[ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460812#comment-17460812 ]
Robert Lazarski edited comment on AXIS-2905 at 12/16/21, 3:29 PM:
------------------------------------------------------------------

This issue is not for axis2 but rather axis 1.x that was last released in 2006. We are required by the Apache security team to keep the trunk up to date regarding CVEs. I am not a user of Axis 1.x myself so it would require community interest to push that forward in terms of an official release.

was (Author: robertlazarski):
This issue is not for axis2 but rather axis 1.x that was last released in 2006. We are required by the Apache security team to keep the trunk up to date regarding CVEs. I am not a user of Axis 1.x myself so it would require community interest to push that forward.

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
>                 Key: AXIS-2905
>                 URL: https://issues.apache.org/jira/browse/AXIS-2905
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>            Priority: Major
>         Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to
> check that the server hostname matches the domain name in the subject's CN
> field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack
> where the attacker can spoof a valid certificate using a specially crafted
> subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433