[Git][java-team/axis][master] 6 commits: Fix CVE-2023-40743
Markus Koschany (@apo)
gitlab at salsa.debian.org
Tue Oct 17 00:22:17 BST 2023
Markus Koschany pushed to branch master at Debian Java Maintainers / axis
Commits:
4e5d0e94 by Markus Koschany at 2023-10-17T00:50:18+02:00
Fix CVE-2023-40743
- - - - -
22eb305d by Markus Koschany at 2023-10-17T00:58:23+02:00
Switch to debhelper-compat = 13.
- - - - -
6fde825e by Markus Koschany at 2023-10-17T00:58:37+02:00
Declare compliance with Debian Policy 4.6.2.
- - - - -
c8ed7b83 by Markus Koschany at 2023-10-17T01:00:40+02:00
Update debian/copyright
- - - - -
8cf4f888 by Markus Koschany at 2023-10-17T01:02:37+02:00
Update changelog
- - - - -
6867c251 by Markus Koschany at 2023-10-17T01:14:15+02:00
Install the NOTICE file.
- - - - -
7 changed files:
- debian/changelog
- − debian/compat
- debian/control
- debian/copyright
- + debian/libaxis-java.docs
- + debian/patches/CVE-2023-40743.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+axis (1.4-29) unstable; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2023-40743:
+ When integrating Apache Axis 1.x in an application, it may not have been
+ obvious that looking up a service through "ServiceFactory.getService"
+ allows potentially dangerous lookup mechanisms such as LDAP. When passing
+ untrusted input to this API method, this could expose the application to
+ DoS, SSRF and even attacks leading to RCE. (Closes: #1051288)
+ * Switch to debhelper-compat = 13.
+ * Declare compliance with Debian Policy 4.6.2.
+
+ -- Markus Koschany <apo at debian.org> Tue, 17 Oct 2023 01:00:51 +0200
+
axis (1.4-28) unstable; urgency=medium
* Fixed the build failure with Java 11 (Closes: #911187)
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-11
=====================================
debian/control
=====================================
@@ -9,7 +9,7 @@ Uploaders:
Build-Depends:
ant-optional,
bnd (>= 2.1.0),
- debhelper (>= 11~),
+ debhelper-compat (= 13),
default-jdk,
libcommons-discovery-java,
libcommons-httpclient-java,
@@ -18,7 +18,7 @@ Build-Depends:
libservlet3.1-java,
libwsdl4j-java,
maven-repo-helper
-Standards-Version: 4.2.1
+Standards-Version: 4.6.2
Vcs-Git: https://salsa.debian.org/java-team/axis.git
Vcs-Browser: https://salsa.debian.org/java-team/axis
Homepage: http://ws.apache.org/axis/
=====================================
debian/copyright
=====================================
@@ -1,7 +1,7 @@
-Format: http://anonscm.debian.org/viewvc/dep/web/deps/dep5.mdwn?revision=202
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: Apache Axis
Upstream-Contact: http://ws.apache.org/axis/
-Source: http://www.apache.org/dist/ws/axis/1_4/
+Source: https://www.apache.org/dyn/closer.cgi/ws/axis/1_4
Files: *
Copyright: 2006-2008, Apache Foundation
=====================================
debian/libaxis-java.docs
=====================================
@@ -0,0 +1 @@
+NOTICE
=====================================
debian/patches/CVE-2023-40743.patch
=====================================
@@ -0,0 +1,32 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
++++ b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) {
++ return null;
++ }
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++ return null;
+ }
+ }
+ } else {
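Review bot: The new guard on the `jndiName` line closes its parenthesis after the JMX term, so the JRMP, JAVA and DNS checks are evaluated outside the `name!=null` test; when the environment carries no `jndiName`, `name.toUpperCase()` throws a NullPointerException before the `if (name == null)` default a few lines below is reached. `toUpperCase()` with no argument is also locale-sensitive (under a Turkish default locale "rmi" does not uppercase to "RMI" and slips past the filter), so the name should be uppercased once with `Locale.ROOT` and that value tested, which also removes the seven repeated conversions. Note that the substring test presumably rejects the standard `java:` JNDI namespace as well, so callers using `java:comp/env` names will start seeing a null return. The enclosing method (getService, per the changelog) starts and ends outside the hunk, and `java.util.Locale` would need importing at the top of ServiceFactory.java.
```java
String name = (String)environment.get("jndiName");

// Refuse JNDI names selecting lookup mechanisms treated as unsafe (CVE-2023-40743);
// uppercase once, locale-independently, so the comparison is stable.
if (name != null) {
    String upper = name.toUpperCase(Locale.ROOT);
    if (upper.indexOf("LDAP") != -1 || upper.indexOf("RMI") != -1
            || upper.indexOf("JMS") != -1 || upper.indexOf("JMX") != -1
            || upper.indexOf("JRMP") != -1 || upper.indexOf("JAVA") != -1
            || upper.indexOf("DNS") != -1) {
        return null;
    }
}
// … unchanged: default name, lookup and bind …
```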
=====================================
debian/patches/series
=====================================
@@ -8,3 +8,4 @@ javadoc-encoding.patch
java9-compatibility.patch
java11-compatibility.patch
CVE-2018-8032.patch
+CVE-2023-40743.patch