[Git][java-team/axis][debian/jessie] 4 commits: Add debian/.gitlab-ci.yml.
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu Jul 11 16:58:12 BST 2024
Chris Lamb pushed to branch debian/jessie at Debian Java Maintainers / axis
Commits:
0656198b by Chris Lamb at 2024-07-10T18:37:08+01:00
Add debian/.gitlab-ci.yml.
- - - - -
8be899ad by Chris Lamb at 2024-07-10T18:37:08+01:00
CVE-2018-8032
- - - - -
fc147bb5 by Chris Lamb at 2024-07-10T18:37:29+01:00
CVE-2023-40743
- - - - -
4baa95fd by Chris Lamb at 2024-07-11T16:54:17+01:00
releasing package axis version 1.4-21+deb8u1
- - - - -
5 changed files:
- + debian/.gitlab-ci.yml
- debian/changelog
- + debian/patches/CVE-2018-8032.patch
- + debian/patches/CVE-2023-40743.patch
- debian/patches/series
Changes:
=====================================
debian/.gitlab-ci.yml
=====================================
@@ -0,0 +1,2 @@
+include:
+ - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/.yml
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+axis (1.4-21+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Debian ELTS team:
+
+ - CVE-2018-8032: Fix a cross-site scripting (XSS) attack in the default
+ servlet/services. (Closes: #905328)
+
+ - CVE-2023-40743: Fix an issue in ServiceFactory.getService that allowed
+ potentially dangerous lookup mechanisms. When passing untrusted input to
+ this API method, this could have exposed the application to DoS, SSRF and
+ even attacks leading to remote code execution. (Closes: #1051288)
+
+ -- Chris Lamb <lamby at debian.org> Thu, 11 Jul 2024 16:45:17 +0100
+
axis (1.4-21) unstable; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2018-8032.patch
=====================================
@@ -0,0 +1,31 @@
+From: Chris Lamb <lamby at debian.org>
+Date: Wed, 10 Jul 2024 18:04:55 +0100
+Subject: CVE-2018-8032
+
+---
+ src/org/apache/axis/encoding/SerializationContext.java | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/org/apache/axis/encoding/SerializationContext.java b/src/org/apache/axis/encoding/SerializationContext.java
+index adbff8a..55ec6aa 100644
+--- a/src/org/apache/axis/encoding/SerializationContext.java
++++ b/src/org/apache/axis/encoding/SerializationContext.java
+@@ -1176,12 +1176,13 @@ public class SerializationContext implements javax.xml.rpc.encoding.Serializatio
+ sb.append(':');
+ sb.append(map.getPrefix());
+ }
+- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
++ String qname = sb.toString();
++ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
+ writer.write(' ');
+- sb.append("=\"");
+- sb.append(map.getNamespaceURI());
+- sb.append('"');
+- writer.write(sb.toString());
++ writer.write(qname);
++ writer.write("=\"");
++ getEncoder().writeEncoded(writer, map.getNamespaceURI());
++ writer.write('"');
+ }
+ }
+ }
=====================================
debian/patches/CVE-2023-40743.patch
=====================================
@@ -0,0 +1,32 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 17 Oct 2023 00:46:49 +0200
+Subject: CVE-2023-40743
+
+Origin: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
+---
+ src/org/apache/axis/client/ServiceFactory.java | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/org/apache/axis/client/ServiceFactory.java b/src/org/apache/axis/client/ServiceFactory.java
+index 33054a5..73e89ee 100644
+--- a/src/org/apache/axis/client/ServiceFactory.java
++++ b/src/org/apache/axis/client/ServiceFactory.java
+@@ -106,6 +106,10 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+
+ if (context != null) {
+ String name = (String)environment.get("jndiName");
++
++ if(name!=null && (name.toUpperCase().indexOf("LDAP")!=-1 || name.toUpperCase().indexOf("RMI")!=-1 || name.toUpperCase().indexOf("JMS")!=-1 || name.toUpperCase().indexOf("JMX")!=-1) || name.toUpperCase().indexOf("JRMP")!=-1 || name.toUpperCase().indexOf("JAVA")!=-1 || name.toUpperCase().indexOf("DNS")!=-1) {
++ return null;
++ }
+ if (name == null) {
+ name = "axisServiceName";
+ }
+@@ -120,6 +124,7 @@ public class ServiceFactory extends javax.xml.rpc.ServiceFactory
+ context.bind(name, service);
+ } catch (NamingException e1) {
+ // !!! Couldn't do it, what should we do here?
++ return null;
+ }
+ }
+ } else {
=====================================
debian/patches/series
=====================================
@@ -3,3 +3,5 @@
axis-bz152255.patch
javadoc.diff
CVE-2014-3596.patch
+CVE-2018-8032.patch
+CVE-2023-40743.patch
View it on GitLab: https://salsa.debian.org/java-team/axis/-/compare/faace5b630864afe81ccc937c1e851ef637591bc...4baa95fd6701f7b21241932d0081c0d321ed200c
--
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/java-team/axis/-/compare/faace5b630864afe81ccc937c1e851ef637591bc...4baa95fd6701f7b21241932d0081c0d321ed200c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20240711/00a98d08/attachment.htm>
More information about the pkg-java-commits
mailing list