Bug 14103 - axis new security issue CVE-2014-3596
Summary: axis new security issue CVE-2014-3596
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/611992/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-09-16 19:04 CEST by David Walser
Modified: 2014-12-26 18:05 CET (History)
4 users

See Also:
Source RPM: axis-1.4-24.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-09-16 19:04:21 CEST
RedHat has issued an advisory on September 15:
https://rhn.redhat.com/errata/RHSA-2014-1193.html

Mageia 3 and Mageia 4 are also affected.

Reproducible: 

Steps to Reproduce:
David Walser 2014-09-16 19:04:31 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 Sander Lepik 2014-11-29 16:04:26 CET
Dropped from cauldron.

Whiteboard: MGA4TOO, MGA3TOO => (none)
Version: Cauldron => 4
CC: (none) => mageia

Comment 2 David Walser 2014-12-24 22:27:22 CET
Probably on its way back to Cauldron, but I added the upstream patch in Mageia 4 and Cauldron SVN (replacing the CVE-2012-5784 patch that it supersedes). Fedora has yet to address this.
Comment 3 David Walser 2014-12-24 23:43:28 CET
Patched package uploaded for Mageia 4.

Verifying that the updated packages install cleanly is sufficient for testing this update.

Advisory:
========================

Updated axis packages fix a security vulnerability:

It was discovered that Axis incorrectly extracted the host name from an
X.509 certificate subject's Common Name (CN) field. A man-in-the-middle
attacker could use this flaw to spoof an SSL server using a specially
crafted X.509 certificate (CVE-2014-3596).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
https://rhn.redhat.com/errata/RHSA-2014-1193.html
========================

Updated package in core/updates_testing:
========================
axis-1.4-24.1.mga4
axis-javadoc-1.4-24.1.mga4
axis-manual-1.4-24.1.mga4

from axis-1.4-24.1.mga4.src.rpm

Assignee: dmorganec => qa-bugs
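To make the advisory's point concrete, here is an added Java example (not Axis's code and not part of this bug report) contrasting a constructed substring-style CN extractor with one that parses the subject DN into RDNs via javax.naming.ldap.LdapName and only honours an attribute whose type really is CN; the sample subject strings are constructed for the demonstration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnHostnameCheck {

    // Constructed illustration of the flaw class (not Axis's actual code): look for
    // the text "CN=" anywhere in the DN string and take what follows up to the next
    // comma. Any other attribute whose value contains "CN=" is mistaken for the CN.
    static String naiveCn(String subjectDn) {
        int start = subjectDn.indexOf("CN=");
        if (start < 0) {
            return null;
        }
        int end = subjectDn.indexOf(',', start);
        return end < 0 ? subjectDn.substring(start + 3) : subjectDn.substring(start + 3, end);
    }

    // Hardened form: parse the DN into RDNs and return the value of the attribute
    // whose *type* is CN, ignoring CN-like text inside other attribute values.
    static String parsedCn(String subjectDn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    // Host-name check built on the parsed CN: case-insensitive exact match only.
    static boolean hostMatches(String expectedHost, String subjectDn) throws InvalidNameException {
        String cn = parsedCn(subjectDn);
        return cn != null && cn.equalsIgnoreCase(expectedHost);
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample subjects. The second one carries "CN=www.example.com"
        // inside its OU value while its real CN names a different host.
        String honest  = "CN=www.example.com,O=Example Corp,C=US";
        String crafted = "OU=CN=www.example.com,CN=other.example.net,O=Example Corp,C=US";

        System.out.println("naive  CN, honest subject : " + naiveCn(honest));
        System.out.println("naive  CN, crafted subject: " + naiveCn(crafted));
        System.out.println("parsed CN, honest subject : " + parsedCn(honest));
        System.out.println("parsed CN, crafted subject: " + parsedCn(crafted));
        System.out.println("www.example.com accepted for crafted subject: "
                + hostMatches("www.example.com", crafted));
    }
}
```

The naive extractor returns the same host for both subjects, which is the condition a spoofed server needs; the parsed check rejects the crafted subject because its CN attribute names another host.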

Comment 4 olivier charles 2014-12-25 21:49:11 CET
Testing on Mageia4x32 real hardware.

First installed current packages:
axis-1.4-24.mga4
axis-javadoc-1.4-24.mga4
axis-manual-1.4-24.mga4

Then updated testing packages:
axis-1.4-24.1.mga4
axis-javadoc-1.4-24.1.mga4
axis-manual-1.4-24.1.mga4

No problem detected through installation.

CC: (none) => olchal
Whiteboard: (none) => MGA4-32-OK

Comment 5 Herman Viaene 2014-12-26 09:34:43 CET
MGA4-64 on HP Probook 6555b
No installation problems.

CC: (none) => herman.viaene
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK

Comment 6 claire robinson 2014-12-26 10:45:15 CET
Validating. Advisory uploaded.

Please push to updates

Thanks

Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 7 Mageia Robot 2014-12-26 18:05:46 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0549.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

