[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RFS: axis 1.4-21 [RC]

Control: tags -1 patch


I have prepared a new revision for axis which addresses the security
vulnerability, bug #762444, and I am looking for someone who wants to
review and upload the package.

The package can either be found at mentors.debian.net


or in the SVN repository.

I think this issue warrants a DSA and I also intend to prepare a fix for
wheezy soonish.


* Team upload.
* Fix CVE-2014-3596.
  - Relace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
    both CVE issues. Thanks to Raphael Hertzog for the report.
  - The getCN function in Apache Axis 1.4 and earlier does not properly
    verify that the server hostname matches a domain name in the subject's
    Common Name (CN) or subjectAltName field of the X.509 certificate,
    which allows man-in-the-middle attackers to spoof SSL servers via a
    certificate with a subject that specifies a common name in a field
    that is not the CN field.  NOTE: this issue exists because of an
    incomplete fix for CVE-2012-5784.
  - (Closes: #762444)
* Declare compliance with Debian Policy 3.9.6.
* Use compat level 9 and require debhelper >=9.
* Use canonical VCS fields.


Attachment: signature.asc
Description: Digital signature

Reply to: