Chris Lamb pushed to branch debian/jessie at Debian Java Maintainers / axis
Commits: 0656198b by Chris Lamb at 2024-07-10T18:37:08+01:00 Add debian/.gitlab-ci.yml. - - - - - 8be899ad by Chris Lamb at 2024-07-10T18:37:08+01:00 CVE-2018-8032 - - - - - fc147bb5 by Chris Lamb at 2024-07-10T18:37:29+01:00 CVE-2023-40743 - - - - - 4baa95fd by Chris Lamb at 2024-07-11T16:54:17+01:00 releasing package axis version 1.4-21+deb8u1 - - - - - 5 changed files: - + debian/.gitlab-ci.yml - debian/changelog - + debian/patches/CVE-2018-8032.patch - + debian/patches/CVE-2023-40743.patch - debian/patches/series Changes: ===================================== debian/.gitlab-ci.yml ===================================== @@ -0,0 +1,2 @@ +include: + - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/.yml ===================================== debian/changelog ===================================== @@ -1,3 +1,17 @@ +axis (1.4-21+deb8u1) jessie-security; urgency=high + + * Non-maintainer upload by the Debian ELTS team: + + - CVE-2018-8032: Fix a cross-site scripting (XSS) attack in the default + servlet/services. (Closes: #905328) + + - CVE-2023-40743: Fix an issue in ServiceFactory.getService that allowed + potentially dangerous lookup mechanisms. When passing untrusted input to + this API method, this could have exposed the application to DoS, SSRF and + even attacks leading to remote code execution. (Closes: #1051288) + + -- Chris Lamb <[email protected]> Thu, 11 Jul 2024 16:45:17 +0100 + axis (1.4-21) unstable; urgency=high * Team upload. ===================================== debian/patches/CVE-2018-8032.patch ===================================== @@ -0,0 +1,31 @@ +From: Chris Lamb <[email protected]> +Date: Wed, 10 Jul 2024 18:04:55 +0100 +Subject: CVE-2018-8032 + +--- + src/org/apache/axis/encoding/SerializationContext.java | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/src/org/apache/axis/encoding/SerializationContext.java b/src/org/apache/axis/encoding/SerializationContext.java +index adbff8a..55ec6aa 100644 +--- a/src/org/apache/axis/encoding/SerializationContext.java ++++ b/src/org/apache/axis/encoding/SerializationContext.java +@@ -1176,12 +1176,13 @@ public class SerializationContext implements javax.xml.rpc.encoding.Serializatio + sb.append(':'); + sb.append(map.getPrefix()); + } +- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) { ++ String qname = sb.toString(); ++ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) { + writer.write(' '); +- sb.append("=\""); +- sb.append(map.getNamespaceURI()); +- sb.append('"'); +- writer.write(sb.toString()); ++ writer.write(qname); ++ writer.write("=\""); ++ getEncoder().writeEncoded(writer, map.getNamespaceURI()); ++ writer.write('"'); + } + } + } ===================================== debian/patches/CVE-2023-40743.patch ===================================== @@ -0,0 +1,32 @@ +From: Markus Koschany <[email protected]> +Date: Tue, 17 Oct 2023 00:46:49 +0200 +Subject: CVE-2023-40743 + +Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 +--- + src/org/apache/axis/client/ServiceFactory.java | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java +index 33054a5..73e89ee 100644 +--- a/src/org/apache/axis/client/ServiceFactory.java ++++ b/src/org/apache/axis/client/ServiceFactory.java +@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory + + if (context != null) { + String name = (String)environment.get("jndiName"); ++ ++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) { ++ return null; ++ } + if (name == null) { + name = "axisServiceName"; + } +@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory + context.bind(name, service); + } catch (NamingException e1) { + // !!! Couldn't do it, what should we do here? ++ return null; + } + } + } else { ===================================== debian/patches/series ===================================== @@ -3,3 +3,5 @@ axis-bz152255.patch javadoc.diff CVE-2014-3596.patch +CVE-2018-8032.patch +CVE-2023-40743.patch View it on GitLab: https://salsa.debian.org/java-team/axis/-/compare/faace5b630864afe81ccc937c1e851ef637591bc...4baa95fd6701f7b21241932d0081c0d321ed200c -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/java-team/axis/-/compare/faace5b630864afe81ccc937c1e851ef637591bc...4baa95fd6701f7b21241932d0081c0d321ed200c You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ pkg-java-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-commits
