Bug#929266: axis: CVE-2019-0227
Sylvain Beucler
beuc at beuc.net
Mon May 20 11:20:31 BST 2019
Package: axis
X-Debbugs-CC: team at security.debian.org
Tags: security
Hi,
The following vulnerability was published for axis.
CVE-2019-0227[0]:
| A Server Side Request Forgery (SSRF) vulnerability affected the Apache
| Axis 1.4 distribution that was last released in 2006. Security and bug
| commits commits continue in the projects Axis 1.x Subversion
| repository, legacy users are encouraged to build from source. The
| successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
| vulnerable to this issue.
The vulnerable 'StockQuoteService.jws' is not present in Debian binary
packages, however a SSRF mitigation was also committed [1].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-0227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227
[1] https://github.com/apache/axis1-java/commit/35511b872a6460129cfc0cd35baaccbd820977b5
Cheers!
Sylvain Beucler
Debian LTS Team
More information about the pkg-java-maintainers
mailing list