[ https://issues.apache.org/jira/browse/AXIS-2883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460816#comment-17460816 ]
Robert Lazarski commented on AXIS-2883: --------------------------------------- This issue is not for axis2 but rather axis 1.x that was last released in 2006. This issue was closed because it is superceded by AXIS-2905. The original fix was complete and the OP chose to create another issue. We are required by the Apache security team to keep the trunk up to date regarding CVE's. I am not a user of Axis 1.x myself so it would require community interest to push that forward in terms of an official release. > Insecure certificate validation CVE-2012-5784 > --------------------------------------------- > > Key: AXIS-2883 > URL: https://issues.apache.org/jira/browse/AXIS-2883 > Project: Axis > Issue Type: Bug > Affects Versions: 1.4 > Environment: All > Reporter: Alberto Fernández > Priority: Major > Attachments: CVE-2012-5784-2.patch > > > See. > http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf > Using JSSE you must manually validate server name you're connecting to > matches one of the names provided by the certificate. So you can detect a > man-in-the-middle type attack with a valid certificate for other site. > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784 -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org For additional commands, e-mail: java-dev-h...@axis.apache.org