Bug#762444: Insecure certificate validation CVE-2014-3596
Raphael Hertzog
hertzog at debian.org
Mon Sep 22 11:59:56 UTC 2014
Package: axis
Severity: grave
Tags: security
Hi,
the following vulnerability was published for axis.
CVE-2014-3596[0]:
| The getCN function in Apache Axis 1.4 and earlier does not properly
| verify that the server hostname matches a domain name in the subject's
| Common Name (CN) or subjectAltName field of the X.509 certificate,
| which allows man-in-the-middle attackers to spoof SSL servers via a
| certificate with a subject that specifies a common name in a field
| that is not the CN field. NOTE: this issue exists because of an
| incomplete fix for CVE-2012-5784.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
https://security-tracker.debian.org/tracker/CVE-2014-3596
https://issues.apache.org/jira/browse/AXIS-2905
Please adjust the affected versions in the BTS as needed.
As is turns out, the fix for CVE-2012-5784 was incomplete and
there's an updated patch available provided by RedHat:
https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch
Please update replace debian/patches/06-fix-CVE-2012-5784.patch with this
one.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
More information about the pkg-java-maintainers
mailing list