Bug#762444: Insecure certificate validation CVE-2014-3596

Raphael Hertzog hertzog at debian.org
Mon Sep 22 11:59:56 UTC 2014


Package: axis
Severity: grave
Tags: security

Hi,
the following vulnerability was published for axis.

CVE-2014-3596[0]:
| The getCN function in Apache Axis 1.4 and earlier does not properly
| verify that the server hostname matches a domain name in the subject's
| Common Name (CN) or subjectAltName field of the X.509 certificate,
| which allows man-in-the-middle attackers to spoof SSL servers via a
| certificate with a subject that specifies a common name in a field
| that is not the CN field.  NOTE: this issue exists because of an
| incomplete fix for CVE-2012-5784.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
    https://security-tracker.debian.org/tracker/CVE-2014-3596
    https://issues.apache.org/jira/browse/AXIS-2905
Please adjust the affected versions in the BTS as needed.

As is turns out, the fix for CVE-2012-5784 was incomplete and
there's an updated patch available provided by RedHat:
https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch

Please update replace debian/patches/06-fix-CVE-2012-5784.patch with this
one.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



More information about the pkg-java-maintainers mailing list