[ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832589#comment-16832589 ]
robert lazarski edited comment on AXIS-2905 at 5/3/19 3:42 PM:
---------------------------------------------------------------

Thanks for looking into this ... the file referenced in the patch has not been updated since 2002! Some of it uses internal com.sun classes.

There are a couple of LDAP imports in the patch. I couldn't easily figure out a smaller jar to use, so for now this entry in the axis-rt-core pom.xml will do:

    <dependency>
      <groupId>org.apache.directory.server</groupId>
      <artifactId>apacheds-all</artifactId>
      <version>2.0.0.AM25</version>
    </dependency>

When compiling on Linux with jdk1.8.0_181 and the latest maven 3.6.1 with -X (debug mode) I ran into this error. That's as far as I have time on this today; I don't run axis 1.x myself anymore - I just help maintain it:

    [INFO] --- animal-sniffer-maven-plugin:1.8:check (default) @ axis-rt-core ---
    [INFO] Checking unresolved references to org.codehaus.mojo.signature:java14-sun:1.0
    [INFO] ------------------------------------------------------------------------
    [INFO] BUILD FAILURE
    [INFO] ------------------------------------------------------------------------
    [INFO] Total time: 8.488 s
    [INFO] Finished at: 2019-05-03T05:38:00-10:00
    [INFO] ------------------------------------------------------------------------
    [ERROR] Failed to execute goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check (default) on project axis-rt-core: Execution default of goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check failed: Invalid signature file digest for Manifest main attributes -> [Help 1]

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
>                 Key: AXIS-2905
>                 URL: https://issues.apache.org/jira/browse/AXIS-2905
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>            Priority: Major
>         Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to
> check that the server hostname matches the domain name in the subject's CN
> field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack
> where the attacker can spoof a valid certificate using a specially crafted
> subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433