Control: tags -1 patch


I have prepared a new revision for axis which addresses the security
vulnerability, bug #762444, and I am looking for someone who wants to
review and upload the package.

The package can either be found at

or in the SVN repository.

I think this issue warrants a DSA and I also intend to prepare a fix for
wheezy soonish.


* Team upload.
* Fix CVE-2014-3596.
  - Relace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
    both CVE issues. Thanks to Raphael Hertzog for the report.
  - The getCN function in Apache Axis 1.4 and earlier does not properly
    verify that the server hostname matches a domain name in the subject's
    Common Name (CN) or subjectAltName field of the X.509 certificate,
    which allows man-in-the-middle attackers to spoof SSL servers via a
    certificate with a subject that specifies a common name in a field
    that is not the CN field.  NOTE: this issue exists because of an
    incomplete fix for CVE-2012-5784.
  - (Closes: #762444)
* Declare compliance with Debian Policy 3.9.6.
* Use compat level 9 and require debhelper >=9.
* Use canonical VCS fields.


Attachment: signature.asc
Description: Digital signature

This is the maintainer address of Debian's Java team
Please use for discussions and questions.

Reply via email to