Bug#762444: RFS: axis 1.4-21 [RC]
Markus Koschany
apo at gambaru.de
Thu Sep 25 21:00:47 UTC 2014
Control: tags -1 patch
Hi,
I have prepared a new revision for axis which addresses the security
vulnerability, bug #762444, and I am looking for someone who wants to
review and upload the package.
The package can either be found at mentors.debian.net
http://mentors.debian.net/debian/pool/main/a/axis/axis_1.4-21.dsc
or in the SVN repository.
I think this issue warrants a DSA and I also intend to prepare a fix for
wheezy soonish.
Changelog:
* Team upload.
* Fix CVE-2014-3596.
- Replace 06-fix-CVE-2012-5784.patch with CVE-2014-3596.patch which fixes
both CVE issues. Thanks to Raphael Hertzog for the report.
- The getCN function in Apache Axis 1.4 and earlier does not properly
verify that the server hostname matches a domain name in the subject's
Common Name (CN) or subjectAltName field of the X.509 certificate,
which allows man-in-the-middle attackers to spoof SSL servers via a
certificate with a subject that specifies a common name in a field
that is not the CN field. NOTE: this issue exists because of an
incomplete fix for CVE-2012-5784.
- (Closes: #762444)
* Declare compliance with Debian Policy 3.9.6.
* Use compat level 9 and require debhelper >=9.
* Use canonical VCS fields.
Markus
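The hostname-check failure described in the changelog above, as an added illustration that is not part of the original message and not Apache Axis code: a naive substring extraction of the CN from a subject DN string next to an RDN-aware one, and an RFC 6125-style match that prefers subjectAltName dNSNames over the CN. The DN strings and SAN lists are constructed; whether Axis's getCN looked exactly like naive_get_cn below is not shown on this page, only that it accepted a common name from a field that is not the CN field.

```python
"""Hostname verification against an X.509 subject (added example, not Axis code).

Two ways to pull the Common Name out of a subject DN string, and an
RFC 6125-style check that prefers subjectAltName dNSNames over the CN.
All DNs and SAN lists below are constructed for illustration.
"""
from typing import List, Optional, Sequence, Tuple


def naive_get_cn(subject_dn: str) -> Optional[str]:
    """Substring search for 'CN=' anywhere in the DN string.

    This is the flaw class the advisory describes: 'CN=' that appears
    inside another attribute's value (here O=) is returned as if it were
    the Common Name, so the attacker controls what gets compared.
    """
    i = subject_dn.find("CN=")
    if i < 0:
        return None
    j = subject_dn.find(",", i)
    end = j if j >= 0 else len(subject_dn)
    return subject_dn[i + 3:end].strip()


def _split_rdn(rdn: str) -> Tuple[str, str]:
    attr_type, _, value = rdn.strip().partition("=")
    return attr_type.strip().upper(), value.strip()


def parse_dn(subject_dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) RDNs.

    Handles backslash escapes and double-quoted values so that a ',' or
    '=' inside a value cannot start a new RDN. Multi-valued RDNs ('+')
    are not split; they are rare in server certificates.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(subject_dn):
        c = subject_dn[i]
        if c == "\\" and i + 1 < len(subject_dn):
            buf.append(subject_dn[i + 1])  # escaped character is literal
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(c)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def get_cn(subject_dn: str) -> Optional[str]:
    """Return the value of the first RDN whose attribute type really is CN."""
    for attr_type, value in parse_dn(subject_dn):
        if attr_type == "CN":
            return value
    return None


def match_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, one wildcard allowed
    only as the whole left-most label, never matching across a dot, and
    never for a two-label pattern such as *.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, san_dns_names: Sequence[str], subject_dn: str) -> bool:
    """If the certificate carries any dNSName SANs, match only those
    (RFC 6125 section 6.4.4); fall back to the CN only when there are none."""
    if san_dns_names:
        return any(match_pattern(p, hostname) for p in san_dns_names)
    cn = get_cn(subject_dn)
    return cn is not None and match_pattern(cn, hostname)


# Constructed attacker subject: the real CN is attacker.example.net, but the
# O= value contains an escaped comma followed by "CN=www.example.com".
ATTACKER_DN = "O=Evil\\, CN=www.example.com, CN=attacker.example.net"

if __name__ == "__main__":
    print("naive CN :", naive_get_cn(ATTACKER_DN))  # www.example.com (spoofable)
    print("parsed CN:", get_cn(ATTACKER_DN))        # attacker.example.net
    print("accepted for www.example.com?", verify_hostname("www.example.com", [], ATTACKER_DN))
```

The same distinction applies in Java: parsing the subject with javax.naming.ldap.LdapName and walking its RDNs yields the genuine CN, whereas searching the toString() form for "CN=" picks up whatever the certificate holder put into any other attribute value.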