Bug 8936

Summary: axis new security issue CVE-2012-5784
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, dmorganec, sysadmin-bugs
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/535742/
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: axis-1.4-18.mga3.src.rpm CVE:
Status comment:

Description David Walser 2013-02-01 19:57:40 CET 
Fedora has issued an advisory on January 23:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/097912.html

Mageia 2 is also affected.
David Walser 2013-02-01 19:57:46 CET

Whiteboard: (none) => MGA2TOO

David Walser 2013-02-01 20:39:17 CET

CC: (none) => dmorganec

David Walser 2013-02-01 21:44:28 CET

URL: (none) => http://lwn.net/Vulnerabilities/535742/

Comment 1 David Walser 2013-02-02 00:11:22 CET 
I fixed this in Cauldron.

D Morgan, I'll need you to look at this for Mageia 2.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 2 David Walser 2013-02-20 18:50:02 CET 
RedHat has issued an advisory for this on February 19:
https://rhn.redhat.com/errata/RHSA-2013-0269.html
Comment 3 D Morgan 2013-06-25 01:03:08 CEST 
fixed on svn
Comment 4 David Walser 2013-06-25 01:15:47 CEST 
Thanks D Morgan!

Advisory:
========================

Updated axis packages fix security vulnerability:

Apache Axis did not verify that the server hostname matched the domain name
in the subject's Common Name (CN) or subjectAltName field in X.509
certificates. This could allow a man-in-the-middle attacker to spoof an SSL
server if they had a certificate that was valid for any domain name
(CVE-2012-5784).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
https://rhn.redhat.com/errata/RHSA-2013-0269.html
========================

Updated packages in core/updates_testing:
========================
axis-1.4-6.1.mga2
axis-javadoc-1.4-6.1.mga2
axis-manual-1.4-6.1.mga2

from axis-1.4-6.1.mga2.src.rpm

Assignee: dmorganec => qa-bugs

Comment 5 Dave Hodgins 2013-07-01 04:10:27 CEST 
http://svnweb.mageia.org/advisories/8936.adv?view=markup&sortby=date
uploaded.

CC: (none) => davidwhodgins

Comment 6 Dave Hodgins 2013-07-01 22:52:44 CEST 
As with other java development updates, we don't have anyone who knows how
to test this properly, so all we can do is confirm that it installs cleanly.

Could someone from the sysadmin team push 8936.adv

Keywords: (none) => validated_update
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Nicolas Vigier 2013-07-06 16:29:18 CEST 
http://advisories.mageia.org/MGASA-2013-0200.html

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:24 CEST

CC: boklm => (none)