[https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15967085#comment-15967085]
Nilesh Shinde commented on AXIS2-5757:
--------------------------------------
Where and how can I access the builds with the fixes, or a patch, for these issues?
I am trying to use the link shared here, yet the link is not working.
NOT WORKING: https://builds.apache.org/job/axis2-1.7/72/
Why I need this:
CVE-2015-5262 - http/conn/ssl/SSLConnectionSocketFactory.java in Apache
HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout
configuration setting during an SSL handshake, which allows remote attackers to
cause a denial of service (HTTPS call hang) via unspecified vectors
CVE-2012-6153 - http/conn/ssl/AbstractVerifier.java in Apache Commons
HttpClient before 4.2.3 does not properly verify that the server hostname
matches a domain name in the subject's Common Name (CN) or subjectAltName field
of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL
servers via a certificate with a subject that specifies a common name in a
field that is not the CN field. NOTE: this issue exists because of an
incomplete fix for CVE-2012-5783
CVE-2014-3577 - org.apache.http.conn.ssl.AbstractVerifier in Apache
HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does
not properly verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509 certificate,
which allows man-in-the-middle attackers to spoof SSL servers via a "CN="
string in a field in the distinguished name (DN) of a certificate, as
demonstrated by the "foo,CN=www.apache.org" string in the O field
CVE-2012-5783 - Apache Commons HttpClient 3.x, as used in Amazon Flexible
Payments Service (FPS) merchant Java SDK and other products, does not verify
that the server hostname matches a domain name in the subject's Common Name
(CN) or subjectAltName field of the X.509 certificate, which allows
man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
certificate.
CVE-2011-1498 - Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents,
when used with an authenticating proxy server, sends the Proxy-Authorization
header to the origin server, which allows remote web servers to obtain
sensitive information by logging this header.
The action I want to perform is an upgrade to version 4.3.6+ of
commons-httpclient-4.3*.*.jar. I tried replacing it; however, it failed at
runtime with the errors below:
ERROR [http-nio-8090-exec-1] (WarBasedAxisConfigurator.java:180) - org/apache/commons/httpclient/HttpException
org.apache.axis2.deployment.DeploymentException: org/apache/commons/httpclient/HttpException
    at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:699)
    at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:123)
> Version of httpclient bundled in axis2-1.7.1 is exposed to the
> vulnerabilities CVE-2012-6153 and CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
> Key: AXIS2-5757
> URL: https://issues.apache.org/jira/browse/AXIS2-5757
> Project: Axis2
> Issue Type: Bug
> Components: transports
> Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
> Environment: Axis2 used as a Web Service Provider for an application
> Reporter: Deepak
> Assignee: Andreas Veithen
> Labels: security
> Fix For: 1.7.4
>
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to the
> vulnerabilities CVE-2012-6153 and CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is
> susceptible to CVE-2012-6153 and CVE-2014-3577.
> The vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in
> Apache Commons HttpClient before 4.2.3" is vulnerable.
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans do we have for Axis2 to address this vulnerability? Will it be fixed
> in the upcoming 1.7.2 or 1.8 release, or any other release? If yes, when would
> that be? The reason for this query is that our application uses Axis2 and is hence
> exposed to this vulnerability.
> Thanks,
> Regds,
> Deepak
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
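The hostname-verification weakness behind CVE-2012-6153 and CVE-2014-3577, as described in the NVD text quoted in the comment above, comes down to extracting the CN from the subject DN as a flat string instead of as parsed RDNs. The following is an added example, not Axis2 or HttpClient code and not a reproduction of AbstractVerifier's exact source; it is written in Python rather than Java so that it runs stand-alone. It places a naive "split on comma, look for CN=" extractor beside an RDN-aware parser that follows RFC 4514 escaping, and feeds both a constructed subject DN whose O attribute carries the text "foo,CN=www.apache.org". The function names (naive_cns, parse_rdns, verify_hostname) and the DN strings are this example's own.

```python
"""Hostname-verification bug class behind CVE-2012-6153 / CVE-2014-3577.

Constructed example, not Axis2 or HttpClient code.  A verifier that pulls the
CN out of the subject DN *string* by splitting on ',' and looking for 'CN='
can be handed a 'CN=' that lives inside another attribute's value (the O=
field in the CVE text).  The hardened path parses the DN into RDNs under
RFC 4514 escaping rules and only honours RDNs whose type really is CN.
"""
from typing import List, Sequence, Tuple


def naive_cns(subject_dn: str) -> List[str]:
    """Models the buggy approach: split on ',' and take tokens starting 'CN='.
    Escaping is ignored, so an escaped comma inside a value acts as a separator."""
    cns = []
    for tok in subject_dn.split(","):
        tok = tok.strip()
        if tok[:3].upper() == "CN=":
            cns.append(tok[3:])
    return cns


def parse_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (TYPE, value) pairs.

    Handles backslash-escaped literals, \\XX hex escapes (single ASCII byte;
    multi-byte UTF-8 sequences are out of scope here), RFC 1779 style
    double-quoted values, and '+' multi-valued RDNs (emitted as separate pairs).
    """
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    quoted = False
    i, n = 0, len(dn)

    def flush() -> None:
        part = "".join(buf).strip()
        buf.clear()
        if not part:
            return
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)   # type never contains '='
        pairs.append((attr_type.strip().upper(), value))

    while i < n:
        c = dn[i]
        if c == "\\" and i + 1 < n:
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(ch in "0123456789abcdefABCDEF" for ch in pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])           # keep the literal, drop the backslash
                i += 2
            continue
        if c == '"':
            quoted = not quoted
            i += 1
            continue
        if not quoted and c in ",;+":
            flush()
            i += 1
            continue
        buf.append(c)
        i += 1
    if quoted:
        raise ValueError("unterminated quoted value in DN")
    flush()
    return pairs


def parsed_cns(subject_dn: str) -> List[str]:
    """Hardened extraction: only the values of RDNs whose attribute type is CN."""
    return [v for t, v in parse_rdns(subject_dn) if t == "CN"]


def host_matches(hostname: str, identity: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a wildcard is only accepted
    as the entire left-most label and must leave two labels to its right."""
    hostname, identity = hostname.lower().rstrip("."), identity.lower().rstrip(".")
    if "*" not in identity:
        return hostname == identity
    if not identity.startswith("*."):
        return False
    suffix = identity[2:]
    if "*" in suffix or suffix.count(".") < 1:  # rejects '*.com'
        return False
    labels = hostname.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == suffix


def verify_hostname(hostname: str, subject_dn: str,
                    san_dns_names: Sequence[str] = (), rdn_aware: bool = True) -> bool:
    """dNSName SANs take precedence and the CN is ignored when any are present
    (RFC 6125 s6.4.4).  With no SANs the CN is used, via the RDN-aware parser
    (hardened) or the naive string scan (to show the bug)."""
    if san_dns_names:
        return any(host_matches(hostname, name) for name in san_dns_names)
    cns = parsed_cns(subject_dn) if rdn_aware else naive_cns(subject_dn)
    return any(host_matches(hostname, cn) for cn in cns)


# Constructed subject DNs (not real certificates).  The attacker holds a valid
# certificate for attacker.example and has set O to 'foo,CN=www.apache.org';
# in RFC 4514 string form the embedded comma is backslash-escaped or quoted.
ATTACK_DN = "CN=attacker.example,O=foo\\,CN=www.apache.org,C=US"
ATTACK_DN_QUOTED = 'CN=attacker.example,O="foo,CN=www.apache.org",C=US'
HONEST_DN = "CN=www.apache.org,O=Apache Software Foundation,C=US"


def demo() -> dict:
    return {
        "naive_spoofed": verify_hostname("www.apache.org", ATTACK_DN, rdn_aware=False),
        "hardened_rejects": verify_hostname("www.apache.org", ATTACK_DN, rdn_aware=True),
        "hardened_accepts_honest": verify_hostname("www.apache.org", HONEST_DN),
        "san_overrides_cn": verify_hostname("www.apache.org", ATTACK_DN,
                                            san_dns_names=["attacker.example"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The real fix in HttpClient moved to parsing the subject with javax.naming.ldap.LdapName and only reading RDNs typed CN; the Python parser above plays that role. Note also that the last check shows the behaviour a modern verifier should have regardless of CN parsing: once a certificate carries dNSName SANs, the CN is not consulted at all.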