Bug#1051288: marked as done (axis: CVE-2023-40743)

2023-11-12 Thread Debian Bug Tracking System
Your message dated Sun, 12 Nov 2023 15:02:25 +
with message-id 
and subject line Bug#1051288: fixed in axis 1.4-28+deb11u1
has caused the Debian Bug report #1051288,
regarding axis: CVE-2023-40743
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: axis
Version: 1.4-28
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for axis.

CVE-2023-40743[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in
| an application, it may not have been obvious that looking up a
| service through "ServiceFactory.getService" allows potentially
| dangerous lookup mechanisms such as LDAP. When passing untrusted
| input to this API method, this could expose the application to DoS,
| SSRF and even attacks leading to RCE.  As Axis 1 has been EOL we
| recommend you migrate to a different SOAP engine, such as Apache
| Axis 2/Java. As a workaround, you may review your code to verify no
| untrusted or unsanitized input is passed to
| "ServiceFactory.getService", or by applying the patch from
| https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 .
| The Apache Axis project does not expect to create an Axis 1.x release
| fixing this problem, though contributors that would like to work
| towards this are welcome.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40743
https://www.cve.org/CVERecord?id=CVE-2023-40743
[1] https://www.openwall.com/lists/oss-security/2023/09/05/1
[2] https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
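The workaround in the advisory above is to make sure no untrusted value reaches "ServiceFactory.getService". The following is an added example, not code from the Axis project or the Debian package: a wrapper that enforces an exact-match allowlist of JNDI names before delegating, so a caller can never choose the lookup scheme (ldap:, rmi:, ...) themselves. The environment key "jndiName" and the return type org.apache.axis.client.Service are taken from my reading of the Axis 1.4 source and should be checked against your version; the allowlisted names are constructed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.axis.client.Service;
import org.apache.axis.client.ServiceFactory;

/**
 * Added example (not Axis project code): only a fixed set of JNDI names
 * may ever be handed to ServiceFactory.getService, which otherwise performs
 * an InitialContext lookup on whatever string it is given.
 */
public final class SafeServiceLookup {

    // Constructed allowlist: the only names this application binds itself.
    private static final Set<String> ALLOWED_JNDI_NAMES =
            Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
                    "java:comp/env/service/Inventory",
                    "java:comp/env/service/Billing")));

    private SafeServiceLookup() {}

    /**
     * Returns the requested name only if it is exactly one of the allowed
     * ones. Exact match, no prefix matching and no normalisation, so a value
     * carrying a scheme or path tricks is rejected before any lookup happens.
     */
    static String requireAllowed(String requested) {
        if (requested == null || !ALLOWED_JNDI_NAMES.contains(requested)) {
            throw new IllegalArgumentException(
                    "service name is not in the allowlist");
        }
        return requested;
    }

    /** Looks up an Axis 1.x service by an allowlisted JNDI name. */
    public static Service lookup(String requested) {
        String name = requireAllowed(requested);
        Map<String, Object> environment = new HashMap<String, Object>();
        // "jndiName" is the key Axis 1.x reads for the JNDI lookup
        // (assumption from the Axis 1.4 source; verify for your version).
        environment.put("jndiName", name);
        return ServiceFactory.getService(environment);
    }
}
```

Rejecting unknown names with an exception, rather than falling through to a default, keeps a bad value from reaching the lookup and gives you a log line to alert on.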
--- Begin Message ---
Source: axis
Source-Version: 1.4-28+deb11u1
Done: Markus Koschany 

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 17 Oct 2023 14:05:20 +0200
Source: axis
Architecture: source
Version: 1.4-28+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Closes: 1051288
Changes:
 axis (1.4-28+deb11u1) bullseye; urgency=medium
 .
   * Team upload.
   * Fix CVE-2023-40743:
 When integrating Apache Axis 1.x in an application, it may not have been
 obvious that looking up a service through "ServiceFactory.getService"
 allows potentially dangerous lookup mechanisms such as LDAP. When passing
 untrusted input to this API method, this could expose the application to
 DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)

Bug#1051288: marked as done (axis: CVE-2023-40743)

2023-11-05 Thread Debian Bug Tracking System
Your message dated Sun, 05 Nov 2023 17:47:08 +
with message-id 
and subject line Bug#1051288: fixed in axis 1.4-28+deb12u1
has caused the Debian Bug report #1051288,
regarding axis: CVE-2023-40743
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: axis
Source-Version: 1.4-28+deb12u1
Done: Markus Koschany 

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 17 Oct 2023 14:05:20 +0200
Source: axis
Architecture: source
Version: 1.4-28+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Closes: 1051288
Changes:
 axis (1.4-28+deb12u1) bookworm; urgency=medium
 .
   * Team upload.
   * Fix CVE-2023-40743:
 When integrating Apache Axis 1.x in an application, it may not have been
 obvious that looking up a service through "ServiceFactory.getService"
 allows potentially dangerous lookup mechanisms such as LDAP. When passing
 untrusted input to this API method, this could expose the application to
 DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)

Bug#1051288: marked as done (axis: CVE-2023-40743)

2023-10-16 Thread Debian Bug Tracking System
Your message dated Mon, 16 Oct 2023 23:34:18 +
with message-id 
and subject line Bug#1051288: fixed in axis 1.4-29
has caused the Debian Bug report #1051288,
regarding axis: CVE-2023-40743
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1051288: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051288
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: axis
Source-Version: 1.4-29
Done: Markus Koschany 

We believe that the bug you reported is fixed in the latest version of
axis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1051...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany  (supplier of updated axis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Tue, 17 Oct 2023 01:00:51 +0200
Source: axis
Architecture: source
Version: 1.4-29
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Closes: 1051288
Changes:
 axis (1.4-29) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2023-40743:
 When integrating Apache Axis 1.x in an application, it may not have been
 obvious that looking up a service through "ServiceFactory.getService"
 allows potentially dangerous lookup mechanisms such as LDAP. When passing
 untrusted input to this API method, this could expose the application to
 DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
   * Switch to debhelper-compat = 13.
   * Declare compliance with Debian Policy 4.6.2.