient upstream

2012-12-16 Thread Alberto Fernández
Hi The patch is applied upstream: http://svn.apache.org/viewvc?view=revision&revision=1422573 http://svn.apache.org/repos/asf/httpcomponents/oac.hc3x/trunk Kind Regars Alberto __ This is the maintainer address of Debian's Java team

Bug#687692: testcase bug 687692

2012-12-11 Thread Alberto Fernández
Hie Tobias and Niels I've upload to the BTS a testcase for the bug. It's a protected pdf sample file and a simple java program that counts the number of pages of a PDF. It works fine in sid and fails in testing. Grettings Alberto __ This is the maintainer address of Debian's Java team

Bug#687692: examples

2012-12-11 Thread Alberto Fernández
Hi Tobias Here's a testcase. In sid it works fine, but if I use the jars provided in testing it fails. Important: the pdf file is "protected" , so it's necesary bouncycastle to decrpyt it. Normal pdf files don't fail because they don't need bouncycastle. Attached sample pdf and sample java that

Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-11 Thread Alberto Fernández
Hi. Both patches attached at upstream JIRA and reopened HTTPCLIENT-1265. Waiting for response. Kind regards Alberto __ This is the maintainer address of Debian's Java team . Please use debian-j...@lists.debian.org fo

Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-06 Thread Alberto Fernández
Hi I've reopened the two bugs. The first patch was incomplete, as pointed by David and by other bug i've found reviewing the code. The bug pointed by David can occur in some rare cases where the CA issues malformed certificates. It's rare, but there are may CA... The other bug it's about wildc

Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-06 Thread Alberto Fernández
ous > solution will not migrate to testing. I'll volunteer to sponsor your > new version if you confirm that this is needed to finally fix the issue. > > Kind regards > > Andreas. > > On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote: > > Hi

Bug#692650: patch for axis CVE-2012-5784 (full patch)

2012-12-06 Thread Alberto Fernández
Description: Fixed CN extraction from DN of X500 principal and wildcard validation axis (1.4-16.2) unstable; urgency=low * Fixed CN extraction from DN of X500 principal and wildcard validation Author: Alberto Fernández Martínez Origin: other Bug-Debian: http://bugs.debian.org/692650 Fo

Bug#692442: new patch for commons-httpclient CVE-2012-5783 (full patch)

2012-12-06 Thread Alberto Fernández
Description: Fixed CN extraction from DN of X500 principal and wildcard validation commons-httpclient (3.1-10.2) unstable; urgency=low * Fixed CN extraction from DN of X500 principal and wildcard validation Author: Alberto Fernández Martínez Origin: other Bug-Debian: http://bugs.debia

Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-06 Thread Alberto Fernández
Hi All, I've prepared the patch with the problem pointed by David fixed (thanks David). It also fixes a bug related to wildcard certificates. The first patch is backported from httpclient 4.0 and apache synapse. This second patch backports some fixes from httpclient 4.2 The patch differ a lot

Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-05 Thread Alberto Fernández
-12-2012 a las 21:51 +0100, Andreas Tille escribió: > Hi Alberto, > > On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote: > > I've uploaded the two packages to mentors.debian.net. > > > > We must solve the two bugs at the same time because axis uses

Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784

2012-12-05 Thread Alberto Fernández
Hi, I've uploaded the two packages to mentors.debian.net. We must solve the two bugs at the same time because axis uses commons-httpclient. Upstream seems End-of-life and rejected the patches. El mié, 05-12-2012 a las 16:43 +0100, Andreas Tille escribió: > Hi, > > seems the package is ready fo

Bug#692650: patch

2012-11-22 Thread Alberto Fernández
patch posted upstream: https://issues.apache.org/jira/browse/AXIS-2883 __ This is the maintainer address of Debian's Java team . Please use debian-j...@lists.debian.org for discussions and questions.

Bug#692442: patch upstream

2012-11-22 Thread Alberto Fernández
Here is the patch posted to upstream: https://issues.apache.org/jira/browse/HTTPCLIENT-1265 __ This is the maintainer address of Debian's Java team . Please use debian-j...@lists.debian.org for discussions and question

Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-11-22 Thread Alberto Fernández
El jue, 22-11-2012 a las 04:00 -0500, Michael Gilbert escribió: > > I've backported the routine to validate certificate name, and I've made > > a patch (attached). > > > > I'm not sure it's a good idea apply the patch, it can break programs > > that connect with "bad" hostnames (ips, host in /etc/

Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784

2012-11-22 Thread Alberto Fernández
Hi Mike, I don't understand what you expect from me. I've uploaded the patches to the BTS, I don't know what next steep is. I suppose a maintainer would pick it from there. If there's something I can do let me know. Thanks, Alberto El jue, 22-11-2012 a las 04:00 -0500, Michael Gilbert escribió:

Bug#692650: patch

2012-11-17 Thread Alberto Fernández
Hi I've made a patch (attached) It's basically the same patch i've submitted to commons-httpclient (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442 ), This patch is tested in commons-httpclient but untested in axis (sorry) Description: Validates the hostname requested is the same in the

Bug#692442: patch

2012-11-17 Thread Alberto Fernández
Hi I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea apply the patch, it can break programs that connect with "bad" hostnames (ips, host in /etc/hostname, etc) Description: Validates the hostname requested is the same in the