Bug#929266: axis: CVE-2019-0227

Markus Koschany apo at debian.org
Thu May 23 22:42:51 BST 2019


Hi,

On Mon, 20 May 2019 12:20:31 +0200 Sylvain Beucler <beuc at beuc.net> wrote:
> Package: axis
> X-Debbugs-CC: team at security.debian.org
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for axis.
> 
> CVE-2019-0227[0]:
> | A Server Side Request Forgery (SSRF) vulnerability affected the Apache
> | Axis 1.4 distribution that was last released in 2006. Security and bug
> | commits continue in the project's Axis 1.x Subversion
> | repository; legacy users are encouraged to build from source. The
> | successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not
> | vulnerable to this issue.
> 
> The vulnerable 'StockQuoteService.jws' is not present in Debian binary
> packages, however a SSRF mitigation was also committed [1].

I believe the SSRF mitigation should be viewed in the context of the
vulnerable StockQuoteService.jws file. Since we don't ship this file in
our binary packages, I think it is correct to mark the issue as
unimportant. However I agree it is sensible to change
uconn.setInstanceFollowRedirects(true) to
uconn.setInstanceFollowRedirects(false).

I don't think it is likely that this issue is somehow exploited when
using our Debian package. We use axis mainly as a build-dependency for
other packages. We could change the default for
uconn.setInstanceFollowRedirects in Buster but keep it this way in
Jessie and Stretch.

It is nice to know that there is ongoing work on axis1. I think we could
update this package after the freeze and track the new upstream
development at

https://github.com/apache/axis1-java/

Regards,

Markus

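The mitigation discussed above (switching uconn.setInstanceFollowRedirects from true to false) is easiest to reason about with a redirect in hand. The following is an added, self-contained example and not code from Axis or from the StockQuoteService.jws file: fetch() is a hypothetical stand-in for a server-side URL fetch driven by a client-supplied address, and the local HttpServer is a constructed "attacker" endpoint that answers with a 302 pointing at an "internal" path on the same loopback server. With redirects followed, the internal body is returned to the caller; with redirects disabled, the 3xx is observed and rejected.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class RedirectSsrfDemo {

    // Hypothetical stand-in for a server-side fetch of a client-supplied URL
    // (not the Axis code). Returns the response body as a string.
    static String fetch(String url, boolean followRedirects) throws IOException {
        HttpURLConnection uconn = (HttpURLConnection) new URL(url).openConnection();
        uconn.setInstanceFollowRedirects(followRedirects);
        uconn.setConnectTimeout(2000);
        uconn.setReadTimeout(2000);
        int code = uconn.getResponseCode();
        if (code / 100 == 3) {
            // Only reachable when redirects are not followed: surface the
            // redirect target instead of silently fetching it.
            String loc = uconn.getHeaderField("Location");
            uconn.disconnect();
            throw new IOException("refusing redirect to " + loc);
        }
        try (InputStream in = uconn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed local server: /quote redirects to /internal/secret, which
        // stands in for a resource reachable only from the fetching host.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        int port = server.getAddress().getPort();
        server.createContext("/internal/secret", ex -> {
            byte[] body = "internal-only data".getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.createContext("/quote", ex -> {
            ex.getResponseHeaders().add("Location",
                "http://127.0.0.1:" + port + "/internal/secret");
            ex.sendResponseHeaders(302, -1); // no body
            ex.close();
        });
        server.start();
        try {
            String target = "http://127.0.0.1:" + port + "/quote";
            // Original setting (followRedirects = true): the 302 is followed
            // transparently and the internal body comes back to the caller.
            System.out.println("follow=true : " + fetch(target, true));
            // Mitigated setting (followRedirects = false): the 302 is visible
            // to the application and is rejected.
            try {
                fetch(target, false);
            } catch (IOException e) {
                System.out.println("follow=false: " + e.getMessage());
            }
        } finally {
            server.stop(0);
        }
    }
}
```

Run with `java RedirectSsrfDemo.java` (Java 11 or later). Disabling redirect following closes only the redirect path; a client that can name an internal host directly in the request still reaches it, so the setting is a partial hardening, consistent with the comment above that the mitigation is best read in the context of the shipped StockQuoteService.jws.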