Your message dated Mon, 16 Oct 2023 23:34:18 +0000
with message-id <e1qsx6i-008dfr...@fasolo.debian.org>
and subject line Bug#1051288: fixed in axis 1.4-29
has caused the Debian Bug report #1051288,
regarding axis: CVE-2023-40743
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: axis
Version: 1.4-28
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for axis.

CVE-2023-40743[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in
| an application, it may not have been obvious that looking up a
| service through "ServiceFactory.getService" allows potentially
| dangerous lookup mechanisms such as LDAP. When passing untrusted
| input to this API method, this could expose the application to DoS,
| SSRF and even attacks leading to RCE.  As Axis 1 has been EOL we
| recommend you migrate to a different SOAP engine, such as Apache
| Axis 2/Java. As a workaround, you may review your code to verify no
| untrusted or unsanitized input is passed to
| "ServiceFactory.getService", or by applying the patch from
| https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 . The
| Apache Axis project does not expect to create an Axis 1.x release
| fixing this problem, though contributors that would like to work
| towards this are welcome.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40743
    https://www.cve.org/CVERecord?id=CVE-2023-40743
[1] https://www.openwall.com/lists/oss-security/2023/09/05/1
[2] https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
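The workaround named in the report above (make sure no untrusted or unsanitized input reaches ServiceFactory.getService), as an added example that is neither the bug report's nor the Axis project's code. It assumes, from the Axis 1.4 source rather than from this report, that the lookup name travels in the environment map under the key "jndiName" and is resolved through JNDI; the allowlisted service names are constructed placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.axis.client.Service;
import org.apache.axis.client.ServiceFactory;

/**
 * Guard placed in front of Axis 1.x ServiceFactory.getService(Map).
 * Assumption (not stated in the report): the lookup name is read from the
 * environment map under "jndiName" and handed to InitialContext.lookup(),
 * which is how a scheme-bearing name (e.g. LDAP) becomes a remote lookup.
 */
public final class GuardedServiceLookup {

    // Constructed allowlist: the only names this application ever resolves.
    private static final Set<String> ALLOWED_NAMES =
        Set.of("axisServiceName", "billingService", "inventoryService");

    // A plain JNDI atom: no URL scheme, no separators, no wildcards.
    private static final Pattern PLAIN_NAME = Pattern.compile("[A-Za-z0-9_]{1,64}");

    private GuardedServiceLookup() {}

    /** Returns the name unchanged, or throws if it is malformed or unknown. */
    static String validateName(String candidate) {
        if (candidate == null || !PLAIN_NAME.matcher(candidate).matches()) {
            throw new IllegalArgumentException("malformed service name");
        }
        if (!ALLOWED_NAMES.contains(candidate)) {
            throw new IllegalArgumentException("service name not on allowlist");
        }
        return candidate;
    }

    /** Pattern the CVE describes: a request-controlled value reaches the lookup unfiltered. */
    static Service lookupUnchecked(String nameFromRequest) {
        Map<String, Object> env = new HashMap<>();
        env.put("jndiName", nameFromRequest);   // no validation at all
        return ServiceFactory.getService(env);
    }

    /** Hardened form: the name is validated before the environment map is built. */
    static Service lookupChecked(String nameFromRequest) {
        Map<String, Object> env = new HashMap<>();
        env.put("jndiName", validateName(nameFromRequest));
        return ServiceFactory.getService(env);
    }
}
```

Callers that need dynamic lookups should map request parameters to allowlisted names rather than forwarding the raw string; the regex alone is a backstop, not the primary control.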
--- Begin Message ---
Source: axis
Source-Version: 1.4-29
Done: Markus Koschany <a...@debian.org>

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 Oct 2023 01:00:51 +0200
Source: axis
Architecture: source
Version: 1.4-29
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 1051288
Changes:
 axis (1.4-29) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2023-40743:
     When integrating Apache Axis 1.x in an application, it may not have been
     obvious that looking up a service through "ServiceFactory.getService"
     allows potentially dangerous lookup mechanisms such as LDAP. When passing
     untrusted input to this API method, this could expose the application to
     DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
   * Switch to debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.2.


--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.