Your message dated Wed, 01 Oct 2014 03:19:16 +0000
with message-id <e1xzarg-0000jh...@franck.debian.org>
and subject line Bug#762444: fixed in axis 1.4-21
has caused the Debian Bug report #762444,
regarding Insecure certificate validation CVE-2014-3596
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
762444: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762444
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: axis
Severity: grave
Tags: security

Hi,
the following vulnerability was published for axis.

CVE-2014-3596[0]:
| The getCN function in Apache Axis 1.4 and earlier does not properly
| verify that the server hostname matches a domain name in the subject's
| Common Name (CN) or subjectAltName field of the X.509 certificate,
| which allows man-in-the-middle attackers to spoof SSL servers via a
| certificate with a subject that specifies a common name in a field
| that is not the CN field.  NOTE: this issue exists because of an
| incomplete fix for CVE-2012-5784.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
    https://security-tracker.debian.org/tracker/CVE-2014-3596
    https://issues.apache.org/jira/browse/AXIS-2905
Please adjust the affected versions in the BTS as needed.

As it turns out, the fix for CVE-2012-5784 was incomplete and
there's an updated patch available provided by RedHat:
https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch

Please replace debian/patches/06-fix-CVE-2012-5784.patch with this
one.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/

--- End Message ---
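The CVE text above describes a getCN that can be fooled by a subject DN in which the string "CN=" occurs inside some other attribute's value. The following is an added illustration, not code from Apache Axis or from the Red Hat patch: a naive substring-based extractor of the kind the advisory warns about is placed beside a hardened one that parses the DN into RDNs with the JDK's own RFC 2253 parser (javax.naming.ldap.LdapName) and only accepts values whose attribute type is CN, then matches the hostname against dNSName SAN entries first and CN values only as a fallback. The class name, method names and the sample subject string are all assumptions made for this example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/** Added example (not Axis code): extracting the CN from a subject DN and matching it to a hostname. */
public final class HostnameCheck {

    /**
     * Naive extraction in the spirit of the flawed pattern the CVE describes: it looks for the
     * substring "CN=" anywhere in the DN string, so "CN=" occurring inside another attribute's
     * value is mistaken for the CN attribute.
     */
    static String getCnNaive(String subjectDn) {
        int start = subjectDn.indexOf("CN=");
        if (start < 0) {
            return null;
        }
        int end = subjectDn.indexOf(',', start);
        return end < 0 ? subjectDn.substring(start + 3) : subjectDn.substring(start + 3, end);
    }

    /**
     * Hardened extraction: parse the DN into RDNs with the JDK's RFC 2253 parser and return the
     * values of attributes whose type is CN. A "CN=" inside another attribute's value is just
     * data here and is never returned. Unparsable input yields no names (fails closed).
     */
    static List<String> getCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType()) && rdn.getValue() instanceof String) {
                    cns.add((String) rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // leave the list empty; verify() then rejects the host
        }
        return cns;
    }

    /** Case-insensitive exact match, or a single-label wildcard ("*.example.test" covers one label only). */
    static boolean nameMatches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1); // ".example.test"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    /**
     * Verify a hostname against the certificate's identities: dNSName SAN entries when any are
     * present (common RFC 6125 practice), otherwise CN attributes from the parsed subject DN.
     */
    static boolean verify(String host, List<String> sanDnsNames, String subjectDn) {
        List<String> candidates = sanDnsNames.isEmpty() ? getCns(subjectDn) : sanDnsNames;
        for (String candidate : candidates) {
            if (nameMatches(host, candidate)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed subject: the expected hostname sits inside the O attribute's value, not in CN.
        String spoof = "O=CN=www.example.test,CN=attacker.example";
        List<String> noSan = Collections.<String>emptyList();
        System.out.println("naive CN : " + getCnNaive(spoof));
        System.out.println("parsed CN: " + getCns(spoof));
        System.out.println("verify   : " + verify("www.example.test", noSan, spoof));
        System.out.println("wildcard : " + verify("api.example.test", noSan, "CN=*.example.test"));
    }
}
```

Running the main method shows the naive extractor returning the value embedded in the O attribute while the parsed version only ever sees the real CN, so verify() rejects the constructed subject for www.example.test; the last line shows the wildcard path accepting a single-label match. The same parsed-RDN approach is what lets a verifier be indifferent to attribute order, escaping, and extra attributes in the subject.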
--- Begin Message ---
Source: axis
Source-Version: 1.4-21

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 762...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@gambaru.de> (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 Sep 2014 19:45:08 +0000
Source: axis
Binary: libaxis-java libaxis-java-doc
Architecture: source all
Version: 1.4-21
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@gambaru.de>
Description:
 libaxis-java - SOAP implementation in Java
 libaxis-java-doc - SOAP implementation in Java (documentation)
Closes: 762444
Changes:
 axis (1.4-21) unstable; urgency=high
 .
   * Team upload.
   * Fix CVE-2014-3596.
     - Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
       both CVE issues. Thanks to Raphael Hertzog for the report.
     - The getCN function in Apache Axis 1.4 and earlier does not properly
       verify that the server hostname matches a domain name in the subject's
       Common Name (CN) or subjectAltName field of the X.509 certificate,
       which allows man-in-the-middle attackers to spoof SSL servers via a
       certificate with a subject that specifies a common name in a field
       that is not the CN field.  NOTE: this issue exists because of an
       incomplete fix for CVE-2012-5784.
     - (Closes: #762444)
   * Declare compliance with Debian Policy 3.9.6.
   * Use compat level 9 and require debhelper >=9.
   * Use canonical VCS fields.
Checksums-Sha1:
 95cc11b21cf6819bc68eb8617806a454f4d98cfa 2246 axis_1.4-21.dsc
 263e0ff0b63af097bf4c3f85e7843d35d8fbe33d 11476 axis_1.4-21.debian.tar.xz
 dbd687ccba324618a07bf98505658c14e9acca9b 1495266 libaxis-java_1.4-21_all.deb
 f1d5d295146affa2c2c8125e8606f4c74f948483 1064692 libaxis-java-doc_1.4-21_all.deb
Checksums-Sha256:
 e97a76ebbb1b890b42c722db0343096d5d752081b264c8ec72998da38d39bbf5 2246 axis_1.4-21.dsc
 4f4f2750da840c330cbbe1fca32955c16fc8220d501d5db09601df7089c85677 11476 axis_1.4-21.debian.tar.xz
 3230be2f258dfcb953f2456eab192cbe5b9caaae224abef817d9f9cca9d0743b 1495266 libaxis-java_1.4-21_all.deb
 3946539a0c3eab191cf743b8a667bcd98bc8cd070eb6cbfc04d04730cb5d7038 1064692 libaxis-java-doc_1.4-21_all.deb
Files:
 ea9e4da875b544aaf75b87b468291b1c 1495266 java optional libaxis-java_1.4-21_all.deb
 b7b91fd7d069cd949bc3be444356dc14 1064692 doc optional libaxis-java-doc_1.4-21_all.deb
 9a5ece1c68e6e59ca50f345e92ea07e3 2246 java optional axis_1.4-21.dsc
 9738cc1034ad3534d9c9cb556c4b467b 11476 java optional axis_1.4-21.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

--- End Message ---
-- 
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use debian-j...@lists.debian.org for discussions and questions.
